Use secret password for admin user on test deployment (#1135)

Unfortunately it is time. We all knew this was coming but last night someone deleted all pages from our test deployment. That's really not a big problem, as they are recreated from a DB dump on every deploy anyway. It's still annoying (and made us think our deployment partially failed :D). (Not exactly sure in what category in the changelog this belongs... admins surely test stuff on our test deployment as well) The test deployment for this PR probably fails or won't show the right behavior as some scripts from `master` are used. But I deployed this manually: https://testlukas.tobira.opencast.org/ (password for admin there is `hund123` ... which *won't* be the password for the actual deployment :D)
elan-ev · Mar 7, 2024 · 2c83d20 · 2c83d20
2 parents 2ddd3ca + f663a95
commit 2c83d20
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 4 deletions.
diff --git a/.deployment/deploy.yml b/.deployment/deploy.yml
@@ -6,6 +6,7 @@
     # will usually be overwritten by --extra-vars='deployid=<id>'
     id: "{{ deployid }}"
     opencast_admin_password: '{{ lookup("env", "OPENCAST_ADMIN_PASSWORD") }}'
+    tobira_admin_password: '{{ lookup("env", "TOBIRA_ADMIN_PASSWORD") }}'
 
   tasks:
     # We always recreate the DB from the last release dump. To do that, we have

diff --git a/.deployment/templates/config.toml b/.deployment/templates/config.toml
@@ -25,8 +25,8 @@ unix_socket_permissions = 0o777
 [auth]
 source = "tobira-session"
 session.from_login_credentials = "login-callback:http+unix://[/opt/tobira/{{ id }}/socket/auth.sock]/"
-login_page.note.en = 'Dummy users: "jose", "morgan", "björk", "sabine" and "admin". Password for all: "tobira".'
-login_page.note.de = 'Testnutzer: "jose", "morgan", "björk", "sabine" und "admin". Passwort für alle: "tobira".'
+login_page.note.en = 'Dummy users: "jose", "morgan", "björk" and "sabine". Password for all: "tobira".'
+login_page.note.de = 'Testnutzer: "jose", "morgan", "björk" und "sabine". Passwort für alle: "tobira".'
 
 trusted_external_key = "tobira"
 

diff --git a/.deployment/templates/tobiraauth.service b/.deployment/templates/tobiraauth.service
@@ -7,6 +7,7 @@ After=network.target
 
 [Service]
 WorkingDirectory=/opt/tobira/{{ id }}/
+Environment="TOBIRA_ADMIN_PASSWORD={{ tobira_admin_password }}"
 ExecStart=node /opt/tobira/{{ id }}/login-handler.js {{ id }}
 Restart=always
 User=tobira

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -74,6 +74,7 @@ jobs:
       working-directory: .deployment
       env:
         OPENCAST_ADMIN_PASSWORD: ${{ secrets.TOBIRA_OPENCAST_ADMIN_PASSWORD }}
+        TOBIRA_ADMIN_PASSWORD: ${{ secrets.TOBIRA_ADMIN_PASSWORD }}
       run: >
         ansible-playbook
         --private-key=~/.ssh/id_ed25519

diff --git a/util/dummy-login/dist/index.js b/util/dummy-login/dist/index.js
diff --git a/util/dummy-login/index.ts b/util/dummy-login/index.ts
@@ -44,8 +44,18 @@ const main = async () => {
 };
 
 const check: LoginCheck = async ({ userid, password }) => {
+    // On the test deployment, for admin, we require a good password.
+    const expectedPassword = (process.argv[2] && userid === "admin")
+        ? process.env.TOBIRA_ADMIN_PASSWORD
+        : DUMMY_PASSWORD;
+
+    if (!expectedPassword) {
+        console.error("Tobira admin password env not set!");
+        return "forbidden";
+    }
+
     const user = DUMMY_USERS[userid];
-    if (password === DUMMY_PASSWORD && user) {
+    if (password === expectedPassword && user) {
         return {
             username: userid,
             displayName: user.displayName,