Do not harcode user's password hash in scripts

Generate user's password hash based on `EDGE_USER_PASSWORD` variable instead of hardcoding it Signed-off-by: Miguel Martín <mmartinv@redhat.com>
2023-11-20 11:45:24 +01:00 · 2023-11-20 11:45:24 +01:00 · 20c8892ec9
commit 20c8892ec9
parent a0d357c66b
5 changed files with 56 additions and 35 deletions
--- a/test/cases/ostree-ami-image.sh
+++ b/test/cases/ostree-ami-image.sh
@ -78,10 +78,16 @@ SSH_DATA_DIR=$(/usr/libexec/osbuild-composer-test/gen-ssh.sh)
 SSH_KEY=${SSH_DATA_DIR}/id_rsa
 SSH_KEY_PUB=$(cat "${SSH_KEY}".pub)
 IGNITION_USER=core
+IGNITION_USER_PASSWORD="${IGNITION_USER_PASSWORD:-foobar}"
+IGNITION_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${IGNITION_USER_PASSWORD}")

 # Set FIPS variable default
 FIPS="${FIPS:-false}"

+# Generate the user's password hash
+EDGE_USER_PASSWORD="${EDGE_USER_PASSWORD:-foobar}"
+EDGE_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${EDGE_USER_PASSWORD}")
+
 case "${ID}-${VERSION_ID}" in
    "rhel-9."*)
        OSTREE_REF="rhel/9/${ARCH}/edge"
@ -481,7 +487,7 @@ sudo tee "$IGNITION_CONFIG_PATH" > /dev/null << EOF
          "wheel"
        ],
        "name": "$IGNITION_USER",
-        "passwordHash": "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl.",
+        "passwordHash": "${IGNITION_USER_PASSWORD_SHA512}",
        "sshAuthorizedKeys": [
          "$SSH_KEY_PUB"
        ]
@ -591,7 +597,7 @@ tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -858,7 +864,7 @@ ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
 ansible_become=yes
 ansible_become_method=sudo
-ansible_become_pass=${EDGE_USER_PASSWORD}
+ansible_become_pass=${IGNITION_USER_PASSWORD}
 EOF

 # Test IoT/Edge OS
@ -902,7 +908,7 @@ version = "*"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 home = "/home/admin/"
 groups = ["wheel"]
 EOF
@ -987,12 +993,12 @@ sudo ssh \
    "${SSH_OPTIONS[@]}" \
    -i "${SSH_KEY}" \
    admin@"${PUBLIC_GUEST_ADDRESS}" \
-    "echo ${EDGE_USER_PASSWORD} |sudo -S ostree remote delete rhel-edge"
+    "echo '${EDGE_USER_PASSWORD}' |sudo -S ostree remote delete rhel-edge"
 sudo ssh \
    "${SSH_OPTIONS[@]}" \
    -i "${SSH_KEY}" \
    admin@"${PUBLIC_GUEST_ADDRESS}" \
-    "echo ${EDGE_USER_PASSWORD} |sudo -S ostree remote add --no-gpg-verify rhel-edge ${OBJECT_URL}/repo"
+    "echo '${EDGE_USER_PASSWORD}' |sudo -S ostree remote add --no-gpg-verify rhel-edge ${OBJECT_URL}/repo"

 # Upgrade image/commit.
 greenprint "🗳 Upgrade ostree image/commit"
@ -1000,12 +1006,12 @@ sudo ssh \
    "${SSH_OPTIONS[@]}" \
    -i "${SSH_KEY}" \
    admin@"${PUBLIC_GUEST_ADDRESS}" \
-    "echo ${EDGE_USER_PASSWORD} |sudo -S rpm-ostree upgrade"
+    "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree upgrade"
 sudo ssh \
    "${SSH_OPTIONS[@]}" \
    -i "${SSH_KEY}" \
    admin@"${PUBLIC_GUEST_ADDRESS}" \
-    "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+    "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"

 # Sleep 10 seconds here to make sure EC2 instance restarted already
 sleep 10
@ -1036,7 +1042,7 @@ ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
 ansible_become=yes
 ansible_become_method=sudo
-ansible_become_pass=${EDGE_USER_PASSWORD}
+ansible_become_pass=${IGNITION_USER_PASSWORD}
 EOF

 # Test IoT/Edge OS
--- a/test/cases/ostree-ng.sh
+++ b/test/cases/ostree-ng.sh
@ -114,6 +114,10 @@ SYSROOT_RO="false"
 # Set FIPS variable default
 FIPS="${FIPS:-false}"

+# Generate the user's password hash
+EDGE_USER_PASSWORD="${EDGE_USER_PASSWORD:-foobar}"
+EDGE_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${EDGE_USER_PASSWORD}")
+
 case "${ID}-${VERSION_ID}" in
    fedora-*)
        CONTAINER_TYPE=iot-container
@ -402,7 +406,7 @@ version = "*"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -515,7 +519,7 @@ tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "installeruser"
 description = "Added by installer blueprint"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/installeruser/"
 groups = ["wheel"]
--- a/test/cases/ostree-raw-image.sh
+++ b/test/cases/ostree-raw-image.sh
@ -107,6 +107,9 @@ CUSTOM_DIRS_FILES="false"
 # Set FIPS variable default
 FIPS="${FIPS:-false}"

+# Generate the user's password hash
+EDGE_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${EDGE_USER_PASSWORD:-foobar}")
+
 case "${ID}-${VERSION_ID}" in
    "rhel-8"* )
        OSTREE_REF="rhel/8/${ARCH}/edge"
@ -350,7 +353,7 @@ if [[ "$USER_IN_RAW" == "false" ]]; then
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -435,7 +438,7 @@ if [[ "$USER_IN_RAW" == "true" ]]; then
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -617,7 +620,7 @@ name = "${KERNEL_RT_PKG}"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 home = "/home/admin/"
 groups = ["wheel"]
 EOF
@ -708,8 +711,8 @@ EOF

    # Rebase image/commit.
    greenprint "🗳 Rebase ostree image/commit"
-    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${BIOS_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}"
-    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${BIOS_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${BIOS_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}"
+    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${BIOS_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"

    # Sleep 10 seconds here to make sure vm restarted already
    sleep 10
@ -904,7 +907,7 @@ if [[ "$USER_IN_RAW" == "false" ]]; then
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 home = "/home/admin/"
 groups = ["wheel"]
 EOF
@ -999,14 +1002,14 @@ if [[ "$ID" == "fedora" ]]; then
    # The Fedora IoT Raw image sets the fedora-iot remote URL to https://ostree.fedoraproject.org/iot
    # Replacing with our own local repo
    greenprint "Replacing default remote"
-    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S ostree remote delete ${OSTREE_OSNAME}"
-    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S ostree remote add --no-gpg-verify ${OSTREE_OSNAME} ${PROD_REPO_URL}"
+    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S ostree remote delete ${OSTREE_OSNAME}"
+    sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S ostree remote add --no-gpg-verify ${OSTREE_OSNAME} ${PROD_REPO_URL}"
 fi

 # Upgrade image/commit.
 greenprint "🗳 Upgrade ostree image/commit"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S rpm-ostree upgrade"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree upgrade"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${UEFI_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"

 # Sleep 10 seconds here to make sure vm restarted already
 sleep 10
--- a/test/cases/ostree-simplified-installer.sh
+++ b/test/cases/ostree-simplified-installer.sh
@ -129,6 +129,9 @@ FDO_USER_ONBOARDING="false"
 # Set FIPS variable default
 FIPS="${FIPS:-false}"

+# Generate the user's password hash
+EDGE_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${EDGE_USER_PASSWORD:-foobar}")
+
 case "${ID}-${VERSION_ID}" in
    "rhel-8"* )
        OSTREE_REF="rhel/8/${ARCH}/edge"
@ -377,7 +380,7 @@ name = "${KERNEL_RT_PKG}"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -440,7 +443,7 @@ groups = []
 [[customizations.user]]
 name = "simple"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/simple/"
 groups = ["wheel"]
@ -517,7 +520,7 @@ for _ in $(seq 0 30); do
 done

 # With new ostree-libs-2022.6-3, edge vm needs to reboot twice to make the /sysroot readonly
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" "simple@${EDGE_GUEST_ADDRESS}" "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"
 # Sleep 10 seconds here to make sure vm restarted already
 sleep 10
 for _ in $(seq 0 30); do
@ -594,7 +597,7 @@ tee -a "$BLUEPRINT_FILE" >> /dev/null << EOF
 [[customizations.user]]
 name = "simple"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/simple/"
 groups = ["wheel"]
@ -950,7 +953,7 @@ name = "${KERNEL_RT_PKG}"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 home = "/home/admin/"
 groups = ["wheel"]
 EOF
@ -1010,8 +1013,8 @@ sudo composer-cli compose delete "${COMPOSE_ID}" > /dev/null
 sudo composer-cli blueprints delete rebase > /dev/null

 greenprint "🗳 Rebase ostree image/commit"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree rebase ${REF_PREFIX}:${OSTREE_REF}"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"

 # Sleep 10 seconds here to make sure vm restarted already
 sleep 10
@ -1259,7 +1262,7 @@ name = "${KERNEL_RT_PKG}"
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 home = "/home/admin/"
 groups = ["wheel"]
 EOF
@ -1320,8 +1323,8 @@ sudo composer-cli compose delete "${COMPOSE_ID}" > /dev/null
 sudo composer-cli blueprints delete upgrade > /dev/null

 greenprint "🗳 Upgrade ostree image/commit"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |sudo -S rpm-ostree upgrade"
-sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo ${EDGE_USER_PASSWORD} |nohup sudo -S systemctl reboot &>/dev/null & exit"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |sudo -S rpm-ostree upgrade"
+sudo ssh "${SSH_OPTIONS[@]}" -i "${SSH_KEY}" admin@${EDGE_GUEST_ADDRESS} "echo '${EDGE_USER_PASSWORD}' |nohup sudo -S systemctl reboot &>/dev/null & exit"

 # Sleep 10 seconds here to make sure vm restarted already
 sleep 10
--- a/test/cases/ostree-vsphere.sh
+++ b/test/cases/ostree-vsphere.sh
@ -89,7 +89,8 @@ SSH_KEY_PUB=$(cat "${SSH_KEY}".pub)
 IGNITION_SERVER_FOLDER=/var/www/html/ignition
 IGNITION_SERVER_URL=http://${HOST_IP_ADDRESS}/ignition
 IGNITION_USER=core
-IGNITION_USER_PASSWORD=foobar
+IGNITION_USER_PASSWORD="${IGNITION_USER_PASSWORD:-foobar}"
+IGNITION_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${IGNITION_USER_PASSWORD}")

 # Set up variables.
 SYSROOT_RO="true"
@ -97,6 +98,10 @@ SYSROOT_RO="true"
 # Set FIPS variable default
 FIPS="${FIPS:-false}"

+# Generate the user's password hash
+EDGE_USER_PASSWORD="${EDGE_USER_PASSWORD:-foobar}"
+EDGE_USER_PASSWORD_SHA512=$(openssl passwd -6 -stdin <<< "${EDGE_USER_PASSWORD}")
+
 DATACENTER_70="Datacenter7.0"
 DATASTORE_70="datastore-80"
 DATACENTER_70_POOL="/Datacenter7.0/host/Automation/Resources"
@ -363,7 +368,7 @@ sudo tee "$IGNITION_CONFIG_PATH" > /dev/null << EOF
          "wheel"
        ],
        "name": "$IGNITION_USER",
-        "passwordHash": "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl.",
+        "passwordHash": "${IGNITION_USER_PASSWORD_SHA512}",
        "sshAuthorizedKeys": [
          "$SSH_KEY_PUB"
        ]
@ -437,7 +442,7 @@ tee -a "$BLUEPRINT_FILE" > /dev/null << EOF
 [[customizations.user]]
 name = "admin"
 description = "Administrator account"
-password = "\$6\$GRmb7S0p8vsYmXzH\$o0E020S.9JQGaHkszoog4ha4AQVs3sk8q0DvLjSMxoxHBKnB2FBXGQ/OkwZQfW/76ktHd0NX5nls2LPxPuUdl."
+password = "${EDGE_USER_PASSWORD_SHA512}"
 key = "${SSH_KEY_PUB}"
 home = "/home/admin/"
 groups = ["wheel"]
@ -522,7 +527,7 @@ ansible_private_key_file=${SSH_KEY}
 ansible_ssh_common_args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
 ansible_become=yes
 ansible_become_method=sudo
-ansible_become_pass=${IGNITION_USER_PASSWORD}
+ansible_become_pass=${EDGE_USER_PASSWORD}
 EOF

 # Test IoT/Edge OS