FEATURE/MEDIUM: userList: generate random secure password
This change replaces the previously hard-coded password ("insecure-password" in HAProxy config) with a hashed password ("password").
So, on every start up a random password is generated, hashed and then saved to HAProxy conf.
Generated password is stored in memory, while hashed password is saved to HAProxy conf.
amelhusic committed May 6, 2020
1 parent faede19 commit 146eb1a
Showing 3 changed files with 28 additions and 3 deletions.
1 change: 1 addition & 0 deletions go.mod
Expand Up @@ -3,6 +3,7 @@ module github.com/haproxytech/haproxy-consul-connect
go 1.13

require (
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/criteo/haproxy-spoe-go v0.0.0-20190925130734-97891c13d324
github.com/d4l3k/messagediff v1.2.1 // indirect
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -8,6 +8,8 @@ github.com/Azure/go-autorest v10.15.3+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxS
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/DataDog/datadog-go v2.2.0+incompatible h1:V5BKkxACZLjzHjSgBbr2gvLA2Ae49yhc6CSY7MLy5k4=
github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
github.com/Microsoft/go-winio v0.4.3 h1:M3NHMuPgMSUPdE5epwNUHlRPSVzHs8HpRTrVXhR0myo=
github.com/Microsoft/go-winio v0.4.3/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
github.com/NYTimes/gziphandler v1.0.1 h1:iLrQrdwjDd52kHDA5op2UBJFjmOb9g+7scBan4RN8F0=
28 changes: 25 additions & 3 deletions haproxy/config.go
@@ -1,22 +1,27 @@
package haproxy

import (
"crypto/rand"
"encoding/base64"
"io/ioutil"
"os"
"path"
"runtime"

"text/template"

"github.com/GehirnInc/crypt"
_ "github.com/GehirnInc/crypt/sha256_crypt"
"github.com/haproxytech/haproxy-consul-connect/lib"
log "github.com/sirupsen/logrus"
)

const (
dataplaneUser = "haproxy"
dataplanePass = "pass"
)

var dataplanePass string

var baseCfgTmpl = `
global
master-worker
Expand All @@ -27,7 +32,7 @@ global
nbthread {{.NbThread}}
userlist controller
user {{.DataplaneUser}} insecure-password {{.DataplanePass}}
user {{.DataplaneUser}} password {{.DataplanePass}}
`

const spoeConfTmpl = `
Expand Down Expand Up @@ -105,12 +110,18 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {
}
defer cfgFile.Close()

dataplanePass = createRandomString()
hashPass, err := hashPassword(dataplanePass)
if err != nil {
return nil, err
}

err = tmpl.Execute(cfgFile, baseParams{
NbThread: runtime.GOMAXPROCS(0),
SocketPath: cfg.StatsSock,
LogsPath: cfg.LogsSock,
DataplaneUser: dataplaneUser,
DataplanePass: dataplanePass,
DataplanePass: hashPass,
})
if err != nil {
sd.Done()
Expand All @@ -131,3 +142,14 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {

return cfg, nil
}

func hashPassword(password string) (string, error) {
crypter := crypt.SHA256.New()
return crypter.Generate([]byte(password), []byte("$5$salt"))
}

func createRandomString() string {
randBytes := make([]byte, 32)
_, _ = rand.Read(randBytes)
return base64.URLEncoding.EncodeToString(randBytes)
}
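Review bot: `createRandomString` discards the error from `rand.Read` with `_, _ =`, so if the entropy source fails the 32-byte buffer stays (at least partly) zero-filled and the dataplane password becomes a predictable, repeatable string while startup proceeds as if a random secret had been generated. Return the error and let `newHaConfig` fail instead; the call in the `-105,12 +110,18` hunk would become `dataplanePass, err = createRandomString()` followed by `if err != nil { return nil, err }` (`=` rather than `:=`, since `dataplanePass` is the package-level variable declared in the first hunk, and `err` is evidently already in scope given the later `err = tmpl.Execute` assignment). Separately, `hashPassword` applies the constant salt `$5$salt` to every instance; with a 32-byte random password this is not a practical weakness, but if the crypt library's `Generate` derives a random salt when the salt argument is empty, as its documentation indicates, passing `nil` there removes the fixed salt at no cost — worth confirming against the version pinned in go.mod.
```go
func createRandomString() (string, error) {
	randBytes := make([]byte, 32)
	// A failed read must not silently fall through to a zero-filled buffer.
	if _, err := rand.Read(randBytes); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(randBytes), nil
}
```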
