FEATURE/MEDIUM: userList: generate random secure password

This change previously hard coded password ("insecure-password" in HAProxy config) usage and instead use hashed password("password"). So, on every start up a random password is generated, hashed and then saved to HAProxy conf. Generated password is stored in memory, while hashed password is saved to HAProxy conf.
haproxytech · May 6, 2020 · 5273053 · 5273053
1 parent faede19
commit 5273053
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/haproxytech/haproxy-consul-connect
 go 1.13
 
 require (
+	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
 	github.com/criteo/haproxy-spoe-go v0.0.0-20190925130734-97891c13d324
 	github.com/d4l3k/messagediff v1.2.1 // indirect

diff --git a/go.sum b/go.sum
@@ -8,6 +8,8 @@ github.com/Azure/go-autorest v10.15.3+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxS
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/DataDog/datadog-go v2.2.0+incompatible h1:V5BKkxACZLjzHjSgBbr2gvLA2Ae49yhc6CSY7MLy5k4=
 github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
+github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
 github.com/Microsoft/go-winio v0.4.3 h1:M3NHMuPgMSUPdE5epwNUHlRPSVzHs8HpRTrVXhR0myo=
 github.com/Microsoft/go-winio v0.4.3/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/NYTimes/gziphandler v1.0.1 h1:iLrQrdwjDd52kHDA5op2UBJFjmOb9g+7scBan4RN8F0=

diff --git a/haproxy/config.go b/haproxy/config.go
@@ -2,21 +2,26 @@ package haproxy
 
 import (
 	"io/ioutil"
+	"math/rand"
 	"os"
 	"path"
 	"runtime"
+	"time"
 
 	"text/template"
 
+	"github.com/GehirnInc/crypt"
+	_ "github.com/GehirnInc/crypt/sha256_crypt"
 	"github.com/haproxytech/haproxy-consul-connect/lib"
 	log "github.com/sirupsen/logrus"
 )
 
 const (
 	dataplaneUser = "haproxy"
-	dataplanePass = "pass"
 )
 
+var dataplanePass string
+
 var baseCfgTmpl = `
 global
 	master-worker
@@ -27,7 +32,7 @@ global
 	nbthread {{.NbThread}}
 
 userlist controller
-	user {{.DataplaneUser}} insecure-password {{.DataplanePass}}
+	user {{.DataplaneUser}} password {{.DataplanePass}}
 `
 
 const spoeConfTmpl = `
@@ -105,12 +110,15 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {
 	}
 	defer cfgFile.Close()
 
+	dataplanePass = createRandomString(6)
+	hashPass, _ := hashPassword(dataplanePass)
+
 	err = tmpl.Execute(cfgFile, baseParams{
 		NbThread:      runtime.GOMAXPROCS(0),
 		SocketPath:    cfg.StatsSock,
 		LogsPath:      cfg.LogsSock,
 		DataplaneUser: dataplaneUser,
-		DataplanePass: dataplanePass,
+		DataplanePass: hashPass,
 	})
 	if err != nil {
 		sd.Done()
@@ -131,3 +139,18 @@ func newHaConfig(baseDir string, sd *lib.Shutdown) (*haConfig, error) {
 
 	return cfg, nil
 }
+
+func hashPassword(password string) (string, error) {
+	crypter := crypt.SHA256.New()
+	return crypter.Generate([]byte(password), []byte("$5$salt"))
+}
+
+func createRandomString(n int) string {
+	var dictionary = []rune("_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
+	b := make([]rune, n)
+	rand.Seed(time.Now().UnixNano())
+	for i := range b {
+		b[i] = dictionary[rand.Intn(len(dictionary))]
+	}
+	return string(b)
+}