Set CRYPTO_RANDOM as environment variable at startup time (#134)

2024-10-17 21:05:04 -04:00 · 2020-01-28 07:16:23 +01:00 · 2020-01-28 07:16:23 +01:00 · 3781585862
commit 3781585862
parent 7a481d0d1d
3 changed files with 19 additions and 9 deletions
--- a/2
+++ b/2
@ -84,8 +84,6 @@ RUN cd /var/www && ./git-revision.sh > revisions.txt
 # Set Environment Variables
 # --------------------------------
 ENV WEB_API_USER "sharelatex"
-# password is regenerated in init_scripts/00_regen_sharelatex_secrets.sh
-ENV WEB_API_PASSWORD "password"

 ENV SHARELATEX_APP_NAME "Overleaf Community Edition"

--- a/init_scripts/00_regen_sharelatex_secrets.sh
+++ b/init_scripts/00_regen_sharelatex_secrets.sh
@ -1,7 +1,19 @@
 #!/bin/sh
-# Create random secret keys (twice, once for http auth pass, once for cookie secret).
-CRYPTO_RANDOM=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
-sed -i "0,/CRYPTO_RANDOM/s/CRYPTO_RANDOM/$CRYPTO_RANDOM/" /etc/sharelatex/settings.coffee

-CRYPTO_RANDOM=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
-sed -i "0,/CRYPTO_RANDOM/s/CRYPTO_RANDOM/$CRYPTO_RANDOM/" /etc/sharelatex/settings.coffee
+# generate secrets and defines them as environment variables
+# https://github.com/phusion/baseimage-docker#centrally-defining-your-own-environment-variables
+
+WEB_API_PASSWORD_FILE=/etc/container_environment/WEB_API_PASSWORD
+CRYPTO_RANDOM_FILE=/etc/container_environment/CRYPTO_RANDOM
+
+if [ ! -f "$WEB_API_PASSWORD_FILE" ] || [ ! -f "$CRYPTO_RANDOM_FILE" ]; then
+
+    echo "generating random secrets"
+
+    SECRET=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
+    echo ${SECRET} > ${WEB_API_PASSWORD_FILE}
+
+    SECRET=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
+    echo ${SECRET} > ${CRYPTO_RANDOM_FILE}
+fi
+
--- a/settings.coffee
+++ b/settings.coffee
@ -3,7 +3,7 @@ Path = require('path')
 # These credentials are used for authenticating api requests
 # between services that may need to go over public channels
 httpAuthUser = "sharelatex"
-httpAuthPass = "CRYPTO_RANDOM" # Randomly generated for you
+httpAuthPass = process.env["WEB_API_PASSWORD"]
 httpAuthUsers = {}
 httpAuthUsers[httpAuthUser] = httpAuthPass

@ -162,7 +162,7 @@ settings =
 	# If provided, a sessionSecret is used to sign cookies so that they cannot be
 	# spoofed. This is recommended.
 	security:
-		sessionSecret: process.env["SHARELATEX_SESSION_SECRET"] or "CRYPTO_RANDOM" # This was randomly generated for you
+		sessionSecret: process.env["SHARELATEX_SESSION_SECRET"] or process.env["CRYPTO_RANDOM"]

 	# These credentials are used for authenticating api requests
 	# between services that may need to go over public channels