refactor (build/gql-server): Introduce Hasura override config and a file to store Adm Password (#20993)

* Introduce Hasura override config and a password file * Add message when set a password to Hasura * add logs to inspect errors * fix config file name * test changing key file owner * test without override file * fix print status * store password as env var * changes suggested in PR
2024-08-30 11:49:58 -03:00 · 2024-08-30 11:49:58 -03:00 · acff8ba0f8
commit acff8ba0f8
parent 664dc2d8f2
4 changed files with 20 additions and 11 deletions
--- a/build/packages-template/bbb-graphql-server/after-install.sh
+++ b/build/packages-template/bbb-graphql-server/after-install.sh
@ -23,16 +23,20 @@ case "$1" in

  echo "Postgresql configured"

-  #Generate a random password to Hasura to improve security
-  HASURA_ADM_PASSWORD=$(grep '^HASURA_GRAPHQL_ADMIN_SECRET=' /etc/default/bbb-graphql-server | cut -d '=' -f 2)
-  if [ "$HASURA_ADM_PASSWORD" = "bigbluebutton" ]; then
-    echo "Set a random password to Hasura replacing the default 'bigbluebutton'"
-    HASURA_RANDOM_ADM_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g' | sed 's/+//g' | sed 's/\///g')
-    sed -i "s/HASURA_GRAPHQL_ADMIN_SECRET=bigbluebutton/HASURA_GRAPHQL_ADMIN_SECRET=$HASURA_RANDOM_ADM_PASSWORD/g" /etc/default/bbb-graphql-server
-    HASURA_ADM_PASSWORD="$HASURA_RANDOM_ADM_PASSWORD"
-  fi
+#Generate a random password to Hasura to improve security
+if [ ! -f /usr/share/bbb-graphql-server/admin-secret ]; then
+  mkdir -p /usr/share/bbb-graphql-server
+  chmod 700  /usr/share/bbb-graphql-server/
+  HASURA_RANDOM_ADM_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g' | sed 's/+//g' | sed 's/\///g')
+  echo "HASURA_GRAPHQL_ADMIN_SECRET=$HASURA_RANDOM_ADM_PASSWORD" > /usr/share/bbb-graphql-server/admin-secret
+  chown bigbluebutton:bigbluebutton /usr/share/bbb-graphql-server/admin-secret
+  chmod 600 /usr/share/bbb-graphql-server/admin-secret
+  echo "Set a random password to Hasura at /usr/share/bbb-graphql-server/admin-secret"
+fi

-  sed -i "s/^admin_secret: .*/admin_secret: $HASURA_ADM_PASSWORD/g" /usr/share/bbb-graphql-server/config.yaml
+#Set admin secret for Hasura CLI
+HASURA_ADM_PASSWORD=$(grep '^HASURA_GRAPHQL_ADMIN_SECRET=' /usr/share/bbb-graphql-server/admin-secret | cut -d '=' -f 2)
+sed -i "s/^admin_secret: .*/admin_secret: $HASURA_ADM_PASSWORD/g" /usr/share/bbb-graphql-server/config.yaml

  if [ ! -f /.dockerenv ]; then
    systemctl enable bbb-graphql-server.service
--- a/build/packages-template/bbb-graphql-server/bbb-graphql-server.service
+++ b/build/packages-template/bbb-graphql-server/bbb-graphql-server.service
@ -11,6 +11,10 @@ User=bigbluebutton
 Group=bigbluebutton
 WorkingDirectory=/usr/local/bin
 EnvironmentFile=/etc/default/bbb-graphql-server
+# Optional file (the service should not fail if the file does not exist)
+EnvironmentFile=-/etc/bigbluebutton/bbb-graphql-server.env
+# Load Hasura password
+EnvironmentFile=/usr/share/bbb-graphql-server/admin-secret
 ExecStart=/usr/local/bin/hasura-graphql-engine serve
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
@ -22,4 +26,3 @@ LimitNOFILE=4096

 [Install]
 WantedBy=multi-user.target bigbluebutton.target
-
--- a/build/packages-template/bbb-graphql-server/hasura-config.env
+++ b/build/packages-template/bbb-graphql-server/hasura-config.env
@ -8,7 +8,6 @@ HASURA_GRAPHQL_LIVE_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
 HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_REFETCH_INTERVAL=100
 HASURA_GRAPHQL_STREAMING_QUERIES_MULTIPLEXED_BATCH_SIZE=1000
 HASURA_GRAPHQL_SERVER_PORT=8085
-HASURA_GRAPHQL_ADMIN_SECRET=bigbluebutton
 HASURA_GRAPHQL_ENABLE_TELEMETRY=false
 HASURA_GRAPHQL_WEBSOCKET_KEEPALIVE=10
 HASURA_GRAPHQL_AUTH_HOOK=http://127.0.0.1:8901/userInfo
--- a/docs/docs/administration/configuration-files.md
+++ b/docs/docs/administration/configuration-files.md
@ -25,6 +25,9 @@ Starting with BigBlueButton 2.3 many of the configuration files have local overr
 | /usr/share/bbb-apps-akka/conf/application.conf                          | /etc/bigbluebutton/bbb-apps-akka.conf            |                                                                                  |
 | /usr/share/bbb-fsesl-akka/conf/application.conf                         | /etc/bigbluebutton/bbb-fsesl-akka.conf           |                                                                                  |
 | /var/bigbluebutton/html5-client/private/config/settings.yml             | /etc/bigbluebutton/bbb-html5.yml                 | Arrays are merged by replacement (as of 2.4-rc-5)                                |
+| /etc/default/bbb-graphql-server                                         | /etc/bigbluebutton/bbb-graphql-server.env        | It can replace any Hasura config but HASURA_GRAPHQL_ADMIN_SECRET                 |
+| /usr/share/bbb-graphql-server/admin-secret                              |                                                  | Stores Hasura admin password (HASURA_GRAPHQL_ADMIN_SECRET), it can be edited     |
+| /usr/share/bbb-graphql-middleware/config.yml                            | /etc/bigbluebutton/bbb-graphql-middleware.yml    |                                                                                  |
 | /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml         | /etc/bigbluebutton/turn-stun-servers.xml         | Replaces the original file                                                       |
 | /usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml              | /etc/bigbluebutton/bbb-webrtc-sfu/production.yml | Arrays are merged by replacement                                                 |
 | /usr/local/bigbluebutton/bbb-pads/config/settings.json                  | /etc/bigbluebutton/bbb-pads.json                 | Arrays are merged by replacement                                                 |