Add script to auto-generate the xkcd passwords

This simplifies setting up the contests and makes that we set reasonable
strength passwords by default. In case you make multiple groups (for
example WF4{47}) we can work from the templates set in git.

Author: Michael Vasseur

provision-contest/ansible/README.md

@@ -24,7 +24,11 @@ to prevent duplication.
 Global and group variables are stored under `group_vars`. The file
 `group_vars/all/secret.yml.example` should be copied to
 `group_vars/all/secret.yml` and then all variables should be set
-and/or modified as required.
+and/or modified as required. The script `generate_passwords.py` can be used
+to prefill some of those passwords with a xkcd style password. In `secret.yml.example`
+the passwords can be listed as either `{some-password}` or `some-password` the `{}` is *not*
+required but only used as anchor for the script, so adding the `{}` would make it part of the
+password.
 
 There are a few places where additional files should/can be added:
 * SSH public/private keys under `roles/ssh/files/`.

provision-contest/ansible/generate_passwords.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+# Script based on: https://pypi.org/project/xkcdpass/
+from xkcdpass import xkcd_password as xp
+import re, os
+
+words = xp.generate_wordlist(wordfile=xp.locate_wordfile(), min_length=3, max_length=8)
+
+for root,_,files in os.walk('group_vars'):
+    out = ''
+    if '/' not in root:
+        continue
+    if 'secret.yml.example' not in files:
+        continue
+    if os.path.isfile(os.path.join(root, 'secret.yml')):
+        print("Secret file exists already, exiting.")
+        exit(-1)
+    with open(os.path.join(root, 'secret.yml.example'), 'r') as fi:
+        for line in fi:
+            if '{' in line:
+                parms = str(re.search('{.*}', line).group())[1:-1]
+                if '-' in parms:
+                    if 'strong' in parms:
+                        vls = {parms: xp.generate_xkcdpassword(words, numwords=5, delimiter='-')}
+                    else:
+                        vls = {parms: xp.generate_xkcdpassword(words, numwords=3, delimiter='-')}
+                    out += line.format(**vls)
+            else:
+                out += line
+    with open(os.path.join(root, 'secret.yml'), 'w') as fo:
+        fo.write(out)

provision-contest/ansible/group_vars/all/secret.yml.example

@@ -1,30 +1,36 @@
+# Templated passwords as `{some-strong-password}` are written to make sure our
+# script detects those, if you manually change those the `{}` are not required and
+# would become part of the password.
+# Adding `strong` in the template will create longer passwords and is used for the
+# passwords which almost never need to be manually typed.
+
 # Password for the MySQL replication user.
 # Set this to enable master-master replication between two domservers.
-#REPLICATION_PASSWORD: some-replication-password
+#REPLICATION_PASSWORD: {some-strong-replication-password}
 
 # Database user password.
-DB_PASSWORD: some-database-password
+DB_PASSWORD: {some-strong-database-password}
 
 # Credentials for the judgehost.
 JUDGEHOST_USER: judgehost
-JUDGEHOST_PASSWORD: some-judgehost-password
+JUDGEHOST_PASSWORD: {some-strong-judgehost-password}
 
 # Username and password to be used in .netrc files on admin machines
 ADMIN_USER: admin
-ADMIN_PASSWORD: some-admin-password
+ADMIN_PASSWORD: {some-admin-password}
 
 # Password for domjudge shell user
 # Set this to enable a password on the 'domjudge' shell accounts
 # created on the domserver and judgehosts.
-#DJ_SHELL_USER_PW: some-hashed-password
+#DJ_SHELL_USER_PW: {some-hashed-password}
 
 # Accounts to create when setting up the CDS
 CDS_ACCOUNTS:
     - username: admin
-      password: adm1n
+      password: {some-adm1n-password}
       type: admin
     - username: presAdmin
-      password: padm1n
+      password: {some-presentation-adm1n-password}
       type: admin
     - username: blue
       password: blu3
@@ -36,7 +42,7 @@ CDS_ACCOUNTS:
       password: publ1c
       type: public
     - username: presentation
-      password: presentat1on
+      password: {some-public-presentation-password}
       type: public
     - username: myicpc
       password: my1cpc