check validity of FERNETKEY, update readme

aptalca · aptalca · commit 61ada0b8bf76 · 2020-07-21T13:42:10.000-04:00
diff --git a/README.md b/README.md
@@ -64,6 +64,7 @@ Here are some example snippets to help you get started creating a container.
 docker create \
   --name=ldap-auth \
   -e TZ=Europe/London \
+  -e FERNETKEY= `#optional` \
   -p 8888:8888 \
   -p 9000:9000 \
   --restart unless-stopped \
@@ -84,6 +85,7 @@ services:
     container_name: ldap-auth
     environment:
       - TZ=Europe/London
+      - FERNETKEY= #optional
     ports:
       - 8888:8888
       - 9000:9000
@@ -99,6 +101,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-p 8888` | the port for ldap auth daemon |
 | `-p 9000` | the port for ldap login page |
 | `-e TZ=Europe/London` | Specify a timezone to use EG Europe/London |
+| `-e FERNETKEY=` | Optionally define a custom fernet key, has to be base64-encoded 32-byte (only needed if container is frequently recreated, or if using multi-node setups, invalidating previous authentications) |
 
 ## Environment variables from files (Docker secrets)
 
@@ -123,7 +126,7 @@ Keep in mind umask is not chmod it subtracts from permissions based on it's valu
 
 - This container itself does not have any settings and it relies on the pertinent information passed through in http headers of incoming requests. Make sure that your webserver is set up with the right config.
 - Here's a sample config: [nginx-ldap-auth.conf](https://github.com/nginxinc/nginx-ldap-auth/blob/master/nginx-ldap-auth.conf).
-- Unlike the upstream project, this image encodes the cookie information with fernet, using a randomly generated key during container creation.
+- Unlike the upstream project, this image encodes the cookie information with fernet, using a randomly generated key during container creation (or optionally user defined).
 - Also unlike the upstream project, this image serves the login page at `/ldaplogin` (as well as `/login`) to prevent clashes with reverse proxied apps that may also use `/login` for their internal auth.
 
 
@@ -197,6 +200,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **21.07.20:** - Add support for optional user defined fernet key.
 * **02.06.20:** - Rebasing to alpine 3.12, serve login page at `/ldaplogin` as well as `/login`, to prevent clashes with reverese proxied apps.
 * **17.05.20:** - Add support for self-signed CA certs.
 * **20.02.20:** - Switch to python3.
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -24,18 +24,24 @@ param_ports:
   - { external_port: "9000", internal_port: "9000", port_desc: "the port for ldap login page" }
 param_usage_include_env: true
 param_env_vars:
-  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London"}
+  - { env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London" }
+
+# optional container parameters
+opt_param_usage_include_env: true
+opt_param_env_vars:
+  - { env_var: "FERNETKEY", env_value: "", desc: "Optionally define a custom fernet key, has to be base64-encoded 32-byte (only needed if container is frequently recreated, or if using multi-node setups, invalidating previous authentications)" }
 
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
   - This container itself does not have any settings and it relies on the pertinent information passed through in http headers of incoming requests. Make sure that your webserver is set up with the right config.
   - Here's a sample config: [nginx-ldap-auth.conf](https://github.com/nginxinc/nginx-ldap-auth/blob/master/nginx-ldap-auth.conf).
-  - Unlike the upstream project, this image encodes the cookie information with fernet, using a randomly generated key during container creation.
+  - Unlike the upstream project, this image encodes the cookie information with fernet, using a randomly generated key during container creation (or optionally user defined).
   - Also unlike the upstream project, this image serves the login page at `/ldaplogin` (as well as `/login`) to prevent clashes with reverse proxied apps that may also use `/login` for their internal auth.
 
 # changelog
 changelogs:
+  - { date: "21.07.20:", desc: "Add support for optional user defined fernet key." }
   - { date: "02.06.20:", desc: "Rebasing to alpine 3.12, serve login page at `/ldaplogin` as well as `/login`, to prevent clashes with reverese proxied apps." }
   - { date: "17.05.20:", desc: "Add support for self-signed CA certs." }
   - { date: "20.02.20:", desc: "Switch to python3." }
diff --git a/root/etc/cont-init.d/30-config b/root/etc/cont-init.d/30-config
@@ -2,7 +2,11 @@
 
 # generate fernet key for ldap if it doesn't exist
 if grep -q 'REPLACEWITHFERNETKEY' /app/ldap-backend-app.py; then
-    if [[ -z "${FERNETKEY}" ]]; then
+    if [ -z "${FERNETKEY}" ]; then
+        KEY=$(python3 /app/fernet-key.py)
+        echo "generated fernet key"
+    elif [ $(openssl base64 -d <<< "${FERNETKEY}" | wc -c) != "32" ]; then
+        echo "FERNETKEY env var is not set to a base64 encoded 32-byte key"
         KEY=$(python3 /app/fernet-key.py)
         echo "generated fernet key"
     else
