From 316047b1d394686b75dfe4755c7f2d324182f642 Mon Sep 17 00:00:00 2001 From: Girish Ramakrishnan Date: Tue, 20 Feb 2024 11:02:56 +0100 Subject: [PATCH] minio does not show the password login by default when OIDC is setup we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly) --- Dockerfile | 2 +- POSTINSTALL.md | 16 ++++----- env.sh | 9 ------ env.sh.template | 4 +++ start.sh | 13 +++++++- test/package-lock.json | 14 ++++---- test/package.json | 2 +- test/test.js | 73 +++++++++++++++++++++++------------------- 8 files changed, 72 insertions(+), 61 deletions(-) delete mode 100644 env.sh create mode 100644 env.sh.template diff --git a/Dockerfile b/Dockerfile index 5616f1d..2d91c91 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,6 +11,6 @@ RUN wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.${VERS # https://dl.min.io/client/mc/release/linux-amd64/ RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc -COPY env.sh start.sh /app/code/ +COPY env.sh.template start.sh /app/code/ CMD [ "/app/code/start.sh" ] diff --git a/POSTINSTALL.md b/POSTINSTALL.md index 637d4c6..cb09066 100644 --- a/POSTINSTALL.md +++ b/POSTINSTALL.md @@ -1,21 +1,19 @@ + Please use the following credentials to login: **Username**: minioadmin
**Password**: minioadmin
Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials). +
-By default, Cloudron users have `readwrite` access policy. -If you'd like to change it, you should create a respective policy by following [Minio documentation](https://min.io/docs/minio/linux/administration/identity-access-management/policy-based-access-control.html) -After that you should add the variable `MINIO_IDENTITY_OPENID_ROLE_POLICY` in /app/data/env.sh, e.g. +Please use the following credentials to login via 'Other Authentication Methods' -> 'Use Credentials': -``` -export MINIO_IDENTITY_OPENID_ROLE_POLICY="new-policy-name" -``` +**Username**: minioadmin
+**Password**: See `MINIO_ROOT_PASSWORD` in `/app/data/env.sh` Open File Manager
-Where `new-policy-name` is the policy you have created. +Cloudron users have `readwrite` access policy. See the [docs](https://cloudron.io/documentation/apps/minio/#admin-credentials) on how to change it. -Be sure to restart the app after making changes. -
+ diff --git a/env.sh b/env.sh deleted file mode 100644 index 6aad718..0000000 --- a/env.sh +++ /dev/null @@ -1,9 +0,0 @@ -# Add custom minio configuration to this file. Restart the app for changes to take effect. - -export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data' - -# See https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ROOT_USER -# You can use pwgen -1s 64 to generate usernames and passwords -export MINIO_ROOT_USER=minioadmin -export MINIO_ROOT_PASSWORD=minioadmin - diff --git a/env.sh.template b/env.sh.template new file mode 100644 index 0000000..dfdc06d --- /dev/null +++ b/env.sh.template @@ -0,0 +1,4 @@ +# Add custom minio configuration to this file. Restart the app for changes to take effect. + +export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data' + diff --git a/start.sh b/start.sh index f8f8657..a25c947 100755 --- a/start.sh +++ b/start.sh @@ -5,7 +5,18 @@ set -eu mkdir -p /app/data/data /run/minio/config /run/minio/certs # env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know) -[[ ! -f /app/data/env.sh ]] && cp /app/code/env.sh /app/data/env.sh +if [[ ! -f /app/data/env.sh ]]; then + echo "=> First run" + cp /app/code/env.sh.template /app/data/env.sh + # minio does not show the password login by default when OIDC is setup (https://github.com/minio/minio/discussions/16928) + # we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly) + if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then + echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=$(pwgen -1s 20)\n\n" >> /app/data/env.sh + else + echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=minioadmin\n\n" >> /app/data/env.sh + fi +fi + source /app/data/env.sh # https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL diff --git a/test/package-lock.json b/test/package-lock.json index 5b5ff42..1c404e8 100644 --- a/test/package-lock.json +++ b/test/package-lock.json @@ -12,7 +12,7 @@ "chromedriver": "^121.0.2", "expect.js": "^0.3.1", "mocha": "^10.3.0", - "selenium-webdriver": "^4.17.0", + "selenium-webdriver": "^4.18.1", "superagent": "^8.1.2" } }, @@ -1192,9 +1192,9 @@ "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "node_modules/selenium-webdriver": { - "version": "4.17.0", - "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz", - "integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz", + "integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==", "dependencies": { "jszip": "^3.10.1", "tmp": "^0.2.1", @@ -2408,9 +2408,9 @@ "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==" }, "selenium-webdriver": { - "version": "4.17.0", - "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.17.0.tgz", - "integrity": "sha512-e2E+2XBlGepzwgFbyQfSwo9Cbj6G5fFfs9MzAS00nC99EewmcS2rwn2MwtgfP7I5p1e7DYv4HQJXtWedsu6DvA==", + "version": "4.18.1", + "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.18.1.tgz", + "integrity": "sha512-uP4OJ5wR4+VjdTi5oi/k8oieV2fIhVdVuaOPrklKghgS59w7Zz3nGa5gcG73VcU9EBRv5IZEBRhPr7qFJAj5mQ==", "requires": { "jszip": "^3.10.1", "tmp": "^0.2.1", diff --git a/test/package.json b/test/package.json index f59e080..2addaea 100644 --- a/test/package.json +++ b/test/package.json @@ -12,7 +12,7 @@ "chromedriver": "^121.0.2", "expect.js": "^0.3.1", "mocha": "^10.3.0", - "selenium-webdriver": "^4.17.0", + "selenium-webdriver": "^4.18.1", "superagent": "^8.1.2" } } diff --git a/test/test.js b/test/test.js index 152e0a5..597be59 100644 --- a/test/test.js +++ b/test/test.js @@ -34,7 +34,7 @@ describe('Application life cycle test', function () { const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' }; let browser, app; - var athenticated_by_oidc = false; + let athenticated_by_oidc = false, rootPassword; let username = process.env.USERNAME; let password = process.env.PASSWORD; @@ -57,7 +57,10 @@ describe('Application life cycle test', function () { expect(app).to.be.an('object'); } - async function login(accessKey='minioadmin', secretKey='minioadmin') { + async function login(username, password) { + await browser.manage().deleteAllCookies(); + await browser.get('about:blank'); + await browser.sleep(2000); await browser.get(`https://${app.fqdn}/login`); await browser.sleep(2000); @@ -68,8 +71,8 @@ describe('Application life cycle test', function () { await browser.sleep(2000); } await waitForElement(By.id('accessKey')); - await browser.findElement(By.id('accessKey')).sendKeys(accessKey); - await browser.findElement(By.id('secretKey')).sendKeys(secretKey); + await browser.findElement(By.id('accessKey')).sendKeys(username); + await browser.findElement(By.id('secretKey')).sendKeys(password); await browser.findElement(By.xpath('//button[@id="do-login"]')).click(); await waitForElement(By.xpath('//span[contains(text(), "Buckets")]')); await timers.setTimeout(5000); @@ -134,9 +137,27 @@ describe('Application life cycle test', function () { expect(response.body.toString('utf8')).to.contain('AccessDenied'); } + async function changeAdminCredentials() { + let data = fs.readFileSync(path.join(__dirname, '../env.sh.template'), 'utf8'); + data += '\nexport MINIO_ROOT_USER=minioakey\nexport MINIO_ROOT_PASSWORD=minioskey\n'; + fs.writeFileSync('/tmp/env.sh', data); + execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS); + execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); + await timers.setTimeout(10000); + } + + async function getAdminCredentials() { + execSync(`cloudron pull --app ${app.id} /app/data/env.sh /tmp/env.sh`, EXEC_ARGS); + const data = fs.readFileSync('/tmp/env.sh', 'utf8'); + const m = data.match(/MINIO_ROOT_PASSWORD=(.*)/); + if (!m) throw new Error('Could not detect root password'); + rootPassword = m[1].trim(); + console.log(`root password is [${rootPassword}]`); + } + xit('build app', function () { execSync('cloudron build', EXEC_ARGS); }); - // no SSO + // // no SSO it('install app (no SSO)', async function () { execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); await timers.setTimeout(10000); @@ -144,33 +165,25 @@ describe('Application life cycle test', function () { it('can get app information', getAppInfo); - it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); + it('can admin login', login.bind(null, 'minioadmin', 'minioadmin')); it('can add bucket', addBucket); it('can logout', logout); it('does redirect', checkRedirect); it('check api', checkApi); - it('can change Admin credentials', async function () { - let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8'); - data = data - .replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey') - .replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey'); - fs.writeFileSync('/tmp/env.sh', data); - execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS); + it('can change admin credentials', changeAdminCredentials); + it('can restart app', async function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); await timers.setTimeout(10000); }); - it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); }); - - it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); + it('can admin login', login.bind(null, 'minioakey', 'minioskey')); it('has bucket', checkBucket); it('can logout', logout); it('does redirect', checkRedirect); it('check api', checkApi); it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); - // SSO it('install app (SSO)', async function () { execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); @@ -178,8 +191,8 @@ describe('Application life cycle test', function () { }); it('can get app information', getAppInfo); - - it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); + it('can get admin credentials', getAdminCredentials); + it('can admin login', async function () { await login('minioadmin', rootPassword); }); it('can add bucket', addBucket); it('can logout', logout); it('does redirect', checkRedirect); @@ -189,20 +202,14 @@ describe('Application life cycle test', function () { it('has bucket', checkBucket); it('can logout', logout); - it('can change Admin credentials', async function () { - let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8'); - data = data - .replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey') - .replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey'); - fs.writeFileSync('/tmp/env.sh', data); - execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS); + it('can change admin credentials', changeAdminCredentials); + + it('can restart app', async function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); await timers.setTimeout(10000); }); - it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); }); - - it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); + it('can admin login', login.bind(null, 'minioakey', 'minioskey')); it('has bucket', checkBucket); it('can logout', logout); it('does redirect', checkRedirect); @@ -223,7 +230,7 @@ describe('Application life cycle test', function () { }); it('can get app information', getAppInfo); - it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); + it('can admin login', login.bind(null, 'minioakey', 'minioskey')); it('has bucket', checkBucket); it('can logout', logout); @@ -241,7 +248,7 @@ describe('Application life cycle test', function () { }); it('can get app information', getAppInfo); - it('can Admin login', login.bind(null, 'minioakey', 'minioskey')); + it('can admin login', login.bind(null, 'minioakey', 'minioskey')); it('has bucket', checkBucket); it('can logout', logout); @@ -255,7 +262,7 @@ describe('Application life cycle test', function () { it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); }); // test update - it('can install app', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); }); + it('can install app for update', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); }); it('can get app information', getAppInfo); it('can login', login.bind(null, 'minioadmin', 'minioadmin')); @@ -272,7 +279,7 @@ describe('Application life cycle test', function () { it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); }); it('can get app information', getAppInfo); - it('can Admin login', login.bind(null, 'minioadmin', 'minioadmin')); + it('can admin login', login.bind(null, 'minioadmin', 'minioadmin')); it('has bucket', checkBucket); it('can logout', logout);