From b92084b66893b01e832644f020415313bc0736c9 Mon Sep 17 00:00:00 2001 From: CNE FICHEPOIL Pierre Date: Wed, 12 Mar 2025 16:39:50 +0100 Subject: [PATCH 1/3] Allow root password to be updated using ENV variable --- .../server/security/ServerSecurity.java | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java index 6eb6b91122..fa96dd96df 100644 --- a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java +++ b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java @@ -125,8 +125,25 @@ public void loadUsers() { } } + String rootPassword = server != null ? + server.getConfiguration().getValueAsString(GlobalConfiguration.SERVER_ROOT_PASSWORD) : + GlobalConfiguration.SERVER_ROOT_PASSWORD.getValueAsString(); if (users.isEmpty() || (users.containsKey("root") && users.get("root").getPassword() == null)) + { askForRootPassword(); + } + else if (rootPassword != null && (users.containsKey("root") && users.get("root").getPassword() != rootPassword)) + { + credentialsValidator.validateCredentials("root", rootPassword); + + final String encodedPassword = encodePassword(rootPassword, ServerSecurity.generateRandomSalt()); + + if (existsUser("root")) { + getUser("root").setPassword(encodedPassword); + saveUsers(); + } + } + final long fileLastModified = usersRepository.getFileLastModified(); if (fileLastModified > -1 && reloadConfigurationTimer == null) { From bdd4a3723b729445847523d41812decedf837220 Mon Sep 17 00:00:00 2001 From: CNE FICHEPOIL Pierre Date: Wed, 12 Mar 2025 16:45:27 +0100 Subject: [PATCH 2/3] removed extra root existance check --- .../java/com/arcadedb/server/security/ServerSecurity.java | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) 
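Review bot: The guard `users.get("root").getPassword() != rootPassword` in the new `else if` is always true, because `!=` compares String references and the stored value is the salted hash written by `encodePassword`, never the configured plaintext. As written, every `loadUsers()` call with `SERVER_ROOT_PASSWORD` set re-hashes the password with a fresh salt and rewrites the users file; if the reload timer at the end of the hunk re-runs `loadUsers()` when that file changes, the rewrite may repeat. The condition should verify the configured plaintext against the stored hash with the same routine login uses (if that is `passwordMatch`, then `!passwordMatch(rootPassword, users.get("root").getPassword())`) and skip the update when it already matches. The same comparison reappears as `curRootPassword != pickedNewRootPassword` in patch 3/3. A log line recording that the root password was replaced from configuration, without the value, would give operators an audit trail; `loadUsers()` starts and ends outside the hunk.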
diff --git a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java index fa96dd96df..3fd188fc70 100644 --- a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java +++ b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java @@ -137,11 +137,8 @@ else if (rootPassword != null && (users.containsKey("root") && users.get("root") credentialsValidator.validateCredentials("root", rootPassword); final String encodedPassword = encodePassword(rootPassword, ServerSecurity.generateRandomSalt()); - - if (existsUser("root")) { - getUser("root").setPassword(encodedPassword); - saveUsers(); - } + getUser("root").setPassword(encodedPassword); + saveUsers(); } From e742d90154c5a845612ed3fa6f886d3c6efabc9d Mon Sep 17 00:00:00 2001 From: CNE FICHEPOIL Pierre Date: Wed, 12 Mar 2025 17:28:02 +0100 Subject: [PATCH 3/3] Also allow rootPasswordPath to overwrite the root password --- .../server/security/ServerSecurity.java | 31 +++++++++++++++---- 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java index 3fd188fc70..1ff9f779f7 100644 --- a/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java +++ b/server/src/main/java/com/arcadedb/server/security/ServerSecurity.java 
@@ -125,20 +125,39 @@ public void loadUsers() { } } - String rootPassword = server != null ? + final String rootPasswordFromEnv = server != null ? server.getConfiguration().getValueAsString(GlobalConfiguration.SERVER_ROOT_PASSWORD) : GlobalConfiguration.SERVER_ROOT_PASSWORD.getValueAsString(); + + + + final String rootPasswordPath = server != null ? + server.getConfiguration().getValueAsString(GlobalConfiguration.SERVER_ROOT_PASSWORD_PATH) : + GlobalConfiguration.SERVER_ROOT_PASSWORD_PATH.getValueAsString(); + + + final String rootPasswordFromFile = rootPasswordPath != null ? (Files.isReadable(Path.of(rootPasswordPath)) ? Files.readString(Path.of(rootPasswordPath)) : null) : null; + if (users.isEmpty() || (users.containsKey("root") && users.get("root").getPassword() == null)) { askForRootPassword(); } - else if (rootPassword != null && (users.containsKey("root") && users.get("root").getPassword() != rootPassword)) + else if ((rootPasswordFromFile != null || rootPasswordFromEnv != null) && (users.containsKey("root"))) { - credentialsValidator.validateCredentials("root", rootPassword); + final String curRootPassword = users.get("root").getPassword(); + if (rootPasswordFromFile != null && rootPasswordFromEnv != null) + LogManager.instance().log(this, Level.WARNING, "Both `arcadedb.server.rootPassword` and `arcadedb.server.rootPasswordPath` settings were used, falling back to `arcadedb.server.rootPasswordPath`"); + + final String pickedNewRootPassword = rootPasswordFromFile == null ? 
rootPasswordFromEnv : rootPasswordFromFile; - final String encodedPassword = encodePassword(rootPassword, ServerSecurity.generateRandomSalt()); - getUser("root").setPassword(encodedPassword); - saveUsers(); + + if (curRootPassword != pickedNewRootPassword) + { + credentialsValidator.validateCredentials("root", pickedNewRootPassword); + final String encodedPassword = encodePassword(pickedNewRootPassword, ServerSecurity.generateRandomSalt()); + getUser("root").setPassword(encodedPassword); + saveUsers(); + } }
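Review bot: `Files.readString(Path.of(rootPasswordPath))` takes the file content verbatim, so the trailing newline that secret files commonly end with becomes part of the root password handed to `validateCredentials` and `encodePassword`. A path that is configured but not readable also resolves silently to `null`, so the server falls back to the env value or keeps the old password with nothing in the log to explain why. I would read the file once, strip trailing whitespace and warn when the path is set but unreadable, as in the excerpt below; whether `loadUsers()` declares the `IOException` thrown by `readString` is not visible in the hunk. The both-set warning says "falling back to" although the code gives the file precedence, so "using" would describe it better.

```java
// … unchanged: rootPasswordFromEnv and rootPasswordPath lookups …
String rootPasswordFromFile = null;
if (rootPasswordPath != null) {
  final Path rootPasswordFile = Path.of(rootPasswordPath);
  if (Files.isReadable(rootPasswordFile))
    // Secret files usually end with a line terminator; keep it out of the password.
    rootPasswordFromFile = Files.readString(rootPasswordFile).stripTrailing();
  else
    LogManager.instance().log(this, Level.WARNING,
        "`arcadedb.server.rootPasswordPath` is set but the file is not readable, ignoring it");
}
// … unchanged: askForRootPassword branch and password selection …
```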