Encrypted Datasource Password, Used by Docker Container


Greg Moser

Sep 15, 2015, 2:07:47 PM
to Lucee
I'm setting up some quick-start Docker containers for Slatwall, and I need to pass the MySQL datasource password from an environment variable into a config file for the application. At the end of the day I want to write a file that has something like this in it:

this.datasources["slatwall"] = {
  class: 'org.gjt.mm.mysql.Driver'
  , connectionString: 'jdbc:mysql://mysql:3306/slatwall?useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true'
  , username: 'root'
  , password: "encrypted:1d47b6a5394fffcde0d64f1526b24a03c83a6ae87b00fade88080ee5b08bf655d425196e9695d555"
};



During instantiation with docker-compose we have a file that looks like this:

web:
  build: slatwall/slatwall-lucee
  ports:
   - "80:8080"
  links:
   - db
  environment:
   MYSQL_ROOT_PASSWORD: ChangeThis!
db:
  image: mysql
  ports:
   - "3306:3306"
  environment:
   MYSQL_ROOT_PASSWORD: ChangeThis!
   MYSQL_DATABASE: slatwall



As part of our entrypoint script we want to write the MYSQL_ROOT_PASSWORD environment variable of the slatwall/slatwall-lucee container into our application config, but I need to know how to encrypt the plain-text password into the encrypted format that Lucee can use.


Thoughts?


-Greg

John Cooper

Sep 18, 2015, 10:19:27 AM
to Lucee
I have been trying to do the same thing from my Puppet deployments. I did have a go at writing a Ruby encoder following the Java code in the source but never got it to work as expected. As the algorithm is fixed and can be decoded on any server using the secret key that is publicly available in the source, it does not add much protection, but it would stop me!

I have resorted to just entering the password into a local copy of lucee and grabbing the encrypted string out that config file.

john

Terry Whitney

Sep 18, 2015, 12:18:47 PM
to Lucee
Randomly generate the password, set the password, then inject it into the config file.

date +%s | sha256sum | base64 | head -c 32 > /tmp/MYpasswordFile; echo >> /tmp/MYpasswordFile

sed '/\[option\]/r /tmp/MYpasswordFile' input

where [option] would be the header of the config line you need to change.

rm -f /tmp/MYpasswordFile



Pete Freitag

Sep 18, 2015, 1:04:33 PM
to lu...@googlegroups.com
On Fri, Sep 18, 2015 at 12:18 PM, Terry Whitney <twhitn...@gmail.com> wrote:
Randomly generate the password, set the password  then inject it into the config file.

date +%s | sha256sum | base64 | head -c 32 > /tmp/MYpasswordFile; echo >> /tmp/MYpasswordFile
That's not really random, it's the current date hashed and encoded. 

If you want random use something like this instead:

openssl rand -base64 32

--
Pete Freitag
https://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - CFML Server Security Scanner
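To make Pete's point concrete, here is an added shell example (not code from Terry's or Pete's posts) that wraps the date-based pipeline and the openssl alternative in functions and shows that the first can be regenerated by anyone who can guess, to within a minute or so, when it was run. The function names and the search window are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a timestamp-derived "random"
# password is recoverable and contrasts it with a CSPRNG-backed one.

# The pipeline from the post, with the timestamp made an optional argument
# so the same value can be recomputed later (that is the whole problem).
weak_password() {
    ts="${1:-$(date +%s)}"
    printf '%s\n' "$ts" | sha256sum | base64 | head -c 32
}

# Recover the creation timestamp of a weak_password() value by trying every
# second in [center-window, center+window]. An attacker only needs to know
# roughly when the container was started (log timestamps, image push time,
# or the StartedAt field from `docker inspect`) to run the same loop.
brute_force_weak() {
    target="$1"; center="$2"; window="${3:-60}"
    t=$((center - window)); end=$((center + window))
    while [ "$t" -le "$end" ]; do
        if [ "$(weak_password "$t")" = "$target" ]; then
            echo "$t"
            return 0
        fi
        t=$((t + 1))
    done
    return 1
}

# What Pete suggests: 32 bytes (256 bits) from the OpenSSL CSPRNG, base64 encoded.
# The entropy is in the random bytes, not in the length of the printed string.
strong_password() {
    openssl rand -base64 32
}

# Demonstration when run directly; skipped when the functions are sourced.
if [ "${1:-}" = "demo" ]; then
    start=$(date +%s)
    pw=$(weak_password "$start")
    echo "weak password:        $pw"
    echo "recovered timestamp:  $(brute_force_weak "$pw" $((start + 30)) 60)  (actual: $start)"
    echo "strong password:      $(strong_password)"
fi
```

Run it as `sh example.sh demo`: the weak password is recovered from a guess that is 30 seconds off, because a 32-character string whose only input is a Unix timestamp carries roughly the entropy of that timestamp, not of its length.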

John Cooper

Sep 21, 2015, 11:15:46 AM
to Lucee
Hi Terry,

That would set the database access password to a random(ish) string. Not sure that helps.

What I want is to take a known database password. Encrypt it using the algorithm that Lucee uses for storing it in the config file and then insert that into the config file.

Ideally a cli type tool would allow me to generate that somehow.

john

Greg Moser

Sep 21, 2015, 12:00:40 PM
to lu...@googlegroups.com

I'm distributing an application via Docker and want the end user to be able to set their password as an environment variable. If they choose for it to be random, they can enable that during the running of the container by creating a random string to be passed to both the Lucee and MySQL containers. However, if they want it to be something known to them so that they can connect to port 3306 and run mysql commands directly... that should be fine too.

It seems as though this thread got off topic by talking about how to generate a random string.  I am asking how any string, random or not, can be encrypted using whatever key lucee uses for storing datasource passwords.

Unless of course I could use a non encrypted password in my Application.cfc, but I've never seen examples of that working.

--
See Lucee at CFCamp Oct 22 & 23 2015 @ Munich Airport, Germany - Get your ticket NOW - http://www.cfcamp.org/
---
You received this message because you are subscribed to a topic in the Google Groups "Lucee" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/lucee/4R_xOyfZ0fE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/lucee/19513526-bf27-4289-891e-7292c456b291%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Terry Whitney

Sep 21, 2015, 12:01:53 PM
to Lucee
If you already have the target system, and know the password then why not just distribute the configuration files with your application?

Greg Moser

Sep 21, 2015, 12:03:53 PM
to lu...@googlegroups.com

I don't know the password.  The point is to allow people to define whatever password they want.  Otherwise everyone running Slatwall would have the same password.  It is an open source eCommerce application.


Greg Moser

Sep 21, 2015, 12:16:43 PM
to lu...@googlegroups.com

Take a look at how MySQL containers are run using environment variables.

https://hub.docker.com/_/mysql/

For example, mysql wouldn't distribute their containers with everyone running the same MYSQL_ROOT_PASSWORD and that is why they allow you to define it when you instantiate their container.

I have a Lucee container with Slatwall (http://www.slatwallcommerce.com) sitting on top of it. Both the MySQL container and the Slatwall/Lucee container get run at the same time. When that happens you want to pass the same password into both containers as an environment variable. Then, as part of my Slatwall/Lucee container, I need to encrypt that password in the way that Lucee likes so that the two containers can talk to each other.

You would typically use a YAML file and docker-compose to spin up these two containers in concert. You can look at something like this Magento container and how it expects a MySQL password as an environment variable:
https://hub.docker.com/r/alexcheng/magento/

-Greg


Terry Whitney

Sep 21, 2015, 12:23:49 PM
to Lucee
Well, keep in mind I am a Sysadmin first, so I think of shortest route possible to result.

I would look at the Lucee CFCs that run the DB configuration. A quick trip down the source shows SALT mentioned a few times. You more than likely could create an installer that calls a custom CFC that creates the DB source for you, all the while running cfexecute to add the credentials needed for a MySQL user.

Greg Moser

Sep 21, 2015, 12:39:11 PM
to lu...@googlegroups.com
Can you point me to the cfc's that you are talking about?  Where are they in the codebase of Lucee?


Greg Moser

Sep 21, 2015, 12:40:28 PM
to lu...@googlegroups.com
Also, I think that your first point of just distributing the config files makes a ton of sense. When I've done my own personal deployment using Docker containers in the past that is exactly what I've done... so the advice is well received, I just need to do something a little different for this use case.


Terry Whitney

Sep 21, 2015, 3:24:56 PM
to Lucee
I would look at their GitHub repository, namely the files that make up the admin area.

You can do a search and you get pages of data.


Geoff Bowers

Sep 21, 2015, 10:13:10 PM
to Lucee
On Wednesday, 16 September 2015 04:07:47 UTC+10, Greg Moser wrote:

As part of our entrypoint script we want to write the environment variable of MYSQL_ROOT_PASSWORD on the slatwall/slatwall-lucee container into our application config, but I need to know how to encrypt the plain text password, into the encrypted format that Lucee can use.


Don't you have to pass the mysql password as clear text from the compose file for your mysql container?  If so, just pass the datasource password in clear text to lucee; it does not need to be encrypted.

For future reference, one way to deal with the password encryption in Lucee/Railo is using Brad's little utility:

As an aside, I find the tutum/mysql container a little bit more useful than the default as it allows you to set passwords, and create your database on container creation all via ENV variables:

Hope that helps,

-- geoff
twitter. @modius
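As an added example of Geoff's suggestion (this is not code from the thread, nor Slatwall's or Lucee's own entrypoint), here is a POSIX shell entrypoint fragment that renders Application.cfc with the datasource password taken from the environment in clear text. The webroot path, the `this.name` value, the MYSQL_HOST/LUCEE_WEBROOT variables and the function names are assumptions. The quoting helper doubles `"` and `#`, since both have special meaning inside a CFML string literal, and the file is written with a restrictive mode because it now holds a secret.

```shell
#!/bin/sh
# Added example (not from the thread, Slatwall or Lucee): render a clear-text
# datasource into Application.cfc from MYSQL_ROOT_PASSWORD at container start.
set -eu

# Make a value safe inside a CFML double-quoted string: a literal " is written
# as "" and a literal # as ## (a lone # starts an interpolation in CFML).
cfml_quote() {
    printf '%s' "$1" | sed 's/"/""/g; s/#/##/g'
}

# render_datasource DEST_FILE DB_HOST DB_NAME DB_USER DB_PASSWORD
# Writes the file with mode 0640 so the secret is not world-readable.
render_datasource() {
    dest="$1"; host="$2"; db="$3"; user="$4"; pass="$5"
    if [ -z "$pass" ]; then
        echo "render_datasource: refusing to write an empty datasource password" >&2
        return 1
    fi
    # umask in a subshell so the entrypoint's own umask is untouched for exec.
    (
        umask 027
        cat > "$dest" <<EOF
component {
    this.name = "slatwall";
    this.datasources["slatwall"] = {
        class: "org.gjt.mm.mysql.Driver",
        connectionString: "jdbc:mysql://${host}:3306/${db}?useUnicode=true&characterEncoding=UTF-8&useLegacyDatetimeCode=true",
        username: "$(cfml_quote "$user")",
        password: "$(cfml_quote "$pass")"
    };
}
EOF
    )
}

# Entrypoint behaviour: only runs when the compose file supplied the password,
# so the functions can also be sourced without side effects. Paths assumed.
if [ -n "${MYSQL_ROOT_PASSWORD:-}" ]; then
    render_datasource "${LUCEE_WEBROOT:-/var/www}/Application.cfc" \
        "${MYSQL_HOST:-mysql}" "${MYSQL_DATABASE:-slatwall}" root "$MYSQL_ROOT_PASSWORD"
    # exec "$@"   # then hand off to the real command (e.g. the Tomcat start script)
fi
```

The password never hits the image layer or the build context; it exists in the container's environment and in a file readable only by the Lucee user, which is the same exposure the MySQL container already accepts for MYSQL_ROOT_PASSWORD.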

Greg Moser

Sep 22, 2015, 11:05:06 AM
to lu...@googlegroups.com
That is fantastic.  I had assumed that it needed to be encrypted, and didn't realize that it could be in clear text.

Also, thank you for pointing me towards that utility that Brad put together.  I'm sure it will come in handy!

-Greg


Greg Moser

Sep 22, 2015, 8:35:21 PM
to Lucee
Ok, new issue... Now it appears that there is an issue with using <cfdbinfo /> on a datasource that gets set up via the Application.cfc. In short, <cfdbinfo /> only recognizes datasources that are set up within the administrator, which is itself a separate issue that should be resolved at some point. Because we use <cfdbinfo /> in a couple of key places in the application, I'm trying to find an alternate solution for setting up the datasource in the lucee-server.xml.

HERE IS MY NEW QUESTION:

Is there any way to pull environment variables into lucee-server.xml? I was able to successfully pull one into CFML by doing the following:

createObject("java", "java.lang.System").getenv().get("MYSQL_ROOT_PASSWORD")

Now, I'm wondering if I could do something like:

${MYSQL_ROOT_PASSWORD} in the lucee-server.xml file

Does anyone know if this is possible?

-Greg


Terry Whitney

Sep 24, 2015, 3:12:28 PM
to Lucee
I would not want to mess with a configuration file, but you could easily create, read and write a file in a directory Lucee has permissions for.

You could use cfexecute to run a bash script to read the environment variables and post those to a file.

Geoff Bowers

Sep 25, 2015, 12:01:31 AM
to Lucee


On Wednesday, 23 September 2015 10:35:21 UTC+10, Greg Moser wrote:
Is there anyway to pull environment variables into lucee-server.xml, I was able to successfully pull it into CFML doing the following:

createObject("java", "java.lang.System").getenv().get("MYSQL_ROOT_PASSWORD")

Now, I'm wondering if I could do something like:

${MYSQL_ROOT_PASSWORD} in the lucee-server.xml file

Does anyone know if this is possible?

Variable replacement in the lucee configs using ENV variables should eventually be possible in Lucee 5.  These two posts provide some background.


Hope that helps,

GB
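Until the engine does the substitution itself, the entrypoint can. The following added shell example (not Lucee's code and not from the thread) replaces `${NAME}` placeholders in lucee-server.xml with XML-attribute-escaped values and refuses to continue if any placeholder is left unresolved. The template line used in the test is constructed for the example; the element and attribute names in it, the default config path and the LUCEE_SERVER_XML variable are assumptions about the lucee-server.xml layout.

```shell
#!/bin/sh
# Added example (not from the thread or Lucee): substitute ${NAME} placeholders
# in an XML config from environment variables, escaping for attribute context.

# Escape a value for use inside a double-quoted XML attribute.
# '&' is handled first so the entities it produces are not escaped again.
xml_attr_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# substitute_placeholder FILE NAME VALUE
# Replaces every literal ${NAME} in FILE with the escaped VALUE, in place,
# keeping the file's existing mode. The placeholder and value travel via the
# environment rather than awk -v, so backslashes in the password survive intact.
substitute_placeholder() {
    file="$1"
    PH="\${$2}" VAL="$(xml_attr_escape "$3")" awk '
        BEGIN { ph = ENVIRON["PH"]; val = ENVIRON["VAL"]; n = length(ph) }
        {
            out = ""; line = $0
            while ((i = index(line, ph)) > 0) {
                out = out substr(line, 1, i - 1) val
                line = substr(line, i + n)
            }
            print out line
        }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# check_no_placeholders FILE: succeeds only if no ${...} remains, so a missing
# variable fails the container start instead of shipping a literal placeholder.
check_no_placeholders() {
    ! grep -q '\${[A-Za-z_][A-Za-z0-9_]*}' "$1"
}

# Entrypoint usage; only runs when the variable is present so the functions can
# be sourced without side effects. The config path is an assumption.
if [ -n "${MYSQL_ROOT_PASSWORD:-}" ]; then
    cfg="${LUCEE_SERVER_XML:-/opt/lucee/server/lucee-server/context/lucee-server.xml}"
    substitute_placeholder "$cfg" MYSQL_ROOT_PASSWORD "$MYSQL_ROOT_PASSWORD"
    check_no_placeholders "$cfg" || { echo "unresolved placeholder in $cfg" >&2; exit 1; }
fi
```

The escaping step is the part a plain `sed "s/\${MYSQL_ROOT_PASSWORD}/$MYSQL_ROOT_PASSWORD/"` gets wrong: a password containing `&`, `<` or `"` would either break the XML or be silently altered by sed's replacement syntax, and the fail-closed check means a typo in the compose file surfaces as a refused start rather than a datasource with the literal password `${MYSQL_ROOT_PASSWORD}`.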

Greg Moser

Sep 25, 2015, 11:59:00 AM
to lu...@googlegroups.com
Thanks Geoff,

For any future readers: I was able to get a datasource set up at runtime of a Docker container, and this is the Dockerfile and supporting files:

I was also able to encrypt a lucee administrator password as part of my entrypoint bash script here:

For some reason I'm not able to generate a unique salt for the administrative password (although I tried), and I'm not sure exactly why.

Anyway, thanks for all the help everyone.... and if you want to test out Slatwall, you can run the docker-compose in that git-repo and it should spin up a container with MySQL for you.

-Greg



Dominic Watson

Sep 25, 2015, 12:03:46 PM
to lu...@googlegroups.com
We set up datasources in Application.cfc and then inspect them with cfdbinfo without any problems, so perhaps there is something else going on, Greg?

Greg Moser

Sep 25, 2015, 12:06:58 PM
to lu...@googlegroups.com
I think that the issue might be using cfdbinfo in the Application.cfc directly. If I use it in the general application it is fine; it is that we also sometimes run a cfdbinfo for pre-ormUpdate scripts to run.


Dominic Watson

Sep 25, 2015, 12:10:42 PM
to lu...@googlegroups.com
> I think that the issue might be using cfdbinfo in the Application.cfc directly.

Right, yes - there is certainly some odd behaviour when setting application settings in Application.cfc and then trying to use them immediately. Same with mappings.
