From 6b7f2fc0a17df275f3195448949cd0ed6f2667a9 Mon Sep 17 00:00:00 2001
From: "Alex Ellis (VMware)" <alexellis2@gmail.com>
Date: Fri, 13 Jul 2018 15:18:21 +0100
Subject: [PATCH] Enable basic-auth by default

The deployment script will enable basic-auth by default to help
avoid people deploying to a public IP with no protection from
malicious actors.

- In deploy_stack.sh, /dev/random can hang on some systems, so using
  urandom gives a better experience, even if the data is less "random".
  For the purposes of creating an initial basic auth password this
  is sufficient.
- Alpine Linux does not have the shasum command, but sha256sum.
- Tested on MacOS with and without --no-auth flag.
- Does not apply for armhf or powershell.

BASIC_AUTH env-var added by Vivek Syngh @viveksyngh

Signed-off-by: Alex Ellis (VMware) <alexellis2@gmail.com>
---
 deploy_stack.sh | 48 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/deploy_stack.sh b/deploy_stack.sh
index aaea8aa1..c38ce917 100755
--- a/deploy_stack.sh
+++ b/deploy_stack.sh
@@ -5,6 +5,50 @@ if ! [ -x "$(command -v docker)" ]; then
   exit 1
 fi
 
-echo "Deploying stack"
-docker stack deploy func --compose-file docker-compose.yml
+export BASIC_AUTH="true"
+
+sha_cmd="shasum -a 256"
+if ! command -v shasum >/dev/null; then
+  sha_cmd="sha256sum"
+fi
+
+while [ ! $# -eq 0 ]
+do
+	case "$1" in
+		--no-auth | -n)
+			export BASIC_AUTH="false"
+			;;
+    --help | -h)
+			echo "Usage: \n [default]\tdeploy the OpenFaaS core services\n --no-auth [-n]\tdisable basic authentication.\n --help\tdisplays this screen"
+      exit
+			;;
+	esac
+	shift
+done
+
+# Secrets should be created even if basic-auth is disabled.
+echo "Attempting to create credentials for gateway.."
+echo "admin" | docker secret create basic-auth-user -
+secret=$(head -c 16 /dev/urandom| $sha_cmd | cut -d " " -f 1)
+echo "$secret" | docker secret create basic-auth-password -
+if [ $? = 0 ];
+then
+  echo "[Credentials]\n username: admin \n password: $secret\n echo -n "$secret" | faas-cli login --username=admin --password-stdin"
+else
+  echo "[Credentials]\n already exist, not creating"
+fi
+
+if [ $BASIC_AUTH = "true" ];
+then
+  echo ""
+  echo "Enabling basic authentication for gateway.."
+  echo ""
+else
+  echo ""
+  echo "Disabling basic authentication for gateway.."
+  echo ""
+fi
 
+echo "Deploying OpenFaaS core services"
+
+docker stack deploy func --compose-file docker-compose.yml
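Review bot: The `if [ $? = 0 ]` test after `docker secret create basic-auth-password -` reports every failure as "already exist, not creating", so a daemon error or a node that is not a swarm manager looks the same as a pre-existing secret, and the script still proceeds to `docker stack deploy`. The exit status of the `basic-auth-user` creation just above it is not checked at all. Consider probing first with `docker secret inspect basic-auth-password >/dev/null 2>&1` and treating a failed create as fatal (`|| exit 1`), so the gateway is never deployed with its credentials in an unknown state. The success branch prints the generated password to stdout, where it will end up in CI logs or terminal scrollback when the script runs unattended; a comment such as `# password is shown once here; rotate it if this output is captured in logs` would make that explicit. The `\n` sequences in these `echo` strings are expanded only by some shells, so `printf` would be the portable choice (the script's shebang is outside the hunk).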
-- 
GitLab