chef · rensycthomas · Feb 10, 2025
diff --git a/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb b/components/automate-backend-ctl/habitat/lib/automate/backend/automate_config.rb
@@ -1,5 +1,6 @@
 require 'erb'
 require 'openssl'
+require 'base64'
 
 module Automate
   module Backend
@@ -64,6 +65,10 @@ def create_fqdn_cert()
         [fqdn_key.to_pem, fqdn_cert.to_pem]
       end
 
+      def encode_string(input_string)
+        encoded_string = Base64.encode64(input_string).chomp
+      end
+
       def render
         ERB.new(content(template_path), nil, '-').result(binding)
       end

diff --git a/components/automate-backend-deployment/README.md b/components/automate-backend-deployment/README.md
@@ -4,5 +4,4 @@ This provides the `automate-backend-deployment` package.
 
 This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile.
 
-This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.
-
+This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.
diff --git a/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go b/components/automate-cli/cmd/chef-automate/automateHAAwsDeployment.go
@@ -3,6 +3,7 @@ package main
 import (
 	"container/list"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"net/http"
@@ -146,6 +147,7 @@ func (a *awsDeployment) generateConfig(state string) error {
 	}
 
 	a.setDefaultBasePath()
+	a.encodePasswordFields()
 
 	return writeHAConfigFiles(awsA2harbTemplate, a.config, state)
 }
@@ -547,3 +549,18 @@ func (a *awsDeployment) isIamRolePresent() error {
 	}
 	return nil
 }
+
+func (a *awsDeployment) encodePasswordFields() {
+	if a.config.Aws.Config.SetupManagedServices {
+		writer.Println("Encoding password fields")
+		if len(a.config.Aws.Config.OpensearchUserPassword) > 0 {
+			a.config.Aws.Config.OpensearchUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.OpensearchUserPassword)))
+		}
+		if len(a.config.Aws.Config.RDSSuperUserPassword) > 0 {
+			a.config.Aws.Config.RDSSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSSuperUserPassword)))
+		}
+		if len(a.config.Aws.Config.RDSDBUserPassword) > 0 {
+			a.config.Aws.Config.RDSDBUserPassword = base64.StdEncoding.EncodeToString([]byte((a.config.Aws.Config.RDSDBUserPassword)))
+		}
+	}
+}
diff --git a/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go b/components/automate-cli/cmd/chef-automate/automateHADeployExistingInfra.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"container/list"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -96,6 +97,7 @@ func (e *existingInfra) generateConfig(state string) error {
 	}
 
 	e.setDefaultBasePath()
+	e.encodePasswordFields()
 
 	return writeHAConfigFiles(existingNodesA2harbTemplate, e.config, state)
 }
@@ -776,3 +778,18 @@ func writeGoogleserviceJsonFile(filePath string, serviceAccount GoogleServiceAcc
 	return nil
 
 }
+
+func (e *existingInfra) encodePasswordFields() {
+	if e.config.ExternalDB.Database.Type == "aws" || e.config.ExternalDB.Database.Type == "self-managed" {
+		writer.Println("Encoding password fields")
+		if len(e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword) > 0 {
+			e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.Opensearch.OpensearchSuperUserPassword)))
+		}
+		if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword) > 0 {
+			e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLSuperUserPassword)))
+		}
+		if len(e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword) > 0 {
+			e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword = base64.StdEncoding.EncodeToString([]byte((e.config.ExternalDB.Database.PostgreSQL.PostgreSQLDBUserPassword)))
+		}
+	}
+}
diff --git a/components/automate-cli/cmd/chef-automate/decode_password.go b/components/automate-cli/cmd/chef-automate/decode_password.go
@@ -0,0 +1,107 @@
+package main
+
+import (
+	"encoding/base64"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/components/automate-cli/pkg/docs"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+)
+
+var decodePasswordCmdFlags = struct {
+	config string
+}{}
+
+func init() {
+	RootCmd.AddCommand(decodePasswordCmd)
+	decodePasswordCmd.PersistentFlags().StringVarP(
+		&decodePasswordCmdFlags.config,
+		"config",
+		"c",
+		"",
+		"Config file that needs to be updated with decoded passwords")
+}
+
+var decodePasswordCmd = &cobra.Command{
+	Use:    "decode-password [/path/to/config.toml]",
+	Short:  "Decodes the password fields",
+	Long:   "Decodes the password fields in the specified config.toml file",
+	RunE:   runDecodePasswordCmd,
+	Args:   cobra.ExactArgs(1),
+	Hidden: true,
+	Annotations: map[string]string{
+		docs.Tag: docs.BastionHost,
+	},
+}
+
+func runDecodePasswordCmd(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		configFile := args[0]
+		if len(configFile) > 0 {
+			if checkIfFileExist(configFile) {
+				tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep
+				configString := string(tomlbyte)
+				var config dc.AutomateConfig
+				if _, err := toml.Decode(configString, &config); err != nil {
+					return err
+				}
+				if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil {
+					if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil {
+						if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil {
+							superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value
+							if superUserPassword != "" {
+								superUserPswd, decErr := base64.StdEncoding.DecodeString(superUserPassword)
+								if decErr != nil {
+									return decErr
+								}
+								config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = string(superUserPswd)
+							}
+						}
+						if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil {
+							dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value
+							if dbUserPassword != "" {
+								dbUserPswd, decErr := base64.StdEncoding.DecodeString(dbUserPassword)
+								if decErr != nil {
+									return decErr
+								}
+								config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = string(dbUserPswd)
+							}
+						}
+					}
+					if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.Scheme != nil {
+						if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "basic_auth" && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil {
+							password := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value
+							decodedPassword, err := decodeString(password)
+							if err == nil && decodedPassword != "" {
+								config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = decodedPassword
+							}
+						}else if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "aws_os" && config.Global.V1.External.Opensearch.Auth.AwsOs != nil && config.Global.V1.External.Opensearch.Auth.AwsOs.Password != nil {
+							password := config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value
+							decodedPassword, err := decodeString(password)
+							if err == nil && decodedPassword != "" {
+								config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value = decodedPassword
+
+							}
+						}
+					}
+					_, err := fileutils.CreateTomlFileFromConfig(&config, configFile)
+					if err != nil {
+						return err
+					}
+
+				}
+			}
+		}
+	}
+	return nil
+}
+
+func decodeString (encodedStr string) (string, error) {
+	decodedStr, decErr := base64.StdEncoding.DecodeString(encodedStr)
+	if decErr != nil {
+		return "", decErr
+	}
+	return string(decodedStr), nil
+}
diff --git a/components/automate-cli/cmd/chef-automate/decode_password_test.go b/components/automate-cli/cmd/chef-automate/decode_password_test.go
@@ -0,0 +1,21 @@
+package main
+
+import (
+	"testing"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRunDecodePasswordCmd(t *testing.T) {
+	runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+	tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml")
+	configString := string(tomlbyte)
+	var config dc.AutomateConfig
+	toml.Decode(configString, &config)
+	assert.Equal(t, "admin", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value)
+	assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value)
+	assert.Equal(t, "admin", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value)
+}
diff --git a/components/automate-cli/cmd/chef-automate/encode_password.go b/components/automate-cli/cmd/chef-automate/encode_password.go
@@ -0,0 +1,94 @@
+package main
+
+import (
+	"encoding/base64"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/components/automate-cli/pkg/docs"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+)
+
+var encodePasswordCmdFlags = struct {
+	config string
+}{}
+
+var encodePasswordCmd = &cobra.Command{
+	Use:    "encode-password [/path/to/config.toml]",
+	Short:  "Encodes the password fields",
+	Long:   "Encodes the password fields in the specified config.toml file",
+	RunE:   runEncodePasswordCmd,
+	Args:   cobra.ExactArgs(1),
+	Hidden: true,
+	Annotations: map[string]string{
+		docs.Tag: docs.BastionHost,
+	},
+}
+
+func init() {
+	RootCmd.AddCommand(encodePasswordCmd)
+	encodePasswordCmd.PersistentFlags().StringVarP(
+		&encodePasswordCmdFlags.config,
+		"config",
+		"c",
+		"",
+		"Config file that needs to be updated with encoded passwords")
+
+}
+
+func runEncodePasswordCmd(cmd *cobra.Command, args []string) error {
+	if len(args) > 0 {
+		configFile := args[0]
+		if len(configFile) > 0 {
+			if checkIfFileExist(configFile) {
+				tomlbyte, _ := fileutils.ReadFile(configFile) // nosemgrep
+				configString := string(tomlbyte)
+				var config dc.AutomateConfig
+				if _, err := toml.Decode(configString, &config); err != nil {
+					return err
+				}
+				if config.Global != nil && config.Global.V1 != nil && config.Global.V1.External != nil {
+					if config.Global.V1.External.Postgresql != nil && config.Global.V1.External.Postgresql.Auth != nil && config.Global.V1.External.Postgresql.Auth.Password != nil {
+						if config.Global.V1.External.Postgresql.Auth.Password.Superuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password != nil {
+							superUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value
+							if superUserPassword != "" {
+								superUserPassword = base64.StdEncoding.EncodeToString([]byte(superUserPassword))
+								config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value = superUserPassword
+							}
+						}
+						if config.Global.V1.External.Postgresql.Auth.Password.Dbuser != nil && config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password != nil {
+							dbUserPassword := config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value
+							if dbUserPassword != "" {
+								dbUserPassword = base64.StdEncoding.EncodeToString([]byte(dbUserPassword))
+								config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value = dbUserPassword
+							}
+						}
+					}
+					if config.Global.V1.External.Opensearch != nil && config.Global.V1.External.Opensearch.Auth != nil && config.Global.V1.External.Opensearch.Auth.Scheme != nil {
+						if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "basic_auth" && config.Global.V1.External.Opensearch.Auth.BasicAuth != nil && config.Global.V1.External.Opensearch.Auth.BasicAuth.Password != nil {
+							userPassword := config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value
+							if userPassword != "" {
+								userPassword = base64.StdEncoding.EncodeToString([]byte(userPassword))
+								config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value = userPassword
+							}
+						}else if config.Global.V1.External.Opensearch.Auth.Scheme.Value == "aws_os" && config.Global.V1.External.Opensearch.Auth.AwsOs != nil && config.Global.V1.External.Opensearch.Auth.AwsOs.Password != nil {
+							userPassword := config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value
+							if userPassword != "" {
+								userPassword = base64.StdEncoding.EncodeToString([]byte(userPassword))
+								config.Global.V1.External.Opensearch.Auth.AwsOs.Password.Value = userPassword
+							}
+						}
+
+					}
+					_, err := fileutils.CreateTomlFileFromConfig(&config, configFile)
+					if err != nil {
+						return err
+					}
+
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/components/automate-cli/cmd/chef-automate/encode_password_test.go b/components/automate-cli/cmd/chef-automate/encode_password_test.go
@@ -0,0 +1,27 @@
+package main
+
+import (
+	"testing"
+
+	dc "github.com/chef/automate/api/config/deployment"
+	"github.com/chef/automate/lib/io/fileutils"
+	"github.com/chef/toml"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+)
+
+const CONFIG_PATH = "../../pkg/testfiles/onprem"
+
+var cmd = &cobra.Command{}
+
+func TestRunEncodePasswordCmd(t *testing.T) {
+	runEncodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+	tomlbyte, _ := fileutils.ReadFile(CONFIG_PATH + "/config_externaldb.toml")
+	configString := string(tomlbyte)
+	var config dc.AutomateConfig
+	toml.Decode(configString, &config)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Opensearch.Auth.BasicAuth.Password.Value)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Superuser.Password.Value)
+	assert.Equal(t, "YWRtaW4=", config.Global.V1.External.Postgresql.Auth.Password.Dbuser.Password.Value)
+	runDecodePasswordCmd(cmd, []string{CONFIG_PATH + "/config_externaldb.toml"})
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -4,5 +4,4 @@ This provides the `automate-backend-deployment` package.

		This package will build a package using terraform/a2ha-terraform, inspecs, test, certs and Makefile.

		This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.

		This is the heart of the a2ha because this component will set up a workspace for a2ha and all the a2ha command will get available after installing this package.