Fix #34940: automatically generate password for Redis

LEDfan · LEDfan · commit 581f5c8f1fa8 · 2025-04-29T08:28:07.000+02:00
diff --git a/pom.xml b/pom.xml
@@ -34,6 +34,7 @@
         <fabric8.client.version>7.1.0</fabric8.client.version>
         <docker.client.version>7.0.8-OA-3</docker.client.version>
         <jersey.version>3.1.10</jersey.version>
+        <apache.commons.lang3>3.17.0</apache.commons.lang3>
         <!-- Plugin versions -->
         <maven.assembly.plugin.version>3.7.1</maven.assembly.plugin.version>
         <maven.compiler.plugin.version>3.14.0</maven.compiler.plugin.version>
@@ -150,6 +151,11 @@
             <artifactId>jackson-module-kotlin</artifactId>
             <version>${jackson.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>${apache.commons.lang3}</version>
+        </dependency>
 
         <!-- Dependencies for tests -->
         <dependency>
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt
@@ -98,7 +98,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
         caddyConfig = CaddyConfig(dockerClient, dataDir, config)
         dockerActions = DockerActions(dockerClient)
         shinyProxyReadyChecker = ShinyProxyReadyChecker(channel, dockerActions, dockerClient, dataDir)
-        redisConfig = RedisConfig(dockerClient, dockerActions, dataDir, config)
+        redisConfig = RedisConfig(dockerClient, dockerActions, persistentState, dataDir, config)
         craneConfig = CraneConfig(dockerClient, dockerActions, dataDir, inputDir, redisConfig, caddyConfig, persistentState)
         monitoringConfig = MonitoringConfig(dockerClient, dockerActions, dataDir, caddyConfig, config)
         logFilesCleaner = LogFilesCleaner(dataDir.resolve("logs"), fileManager, dockerActions)
@@ -390,6 +390,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
 
     override suspend fun init(source: IShinyProxySource) {
         logger.info { "Initializing DockerOrchestrator" }
+        redisConfig.init()
         val containers = dockerClient.listContainers(
             DockerClient.ListContainersParam.withStatusRunning(),
             DockerClient.ListContainersParam.withLabel(LabelFactory.APP_LABEL, LabelFactory.APP_LABEL_VALUE)
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/PersistentState.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/PersistentState.kt
@@ -40,46 +40,56 @@ class PersistentState(dataDir: Path) {
     fun readState(): State {
         try {
             if (!file.exists()) {
-                return State(mapOf())
+                return State(mapOf(), null)
             }
             return objectMapper.readValue(file)
         } catch (e: Exception) {
             logger.warn(e) { "Could not read store state" }
-            return State(mapOf())
+            return State(mapOf(), null)
         }
     }
 
     fun storeLatest(realmId: String, instance: String) {
-        try {
-            val newMap = readState().realms.toMutableMap()
+        updateState { state ->
+            val newMap = state.realms.toMutableMap()
             if (newMap.containsKey(realmId)) {
                 newMap[realmId] = newMap.getValue(realmId).copy(latestInstance = instance)
             } else {
                 newMap[realmId] = RealmState(instance)
             }
-            val newState = State(newMap)
-            objectMapper.writeValue(file, newState)
-        } catch (e: Exception) {
-            logger.warn(e) { "Could not store state" }
+            state.copy(realms = newMap)
         }
     }
 
     fun storeLatestCrane(realmId: String, instance: String) {
-        try {
-            val newMap = readState().realms.toMutableMap()
+        updateState { state ->
+            val newMap = state.realms.toMutableMap()
             if (newMap.containsKey(realmId)) {
                 newMap[realmId] = newMap.getValue(realmId).copy(craneLatestInstance = instance)
             } else {
                 newMap[realmId] = RealmState(null, instance)
             }
-            val newState = State(newMap)
+            state.copy(realms = newMap)
+        }
+    }
+
+    fun storeRedisPassword(password: String) {
+        updateState { state ->
+            state.copy(redisPassword = password)
+        }
+    }
+
+    private fun updateState(block: (State) -> State) {
+        try {
+            val state = readState()
+            val newState = block(state)
             objectMapper.writeValue(file, newState)
         } catch (e: Exception) {
             logger.warn(e) { "Could not store state" }
         }
     }
 
-    data class State(val realms: Map<String, RealmState>)
+    data class State(val realms: Map<String, RealmState> = mapOf(), val redisPassword: String? = null)
 
     data class RealmState(val latestInstance: String?, val craneLatestInstance: String? = null)
 
diff --git a/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/RedisConfig.kt b/src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/RedisConfig.kt
@@ -25,27 +25,41 @@ import eu.openanalytics.shinyproxyoperator.FileManager
 import io.github.oshai.kotlinlogging.KotlinLogging
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.withContext
+import org.apache.commons.lang3.RandomStringUtils
 import org.mandas.docker.client.DockerClient
 import org.mandas.docker.client.messages.ContainerConfig
 import org.mandas.docker.client.messages.HostConfig
 import java.nio.file.Files
 import java.nio.file.Path
 
-class RedisConfig(private val dockerClient: DockerClient, private val dockerActions: DockerActions, mainDataDir: Path, config: Config) {
+class RedisConfig(private val dockerClient: DockerClient,
+                  private val dockerActions: DockerActions,
+                  private val persistentState: PersistentState,
+                  mainDataDir: Path,
+                  config: Config) {
 
     private val containerName = "sp-redis"
     private val dataDir: Path = mainDataDir.resolve(containerName)
-    private val redisPassword: String
+    private lateinit var redisPassword: String
     private val logger = KotlinLogging.logger {}
     private val redisImage: String = config.readConfigValue("redis:7.2.4", "SPO_REDIS_IMAGE") { it }
     private val fileManager = FileManager()
 
-    init {
-        redisPassword = readPasswordFile("/run/secrets/redis_password")
-            ?: readPasswordFile("redis_password.txt")
-            ?: config.readConfigValue("", "SPO_REDIS_PASSWORD") { it }
-        if (redisPassword == "") {
-            error("Invalid redis password")
+    fun init() {
+        val redisPasswordInState = persistentState.readState().redisPassword
+        if (redisPasswordInState == null) {
+            val redisPasswordInConfig = readPasswordFile("/run/secrets/redis_password")
+                ?: readPasswordFile("redis_password.txt")
+            redisPassword = if (redisPasswordInConfig != null) {
+                redisPasswordInConfig
+            } else {
+                logger.info { "Generating password for Redis" }
+                RandomStringUtils.secureStrong().nextAlphanumeric(32)
+            }
+            persistentState.storeRedisPassword(redisPassword)
+        } else {
+            logger.info { "Re-using password from Redis state" }
+            redisPassword = redisPasswordInState
         }
     }
 
diff --git a/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/MainIntegrationTest.kt b/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/MainIntegrationTest.kt
@@ -33,6 +33,7 @@ import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.ValueSource
 import kotlin.io.path.deleteIfExists
 import kotlin.io.path.readText
+import kotlin.io.path.writeText
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 
@@ -248,7 +249,7 @@ class MainIntegrationTest : IntegrationTestBase() {
 
         // 6. wait for instance to startup (startup will fail)
         val error = eventController.waitForInputError()
-        assertEquals("Failed to read file 'realm1.shinyproxy.yaml', error: No or invalid realm-id", error)
+        assertEquals("Failed to read file 'realm1.shinyproxy.yaml', error: 'No or invalid realm-id'", error)
 
         // 7. check that caddy still points to original instance
         dockerAssertions.assertCaddyContainer("simple_test_caddy.json", mapOf("#CONTAINER_IP#" to shinyProxyContainerA.getSharedNetworkIpAddress()!!))
@@ -409,6 +410,7 @@ class MainIntegrationTest : IntegrationTestBase() {
     fun `restart operator during (failing) update without state file`() = setup { dataDir, inputDir, operator, eventController, dockerAssertions, recyclableChecker, config ->
         // idea of test: launch instance A, update config to get instance B, however, instance B fails to start up, in the meantime restart the operator and then update config again to A
         // the operator will start a new instance, with an increased revision
+        dataDir.resolve("state.yaml").writeText("redisPassword: 75ZEykd5RYsZS7v9H7PYCaFcrscJHWa4\n")
         // 1. create a SP instance
         val hashA = createInputFile(inputDir, "simple_config.yaml", "realm1.shinyproxy.yaml")
         val shinyProxyInstanceA = ShinyProxyInstance("realm1", "default", "default-realm1", hashA, true, 0)
@@ -439,6 +441,7 @@ class MainIntegrationTest : IntegrationTestBase() {
         operator.stop()
 
         dataDir.resolve("state.yaml").deleteIfExists()
+        dataDir.resolve("state.yaml").writeText("redisPassword: 75ZEykd5RYsZS7v9H7PYCaFcrscJHWa4\n")
         delay(10_000)
 
         // 7. restart operator
@@ -627,6 +630,7 @@ class MainIntegrationTest : IntegrationTestBase() {
         assertEquals(listOf(
             "${dataDir}${craneContainerInfo.name()}/application.yml:/opt/crane/application.yml:ro",
             "${dataDir}${craneContainerInfo.name()}/generated.yml:/opt/crane/generated.yml:ro",
+            "${dataDir}/logs${craneContainerInfo.name()}:/opt/crane/logs",
             "/tmp/crane-mount:/mnt",
         ), craneContainerInfo.hostConfig().binds())
         dockerAssertions.assertCaddyContainer("simple_config_crane_caddy.yaml", mapOf(
diff --git a/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/helpers/DockerAssertions.kt b/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/helpers/DockerAssertions.kt
@@ -55,8 +55,10 @@ class DockerAssertions(private val base: IntegrationTestBase,
         assertEquals("redis", redisContainer.config().labels()["app"])
         assertEquals("1000", redisContainer.config().user())
 
-        val redisConfig = dataDir.resolve("sp-redis").resolve("redis.conf").readText()
-        assertEquals(readExpectedFile("redis.conf"), redisConfig)
+        // remove generated password from file
+        val redisConfig = dataDir.resolve("sp-redis").resolve("redis.conf").readText().dropLast(33)
+        val expectedRedisconfig = readExpectedFile("redis.conf").dropLast(20)
+        assertEquals(expectedRedisconfig, redisConfig)
     }
 
     fun assertCaddyContainer(expectedName: String, replacements: Map<String, String>, tls: Boolean = false) {
@@ -116,13 +118,14 @@ class DockerAssertions(private val base: IntegrationTestBase,
     fun assertShinyProxyContainer(shinyProxyContainer: Container, shinyProxyInstance: ShinyProxyInstance) {
         val containerInfo = base.dockerClient.inspectContainer(shinyProxyContainer.id())
         assertEquals(true, containerInfo.state().running())
-        assertEquals("sp-network-${shinyProxyInstance.realmId}", containerInfo.hostConfig().networkMode())
+        assertEquals("sp-shared-network", containerInfo.hostConfig().networkMode())
         assertEquals(listOf("sp-network-${shinyProxyInstance.realmId}", "sp-shared-network"), containerInfo.networkSettings().networks().keys.toList())
         assertEquals(listOf(
             "/var/run/docker.sock:/var/run/docker.sock:ro",
             "${dataDir}${containerInfo.name()}/application.yml:/opt/shinyproxy/application.yml:ro",
             "${dataDir}${containerInfo.name()}/generated.yml:/opt/shinyproxy/generated.yml:ro",
             "${dataDir}${containerInfo.name()}/templates:/opt/shinyproxy/templates:ro",
+            "${dataDir}/logs${containerInfo.name()}:/opt/shinyproxy/logs",
             "${dataDir}${containerInfo.name()}/termination-log:/dev/termination-log",
         ), containerInfo.hostConfig().binds())
         assertEquals(listOf(dockerGID), containerInfo.hostConfig().groupAdd())
diff --git a/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/helpers/IntegrationTestBase.kt b/src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/helpers/IntegrationTestBase.kt
@@ -98,7 +98,6 @@ abstract class IntegrationTestBase {
             val mockConfig = MockConfig(config + mapOf(
                 "SPO_DOCKER_DATA_DIR" to dataDir.toString(),
                 "SPO_INPUT_DIR" to inputDir.toString(),
-                "SPO_REDIS_PASSWORD" to "MOCK_REDIS_PASSWORD",
                 "SPO_FILE_POLL_INTERVAL" to "10"
             ))
             val eventController = AwaitableEvenController()
