@@ -98,7 +98,116 @@ merge_missing_settings_from_rpmnew() {
|
||||
rm -f "$src_pairs" "$target_pairs" "$missing_lines" "$merged_file"
|
||||
}
|
||||
|
||||
generate_random_auth_jwt_key() {
|
||||
if command -v openssl >/dev/null 2>&1; then
|
||||
openssl rand -base64 32 2>/dev/null | tr -d '\n'
|
||||
return 0
|
||||
fi
|
||||
if command -v base64 >/dev/null 2>&1; then
|
||||
head -c 32 /dev/urandom | base64 | tr -d '\n'
|
||||
return 0
|
||||
fi
|
||||
return 1
|
||||
}
|
||||
|
||||
auth_jwt_key_is_set() {
|
||||
local target="$1"
|
||||
[ -f "$target" ] || return 1
|
||||
|
||||
local extracted
|
||||
extracted="$(awk '
|
||||
/^settings:[[:space:]]*$/ { in_settings = 1; next }
|
||||
in_settings && /^[^[:space:]]/ { in_settings = 0 }
|
||||
in_settings && $0 ~ /^ auth_jwt_signing_key:[[:space:]]*/ {
|
||||
value = $0
|
||||
sub(/^[[:space:]]*auth_jwt_signing_key:[[:space:]]*/, "", value)
|
||||
sub(/[[:space:]]*#.*/, "", value)
|
||||
gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
|
||||
gsub(/^["'\'']|["'\'']$/, "", value)
|
||||
print value
|
||||
exit
|
||||
}
|
||||
' "$target")"
|
||||
|
||||
[ -n "$extracted" ]
|
||||
}
|
||||
|
||||
set_auth_jwt_key() {
|
||||
local target="$1"
|
||||
local jwt_key="$2"
|
||||
local updated_file
|
||||
|
||||
[ -f "$target" ] || return 1
|
||||
updated_file="$(mktemp /tmp/vctp-postinstall-authkey-XXXXXX)" || return 1
|
||||
|
||||
if awk -v new_key="$jwt_key" '
|
||||
BEGIN { in_settings = 0; replaced = 0; inserted = 0 }
|
||||
{
|
||||
if ($0 ~ /^settings:[[:space:]]*$/) {
|
||||
in_settings = 1
|
||||
print
|
||||
next
|
||||
}
|
||||
|
||||
if (in_settings && $0 ~ /^ auth_jwt_signing_key:[[:space:]]*/) {
|
||||
print " auth_jwt_signing_key: \"" new_key "\""
|
||||
replaced = 1
|
||||
next
|
||||
}
|
||||
|
||||
if (in_settings && $0 ~ /^[^[:space:]]/) {
|
||||
if (!replaced && !inserted) {
|
||||
print " auth_jwt_signing_key: \"" new_key "\""
|
||||
inserted = 1
|
||||
}
|
||||
in_settings = 0
|
||||
}
|
||||
|
||||
print
|
||||
}
|
||||
END {
|
||||
if (in_settings && !replaced && !inserted) {
|
||||
print " auth_jwt_signing_key: \"" new_key "\""
|
||||
}
|
||||
}
|
||||
' "$target" > "$updated_file"; then
|
||||
cat "$updated_file" > "$target"
|
||||
rm -f "$updated_file"
|
||||
return 0
|
||||
fi
|
||||
|
||||
rm -f "$updated_file"
|
||||
return 1
|
||||
}
|
||||
|
||||
ensure_auth_jwt_key_in_settings() {
|
||||
local target="$1"
|
||||
[ -f "$target" ] || return 0
|
||||
|
||||
if auth_jwt_key_is_set "$target"; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
local generated
|
||||
generated="$(generate_random_auth_jwt_key)" || {
|
||||
echo "vCTP postinstall: unable to generate auth_jwt_signing_key (openssl/base64 unavailable)"
|
||||
return 0
|
||||
}
|
||||
|
||||
if [ -z "$generated" ]; then
|
||||
echo "vCTP postinstall: unable to generate auth_jwt_signing_key (empty key)"
|
||||
return 0
|
||||
fi
|
||||
|
||||
if set_auth_jwt_key "$target" "$generated"; then
|
||||
echo "vCTP postinstall: generated and set settings.auth_jwt_signing_key in ${target}"
|
||||
else
|
||||
echo "vCTP postinstall: failed to write settings.auth_jwt_signing_key in ${target}"
|
||||
fi
|
||||
}
|
||||
|
||||
merge_missing_settings_from_rpmnew "$TARGET_CFG" "$SOURCE_CFG" || :
|
||||
ensure_auth_jwt_key_in_settings "$TARGET_CFG" || :
|
||||
|
||||
if [ -f "$TARGET_CFG" ]; then
|
||||
chown root:dtms "$TARGET_CFG" || :
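Review bot: The generated signing key is written into `$TARGET_CFG` by `set_auth_jwt_key` (`cat "$updated_file" > "$target"`) before the ownership fix at the end of the hunk, so if the packaged config ships as 0644 the secret is world-readable until the later `chown`/`chmod` runs — and stays so if no `chmod` follows (the lines after `chown root:dtms` are outside this view). Tighten the file before writing the secret rather than after, e.g. `chmod o-rwx -- "$target"` at the top of `set_auth_jwt_key` right after the `[ -f "$target" ] || return 1` guard, or move the `chown`/`chmod` pair above `ensure_auth_jwt_key_in_settings "$TARGET_CFG" || :`. Two smaller points: the key is passed as `awk -v new_key="$jwt_key"`, so it is visible in `ps` for the life of the awk process (brief, and base64 contains no backslashes so `-v` escape processing cannot mangle it), and both `auth_jwt_key_is_set` and the replace branch of `set_auth_jwt_key` anchor on a fixed leading indent, so a hand-edited config with different indentation would be seen as unset and receive a second, duplicate `auth_jwt_signing_key:` line — the non-fixed-width `sub()` on the extracted value suggests this was not intended. Consider matching `^[[:space:]]+auth_jwt_signing_key:` in both places. Diagnostics in `ensure_auth_jwt_key_in_settings` are echoed to stdout; `>&2` would keep them out of any captured package output.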
|
||||
|
||||
@@ -19,6 +19,21 @@ settings:
|
||||
vcenter_insecure: false
|
||||
# Legacy API endpoints are disabled by default.
|
||||
enable_legacy_api: false
|
||||
auth_enabled: false
|
||||
auth_mode: "disabled" # disabled | optional | required
|
||||
auth_jwt_signing_key: "" # base64-encoded key, required when auth_enabled=true
|
||||
auth_token_lifespan_minutes: 120
|
||||
auth_jwt_issuer: "vctp"
|
||||
auth_jwt_audience: "vctp-api"
|
||||
auth_clock_skew_seconds: 60
|
||||
auth_group_role_mappings: {}
|
||||
ldap_groups: []
|
||||
ldap_bind_address: ""
|
||||
ldap_base_dn: ""
|
||||
ldap_trust_cert_file: ""
|
||||
ldap_disable_validation: false
|
||||
ldap_insecure: false
|
||||
enable_pprof: false
|
||||
# Deprecated (ignored): legacy event poller
|
||||
vcenter_event_polling_seconds: 0
|
||||
# Deprecated (ignored): legacy inventory poller
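Review bot: The comment on `auth_jwt_signing_key` says the key is "required when auth_enabled=true" but does not mention that the package postinstall in this same commit fills it in automatically when left empty, nor how `auth_enabled` and `auth_mode` interact (which wins for `auth_enabled: false` with `auth_mode: "required"`?). Suggest `auth_jwt_signing_key: "" # base64-encoded key; required when auth is enabled — the postinstall generates one if left empty` and a one-line note above `auth_enabled` stating the precedence between the two settings, assuming the server defines one.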
|
||||
|
||||