Mercurial > gemma
comparison schema/install-db.sh @ 478:3af7ca761f6a
Purge password reset role
The risk of SQL-injections and thus privilege escalation
via the metamorphic user was estimated not high enough to
justify the extra role. Thus, bring database back in line
with rev. ffdb507d5b42 and re-enable password reset.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Thu, 23 Aug 2018 16:41:44 +0200 |
parents | 638371a0e557 |
children | ad07846b09d1 |
comparison
equal
deleted
inserted
replaced
477:00b52d653039 | 478:3af7ca761f6a |
---|---|
14 -d, --db=NAME create the database NAME. Default: "gemma" | 14 -d, --db=NAME create the database NAME. Default: "gemma" |
15 -p, --port=PORT connect do the postgresql cluster at PORT. | 15 -p, --port=PORT connect do the postgresql cluster at PORT. |
16 Default is the postgresql standard port 5432 | 16 Default is the postgresql standard port 5432 |
17 -D, --demo also install demo accounts and data | 17 -D, --demo also install demo accounts and data |
18 --adminpw set the password to use for the "sysadmin" account. | 18 --adminpw set the password to use for the "sysadmin" account. |
19 Default is a random password. | |
20 --servicepw set the password to use for the "gemma_service" account. | |
21 Default is a random password. | 19 Default is a random password. |
22 --metapw set the password to use for the "meta_login" account. | 20 --metapw set the password to use for the "meta_login" account. |
23 Default is a random password. | 21 Default is a random password. |
24 --drop drop database and all roles | 22 --drop drop database and all roles |
25 --help display this help and exit | 23 --help display this help and exit |
45 db=gemma | 43 db=gemma |
46 port=5432 | 44 port=5432 |
47 demo=0 | 45 demo=0 |
48 drop=0 | 46 drop=0 |
49 adminpw=`genpw 15` | 47 adminpw=`genpw 15` |
50 servicepw=`genpw 15` | |
51 metapw=`genpw 15` | 48 metapw=`genpw 15` |
52 | 49 |
53 # Parse options: | 50 # Parse options: |
54 | 51 |
55 OPTS=`getopt \ | 52 OPTS=`getopt \ |
56 -l help,demo,db:,port:,drop,adminpw:,servicepw:,metapw: \ | 53 -l help,demo,db:,port:,drop,adminpw:,metapw: \ |
57 -o Dd:p: -n "$ME" -- "$@"` | 54 -o Dd:p: -n "$ME" -- "$@"` |
58 [ $? -eq 0 ] || { usage ; exit 1 ; } | 55 [ $? -eq 0 ] || { usage ; exit 1 ; } |
59 | 56 |
60 eval set -- "$OPTS" | 57 eval set -- "$OPTS" |
61 | 58 |
69 port="$2" | 66 port="$2" |
70 shift 2 | 67 shift 2 |
71 ;; | 68 ;; |
72 --adminpw) | 69 --adminpw) |
73 adminpw="$2" | 70 adminpw="$2" |
74 shift 2 | |
75 ;; | |
76 --servicepw) | |
77 servicepw="$2" | |
78 shift 2 | 71 shift 2 |
79 ;; | 72 ;; |
80 --metapw) | 73 --metapw) |
81 metapw="$2" | 74 metapw="$2" |
82 shift 2 | 75 shift 2 |
112 -f "$BASEDIR/manage_users.sql" \ | 105 -f "$BASEDIR/manage_users.sql" \ |
113 -f "$BASEDIR/auth.sql" | 106 -f "$BASEDIR/auth.sql" |
114 | 107 |
115 # setup initial login roles with given passwords: | 108 # setup initial login roles with given passwords: |
116 psql -qt -p "$port" -d "$db" \ | 109 psql -qt -p "$port" -d "$db" \ |
117 -v adminpw="$adminpw" -v servicepw="$servicepw" -v metapw="$metapw" \ | 110 -v adminpw="$adminpw" -v metapw="$metapw" \ |
118 -f "$BASEDIR/std_login_roles.sql" | 111 -f "$BASEDIR/std_login_roles.sql" |
119 | 112 |
120 if [[ $demo -eq 1 ]] ; then | 113 if [[ $demo -eq 1 ]] ; then |
121 psql -qv ON_ERROR_STOP= -p "$port" \ | 114 psql -qv ON_ERROR_STOP= -p "$port" \ |
122 -f "$BASEDIR/demo-data/responsibility_areas.sql" \ | 115 -f "$BASEDIR/demo-data/responsibility_areas.sql" \ |
131 echo "Really drop database '$db' and all gemma roles? [type 'yes']: " | 124 echo "Really drop database '$db' and all gemma roles? [type 'yes']: " |
132 read a | 125 read a |
133 if [[ $a == "yes" ]] ; then | 126 if [[ $a == "yes" ]] ; then |
134 dropdb -p "$port" "$db" | 127 dropdb -p "$port" "$db" |
135 psql -p $port -A -t -c '\du' | awk -F '|' -v port=$port \ | 128 psql -p $port -A -t -c '\du' | awk -F '|' -v port=$port \ |
136 '$1 "." $3 ~ /waterway_user|waterway_admin|sys_admin|pw_reset|metamorph/ \ | 129 '$1 "." $3 ~ /waterway_user|waterway_admin|sys_admin|metamorph/ \ |
137 { system("dropuser -p " port " \"" $1 "\"") }' | 130 { system("dropuser -p " port " \"" $1 "\"") }' |
138 else | 131 else |
139 echo "No harm done." | 132 echo "No harm done." |
140 fi | 133 fi |
141 fi | 134 fi |