Fix Insecure Default Configuration

containers/database/Dockerfile

@@ -8,7 +8,16 @@
 # Use a pinned version
 FROM postgres:15.3
 
+# Sent from the build for the database in the main docker-compose.yml file.
+ARG OED_DB_PASSWORD
+
 # All SQL files in the build context
 # get copied into the container and
 # run on init.
 COPY *.sql /docker-entrypoint-initdb.d/
+# Edit the initialization SQL file to used the passed OED database password.
+# The one copied always has a password of opened.
+# The edited password should correspond to the same named environment variable in
+# the OED web container so they will match when the software tries to log in
+# it will be successful.
+RUN sed -i "s/opened/${OED_DB_PASSWORD}/" /docker-entrypoint-initdb.d/init.sql

docker-compose-dev.yml

@@ -11,26 +11,24 @@
 # or an appropriate variant to cause the values in this file to override
 # the ones in the default docker file.
 # *****************************************************************
-
-version: "3.8"
 services:
     database:
         # The next lines enable access to the PostgreSQL server from the host machine.
         # It can be very valuable for debugging the database via tools such as PGAdmin.
         # They can be commented out to close that port but it will stop that type of debugging.
         ports:
-           - "5432:5432"
+            - "5432:5432"
     web:
         environment:
             # Set this value to yes or no, other values wil result in a configuration error.
             # Unless you are testing a production setup, this is normally no.
-            - OED_PRODUCTION=no
+            OED_PRODUCTION: no
             # This is to let the install know that the second, developer docker file was used.
             # It is mostly as a safety check and during the transition to warn developers to
             # transition to the new system. It should NOT be changed.
             # The value is not set in the production config file to avoid someone wanting to
             # set it there and that is not desired.
-            - OED_DOCKER_CONFIG_DEV=yes
+            OED_DOCKER_CONFIG_DEV: yes
         ports:
             # If you are experiencing port conflicts with 3000 then you can modify this to
             # use another port. For example, to switch to port xxxx you would do:
@@ -44,19 +42,21 @@ services:
                 "./src/scripts/installOED.sh",
                 # This allows for starting OED with special values for a developer.
                 # See developer docs for details.
+                # If environment variable install_args is not set then it becomes blank without warning user.
                 "${install_args:-}"
             ]
 
     # Cypress testing service
     # This is used for UI testing and normally only creates this Docker container
     # if you specially start up UI testing.
+    # TODO This is not longer working. It is unclear why.
     cypress:
       image: cypress/included
       profiles:
         - ui-testing
       environment:
-        - CYPRESS_BASE_URL=http://web:3000
-        - DISPLAY=:99
+        CYPRESS_BASE_URL: http://web:3000
+        DISPLAY: 99
       working_dir: /usr/src/app
       depends_on:
         web:

docker-compose.yml

@@ -12,24 +12,65 @@
 # with a modified command. OED sites should NEVER do this.
 # *****************************************************************
 
-version: "3.8"
+x-common-variables: &common-db-web-variables
+    # The OED install process will not allow this password and it will
+    # be replaced with a random, secure password if not changed here.
+    # That is fine as many sites do not need regular access to the
+    # database so a password they created is not important. OED will
+    # provide the password created for future use.
+    # If the password is changed then it is important to make it secure to
+    # avoid unauthorized access. Note the double quotes ("") around the password
+    # are not part of the password.
+    # OED STRONGLY recommends that if this is a site/production build that the passwords
+    # are strong and be at least 12 characters for the database and this is enforced.
+    # This value should NEVER be changed after the first time OED is started.
+    # Doing it will cause OED not to know the current password and it will stop
+    # working. One should use the changePostgresPasswords command provided by OED
+    # and described in the documentation.
+    # Obviously this should never be an empty string but if that is done then the OED install will fail.
+    # For developers: This value must match the one used in src/server/util/changePostgresPass.js
+    # to work properly for security checks.
+    POSTGRES_PASSWORD: "pleaseChange"
+     # Default oed user postgres password that should be changed for security.
+    # The OED install process will not allow this password and it will
+    # be replaced with a random, secure password if not changed here.
+    # That is fine as many sites do not need regular access to the
+    # database so a password they created is not important. OED will
+    # provide the password created for future use.
+    # If the password is changed then it is important to make it secure to
+    # avoid unauthorized access. Note the double quotes ("") around the password
+    # are not part of the password.
+    # OED STRONGLY recommends that if this is a site/production build that the passwords
+    # are strong and be at least 12 characters for the database and this is enforced.
+    # This value should NEVER be changed after the first time OED is started.
+    # Doing it will cause OED not to know the current password and it will stop
+    # working. One should use the changePostgresPasswords command provided by OED
+    # and described in the documentation.
+    # Obviously this should never be an empty string but if that is done then the OED install will fail.
+    # For developers: This value must match the one used in src/server/util/changePostgresPass.js
+    # to work properly for security checks.
+    # TODO Hope to fix, but for now this MUST match the same key value below.
+    OED_DB_PASSWORD: "opened"
+
 services:
     # Database service. It's PostgreSQL, see the Dockerfile in ./database.
     database:
         environment:
-            # Default postgres password that should be changed for security.
-            # The OED install process will not allow this password and it will
-            # be replaced with a random, secure password if not changed here.
-            # That is fine as many sites do not need regular access to the
-            # database so a password they created is not important. OED will
-            # provide the password created for future use.
-            # If the password is changed then it is important to make it secure to
-            # avoid unauthorized access.
-            - POSTGRES_PASSWORD=pleaseChange
+            # Includes the environment variables needed by database & web containers.
+            <<: *common-db-web-variables
+           # Normally there is no reason to the next value. Changing them may break OED.
             # Custom PGDATA per recommendations from official Docker page
-            - PGDATA=/var/lib/postgresql/data/pgdata
+            PGDATA: /var/lib/postgresql/data/pgdata
         # Location of database Docker configuration and startup files.
-        build: ./containers/database/
+        build:
+            context: ./containers/database/
+            args:
+                # TODO The hope was this would get the environment variable and pass it to
+                # the database build. However, it is not working.
+                # oedPassword: ${OED_DB_PASSWORD}
+                # TODO This is a fix (hopefully temporary) to pass the needed value.
+                # TODO Hope to fix, but for now this MUST match the same key value above.
+                OED_DB_PASSWORD: "opened"
         volumes:
             # This maps the proper Docker database directory back to the local file
             # system. It is critical that the changes actually be written back to
@@ -39,75 +80,68 @@ services:
         # Tries to make sure postgres is running properly. For example, the DB can be
         # running but not ready to accept connections.
         healthcheck:
-            test: ["CMD-SHELL", "pg_isready -U postgres"]
+            test: [ "CMD-SHELL", "pg_isready -U postgres" ]
             interval: 10s
             timeout: 10s
             retries: 3
     # Web service runs Node
     web:
         # Configuration variables for the app.
         environment:
-            # Default oed user postgres password that should be changed for security.
-            # The OED install process will not allow this password and it will
-            # be replaced with a random, secure password if not changed here.
-            # That is fine as many sites do not need regular access to the
-            # database so a password they created is not important. OED will
-            # provide the password created for future use.
-            # If the password is changed then it is important to make it secure to
-            # avoid unauthorized access.
-            - OED_DB_PASSWORD=opened
+            # Includes the environment variables needed by database & web containers.
+            <<: *common-db-web-variables
             # Default web token that should be changed for security.
             # The OED install process will not allow this token and it will
             # be replaced with a random, secure token if not changed.
             # That is fine as there is normally no usage outside of the OED app for this.
             # OED will provide the token created for future use.
             # If the taken is changed here then it is important to make it secure to
             # avoid unauthorized access.
-            - OED_TOKEN_SECRET=?
+            OED_TOKEN_SECRET: "?"
             # The OED_MAIL_... values are set to enable OED to send email about issues.
-            - OED_MAIL_METHOD=none # Method of sending mail. Supports "secure-smtp", "none". Case insensitive.
-            - OED_MAIL_SMTP=smtp.example.com # Edit this
-            - OED_MAIL_SMTP_PORT=465 # Edit this
-            - OED_MAIL_IDENT=someone@example.com # The user email that is used for sending emails (SMTP)
-            - OED_MAIL_CREDENTIAL=credential # Set the email password for sending email here
-            - OED_MAIL_FROM=mydomain@example.com # The email address that the email will come from
-            - OED_MAIL_TO=someone@example.com # Set the destination address here for where to send emails
-            - OED_MAIL_ORG=My Organization Name # Org name for mail that is included in the subject
+            OED_MAIL_METHOD: none # Method of sending mail. Supports "secure-smtp", "none". Case insensitive.
+            OED_MAIL_SMTP: smtp.example.com # Edit this
+            OED_MAIL_SMTP_PORT: 465 # Edit this
+            OED_MAIL_IDENT: someone@example.com # The user email that is used for sending emails (SMTP)
+            OED_MAIL_CREDENTIAL: credential # Set the email password for sending email here
+            OED_MAIL_FROM: mydomain@example.com # The email address that the email will come from
+            OED_MAIL_TO: someone@example.com # Set the destination address here for where to send emails
+            OED_MAIL_ORG: My Organization Name # Org name for mail that is included in the subject
             # Changing this value does not impact what OED displays.
             # What it will change is the date/time stamp on logs, notes and change dates that place the current date/time.
             # It can also impact the interpretation of readings sent to OED such as Unix timestamps.
-            - TZ=Etc/UTC # Set the timezone of the Docker container where OED runs the web services.
+            TZ: Etc/UTC # Set the timezone of the Docker container where OED runs the web services.
             # OED_PRODUCTION should NEVER be changed here. If this is for an OED site then
             # it is VERY important that it be yes for security reasons. If you are doing
             # development then you should be changing the other docker file as per the help
             # page for developers.
-            # - OED_PRODUCTION=yes
+            # OED_PRODUCTION: yes
             # TODO THIS VALUE IS TEMPORARILY BEING SET TO no DURING THE TRANSITION TO THE NEW SETUP WHERE
             #       THERE IS A SEPARATE DOCKER CONFIGURATION FILE FOR DEVELOPERS. THIS ALLOWS DEVELOPERS
             #       TO CONTINUE TO USE THE CURRENT COMMAND TO START UP OED. THE PLAN IS TO REMOVE THIS
             #       AFTER THE PHASE IN PERIOD.
-            - OED_PRODUCTION=no
+            OED_PRODUCTION: no
             # See the ports mapping below to change the port used on your system.
             # Normally OED_SERVER_PORT is not modified.
-            - OED_SERVER_PORT=3000
+            OED_SERVER_PORT: 3000
             # Normally these users are fine and there should be no reason to change the next
             # three items.
-            - OED_DB_USER=oed
-            - OED_DB_DATABASE=oed
+            OED_DB_USER: oed
+            OED_DB_DATABASE: oed
             # This user is used when the standard OED testing is run. It is left in this Docker
             # config file in case sites want to run the test suite.
-            - OED_DB_TEST_DATABASE=oed_testing
+            OED_DB_TEST_DATABASE: oed_testing
             # Docker will set this hostname.
-            - OED_DB_HOST=database
+            OED_DB_HOST: database
             # This is the standard postgres port. At a site this should not cause issues as it
             # is only used within the Docker container.
-            - OED_DB_PORT=5432
+            OED_DB_PORT: 5432
             # This is the file where OED log messages are stored. It is now a backup location for
             # messages since all should be logged to the database and available via an OED web page.
-            - OED_LOG_FILE=log.txt
+            OED_LOG_FILE: log.txt
             # If in a subdirectory, set it here
-            # - OED_SUBDIR=/subdir/
-            # Set the correct build environment.
+            # OED_SUBDIR: /subdir/
+        # Set the correct build environment.
         build:
             context: ./
             dockerfile: ./containers/web/Dockerfile
@@ -128,18 +162,13 @@ services:
         depends_on:
             # - database
             database:
-              # We need the database and it has to be ready for work (see healthcheck above).
-              condition: service_healthy
+                # We need the database and it has to be ready for work (see healthcheck above).
+                condition: service_healthy
         # As with the DB above, this tries to ensure all is okay.
         healthcheck:
-            test: ["CMD", "curl", "-f", "http://localhost:3000"]
+            test: [ "CMD", "curl", "-f", "http://localhost:3000" ]
             interval: 10s
             timeout: 5s
             retries: 5
         # Lets docker compose up work right
-        # If environment variable install_args is not set then it becomes blank without warning user.
-        command:
-            [
-                "bash",
-                "./src/scripts/installOED.sh",
-            ]
+        command: [ "bash", "./src/scripts/installOED.sh" ]

package.json

@@ -45,7 +45,8 @@
 		"generateTestingData": "node -e 'require(\"./src/server/data/automatedTestingData\").generateTestingData()'",
 		"testData": "node -e 'require(\"./src/server/data/automatedTestingData.js\").insertSpecialUnitsConversionsMetersGroups()'",
 		"webData": "node -e 'require(\"./src/server/data/websiteData.js\").insertWebsiteData()'",
-		"addLogMsg": "node -e 'require(\"./src/server/services/addLogMsg.js\").addLogMsgToDB()'"
+		"addLogMsg": "node -e 'require(\"./src/server/services/addLogMsg.js\").addLogMsgToDB()'",
+		"changePostgresPasswords": "node -e 'require(\"./src/server/util/changePostgresPasswords.js\").changePostgresPasswords()'"
 	},
 	"nodemonConfig": {
 		"watch": [