Implement setting API password via env variable

Signed-off-by: DL6ER <dl6er@dl6er.de>
2023-10-17 20:58:17 +02:00 · 2023-10-17 20:58:17 +02:00 · 6f8bc4ee82
parent b853e2a855
commit 6f8bc4ee82
5 changed files with 40 additions and 21 deletions
--- a/src/api/config.c
+++ b/src/api/config.c
@ -283,26 +283,8 @@ static const char *getJSONvalue(struct conf_item *conf_item, cJSON *elem, struct
 				break;
 			}

-			// Get password hash as allocated string (an empty string is hashed to an empty string)
-			char *pwhash = strlen(elem->valuestring) > 0 ? create_password(elem->valuestring) : strdup("");
-
-			// Verify that the password hash is valid
-			if(verify_password(elem->valuestring, pwhash, false) != PASSWORD_CORRECT)
-			{
-				free(pwhash);
+			if(!set_and_check_password(conf_item, elem->valuestring))
 				return "Failed to create password hash (verification failed), password remains unchanged";
-			}
-
-			// Get pointer to pwhash instead
-			conf_item--;
-
-			// Free previously allocated memory (if applicable)
-			if(conf_item->t == CONF_STRING_ALLOCATED)
-				free(conf_item->v.s);
-
-			// Set item
-			conf_item->v.s = pwhash;
-			log_debug(DEBUG_CONFIG, "Set %s to \"%s\"", conf_item->k, conf_item->v.s);

 			break;
 		}
--- a/src/config/password.c
+++ b/src/config/password.c
@ -570,3 +570,30 @@ int run_performance_test(void)

 	return EXIT_SUCCESS;
 }
+
+bool set_and_check_password(struct conf_item *conf_item, const char *password)
+{
+	// Get password hash as allocated string (an empty string is hashed to an empty string)
+	char *pwhash = strlen(password) > 0 ? create_password(password) : strdup("");
+
+	// Verify that the password hash is valid
+	if(verify_password(password, pwhash, false) != PASSWORD_CORRECT)
+	{
+		free(pwhash);
+		log_warn("Failed to create password hash (verification failed), password remains unchanged");
+		return false;
+	}
+
+	// Get pointer to pwhash instead
+	conf_item--;
+
+	// Free previously allocated memory (if applicable)
+	if(conf_item->t == CONF_STRING_ALLOCATED)
+		free(conf_item->v.s);
+
+	// Set item
+	conf_item->v.s = pwhash;
+	log_debug(DEBUG_CONFIG, "Set %s to \"%s\"", conf_item->k, conf_item->v.s);
+
+	return true;
+}
--- a/src/config/password.h
+++ b/src/config/password.h
@ -18,6 +18,7 @@ void sha256_raw_to_hex(uint8_t *data, char *buffer);
 char *create_password(const char *password) __attribute__((malloc));
 char verify_password(const char *password, const char *pwhash, const bool rate_limiting);
 int run_performance_test(void);
+bool set_and_check_password(struct conf_item *conf_item, const char *password);

 enum password_result {
 	PASSWORD_INCORRECT = 0,
--- a/src/config/toml_helper.c
+++ b/src/config/toml_helper.c
@ -18,6 +18,8 @@
 #include <sys/file.h>
 // rotate_files()
 #include "files.h"
+//set_and_check_password()
+#include "config/password.h"

 // Open the TOML file for reading or writing
 FILE * __attribute((malloc)) __attribute((nonnull(1))) openFTLtoml(const char *mode)
@ -714,6 +716,7 @@ void readTOMLvalue(struct conf_item *conf_item, const char* key, toml_table_t *t
 		case CONF_PASSWORD:
 		{
 			// This is ignored, it is only a pseudo-element with no real content
+			break;
 		}
 	}
 }
@ -950,7 +953,11 @@ bool readEnvValue(struct conf_item *conf_item, struct config *newconf)
 		}
 		case CONF_PASSWORD:
 		{
-			// This is ignored, it is only a pseudo-element with no real content
+			if(!set_and_check_password(conf_item, envvar))
+			{
+				log_warn("ENV %s is invalid", envkey);
+				break;
+			}
 		}
 	}

--- a/test/run.sh
+++ b/test/run.sh
@ -68,8 +68,10 @@ bash test/pdns/setup.sh
 OLDUMASK=$(umask)
 umask 0022

-# Start FTL
+# Set exemplary config value by environment variable
 export FTLCONF_misc_nice="-11"
+
+# Start FTL
 if ! su pihole -s /bin/sh -c /home/pihole/pihole-FTL; then
  echo "pihole-FTL failed to start"
  exit 1