cleanup credentials

.env

@@ -30,15 +30,16 @@ OPENC3_REDIS_PORT=6379
 OPENC3_REDIS_EPHEMERAL_HOSTNAME=openc3-redis-ephemeral
 OPENC3_REDIS_EPHEMERAL_PORT=6380
 # Usernames and passwords
+# These lines can be removed from this file if available in the host computer environment variables
 OPENC3_REDIS_USERNAME=openc3
 OPENC3_REDIS_PASSWORD=openc3password
 OPENC3_BUCKET_USERNAME=openc3minio
 OPENC3_BUCKET_PASSWORD=openc3miniopassword
-OPENC3_SERVICE_PASSWORD=openc3service
 OPENC3_SR_REDIS_USERNAME=scriptrunner
 OPENC3_SR_REDIS_PASSWORD=scriptrunnerpassword
 OPENC3_SR_BUCKET_USERNAME=scriptrunnerminio
 OPENC3_SR_BUCKET_PASSWORD=scriptrunnerminiopassword
+OPENC3_SERVICE_PASSWORD=openc3service
 # Build and repository settings
 ALPINE_VERSION=3.18
 ALPINE_BUILD=3

compose.yaml

@@ -14,7 +14,7 @@
 # GNU Affero General Public License for more details.
 
 # Modified by OpenC3, Inc.
-# All changes Copyright 2022, OpenC3, Inc.
+# All changes Copyright 2023, OpenC3, Inc.
 # All Rights Reserved
 #
 # This file may also be used under the terms of a commercial license
@@ -111,8 +111,13 @@ services:
         max-size: "10m"
         max-file: "3"
     environment:
-      - "RAILS_ENV=production"
-      - "GEM_HOME=/gems"
+      RAILS_ENV: "production"
+      GEM_HOME: "/gems"
+      OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}"
+      OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}"
+      OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}"
+      OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}"
+      OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}"
     env_file:
       - ".env"
 
@@ -136,8 +141,17 @@ services:
         max-size: "10m"
         max-file: "3"
     environment:
-      - "RAILS_ENV=production"
-      - "GEM_HOME=/gems"
+      RAILS_ENV: "production"
+      GEM_HOME: "/gems"
+      OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}"
+      OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}"
+      OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}"
+      OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}"
+      OPENC3_SR_REDIS_USERNAME: "${OPENC3_SR_REDIS_USERNAME}"
+      OPENC3_SR_REDIS_PASSWORD: "${OPENC3_SR_REDIS_PASSWORD}"
+      OPENC3_SR_BUCKET_USERNAME: "${OPENC3_SR_BUCKET_USERNAME}"
+      OPENC3_SR_BUCKET_PASSWORD: "${OPENC3_SR_BUCKET_PASSWORD}"
+      OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}"
     env_file:
       - ".env"
 
@@ -165,7 +179,12 @@ services:
         max-size: "10m"
         max-file: "3"
     environment:
-      - "GEM_HOME=/gems"
+      GEM_HOME: "/gems"
+      OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}"
+      OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}"
+      OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}"
+      OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}"
+      OPENC3_SERVICE_PASSWORD: "${OPENC3_SERVICE_PASSWORD}"
     env_file:
       - ".env"
     extra_hosts:
@@ -223,7 +242,13 @@ services:
         max-size: "10m"
         max-file: "3"
     environment:
-      - "GEM_HOME=/gems"
+      GEM_HOME: "/gems"
+      OPENC3_REDIS_USERNAME: "${OPENC3_REDIS_USERNAME}"
+      OPENC3_REDIS_PASSWORD: "${OPENC3_REDIS_PASSWORD}"
+      OPENC3_BUCKET_USERNAME: "${OPENC3_BUCKET_USERNAME}"
+      OPENC3_BUCKET_PASSWORD: "${OPENC3_BUCKET_PASSWORD}"
+      OPENC3_SR_BUCKET_USERNAME: "${OPENC3_SR_BUCKET_USERNAME}"
+      OPENC3_SR_BUCKET_PASSWORD: "${OPENC3_SR_BUCKET_PASSWORD}"
     env_file:
       - ".env"
 

examples/hostinstall/centos7/openc3_env.sh

@@ -19,8 +19,6 @@ export OPENC3_REDIS_PASSWORD=openc3password
 export OPENC3_BUCKET_USERNAME=openc3minio
 export OPENC3_BUCKET_PASSWORD=openc3miniopassword
 
-export OPENC3_SERVICE_PASSWORD=openc3service
-
 export OPENC3_SR_REDIS_USERNAME=scriptrunner
 export OPENC3_SR_REDIS_PASSWORD=scriptrunnerpassword
 export OPENC3_SR_BUCKET_USERNAME=scriptrunnerminio

openc3-cosmos-script-runner-api/app/models/running_script.rb

@@ -360,8 +360,8 @@ def self.spawn(scope, name, suite_runner = nil, disconnect = false, environment
       end
     else
       process.environment['OPENC3_API_USER'] = ENV['OPENC3_API_USER']
-      if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
-        process.environment['OPENC3_API_PASSWORD'] = ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+      if ENV['OPENC3_SERVICE_PASSWORD']
+        process.environment['OPENC3_API_PASSWORD'] = ENV['OPENC3_SERVICE_PASSWORD']
       else
         raise "No authentication available for script"
       end

openc3-cosmos-script-runner-api/app/models/script.rb

@@ -99,8 +99,8 @@ def self.process_suite(name, contents, new_process: true, username: nil, scope:)
         end
       else
         process.environment['OPENC3_API_USER'] = ENV['OPENC3_API_USER']
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
-          process.environment['OPENC3_API_PASSWORD'] = ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_SERVICE_PASSWORD']
+          process.environment['OPENC3_API_PASSWORD'] = ENV['OPENC3_SERVICE_PASSWORD']
         else
           raise "No authentication available for script"
         end

openc3-cosmos-script-runner-api/spec/spec_helper.rb

@@ -17,7 +17,7 @@
 # All changes Copyright 2022, OpenC3, Inc.
 # All Rights Reserved
 #
-# This file may also be used under the terms of a commercial license 
+# This file may also be used under the terms of a commercial license
 # if purchased from OpenC3, Inc.
 
 # This file was generated by the `rails generate rspec:install` command. Conventionally, all

openc3-redis/users.acl

@@ -1,5 +1,5 @@
 user healthcheck on nopass -@all +cluster|info +ping
-user openc3 on >openc3password allkeys allchannels -@all +@read +@write +@pubsub +@connection +@transaction +info
-user scriptrunner on >scriptrunnerpassword resetkeys resetchannels ~running-script* ~*script-locks ~*script-breakpoints ~*openc3_log_messages &_action_cable_internal &script-api:* -@all +@read +@write +@pubsub +@hash +@connection
-user admin on >adminpassword +@admin
+user openc3 on #022bd57403439b2a3ec0c081cdd35d40a199bbd4ee6fc0e5113edd4fe1c10071 allkeys allchannels -@all +@read +@write +@pubsub +@connection +@transaction +info
+user scriptrunner on #e808c74e210256ee7cf3ec165271544167de776d526f7fa94243e5cdcc08b0c1 resetkeys resetchannels ~running-script* ~*script-locks ~*script-breakpoints ~*openc3_log_messages &_action_cable_internal &script-api:* -@all +@read +@write +@pubsub +@hash +@connection
+user admin on #749f09bade8aca755660eeb17792da880218d4fbdc4e25fbec279d7fe9f65d70 +@admin
 user default off

openc3/README.md

@@ -17,7 +17,6 @@ set OPENC3_REDIS_USERNAME=openc3
 set OPENC3_REDIS_PASSWORD=openc3password
 set OPENC3_BUCKET_USERNAME=openc3minio
 set OPENC3_BUCKET_PASSWORD=openc3miniopassword
-set OPENC3_SERVICE_PASSWORD=openc3service
 set OPENC3_SR_REDIS_USERNAME=scriptrunner
 set OPENC3_SR_REDIS_PASSWORD=scriptrunnerpassword
 set OPENC3_SR_BUCKET_USERNAME=scriptrunnerminio
@@ -31,7 +30,6 @@ OPENC3_REDIS_USERNAME=openc3
 OPENC3_REDIS_PASSWORD=openc3password
 OPENC3_BUCKET_USERNAME=openc3minio
 OPENC3_BUCKET_PASSWORD=openc3miniopassword
-OPENC3_SERVICE_PASSWORD=openc3service
 OPENC3_SR_REDIS_USERNAME=scriptrunner
 OPENC3_SR_REDIS_PASSWORD=scriptrunnerpassword
 OPENC3_SR_BUCKET_USERNAME=scriptrunnerminio

openc3/lib/openc3/io/json_api.rb

@@ -53,7 +53,7 @@ def _generate_url(microservice_name:, prefix:, schema: 'http', hostname: nil, po
     # generate the auth object
     def _generate_auth
       if ENV['OPENC3_API_TOKEN'].nil? and ENV['OPENC3_API_USER'].nil?
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_API_PASSWORD']
           return OpenC3Authentication.new()
         else
           return nil

openc3/lib/openc3/io/json_api_object.rb

@@ -72,7 +72,7 @@ def initialize(url: ENV['OPENC3_API_URL'], timeout: 1.0, authentication: nil)
     # generate the auth object
     def generate_auth
       if ENV['OPENC3_API_TOKEN'].nil? and ENV['OPENC3_API_USER'].nil?
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_API_PASSWORD']
           return OpenC3Authentication.new()
         else
           return nil

openc3/lib/openc3/models/auth_model.rb

@@ -26,13 +26,10 @@
 module OpenC3
   class AuthModel
     PRIMARY_KEY = 'OPENC3__TOKEN'
-    SERVICE_KEY = 'OPENC3__SERVICE__TOKEN'
 
     TOKEN_CACHE_TIMEOUT = 5
     @@token_cache = nil
     @@token_cache_time = nil
-    @@service_token_cache = nil
-    @@service_token_cache_time = nil
 
     def self.is_set?(key = PRIMARY_KEY)
       Store.exists(key) == 1
@@ -43,20 +40,15 @@ def self.verify(token, permission: nil)
 
       token_hash = hash(token)
       return true if @@token_cache and (Time.now - @@token_cache_time) < TOKEN_CACHE_TIMEOUT and @@token_cache == token_hash
-      return true if @@service_token_cache and (Time.now - @@service_token_cache_time) < TOKEN_CACHE_TIMEOUT and @@service_token_cache == token_hash and permission != 'admin'
 
       @@token_cache = Store.get(PRIMARY_KEY)
       @@token_cache_time = Time.now
       return true if @@token_cache == token_hash
 
-      @@service_token_cache = Store.get(SERVICE_KEY)
-      @@service_token_cache_time = @@token_cache_time
-      if ENV['OPENC3_SERVICE_PASSWORD'] and hash(ENV['OPENC3_SERVICE_PASSWORD']) != @@service_token_cache
-        set_hash = hash(ENV['OPENC3_SERVICE_PASSWORD'])
-        OpenC3::Store.set(SERVICE_KEY, set_hash)
-        @@service_token_cache = set_hash
-      end
-      return true if @@service_token_cache == token_hash and permission != 'admin'
+      # Handle a service password - Generally only used by ScriptRunner
+      service_password = ENV['OPENC3_SERVICE_PASSWORD']
+      return true if service_password and service_password == token and permission != 'admin'
+
       return false
     end
 

openc3/lib/openc3/script/script.rb

@@ -222,7 +222,7 @@ def generate_timeout
     # generate the auth object
     def generate_auth
       if ENV['OPENC3_API_TOKEN'].nil? and ENV['OPENC3_API_USER'].nil?
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_API_PASSWORD']
           return OpenC3Authentication.new()
         else
           return nil
@@ -292,7 +292,7 @@ def generate_timeout
     # generate the auth object
     def generate_auth
       if ENV['OPENC3_API_TOKEN'].nil? and ENV['OPENC3_API_USER'].nil?
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_API_PASSWORD']
           return OpenC3Authentication.new()
         else
           return nil

openc3/lib/openc3/script/web_socket_api.rb

@@ -161,7 +161,7 @@ def disconnect
     # Generate the appropriate token for OpenC3
     def generate_auth
       if ENV['OPENC3_API_TOKEN'].nil? and ENV['OPENC3_API_USER'].nil?
-        if ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+        if ENV['OPENC3_API_PASSWORD']
           return OpenC3Authentication.new()
         else
           raise "Environment Variables Not Set for Authentication"

openc3/lib/openc3/utilities/authentication.rb

@@ -31,9 +31,9 @@ class OpenC3AuthenticationRetryableError < OpenC3AuthenticationError; end
   # OpenC3 base / open source authentication code
   class OpenC3Authentication
     def initialize()
-      @token = ENV['OPENC3_API_PASSWORD'] || ENV['OPENC3_SERVICE_PASSWORD']
+      @token = ENV['OPENC3_API_PASSWORD']
       if @token.nil?
-        raise OpenC3AuthenticationError, "Authentication requires environment variables OPENC3_API_PASSWORD or OPENC3_SERVICE_PASSWORD"
+        raise OpenC3AuthenticationError, "Authentication requires environment variable OPENC3_API_PASSWORD"
       end
     end
 

openc3/python/openc3/environment.py

@@ -42,7 +42,6 @@
 _openc3_bucket_url = "OPENC3_BUCKET_URL"
 _openc3_bucket_username = "OPENC3_BUCKET_USERNAME"
 _openc3_bucket_password = "OPENC3_BUCKET_PASSWORD"
-_openc3_service_password = "OPENC3_SERVICE_PASSWORD"
 _openc3_devel = "OPENC3_DEVEL"
 _openc3_full_backtrace = "OPENC3_FULL_BACKTRACE"
 _openc3_config_bucket = "OPENC3_CONFIG_BUCKET"
@@ -104,7 +103,6 @@
 OPENC3_BUCKET_URL = os.environ.get(_openc3_bucket_url)
 OPENC3_BUCKET_USERNAME = os.environ.get(_openc3_bucket_username)
 OPENC3_BUCKET_PASSWORD = os.environ.get(_openc3_bucket_password)
-OPENC3_SERVICE_PASSWORD = os.environ.get(_openc3_service_password)
 OPENC3_DEVEL = os.environ.get(_openc3_devel)
 OPENC3_FULL_BACKTRACE = os.environ.get(_openc3_full_backtrace)
 OPENC3_CONFIG_BUCKET = os.environ.get(_openc3_config_bucket)

openc3/python/openc3/io/json_api_object.py

@@ -67,7 +67,7 @@ def __init__(self, url, timeout=1.0, authentication=None):
     # generate the auth object
     def generate_auth(self):
         if OPENC3_API_TOKEN is None and OPENC3_API_USER is None:
-            if OPENC3_API_PASSWORD or OPENC3_SERVICE_PASSWORD:
+            if OPENC3_API_PASSWORD:
                 return OpenC3Authentication()
             else:
                 return None

openc3/python/openc3/script/server_proxy.py

@@ -43,7 +43,7 @@ def generate_timeout(self):
     # generate the auth object
     def generate_auth(self):
         if OPENC3_API_TOKEN is None and OPENC3_API_USER is None:
-            if OPENC3_API_PASSWORD or OPENC3_SERVICE_PASSWORD:
+            if OPENC3_API_PASSWORD:
                 return OpenC3Authentication()
             else:
                 return None

openc3/python/openc3/utilities/authentication.py

@@ -35,10 +35,10 @@ class OpenC3AuthenticationRetryableError(OpenC3AuthenticationError):
 # OpenC3 base / open source authentication code
 class OpenC3Authentication:
     def __init__(self):
-        self._token = OPENC3_API_PASSWORD or OPENC3_SERVICE_PASSWORD
+        self._token = OPENC3_API_PASSWORD
         if not self._token:
             raise OpenC3AuthenticationError(
-                "Authentication requires environment variables OPENC3_API_PASSWORD or OPENC3_SERVICE_PASSWORD"
+                "Authentication requires environment variable OPENC3_API_PASSWORD"
             )
 
     def token(self):