fix fernet key, add legacy-cgi

aptalca · aptalca · commit db9ee61c95c5 · 2024-12-25T11:35:00.000-05:00
diff --git a/Dockerfile b/Dockerfile
@@ -29,6 +29,7 @@ RUN \
     wheel && \
   pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
     cryptography \
+    legacy-cgi \
     python-ldap=="${LDAP_VERSION}" && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
@@ -29,6 +29,7 @@ RUN \
     wheel && \
   pip install -U --no-cache-dir --find-links https://wheel-index.linuxserver.io/alpine-3.21/ \
     cryptography \
+    legacy-cgi \
     python-ldap=="${LDAP_VERSION}" && \
   printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
   echo "**** cleanup ****" && \
diff --git a/README.md b/README.md
@@ -296,6 +296,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **25.12.24:** - Add `legacy-cgi`. Fix fernet key storage.
 * **22.12.24:** - Rebase to Alpine 3.21. Add support for read-only and non-root.
 * **30.06.24:** - Rebase to Alpine 3.20.
 * **23.12.23:** - Rebase to Alpine 3.19.
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -74,6 +74,7 @@ init_diagram: |
   "ldap-auth:latest" <- Base Images
 # changelog
 changelogs:
+  - {date: "25.12.24:", desc: "Add `legacy-cgi`. Fix fernet key storage."}
   - {date: "22.12.24:", desc: "Rebase to Alpine 3.21. Add support for read-only and non-root."}
   - {date: "30.06.24:", desc: "Rebase to Alpine 3.20."}
   - {date: "23.12.23:", desc: "Rebase to Alpine 3.19."}
diff --git a/root/app/fernet-key.py b/root/app/fernet-key.py
@@ -4,4 +4,4 @@
 from cryptography.fernet import Fernet
 
 key = Fernet.generate_key()
-print(key)
+print(key.decode())
diff --git a/root/app/ldap-backend-app.py b/root/app/ldap-backend-app.py
@@ -137,7 +137,8 @@ def do_POST(self):
 
             self.send_response(302)
 
-            cipher_suite = Fernet(os.getenv("FERNET_KEY"))
+            fernetkey = os.getenv("FERNET_KEY").encode()
+            cipher_suite = Fernet(fernetkey)
             enc = cipher_suite.encrypt(ensure_bytes(user + ':' + passwd))
             enc = enc.decode()
             self.send_header('Set-Cookie', 'nginxauth=' + enc + '; httponly')
diff --git a/root/app/nginx-ldap-auth-daemon.py b/root/app/nginx-ldap-auth-daemon.py
@@ -85,7 +85,8 @@ def do_GET(self):
         ctx['action'] = 'decoding credentials'
 
         try:
-            cipher_suite = Fernet(os.getenv("FERNET_KEY"))
+            fernetkey = os.getenv("FERNET_KEY").encode()
+            cipher_suite = Fernet(fernetkey)
             self.log_message('Trying to dechipher credentials...')
             auth_decoded = auth_header[6:].encode()
             auth_decoded = cipher_suite.decrypt(auth_decoded)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-ldap-config/run b/root/etc/s6-overlay/s6-rc.d/init-ldap-config/run
@@ -11,7 +11,7 @@ if [[ ! -f "/run/.fernetkey" ]]; then
         KEY=$(python3 /app/fernet-key.py)
         echo "generated fernet key"
     else
-        KEY="b'${FERNETKEY}'"
+        KEY="${FERNETKEY}"
         echo "using FERNETKEY from env variable"
     fi
     echo "${KEY}" > /run/.fernetkey
