Move database password to the password store

src/freedombone-app-gnusocial

@@ -874,7 +874,7 @@ function expire_gnusocial_posts {
     echo '' >> $gnusocial_expire_script
     echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $gnusocial_expire_script
     echo '$username="root";' >> $gnusocial_expire_script
-    echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $gnusocial_expire_script
+    echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $gnusocial_expire_script
     echo '$database="gnusocial";' >> $gnusocial_expire_script
     echo '' >> $gnusocial_expire_script
     echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $gnusocial_expire_script

src/freedombone-app-postactiv

@@ -607,7 +607,7 @@ function expire_postactiv_posts {
     echo '' >> $postactiv_expire_script
     echo '$oldate=date(("Y-m-d"), strtotime("-3 months"));' >> $postactiv_expire_script
     echo '$username="root";' >> $postactiv_expire_script
-    echo "\$password=trim(file_get_contents(\"$DATABASE_PASSWORD_FILE\"));" >> $postactiv_expire_script
+    echo "\$password=shell_exec('${PROJECT_NAME}-pass -u root -a mariadb');" >> $postactiv_expire_script
     echo '$database="postactiv";' >> $postactiv_expire_script
     echo '' >> $postactiv_expire_script
     echo 'if (!$link = mysql_connect("localhost", $username, $password)) {' >> $postactiv_expire_script

src/freedombone-backup-local

@@ -63,10 +63,7 @@ ADMIN_NAME=
 # Sites are suspended so that verification should work
 SUSPENDED_SITE=
 
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
-    DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
 
 function make_backup_directory {
     # make a backup directory on the drive

src/freedombone-backup-remote

@@ -70,10 +70,7 @@ if [ ! -f /home/${ADMIN_USERNAME}/backup.list ]; then
 fi
 
 # MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
-    DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
 
 # local directory where the backup will be made
 if [ ! -d $SERVER_DIRECTORY ]; then

src/freedombone-pass

@@ -54,7 +54,7 @@ function get_backup_key_id {
                            grep 'pub ' | awk -F ' ' '{print $2}' | \
                            awk -F '/' '{print $2}')
     if [ ${#MY_BACKUP_KEY_ID} -lt 4 ]; then
-        echo $"gpg backup key was not found"
+        echo $"Error: gpg backup key was not found"
         return 58213
     fi
 }
@@ -141,12 +141,12 @@ get_backup_key_id
 MASTER_PASSWORD=$(gpg -q --armor --export-secret-key $MY_BACKUP_KEY_ID | sed '/---/d' | sed '/Version/d' | sed '/^$/d')
 
 if [ ! $CURR_USERNAME ]; then
-    echo $'No username given'
+    echo $'Error: No username given'
     exit 1
 fi
 
 if [ ! -d /home/$CURR_USERNAME ]; then
-    echo $"User $CURR_USERNAME does not exist"
+    echo $"Error: User $CURR_USERNAME does not exist"
     exit 2
 fi
 
@@ -158,7 +158,7 @@ if [ ${REMOVE_APP} ]; then
 fi
 
 if [ ! $CURR_APP ]; then
-    echo $'No app name given'
+    echo $'Error: No app name given'
     exit 3
 fi
 

src/freedombone-repair-database

@@ -44,7 +44,8 @@ ADMIN_EMAIL_ADDRESS=${ADMIN_USERNAME}@${HOSTNAME}
 # Frequency - daily/weekly
 BACKUP_TYPE='daily'
 
-MYSQL_ROOT_PASSWORD=$(cat /root/dbpass)
+MYSQL_ROOT_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
+
 TEMPFILE=/root/repair-database-$DATABASE
 
 umask 0077

src/freedombone-restore-local

@@ -66,10 +66,7 @@ if [ -f $COMPLETION_FILE ]; then
 fi
 
 # MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
-    DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
 
 function check_backup_exists {
     if [ ! -d $USB_MOUNT/backup ]; then
@@ -182,18 +179,14 @@ function restore_mariadb {
         echo $"Restoring mysql settings"
         temp_restore_dir=/root/tempmariadb
         restore_directory_from_usb $temp_restore_dir mariadb
-        echo $"Get the MariaDB password from the backup"
-        if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
-            echo $"MariaDB password file not found"
-            exit 495
-        fi
-        BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
-        if [[ $BACKUP_MARIADB_PASSWORD != $DATABASE_PASSWORD ]]; then
+        echo $'Obtaining MariaDB password'
+        db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
+        if [ ${#db_pass} -gt 0 ]; then
             echo $"Restore the MariaDB user table"
-            mysqlsuccess=$(mysql -u root --password=$DATABASE_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+            mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
             if [ ! "$?" = "0" ]; then
                 echo $"Try again using the password obtained from backup"
-                mysqlsuccess=$(mysql -u root --password=$BACKUP_MARIADB_PASSWORD mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+                mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
             fi
             if [ ! "$?" = "0" ]; then
                 echo "$mysqlsuccess"
@@ -204,14 +197,10 @@ function restore_mariadb {
             echo $"Restarting database"
             service mysql restart
             echo $"Change the MariaDB password to the backup version"
-            DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
+            DATABASE_PASSWORD="$db_pass"
+            ${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
         fi
-        shred -zu ${temp_restore_dir}${temp_restore_dir}/db
         rm -rf $temp_restore_dir
-
-        # Change database password file
-        echo "$DATABASE_PASSWORD" > /root/dbpass
-        chmod 600 /root/dbpass
     fi
 }
 
@@ -723,9 +712,9 @@ check_admin_user
 copy_gpg_keys
 restore_configfiles
 same_admin_user
+restore_passwordstore
 restore_mariadb
 restore_letsencrypt
-restore_passwordstore
 restore_tor
 restore_mutt_settings
 restore_gpg

src/freedombone-restore-remote

@@ -94,10 +94,7 @@ else
 fi
 
 # MariaDB password
-DATABASE_PASSWORD=''
-if [ -f /root/dbpass ]; then
-    DATABASE_PASSWORD=$(cat /root/dbpass)
-fi
+DATABASE_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
 
 function copy_gpg_keys {
     echo $"Copying GPG keys from admin user to root"
@@ -176,18 +173,15 @@ function restore_mariadb {
         echo $"Restoring MariaDB settings"
         temp_restore_dir=/root/tempmariadb
         restore_directory_from_friend $temp_restore_dir mariadb
-        echo $"Get the MariaDB password from the backup"
-        if [ ! -f ${temp_restore_dir}${temp_restore_dir}/db ]; then
-            echo $"MariaDB password file not found"
-            exit 495
-        fi
-        BACKUP_MARIADB_PASSWORD=$(cat ${temp_restore_dir}${temp_restore_dir}/db)
-        if [[ "$BACKUP_MARIADB_PASSWORD" != "$DATABASE_PASSWORD" ]]; then
+
+        echo $'Obtaining MariaDB password'
+        db_pass=$(${PROJECT_NAME}-pass -u root -a mariadb)
+        if [ ${#db_pass} -gt 0 ]; then
             echo $"Restore the MariaDB user table"
             mysqlsuccess=$(mysql -u root --password="$DATABASE_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
             if [ ! "$?" = "0" ]; then
                 echo $"Try again using the password obtained from backup"
-                mysqlsuccess=$(mysql -u root --password="$BACKUP_MARIADB_PASSWORD" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
+                mysqlsuccess=$(mysql -u root --password="$db_pass" mysql -o < ${temp_restore_dir}${temp_restore_dir}/mysql.sql)
             fi
             if [ ! "$?" = "0" ]; then
                 echo "$mysqlsuccess"
@@ -196,14 +190,10 @@ function restore_mariadb {
             echo $"Restarting database"
             service mysql restart
             echo $"Change the MariaDB password to the backup version"
-            DATABASE_PASSWORD=$BACKUP_MARIADB_PASSWORD
+            DATABASE_PASSWORD="$db_pass"
+            ${PROJECT_NAME}-pass -u root -a mariadb -p "$DATABASE_PASSWORD"
         fi
-        shred -zu ${temp_restore_dir}${temp_restore_dir}/db
         rm -rf ${temp_restore_dir}
-
-        # Change database password file
-        echo "$DATABASE_PASSWORD" > /root/dbpass
-        chmod 600 /root/dbpass
     fi
 }
 
@@ -659,9 +649,9 @@ ${PROJECT_NAME}-recoverkey -u ${ADMIN_USERNAME} -l $BACKUP_LIST
 
 copy_gpg_keys
 restore_configfiles
+restore_passwordstore
 restore_mariadb
 restore_letsencrypt
-restore_passwordstore
 restore_mutt_settings
 restore_gpg
 restore_procmail

src/freedombone-utils-database

@@ -34,10 +34,6 @@ MARIADB_PASSWORD=
 # Used to indicate whether the backup contains MariaDB databases or not
 BACKUP_INCLUDES_DATABASES="no"
 
-# contains the mysql root password which
-# is used for backups and repair
-DATABASE_PASSWORD_FILE=/root/dbpass
-
 function remove_backup_database_local {
     database_name=$1
 
@@ -114,9 +110,18 @@ function backup_database_local {
 }
 
 function get_mariadb_password {
+    # migrate from database password file to using the password store
+    DATABASE_PASSWORD_FILE=/root/dbpass
     if [ -f $DATABASE_PASSWORD_FILE ]; then
         MARIADB_PASSWORD=$(cat $DATABASE_PASSWORD_FILE)
+        ${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
+        if [[ "$(${PROJECT_NAME}-pass -u root -a mariadb)" == "$MARIADB_PASSWORD" ]]; then
+            shred -zu $DATABASE_PASSWORD_FILE
+            echo $'MariaDB password moved into password store'
+            return
+        fi
     fi
+    MARIADB_PASSWORD=$(${PROJECT_NAME}-pass -u root -a mariadb)
 }
 
 function install_mariadb {
@@ -135,8 +140,7 @@ function install_mariadb {
         else
             MARIADB_PASSWORD="$(openssl rand -base64 32 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
         fi
-        echo "$MARIADB_PASSWORD" > $DATABASE_PASSWORD_FILE
-        chmod 600 $DATABASE_PASSWORD_FILE
+        ${PROJECT_NAME}-pass -u root -a mariadb -p "$MARIADB_PASSWORD"
     fi
 
     debconf-set-selections <<< "mariadb-server mariadb-server/root_password password $MARIADB_PASSWORD"
@@ -164,8 +168,7 @@ function backup_databases_script_header {
         echo '' >> /usr/bin/backupdatabases
         echo "EMAIL='$MY_EMAIL_ADDRESS'" >> /usr/bin/backupdatabases
         echo '' >> /usr/bin/backupdatabases
-        echo -n 'MYSQL_PASSWORD=$(cat ' >> /usr/bin/backupdatabases
-        echo "$DATABASE_PASSWORD_FILE)" >> /usr/bin/backupdatabases
+        echo "MYSQL_PASSWORD=\$(${PROJECT_NAME}-pass -u root -a mariadb)" >> /usr/bin/backupdatabases
         echo 'umask 0077' >> /usr/bin/backupdatabases
         echo '' >> /usr/bin/backupdatabases
         echo '# exit if we are backing up to friends servers' >> /usr/bin/backupdatabases
@@ -207,7 +210,8 @@ function repair_databases_script {
         return
     fi
 
-    if [ ! -f $DATABASE_PASSWORD_FILE ]; then
+    db_pass=$(${PROJECT_NAME}-pass -u root -p mariadb)
+    if [[ "$db_pass" == 'Error:'* ]]; then
         return
     fi