Update to 2022-03-04 11:00

2025-04-14 09:13:16 +02:00 · 2022-03-04 11:00:17 +01:00 · 2022-03-04 11:00:17 +01:00 · 8c7a9d243a
commit 8c7a9d243a
parent bc6d7f90ae
4 changed files with 34 additions and 11 deletions
--- a/roles/phpmyadmin/defaults/main.yml
+++ b/roles/phpmyadmin/defaults/main.yml
@ -72,3 +72,7 @@ pma_sso_groups: []
 #   - group: DB_Admins
 #     sql_login: admin
 #     sql_password: s3cr3t.
+
+# Instead of storing SQL credentials in clear text in sso.php, you can define an encryption key here
+# This encryption key should be passed to phpMyAdmin in the X-Encryption-Token HTTP header so phpMyAdmin can decrypt the passwords
+# pma_sso_encryption_token: myrandompassword
--- a/roles/phpmyadmin/tasks/facts.yml
+++ b/roles/phpmyadmin/tasks/facts.yml
@ -35,3 +35,20 @@
        - pass_file: "{{pma_root_dir }}/meta/ansible_dbpass"
    - set_fact: pma_db_pass={{ rand_pass }}
  tags: pma
+
+- name: Encrypt SQL user passwords
+  command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.user }}'),0,16));"
+  register: pma_sso_users_encrypted
+  changed_when: False
+  loop: "{{ pma_sso_users | default([]) }}"
+  when: pma_sso_encryption_token is defined
+  tags: pma
+
+- name: Encrypt SQL group passwords
+  command: php{{ pma_php_version }} -r "echo openssl_encrypt('{{ item.sql_password }}','aes-128-cbc','{{ pma_sso_encryption_token }}',0,substr(hash('sha256','{{ item.group }}'),0,16));"
+  register: pma_sso_groups_encrypted
+  changed_when: False
+  loop: "{{ pma_sso_groups | default([]) }}"
+  when: pma_sso_encryption_token is defined
+  tags: pma
+
--- a/roles/phpmyadmin/tasks/install.yml
+++ b/roles/phpmyadmin/tasks/install.yml
@ -52,3 +52,12 @@
  when: db_created.changed
  tags: pma

+- name: Setup a cron job to cleanup expired sessions
+  cron:
+    name: phpmyadmin_{{ pma_id }}_session_cleanup
+    cron_file: phpmyadmin
+    user: "{{ pma_php_user }}"
+    job: "find {{ pma_root_dir }}/sessions -type f -mmin +480 -exec rm -f \"{}\" \\;"
+    special_time: hourly
+  tags: pma
+
--- a/roles/phpmyadmin/templates/sso.php.j2
+++ b/roles/phpmyadmin/templates/sso.php.j2
@ -1,20 +1,13 @@
 <?php

-$login['admin'] = 'sqladmin';
-$password['admin'] = '{{ mysql_admin_pass | regex_replace('\'', '\\\'')}}';
 {% for user in pma_sso_users | default([]) %}
 $login['{{ user.user }}'] = '{{ user.sql_login }}';
-$password['{{ user.user }}'] = '{{ user.sql_password | regex_replace('\'', '\\\'') }}';
+$password['{{ user.user }}'] = '{{ (pma_sso_encryption_token is defined) | ternary(pma_sso_users_encrypted.results | selectattr('item.user', 'equalto', user.user) | map(attribute='stdout') | first, user.sql_password | regex_replace('\'', '\\\'')) }}';
 {% endfor %}

 {% for group in pma_sso_groups | default([]) %}
 $g_login['{{ group.group }}'] = '{{ group.sql_login }}';
-$g_password['{{ group.group }}'] = '{{ group.sql_password | regex_replace('\'', '\\\'') }}';
-{% endfor %}
-
-{% for client in wh_clients | default([]) %}
-$g_login['Client_{{ client.name }}'] = '{{ client.name | regex_replace('\'', '\\\'') }}';
-$g_password['Client_{{ client.name }}'] = '{{ client.db_pass | default((wh_pass_seed | password_hash('sha256', 65534 | random(seed=client.name) | string))[9:27]) | regex_replace('\'', '\\\'') }}';
+$g_password['{{ group.group }}'] = '{{ (pma_sso_encryption_token is defined) | ternary(pma_sso_groups_encrypted.results | selectattr('item.group', 'equalto', group.group) | map(attribute='stdout') | first, group.sql_password | regex_replace('\'', '\\\'')) }}';
 {% endfor %}

 {% for field in pma_sso_user_fields %}
@ -33,7 +26,7 @@ if(isSet($ssologin) && isSet($login[$ssologin]) && isSet($password[$ssologin]))
    session_name('PmaSignonSession');
    session_start();
    $_SESSION['PMA_single_signon_user'] = $login[$ssologin];
-    $_SESSION['PMA_single_signon_password'] = $password[$ssologin];
+    $_SESSION['PMA_single_signon_password'] = {{ (pma_sso_encryption_token is defined) | ternary("openssl_decrypt($password[$ssologin],'aes-128-cbc',$_SERVER['HTTP_X_ENCRYPTION_TOKEN'],0,substr(hash('sha256',$ssologin),0,16))",'$password[$ssologin]') }};
    session_write_close();
    header('Location: /index.php');
    exit(0);
@ -44,7 +37,7 @@ if(isSet($ssologin) && isSet($login[$ssologin]) && isSet($password[$ssologin]))
            session_name('PmaSignonSession');
            session_start();
            $_SESSION['PMA_single_signon_user'] = $g_login[$group];
-            $_SESSION['PMA_single_signon_password'] = $g_password[$group];
+            $_SESSION['PMA_single_signon_password'] = {{ (pma_sso_encryption_token is defined) | ternary("openssl_decrypt($g_password[$group],'aes-128-cbc',$_SERVER['HTTP_X_ENCRYPTION_TOKEN'],0,substr(hash('sha256',$group),0,16))",'$g_password[$group]') }};
            session_write_close();
            header('Location: /index.php');
            exit(0);