#!/usr/bin/env bash
#
# COM2 database credential discovery and verification.
#
# Reads the DB containers' environment, collects password candidates from
# files under $ROOT, tests each candidate with a login attempt inside the
# containers, and prints the outcome with the password masked.
#
# Requires: bash 4+ (mapfile), docker with the compose plugin.

# Abort on unhandled errors, unset variables and failed pipeline stages.
set -euo pipefail

# Installation root that is scanned for credential files.
ROOT="/opt/hx-ki"
# Compose file describing the COM2 stack.
COMPOSE="${ROOT}/com2-stack/docker-compose.yml"
# Names passed to "docker compose up", "docker inspect" and "docker exec".
PG_C="hxki-postgres"
MY_C="hxki-mariadb"
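echo "=== COM2 · DISCOVER + VERIFY DB CREDS (one-shot, no guessing) ==="

# Nothing below can work without the compose file, so stop early.
[ -f "$COMPOSE" ] || { echo "FAIL: missing $COMPOSE"; exit 1; }

echo "[0] Start only DB containers (for verification tests)"
# Best-effort start: the containers may already be running. A failure is
# reported instead of being swallowed, because with the databases down every
# login test below fails and the final report would wrongly read as
# "password not found".
if ! docker compose -f "$COMPOSE" up -d "$PG_C" "$MY_C" >/dev/null 2>&1; then
  echo " WARN: 'docker compose up' failed for $PG_C / $MY_C; login tests may fail because the databases are not running" >&2
fi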
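echo "[1] Read current container ENV (ground truth candidates)"

#######################################
# Print the value of the last environment entry of a container whose name
# matches the given pattern. Prints nothing if there is no such entry or if
# "docker inspect" fails.
# Arguments: $1 - container name
#            $2 - ERE alternation of variable names (without anchors)
# Outputs:   the value on stdout
# Returns:   always 0 (lookup is best-effort)
#######################################
container_env() {
  local container="$1" name_re="$2"
  # Strip only the leading "NAME=" so that values which themselves contain
  # "=" (for example base64-padded passwords) are kept intact; splitting on
  # "=" and printing the second field would truncate them.
  docker inspect "$container" --format '{{range .Config.Env}}{{println .}}{{end}}' \
    | awk -v re="^(${name_re})=" \
        '$0 ~ re { sub(/^[^=]*=/, ""); val = $0; found = 1 } END { if (found) print val }' \
    || true
}

PG_USER="$(container_env "$PG_C" 'POSTGRES_USER')"
PG_DB="$(container_env "$PG_C" 'POSTGRES_DB')"
MY_ROOT_PW_ENV="$(container_env "$MY_C" 'MARIADB_ROOT_PASSWORD|MYSQL_ROOT_PASSWORD')"

echo " PG_USER=${PG_USER:-<unknown>} PG_DB=${PG_DB:-<unknown>}"
# Only report whether a root password is present; the value is never printed.
echo " MY_ROOT_PW_ENV=${MY_ROOT_PW_ENV:+<set>} ${MY_ROOT_PW_ENV:+"(not shown)"}"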
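echo "[2] Collect password candidates from existing files (no guessing)"
# We only scan /opt/hx-ki for known keys; no invention.
SECRET_KEY_RE='(POSTGRES_PASSWORD|PG_PASSWORD|DB_POSTGRESDB_PASSWORD|MARIADB_ROOT_PASSWORD|MYSQL_ROOT_PASSWORD|MAUTIC_DB_PASSWORD|MAUTIC_DB_ROOT_PASSWORD)'

#######################################
# Reduce "KEY=value" / "KEY: value" lines to the bare value.
# Globals:   SECRET_KEY_RE (read)
# Arguments: none; reads lines from stdin
# Outputs:   one value per line on stdout
#######################################
extract_secret_values() {
  # Cut at the key name plus its separator rather than at the last ":" or "="
  # on the line: a greedy cut at the last separator truncates values that
  # contain ":" or "=" and loses values ending in "=" altogether. Trailing
  # whitespace (including a CR from CRLF files) is removed before one layer
  # of surrounding quotes is stripped.
  sed -E \
    -e "s/^.*${SECRET_KEY_RE}[[:space:]]*[:=][[:space:]]*//" \
    -e 's/[[:space:]]+$//' \
    -e "s/^['\"]//" \
    -e "s/['\"]$//"
}

mapfile -t CANDIDATES < <(
  {
    # grep exits non-zero when nothing matches; that is not an error here.
    grep -RIh --binary-files=without-match -E \
      "(^|[[:space:]])${SECRET_KEY_RE}[[:space:]]*[:=][[:space:]]*[^[:space:]]+" \
      "$ROOT" 2>/dev/null \
      | extract_secret_values \
      || true
    # Add current env passwords as candidates (if set)
    if [ -n "${MY_ROOT_PW_ENV:-}" ]; then
      printf '%s\n' "$MY_ROOT_PW_ENV"
    fi
  } | awk 'NF' | sort -u   # drop blank lines, de-duplicate
)

# Only the count is printed; candidate values stay in memory.
echo " Found candidates: ${#CANDIDATES[@]}"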
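#######################################
# Render a secret for display without disclosing it.
# The last four characters are shown only when the secret is at least 12
# characters long; printing a 4-character suffix of a shorter secret would
# put most of it on the terminal and into any captured log.
# Arguments: $1 - the secret
# Outputs:   "****" or "****<last 4 characters>" on stdout
#######################################
mask() {
  local s="$1"
  local -r min_len_for_suffix=12
  if (( ${#s} >= min_len_for_suffix )); then
    printf '****%s\n' "${s: -4}"
  else
    printf '****\n'
  fi
}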
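echo "[3] Verify Postgres password by REAL login test (no assumptions)"
# NOTE(review): psql runs inside the container and connects over the local
# socket. If the effective pg_hba.conf uses "trust" for local connections
# (the initdb default when no auth method is given, which some container
# images leave in place), this login succeeds with ANY password and the first
# candidate is reported as verified. Confirm pg_hba.conf before relying on it.
PG_OK=""
if [ -z "${PG_USER:-}" ]; then
  echo " FAIL: PG_USER not detectable from container env"
else
  # The ${arr[@]+...} form keeps an empty candidate list from tripping
  # "set -u" on bash releases older than 4.4.
  for pw in ${CANDIDATES[@]+"${CANDIDATES[@]}"}; do
    # Password and user name are handed over through the environment:
    # "-e NAME" without a value copies NAME from this process, so the secret
    # does not appear in the docker command line visible to "ps", and neither
    # value is spliced into the shell command string, where a quote character
    # would break out of the quoting.
    # Try connecting to default DBs first; existence of PG_DB may vary.
    if PGPASSWORD="$pw" PGUSER="$PG_USER" \
      docker exec -e PGPASSWORD -e PGUSER "$PG_C" sh -lc \
        'psql -d postgres -tAc "SELECT 1" >/dev/null 2>&1 || psql -d template1 -tAc "SELECT 1" >/dev/null 2>&1'; then
      PG_OK="$pw"
      echo " OK: Postgres login works with password $(mask "$pw")"
      break
    fi
  done
  [ -n "$PG_OK" ] || echo " FAIL: No candidate password could log in to Postgres as user '$PG_USER'"
fi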
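echo "[4] Verify MariaDB root password by REAL login test (no assumptions)"
# NOTE(review): stderr of the client is discarded, so a missing "mysql"
# binary in the image looks the same as a wrong password. Confirm the client
# name for the image in use (some MariaDB images ship it only as "mariadb").
MY_OK=""
# The ${arr[@]+...} form keeps an empty candidate list from tripping
# "set -u" on bash releases older than 4.4.
for pw in ${CANDIDATES[@]+"${CANDIDATES[@]}"}; do
  # The password is passed as MYSQL_PWD through the environment ("-e NAME"
  # without a value copies it from this process). Embedding it as -p'...' in
  # the command string exposes it in process listings on the host and in the
  # container, and a candidate containing a single quote would terminate the
  # quoting and be executed as shell code inside the container.
  if MYSQL_PWD="$pw" docker exec -e MYSQL_PWD "$MY_C" sh -lc \
    'mysql -uroot -e "SELECT 1" >/dev/null 2>&1'; then
    MY_OK="$pw"
    echo " OK: MariaDB root login works with password $(mask "$pw")"
    break
  fi
done
[ -n "$MY_OK" ] || echo " FAIL: No candidate password could log in to MariaDB as root"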
# Final report. Verified passwords are printed only through mask(); the
# plaintext values are never written to the output.
printf '\n'
printf '%s\n' "=== RESULT (verifiziert oder nicht auffindbar) ==="

# Postgres: user name plus masked password, or a not-found line.
if [ -z "$PG_OK" ]; then
  printf '%s\n' "POSTGRES: VERIFIED PASSWORD NOT FOUND IN /opt/hx-ki SOURCES"
else
  printf '%s\n' \
    "POSTGRES_USER=$PG_USER" \
    "POSTGRES_PASSWORD=<VERIFIED $(mask "$PG_OK")>"
fi

# MariaDB: masked root password, or a not-found line.
if [ -z "$MY_OK" ]; then
  printf '%s\n' "MARIADB: VERIFIED ROOT PASSWORD NOT FOUND IN /opt/hx-ki SOURCES"
else
  printf '%s\n' "MYSQL_ROOT_PASSWORD=<VERIFIED $(mask "$MY_OK")>"
fi

printf '\n'
printf '%s\n' "If one of them is NOT found: the only deterministic path is a controlled password reset (auth bypass), because plaintext cannot be recovered from the data directories."