Files
explorer-monorepo/scripts/check-besu-config.sh

93 lines
3.7 KiB
Bash
Raw Normal View History

#!/usr/bin/env bash
# Check Besu Configuration and Enable DEBUG API
# Can be run on RPC node or via SSH
set -euo pipefail
RPC_IP="${1:-192.168.11.250}"
fix(security): fail-fast on missing JWT_SECRET, harden CSP, strip hardcoded passwords backend/api/rest/server.go: - NewServer() now delegates to loadJWTSecret(), which: - Rejects JWT_SECRET < 32 bytes (log.Fatal). - Requires JWT_SECRET when APP_ENV=production or GO_ENV=production. - Generates a 32-byte crypto/rand ephemeral secret in dev only. - Treats rand.Read failure as fatal (removes the prior time-based fallback that was deterministic and forgeable). - Default Content-Security-Policy rewritten: - Drops 'unsafe-inline' and 'unsafe-eval'. - Drops private CIDRs (192.168.11.221:854[5|6]). - Adds frame-ancestors 'none', base-uri 'self', form-action 'self'. - CSP_HEADER is required in production; fatal if unset there. backend/api/rest/server_security_test.go (new): - Covers the three loadJWTSecret() paths (valid, whitespace-trimmed, ephemeral in dev). - Covers isProductionEnv() across APP_ENV / GO_ENV combinations. - Asserts defaultDevCSP contains no unsafe directives or private CIDRs and includes the frame-ancestors / base-uri / form-action directives. scripts/*.sh: - Removed '***REDACTED-LEGACY-PW***' default value from SSH_PASSWORD / NEW_PASSWORD in 7 helper scripts. Each script now fails with exit 2 and points to docs/SECURITY.md if the password isn't supplied via env or argv. EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh: - Replaced hardcoded DB_PASSWORD='***REDACTED-LEGACY-PW***' with a ':?' guard that aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT, RPC_URL) is not exported. Other env vars keep sensible non-secret defaults via ${VAR:-default}. README.md: - Removed the hardcoded Database Password / RPC URL lines. Replaced with an env-variable reference table pointing at docs/SECURITY.md and docs/DATABASE_CONNECTION_GUIDE.md. docs/DEPLOYMENT.md: - Replaced 'PASSWORD: SSH password (default: ***REDACTED-LEGACY-PW***)' with a required-no-default contract and a link to docs/SECURITY.md. docs/SECURITY.md (new): - Full secret inventory keyed to the env variable name and the file that consumes it. - Five-step rotation checklist covering the Postgres role, the Proxmox VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based history audit. - Explicit note that merging secret-scrub PRs does NOT invalidate already-leaked credentials; rotation is the operator's responsibility. Verification: - go build ./... + go vet ./... pass clean. - Targeted tests (LoadJWTSecret*, IsProduction*, DefaultDevCSP*) pass. Advances completion criterion 2 (Secrets & config hardened). Residual leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is handled by PR #2 (doc consolidation), which deletes those files.
2026-04-18 19:02:27 +00:00
SSH_PASSWORD="${SSH_PASSWORD:-${2:-}}"
if [ -z "${SSH_PASSWORD}" ]; then
echo "ERROR: SSH_PASSWORD is required. Pass it as an argument or export SSH_PASSWORD in the environment." >&2
echo " Hardcoded default removed for security; see docs/SECURITY.md." >&2
exit 2
fi
CONFIG_FILE="${3:-/etc/besu/config-rpc-core.toml}"
echo "╔══════════════════════════════════════════════════════════════╗"
echo "║ CHECKING BESU CONFIGURATION ║"
echo "╚══════════════════════════════════════════════════════════════╝"
echo ""
# Check if running locally or via SSH
if [ "$RPC_IP" = "localhost" ] || [ "$RPC_IP" = "127.0.0.1" ]; then
# Running locally on RPC node
echo "Checking local configuration..."
if [ -f "$CONFIG_FILE" ]; then
echo "✅ Config file found: $CONFIG_FILE"
echo ""
echo "Current rpc-http-api setting:"
grep "rpc-http-api" "$CONFIG_FILE" | head -1
echo ""
if grep -q "rpc-http-api" "$CONFIG_FILE" | grep -q "DEBUG"; then
echo "✅ DEBUG API is already enabled"
else
echo "❌ DEBUG API is NOT enabled"
echo ""
echo "To enable, run:"
echo " sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE"
echo " systemctl restart besu-rpc"
fi
else
echo "❌ Config file not found: $CONFIG_FILE"
echo ""
echo "Available config files:"
ls -la /etc/besu/*.toml 2>/dev/null || echo "No config files found"
fi
else
# Running via SSH
if ! command -v sshpass >/dev/null 2>&1; then
echo "⚠️ sshpass not installed. Installing..."
sudo apt-get update -qq && sudo apt-get install -y sshpass 2>/dev/null || {
echo "❌ Cannot install sshpass automatically"
exit 1
}
fi
echo "Checking remote configuration on $RPC_IP..."
echo ""
CONFIG_CONTENT=$(sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
root@"$RPC_IP" \
"cat $CONFIG_FILE 2>/dev/null || echo 'FILE_NOT_FOUND'" 2>&1)
if echo "$CONFIG_CONTENT" | grep -q "FILE_NOT_FOUND"; then
echo "❌ Config file not found: $CONFIG_FILE"
echo ""
echo "Available config files:"
sshpass -p "$SSH_PASSWORD" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
root@"$RPC_IP" \
"ls -la /etc/besu/*.toml 2>/dev/null || echo 'No config files found'"
else
echo "✅ Config file found"
echo ""
echo "Current rpc-http-api setting:"
echo "$CONFIG_CONTENT" | grep "rpc-http-api" | head -1
echo ""
if echo "$CONFIG_CONTENT" | grep "rpc-http-api" | grep -q "DEBUG"; then
echo "✅ DEBUG API is already enabled"
else
echo "❌ DEBUG API is NOT enabled"
echo ""
echo "To enable, SSH into the node and run:"
echo " sed -i 's/rpc-http-api=\[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\"\]/rpc-http-api=[\"ETH\",\"NET\",\"WEB3\",\"TXPOOL\",\"QBFT\",\"ADMIN\",\"DEBUG\",\"TRACE\"]/g' $CONFIG_FILE"
echo " systemctl restart besu-rpc"
fi
fi
fi
echo ""