From 412a0ee57756812de9a6615f0cb8e6cf8a040eb2 Mon Sep 17 00:00:00 2001 From: Stephan Oeste Date: Tue, 26 Jul 2022 22:07:46 +0200 Subject: [PATCH] Add random generated mysql passwords on prod install --- production/install | 43 +++++++++++++++++--- production/mempool-build-all | 15 +++++++ production/mempool-config.bisq.json | 4 +- production/mempool-config.liquid.json | 4 +- production/mempool-config.liquidtestnet.json | 4 +- production/mempool-config.mainnet.json | 4 +- production/mempool-config.signet.json | 4 +- production/mempool-config.testnet.json | 4 +- 8 files changed, 64 insertions(+), 18 deletions(-) diff --git a/production/install b/production/install index fb3aa9281..e9b24bafa 100755 --- a/production/install +++ b/production/install @@ -218,6 +218,21 @@ MYSQL_HOME=/mysql MYSQL_USER=mysql MYSQL_GROUP=mysql +# mempool mysql user/password +MEMPOOL_MAINNET_USER='mempool' +MEMPOOL_TESTNET_USER='mempool_testnet' +MEMPOOL_SIGNET_USER='mempool_signet' +MEMPOOL_LIQUID_USER='mempool_liquid' +MEMPOOL_LIQUIDTESTNET_USER='mempool_liquidtestnet' +MEMPOOL_BISQ_USER='mempool_bisq' +# generate random hex string +MEMPOOL_MAINNET_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') +MEMPOOL_TESTNET_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') +MEMPOOL_SIGNET_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') +MEMPOOL_LIQUID_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') +MEMPOOL_LIQUIDTESTNET_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') +MEMPOOL_BISQ_PASS=$(head -150 /dev/urandom | ${MD5} | awk '{print $1}') + # mempool data folder and user/group MEMPOOL_HOME=/mempool MEMPOOL_USER=mempool 
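Review bot: None of the six `*_PASS` assignments checks that the pipeline produced output, so if `${MD5}` (set outside this hunk) is empty or names a missing command, the variable ends up as an empty string and the later `grant ... identified by` statements would be issued with a blank password. A guard after the assignments, for example `[ -n "${MEMPOOL_MAINNET_PASS}" ] || { echo "password generation failed"; exit 1; }` for each variable, would stop the install instead. `head -150` counts lines rather than bytes, so the amount read from /dev/urandom varies from run to run; `head -c 32 /dev/urandom` states the intent directly. The pipeline repeated six times would be easier to audit as one small function that generates and validates a password.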
@@ -1513,22 +1528,38 @@ esac mysql << _EOF_ create database mempool; -grant all on mempool.* to 'mempool'@'localhost' identified by 'mempool'; +grant all on mempool.* to '${MEMPOOL_MAINNET_USER}'@'localhost' identified by '${MEMPOOL_MAINNET_PASS}'; create database mempool_testnet; -grant all on mempool_testnet.* to 'mempool_testnet'@'localhost' identified by 'mempool_testnet'; +grant all on mempool_testnet.* to '${MEMPOOL_TESTNET_USER}'@'localhost' identified by '${MEMPOOL_TESTNET_PASS}'; create database mempool_signet; -grant all on mempool_signet.* to 'mempool_signet'@'localhost' identified by 'mempool_signet'; +grant all on mempool_signet.* to '${MEMPOOL_SIGNET_USER}'@'localhost' identified by '${MEMPOOL_SIGNET_PASS}'; create database mempool_liquid; -grant all on mempool_liquid.* to 'mempool_liquid'@'localhost' identified by 'mempool_liquid'; +grant all on mempool_liquid.* to '${MEMPOOL_LIQUID_USER}'@'localhost' identified by '${MEMPOOL_LIQUID_PASS}'; create database mempool_liquidtestnet; -grant all on mempool_liquidtestnet.* to 'mempool_liquidtestnet'@'localhost' identified by 'mempool_liquidtestnet'; +grant all on mempool_liquidtestnet.* to '${MEMPOOL_LIQUIDTESTNET_USER}'@'localhost' identified by '${MEMPOOL_LIQUIDTESTNET_PASS}'; create database mempool_bisq; -grant all on mempool_bisq.* to 'mempool_bisq'@'localhost' identified by 'mempool_bisq'; +grant all on mempool_bisq.* to '${MEMPOOL_BISQ_USER}'@'localhost' identified by '${MEMPOOL_BISQ_PASS}'; +_EOF_ + +echo "[*] save MySQL credentials" +cat > ${MEMPOOL_HOME}/mysql_credentials << _EOF_ +declare -x MEMPOOL_MAINNET_USER="${MEMPOOL_MAINNET_USER}" +declare -x MEMPOOL_MAINNET_PASS="${MEMPOOL_MAINNET_PASS}" +declare -x MEMPOOL_TESTNET_USER="${MEMPOOL_TESTNET_USER}" +declare -x MEMPOOL_TESTNET_PASS="${MEMPOOL_TESTNET_PASS}" +declare -x MEMPOOL_SIGNET_USER="${MEMPOOL_SIGNET_USER}" +declare -x MEMPOOL_SIGNET_PASS="${MEMPOOL_SIGNET_PASS}" +declare -x MEMPOOL_LIQUID_USER="${MEMPOOL_LIQUID_USER}" +declare -x 
MEMPOOL_LIQUID_PASS="${MEMPOOL_LIQUID_PASS}" +declare -x MEMPOOL_LIQUIDTESTNET_USER="${MEMPOOL_LIQUIDTESTNET_USER}" +declare -x MEMPOOL_LIQUIDTESTNET_PASS="${MEMPOOL_LIQUIDTESTNET_PASS}" +declare -x MEMPOOL_BISQ_USER="${MEMPOOL_BISQ_USER}" +declare -x MEMPOOL_BISQ_PASS="${MEMPOOL_BISQ_PASS}" _EOF_ ##### nginx diff --git a/production/mempool-build-all b/production/mempool-build-all index 5ac25f7e4..c0e9a2c2a 100755 --- a/production/mempool-build-all +++ b/production/mempool-build-all @@ -11,6 +11,9 @@ BITCOIN_RPC_PASS=$(grep '^rpcpassword' /bitcoin/bitcoin.conf | cut -d '=' -f2) ELEMENTS_RPC_USER=$(grep '^rpcuser' /elements/elements.conf | cut -d '=' -f2) ELEMENTS_RPC_PASS=$(grep '^rpcpassword' /elements/elements.conf | cut -d '=' -f2) +# get mysql credentials +. /mempool/mysql_credentials + if [ -f "${LOCKFILE}" ];then echo "upgrade already running? check lockfile ${LOCKFILE}" exit 1 @@ -73,6 +76,18 @@ build_backend() -e "s!__BITCOIN_RPC_PASS__!${BITCOIN_RPC_PASS}!" \ -e "s!__ELEMENTS_RPC_USER__!${ELEMENTS_RPC_USER}!" \ -e "s!__ELEMENTS_RPC_PASS__!${ELEMENTS_RPC_PASS}!" \ + -e "s!__MEMPOOL_MAINNET_USER__!${MEMPOOL_MAINNET_USER}!" \ + -e "s!__MEMPOOL_MAINNET_PASS__!${MEMPOOL_MAINNET_PASS}!" \ + -e "s!__MEMPOOL_TESTNET_USER__!${MEMPOOL_TESTNET_USER}!" \ + -e "s!__MEMPOOL_TESTNET_PASS__!${MEMPOOL_TESTNET_PASS}!" \ + -e "s!__MEMPOOL_SIGNET_USER__!${MEMPOOL_SIGNET_USER}!" \ + -e "s!__MEMPOOL_SIGNET_PASS__!${MEMPOOL_SIGNET_PASS}!" \ + -e "s!__MEMPOOL_LIQUID_USER__!${MEMPOOL_LIQUID_USER}!" \ + -e "s!__MEMPOOL_LIQUID_PASS__!${MEMPOOL_LIQUID_PASS}!" \ + -e "s!__MEMPOOL_LIQUIDTESTNET_USER__!${LIQUIDTESTNET_USER}!" \ + -e "s!__MEMPOOL_LIQUIDTESTNET_PASS__!${MEMPOOL_LIQUIDTESTNET_PASS}!" \ + -e "s!__MEMPOOL_BISQ_USER__!${MEMPOOL_BISQ_USER}!" \ + -e "s!__MEMPOOL_BISQ_PASS__!${MEMPOOL_BISQ_PASS}!" \ "mempool-config.json" fi npm install --omit=dev --omit=optional || exit 1 
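Review bot: `cat > ${MEMPOOL_HOME}/mysql_credentials` creates the file under whatever umask the installer runs with, so with a common 022 umask all six database passwords end up in a world-readable file, and nothing in this hunk restricts its mode or owner. Because `production/mempool-build-all` sources this file as shell code, it should also be writable only by the account that runs the build. I would follow the heredoc with `chmod 600 "${MEMPOOL_HOME}/mysql_credentials"` and `chown "${MEMPOOL_USER}" "${MEMPOOL_HOME}/mysql_credentials"` (assuming the build runs as `${MEMPOOL_USER}`), or wrap the write in a subshell with `umask 077`. Quoting the redirection target would also be more robust.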
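Review bot: `. /mempool/mysql_credentials` runs without checking that the file exists, so on a host installed before this change the script either aborts with a bare shell error or, depending on the shell, continues with every `MEMPOOL_*` variable unset. In the second case the sed substitutions in `build_backend` would write empty usernames and passwords into `mempool-config.json`. A guard on the line before it, `[ -r /mempool/mysql_credentials ] || { echo "missing /mempool/mysql_credentials"; exit 1; }`, makes the failure explicit. A short comment that this file is executed as shell, and must therefore stay owned and writable only by the build account, would also help.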
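Review bot: The `__MEMPOOL_LIQUIDTESTNET_USER__` substitution expands `${LIQUIDTESTNET_USER}`, which is not defined anywhere in the visible lines; the credentials file exports `MEMPOOL_LIQUIDTESTNET_USER`. As written, the placeholder is replaced with an empty string, so the liquidtestnet backend config would get an empty database username while its password is filled in correctly. The line should read `-e "s!__MEMPOOL_LIQUIDTESTNET_USER__!${MEMPOOL_LIQUIDTESTNET_USER}!" \`. `build_backend` starts and ends outside this hunk.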
diff --git a/production/mempool-config.bisq.json b/production/mempool-config.bisq.json index 1e91be930..599711764 100644 --- a/production/mempool-config.bisq.json +++ b/production/mempool-config.bisq.json @@ -21,8 +21,8 @@ "ENABLED": false, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool_bisq", - "PASSWORD": "mempool_bisq", + "USERNAME": "__MEMPOOL_BISQ_USER__", + "PASSWORD": "__MEMPOOL_BISQ_PASS__", "DATABASE": "mempool_bisq" }, "STATISTICS": { diff --git a/production/mempool-config.liquid.json b/production/mempool-config.liquid.json index 70ab56625..11ad8ffcd 100644 --- a/production/mempool-config.liquid.json +++ b/production/mempool-config.liquid.json @@ -28,8 +28,8 @@ "ENABLED": true, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool_liquid", - "PASSWORD": "mempool_liquid", + "USERNAME": "__MEMPOOL_LIQUID_USER__", + "PASSWORD": "__MEMPOOL_LIQUID_PASS__", "DATABASE": "mempool_liquid" }, "STATISTICS": { diff --git a/production/mempool-config.liquidtestnet.json b/production/mempool-config.liquidtestnet.json index b3c4dfaaf..7769bfb53 100644 --- a/production/mempool-config.liquidtestnet.json +++ b/production/mempool-config.liquidtestnet.json @@ -28,8 +28,8 @@ "ENABLED": true, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool_liquidtestnet", - "PASSWORD": "mempool_liquidtestnet", + "USERNAME": "__MEMPOOL_LIQUIDTESTNET_USER__", + "PASSWORD": "__MEMPOOL_LIQUIDTESTNET_PASS__", "DATABASE": "mempool_liquidtestnet" }, "STATISTICS": { diff --git a/production/mempool-config.mainnet.json b/production/mempool-config.mainnet.json index 4575afdbe..06a14d223 100644 --- a/production/mempool-config.mainnet.json +++ b/production/mempool-config.mainnet.json @@ -32,8 +32,8 @@ "ENABLED": true, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool", - "PASSWORD": "mempool", + "USERNAME": "__MEMPOOL_MAINNET_USER__", + "PASSWORD": "__MEMPOOL_MAINNET_PASS__", "DATABASE": "mempool" }, "STATISTICS": { 
diff --git a/production/mempool-config.signet.json b/production/mempool-config.signet.json index c1333f45a..f42c4dc50 100644 --- a/production/mempool-config.signet.json +++ b/production/mempool-config.signet.json @@ -24,8 +24,8 @@ "ENABLED": true, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool_signet", - "PASSWORD": "mempool_signet", + "USERNAME": "__MEMPOOL_SIGNET_USER__", + "PASSWORD": "__MEMPOOL_SIGNET_PASS__", "DATABASE": "mempool_signet" }, "STATISTICS": { diff --git a/production/mempool-config.testnet.json b/production/mempool-config.testnet.json index 79190c2de..cc63f93bf 100644 --- a/production/mempool-config.testnet.json +++ b/production/mempool-config.testnet.json @@ -24,8 +24,8 @@ "ENABLED": true, "HOST": "127.0.0.1", "PORT": 3306, - "USERNAME": "mempool_testnet", - "PASSWORD": "mempool_testnet", + "USERNAME": "__MEMPOOL_TESTNET_USER__", + "PASSWORD": "__MEMPOOL_TESTNET_PASS__", "DATABASE": "mempool_testnet" }, "STATISTICS": {