feat: run conductor as root

config/config.toml

@@ -3,8 +3,7 @@ source_code = "https://git.batsense.net/librepages/conductor"
 conductor = "dummy"
 
 [creds]
-username = "librepages_api"
-password="longrandomlygeneratedpassword"
+token="longrandomlygeneratedpassword"
 
 [server]
 # Please set a unique value, your mCaptcha instance's security depends on this being 

contrib/librepages-conductor.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=LibrePages Conductor: Easiest way to deploy websites. Conductor component
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/bin/conductor serve
+Restart=on-failure
+RestartSec=1
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+Environment="RUST_LOG=info"
+
+[Unit]
+Wants=network-online.target
+Wants=network-online.target
+Requires=postgresql.service
+After=syslog.target
+
+[Install]
+WantedBy=multi-user.target

scripts/bin-publish.sh

@@ -38,6 +38,8 @@ DOCKER_IMG="realaravinth/$NAME:$3"
 
 get_bin(){
 	cp target/release/conductor $TARGET_DIR
+	cp -r config/ $TARGET_DIR
+	cp -r contrib/ $TARGET_DIR
 }
 
 copy() {

src/api/v1/mod.rs

@@ -17,7 +17,7 @@
 use actix_web::dev::ServiceRequest;
 use actix_web::web;
 use actix_web::Error;
-use actix_web_httpauth::extractors::basic::BasicAuth;
+use actix_web_httpauth::extractors::bearer::BearerAuth;
 
 use crate::errors::*;
 use crate::AppCtx;
@@ -26,14 +26,13 @@ use crate::SETTINGS;
 pub mod meta;
 pub mod webhook;
 
-pub async fn httpauth(
+pub async fn bearerauth(
     req: ServiceRequest,
-    credentials: BasicAuth,
+    credentials: BearerAuth,
 ) -> Result<ServiceRequest, (Error, ServiceRequest)> {
     let _ctx: &AppCtx = req.app_data().unwrap();
-    let username = credentials.user_id();
-    let password = credentials.password().unwrap();
-    if SETTINGS.authenticate(username, password) {
+    let token = credentials.token();
+    if SETTINGS.authenticate(token) {
         Ok(req)
     } else {
         let e = Error::from(ServiceError::Unauthorized);

src/api/v1/webhook.rs

@@ -24,7 +24,7 @@ use crate::errors::*;
 use crate::AppCtx;
 use crate::*;
 
-use super::httpauth;
+use super::bearerauth;
 
 pub mod routes {
     use super::*;
@@ -47,7 +47,7 @@ pub fn services(cfg: &mut web::ServiceConfig) {
 
 #[actix_web_codegen_const_routes::post(
     path = "API_V1_ROUTES.webhook.post_event",
-    wrap = "HttpAuthentication::basic(httpauth)"
+    wrap = "HttpAuthentication::bearer(bearerauth)"
 )]
 async fn post_event(ctx: AppCtx, payload: web::Json<EventType>) -> ServiceResult<impl Responder> {
     ctx.conductor.process(payload.into_inner()).await;
@@ -71,10 +71,7 @@ pub mod tests {
         .await;
 
         let creds = settings.creds.clone();
-        let auth = format!(
-            "Basic {}",
-            base64::encode(format!("{}:{}", creds.username.clone(), creds.password))
-        );
+        let auth = format!("Bearer {}", creds.token,);
 
         let msg = EventType::NewSite {
             hostname: "demo.librepages.org".into(),

src/settings.rs

@@ -54,8 +54,7 @@ pub enum ConductorType {
 
 #[derive(Debug, Clone, Deserialize)]
 pub struct Creds {
-    pub username: String,
-    pub password: String,
+    pub token: String,
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -69,15 +68,15 @@ pub struct Settings {
 
 #[cfg(not(tarpaulin_include))]
 impl Settings {
-    pub fn authenticate(&self, username: &str, password: &str) -> bool {
-        self.creds.username == username && self.creds.password == password
+    pub fn authenticate(&self, token: &str) -> bool {
+        self.creds.token == token
     }
 
     pub fn new() -> Result<Self, ConfigError> {
         let mut s = Config::builder();
 
         const CURRENT_DIR: &str = "./config/config.toml";
-        const ETC: &str = "/etc/lpconductor/config.toml";
+        const ETC: &str = "/etc/librepages/conductor/config.toml";
 
         if let Ok(path) = env::var("LPCONDUCTOR_CONFIG") {
             s = s.add_source(File::with_name(&path));
@@ -138,6 +137,13 @@ fn set_separator_field(mut s: ConfigBuilder<DefaultState>) -> ConfigBuilder<Defa
         &format!("{PREFIX}{SEPARATOR}SERVER{SEPARATOR}PROXY_HAS_TLS"),
         "server.proxy_has_tls",
     );
+
+    s = from_env(
+        s,
+        &format!("{PREFIX}{SEPARATOR}CREDS{SEPARATOR}TOKEN"),
+        "creds.token",
+    );
+
     s
 }
 
@@ -148,16 +154,13 @@ mod tests {
     #[test]
     fn creds_works() {
         let settings = Settings::new().unwrap();
-        let mut creds = settings.creds.clone();
+        let creds = settings.creds.clone();
 
-        assert!(settings.authenticate(&creds.username, &creds.password));
-
-        creds.username = "noexist".into();
-        assert!(!settings.authenticate(&creds.username, &creds.password));
+        assert!(settings.authenticate(&creds.token));
 
         let mut creds = settings.creds.clone();
 
-        creds.password = "noexist".into();
-        assert!(!settings.authenticate(&creds.username, &creds.password));
+        creds.token = "noexist".into();
+        assert!(!settings.authenticate(&creds.token))
     }
 }