From c237511e5fefc568269e71e512640bb1045eb789 Mon Sep 17 00:00:00 2001 From: Nathan Phelps Date: Mon, 28 Oct 2024 13:05:06 -0400 Subject: [PATCH] PostgreSQL container hardening. Added emeritus section to Maintainers file. Signed-off-by: Nathan Phelps --- CHANGELOG.md | 1 + MAINTAINERS.md | 15 +++++++++++---- Makefile | 2 +- docker/run-fdo-owner-service.sh | 8 +++++--- sample-mfg/start-mfg.sh | 8 +++++--- 5 files changed, 23 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 34e28df..623b197 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,7 @@ # Changelog All notable changes to this project will be documented in this file. + ## [1.4.0] - 2024-01.16 - Issue 51: Updated to support FDO `1.1.7` release. - Removed unneeded getFDO.sh script which was duplicated by the Makefile. diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 59e8f14..83a8b4a 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md @@ -3,7 +3,14 @@ Repository Maintainers See the information about [community membership roles](https://wiki.lfedge.org/display/OH/Community+Membership) to learn about the role of the maintainers and the process to become one. -| Name | GitHub | Email | -|----------------|------------------------------------------------|---------------------------| -| Lorenzo King | [@lorenzoking](https://github.com/lorenzoking) | | -| Nathan Phelps | [@naphelps](https://github.com/naphelps) | | \ No newline at end of file +| Name | GitHub | Email | +|---------------|------------------------------------------------|---------------------------| +| Nathan Phelps | [@naphelps](https://github.com/naphelps) | | + +# Emeritus Maintainers + +The emeritus maintainers of this repository are: + +| Name | GitHub | email | +| ------------- |------------------------------------------------|----------------------| +| Lorenzo King | [@lorenzoking](https://github.com/lorenzoking) | | diff --git a/Makefile b/Makefile index 289b527..081062c 100644 --- a/Makefile +++ b/Makefile 
@@ -9,7 +9,7 @@ STABLE_VERSION ?= 1.4.0 export DOCKER_REGISTRY ?= openhorizon export FDO_DOCKER_IMAGE ?= fdo-owner-services -FDO_IMAGE_LABELS ?= --label "vendor=IBM" --label "name=$(FDO_DOCKER_IMAGE)" --label "version=$(VERSION)" --label "release=$(shell git rev-parse --short HEAD)" --label "summary=Open Horizon FDO support image" --label "description=The FDO owner services run in the context of the open-horizon management hub" +FDO_IMAGE_LABELS ?= --label "vendor=Open Horizon" --label "name=$(FDO_DOCKER_IMAGE)" --label "version=$(VERSION)" --label "release=$(shell git rev-parse --short HEAD)" --label "summary=Open Horizon FDO support image" --label "description=The FDO owner services run in the context of the open-horizon management hub" # This doesn't work. According to https://docs.docker.com/engine/reference/builder/#label it is not necessary to put all of the labels in a single image layer #FDO_IMAGE_LABELS ?= --label 'vendor=IBM name=$(FDO_DOCKER_IMAGE) version=$(VERSION) release=$(shell git rev-parse --short HEAD) summary="Open Horizon FDO support image" description="The FDO owner services run in the context of the open-horizon management hub"' diff --git a/docker/run-fdo-owner-service.sh b/docker/run-fdo-owner-service.sh index debde07..fb0ac55 100755 --- a/docker/run-fdo-owner-service.sh +++ b/docker/run-fdo-owner-service.sh 
@@ -54,12 +54,13 @@ export FIDO_DEVICE_ONBOARD_REL_VER=${FIDO_DEVICE_ONBOARD_REL_VER:-1.1.9} export FDO_OWN_COMP_SVC_PORT=${FDO_OWN_COMP_SVC_PORT:-9008} export FDO_OWN_SVC_PORT=${FDO_OWN_SVC_PORT:-8042} export FDO_OWN_DB=${FDO_OWN_DB:-fdo} -export FDO_OWN_DB_PASSWORD=${FDO_OWN_DB_PASSWORD:-$(generateToken 15)} +export FDO_OWN_DB_PASSWORD=${FDO_OWN_DB_PASSWORD:-$(generateToken 30)} export FDO_OWN_DB_PORT=${FDO_OWN_DB_PORT:-5433} export FDO_OWN_DB_SSL=${FDO_OWN_DB_SSL:-false} export FDO_OWN_DB_USER=${FDO_OWN_DB_USER:-fdouser} -export FDO_OWN_SVC_AUTH=${FDO_OWN_SVC_AUTH:-apiUser:$(generateToken 15)} +export FDO_OWN_SVC_AUTH=${FDO_OWN_SVC_AUTH:-apiUser:$(generateToken 30)} export FDO_DB_URL=${FDO_DB_URL:-jdbc:postgresql://postgres-fdo-owner-service:5432/$FDO_OWN_DB} +export POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-scram-sha-256} export POSTGRES_IMAGE_TAG=${POSTGRES_IMAGE_TAG:-13} @@ -124,7 +125,8 @@ docker run -d \ -e "POSTGRES_DB=$FDO_OWN_DB" \ -e "POSTGRES_PASSWORD=$FDO_OWN_DB_PASSWORD" \ -e "POSTGRES_USER=$FDO_OWN_DB_USER" \ - -e "POSTGRES_HOST_AUTH_METHOD=trust" \ + -e "POSTGRES_HOST_AUTH_METHOD=$POSTGRES_HOST_AUTH_METHOD" \ + -e "POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 --auth-local=scram-sha-256" \ --health-cmd="pg_isready -U $FDO_OWN_DB_USER" \ --health-interval=15s \ --health-retries=3 \ diff --git a/sample-mfg/start-mfg.sh b/sample-mfg/start-mfg.sh index 63f2d62..674a617 100755 --- a/sample-mfg/start-mfg.sh +++ b/sample-mfg/start-mfg.sh 
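Review bot: The new `export POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-scram-sha-256}` line carries no comment although it changes the database's authentication posture and has two dependencies a deployer needs to know about; the same line is added in sample-mfg/start-mfg.sh. I would put above it `# Auth method for the postgres container; replaces the previous "trust" default. Must match the --auth-host/--auth-local initdb args passed in the docker run below, and the owner service's JDBC driver must support SCRAM (pgjdbc 42.2.0 or newer, if that is what the service bundles).` The connection itself stays plaintext by default (`FDO_OWN_DB_SSL` defaults to false a few lines above), so SCRAM protects the credential exchange but not the data in transit, which is worth stating in the same comment or in CHANGELOG.md, where this commit adds no entry for the hardening.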
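Review bot: The added `POSTGRES_INITDB_ARGS` line hardcodes `scram-sha-256` while the line above it reads the method from `$POSTGRES_HOST_AUTH_METHOD`, so an operator who overrides the variable (for example to `md5`) gets an initdb-generated pg_hba.conf that disagrees with the host entry the image appends for the override; the same pair appears in the sample-mfg/start-mfg.sh docker run hunk. Derive both from the one variable: `-e "POSTGRES_INITDB_ARGS=--auth-host=$POSTGRES_HOST_AUTH_METHOD --auth-local=$POSTGRES_HOST_AUTH_METHOD" \`. Note also that the official image applies POSTGRES_HOST_AUTH_METHOD and POSTGRES_INITDB_ARGS only when it initializes an empty data directory, so if the postgres data is persisted across runs (no volume is visible in this hunk) an existing deployment keeps its `trust` configuration until the data directory is recreated or pg_hba.conf is fixed by hand. The `docker run -d \` command opens before this hunk.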
@@ -54,13 +54,13 @@ generateToken() { head -c 1024 /dev/urandom | base64 | tr -cd "[:alpha:][:digit: export FDO_MFG_DB=${FDO_MFG_DB:-fdo_mfg} -export FDO_MFG_DB_PASSWORD=${FDO_MFG_DB_PASSWORD:-$(generateToken 15)} +export FDO_MFG_DB_PASSWORD=${FDO_MFG_DB_PASSWORD:-$(generateToken 30)} export FDO_MFG_DB_PORT=${FDO_MFG_DB_PORT:-5434} export FDO_MFG_DB_SSL=${FDO_MFG_DB_SSL:-false} export FDO_MFG_DB_URL=${FDO_MFG_DB_URL:-jdbc:postgresql://postgres-fdo-mfg-service:5432/$FDO_MFG_DB} export FDO_MFG_DB_USER=${FDO_MFG_DB_USER:-fdouser} export FDO_MFG_PORT=${FDO_MFG_PORT:-8039} -export FDO_MFG_SVC_AUTH=${FDO_MFG_SVC_AUTH:-apiUser:$(generateToken 15)} +export FDO_MFG_SVC_AUTH=${FDO_MFG_SVC_AUTH:-apiUser:$(generateToken 30)} export FDO_OWN_COMP_SVC_PORT=${FDO_OWN_COMP_SVC_PORT:-9008} export FDO_RV_URL=${FDO_RV_URL:-http://fdorv.com} # set to the production domain by default. Development domain is Owner's service public key protected as of v1.1.6. export FIDO_DEVICE_ONBOARD_REL_VER=${FIDO_DEVICE_ONBOARD_REL_VER:-1.1.9} # https://github.com/fido-device-onboard/release-fidoiot/releases @@ -72,6 +72,7 @@ export HZN_ORG_ID=${HZN_ORG_ID:-myorg} # Default to organization admin provided export HZN_TRANSPORT=${HZN_TRANSPORT:-http} export EXCHANGE_USER=${EXCHANGE_USER:-$(echo $HZN_EXCHANGE_USER_AUTH | awk -F ":" '{print $1}')} export EXCHANGE_USER_PASSWORD=${EXCHANGE_USER_PASSWORD:-$(echo $HZN_EXCHANGE_USER_AUTH | awk -F ":" '{print $2}')} +export POSTGRES_HOST_AUTH_METHOD=${POSTGRES_HOST_AUTH_METHOD:-scram-sha-256} export POSTGRES_IMAGE_TAG=${POSTGRES_IMAGE_TAG:-13} deviceBinaryDir='pri-fidoiot-v'$FIDO_DEVICE_ONBOARD_REL_VER rvHttpPort=${1:-80} 
@@ -290,7 +291,8 @@ docker run -d \
  -e "POSTGRES_DB=$FDO_MFG_DB" \
  -e "POSTGRES_PASSWORD=$FDO_FDO_MFG_DB_PASSWORD" \
  -e "POSTGRES_USER=$FDO_MFG_DB_USER" \
- -e "POSTGRES_HOST_AUTH_METHOD=trust" \
+ -e "POSTGRES_HOST_AUTH_METHOD=$POSTGRES_HOST_AUTH_METHOD" \
+ -e "POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256 --auth-local=scram-sha-256" \
  --health-cmd="pg_isready -U $FDO_MFG_DB_USER" \
  --health-interval=15s \
  --health-retries=3 \
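Review bot: The context line `-e "POSTGRES_PASSWORD=$FDO_FDO_MFG_DB_PASSWORD" \` two lines above the change references a variable the defaults hunk never exports (it sets `FDO_MFG_DB_PASSWORD`). Switching the default host auth method from `trust` to `scram-sha-256` turns that typo from harmless into a startup failure: the official postgres image refuses to initialize a database when POSTGRES_PASSWORD is empty and the auth method is not `trust`, and even a value that did get set would not be the credential the mfg service holds. Unless `FDO_FDO_MFG_DB_PASSWORD` is assigned somewhere outside the hunks shown, change it to `-e "POSTGRES_PASSWORD=$FDO_MFG_DB_PASSWORD" \`. The `docker run -d \` command opens before this hunk.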