Fix htpassword update logic (#547)

ShashikanthRaoT · GitHub Enterprise · commit 14be193813a5 · 2023-11-21T10:55:51.000Z
* Fix htpassword update logic

* Delete mq.htpasswd.default file
diff --git a/Dockerfile-server b/Dockerfile-server
@@ -182,7 +182,6 @@ LABEL summary="IBM MQ Advanced for Developers Server" \
 USER 0
 COPY --from=cbuilder /opt/app-root/src/authservice/mqhtpass/build/mqhtpass.so /opt/mqm/lib64/
 COPY etc/mqm/qm-service-component.ini /run
-COPY etc/mqm/mq.htpasswd.default /etc/mqm/
 COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
 RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
   && sleep 1 \
@@ -197,7 +196,6 @@ RUN ln -s /run/10-dev.mqsc /etc/mqm/10-dev.mqsc \
 RUN chown -R 1001:root /etc/mqm/* \
   && chmod -R g+w /etc/mqm/web \
   && chmod +x /usr/local/bin/runmq* \
-  && chmod 0660 /etc/mqm/mq.htpasswd.default \
   # Allow contents of qm-service-component.ini to be cleaned if MQ_CONNAUTH_USE_HTP is not set to true
   && chmod 0660 /run/qm-service-component.ini \
   && ln -s /run/qm-service-component.ini /etc/mqm/qm-service-component.ini
diff --git a/cmd/runmqdevserver/main.go b/cmd/runmqdevserver/main.go
@@ -21,7 +21,6 @@ import (
 	"strings"
 	"syscall"
 
-	"github.com/ibm-messaging/mq-container/internal/copy"
 	"github.com/ibm-messaging/mq-container/internal/htpasswd"
 	"github.com/ibm-messaging/mq-container/pkg/containerruntimelogger"
 	"github.com/ibm-messaging/mq-container/pkg/logger"
@@ -136,8 +135,9 @@ func doMain() error {
 	appPassword, appPwdset := os.LookupEnv("MQ_APP_PASSWORD")
 	if set && strings.EqualFold(enableHtPwd, "true") &&
 		(adminPwdset && len(strings.TrimSpace(adminPassword)) > 0 || appPwdset && len(strings.TrimSpace(appPassword)) > 0) {
-		// Copy default mq.htpasswd file to ephemeral volume
-		err = copy.CopyFile("/etc/mqm/mq.htpasswd.default", "/run/mq.htpasswd")
+		// Create an empty mq.htpasswd file on ephemeral volume
+		// #nosec G306 - its a write by owner/s group, and pose no harm.
+		err = os.WriteFile("/run/mq.htpasswd", []byte(""), 0660)
 		if err != nil {
 			logTermination(err)
 			return err
diff --git a/docs/pluggable-connauth.md b/docs/pluggable-connauth.md
@@ -12,7 +12,7 @@ This pluggable authentication mode is to allow developers using the mq-container
 
 ### Preparing htpasswd file
 
- 1. A default `mq.htpasswd.default` file is provided and placed under /etc/mqm/ directory inside the container.
+ 1. The `mq.htpasswd` file gets generated and placed under /run/ directory inside the container when the password for `admin` or `app` users is set via environment variables. No default password is set for these users.
  2. You can set the password for user `admin` by setting the environment variable `MQ_ADMIN_PASSWORD`.
  3. You can add user `app` into mq.htpasswd file by setting the environment variable `MQ_APP_PASSWORD`. This user `app` can be used to access `DEV.*` objects of the queue manager.
 
diff --git a/etc/mqm/mq.htpasswd.default b/etc/mqm/mq.htpasswd.default
