WIP #555 - refactor secrets and test default password on startup

otoroshi/app/env/Env.scala

@@ -213,6 +213,8 @@ class Env(val configuration: Configuration,
   lazy val providerCssUrlHtml: Html =
     providerCssUrl.map(url => Html(s"""<link href="$url" rel="stylesheet">""")).getOrElse(Html(""))
 
+  lazy val otoroshiSecret: String = configuration.getOptionalWithFileSupport[String]("otoroshi.secret").get
+
   lazy val providerDashboardSecret: String =
     configuration.getOptionalWithFileSupport[String]("otoroshi.provider.secret").getOrElse("secret")
 
@@ -559,6 +561,19 @@ class Env(val configuration: Configuration,
     logger.info(s"Admin UI  exposed on http://$backOfficeHost:$port")
   }
 
+  if (otoroshiSecret == "VeryLongPasswordThatYouMustToOverwrite") {
+    logger.warn("#########################################")
+    logger.warn("#########################################")
+    logger.warn("BEWARE OF USING DEFAULT OTOROSHI SECRET !!!")
+    logger.warn("You are using the default value for the main otoroshi secret. It is used to sign various stuff including session cookies. " +
+      "You MUST change its value before deploying to production")
+    logger.warn("You can change configuration by passing otoroshi.secret at runtime (https://maif.github.io/otoroshi/manual/firstrun/configfile.html)")
+    logger.warn("You can change if from environment variable with name OTOROSHI_SECRET (https://maif.github.io/otoroshi/manual/firstrun/env.html)")
+    logger.warn("Beware of using default otoroshi secret")
+    logger.warn("#########################################")
+    logger.warn("#########################################")
+  }
+
   lazy val datastores: DataStores = {
     configuration.getOptionalWithFileSupport[String]("app.storage").getOrElse("redis") match {
       case _ if clusterConfig.mode == ClusterMode.Worker =>

otoroshi/conf/application.conf

@@ -650,6 +650,8 @@ otoroshi {
   instance = ${app.instance}
   maintenanceMode = false
   maintenanceMode = ${?OTOROSHI_MAINTENANCE_MODE_ENABLED}
+  secret = "VeryLongPasswordThatYouMustToOverwrite"
+  secret = ${?OTOROSHI_SECRET}
   options {
     bypassUserRightsCheck = false
     bypassUserRightsCheck = ${?OTOROSHI_OPTIONS_BYPASSUSERRIGHTSCHECK}
@@ -672,7 +674,7 @@ otoroshi {
     staticExposedDomain = ${?OTOROSHI_OPTIONS_STATIC_EXPOSED_DOMAIN}
   }
   sessions {
-    secret = "8pqi0nU6p6srkH1rfJpMrNKEPMm4U6aBJd0zr5qAqs235WQRtVHCfTCLEzLW43yM"
+    secret = ${otoroshi.secret}
     secret = ${?OTOROSHI_SESSIONS_SECRET}
   }
   cache {

otoroshi/conf/base.conf

@@ -9,7 +9,7 @@ play.server.https.engineProvider = ssl.DynamicSSLEngineProvider
 # play.server.https.keyStoreDumpPath = "./otoroshi.jks"
 play.server.https.keyStoreDumpPath = ${?HTTPS_KEYSTORE_DUMP_PATH}
 
-play.http.secret.key = "sca4ujJ6NmTOinW60f+F2kPYZL5pzJrZj5gvsLAPPqI="
+play.http.secret.key = ${otoroshi.secret}
 play.http.secret.key = ${?PLAY_CRYPTO_SECRET}
 
 play.server.http.idleTimeout = 60s