Disable default developer configuration (#541)

* Disable default developer configuration

* Add new docker test

* Avoid loading of mq.htpasswd exit when MQ_CONNAUTH_USE_HTP not set

* Fix gosec error

* Copy ini file with specific name

* Load mqhtpasswd exit if admin and/or app password and MQ_CONNAUTH_USE_HTP=true

* Update develiper configuration documentation

* Fix typo and correct function description

Dockerfile-server

@@ -32,8 +32,8 @@ USER 0
 WORKDIR $GO_WORKDIR/
 ADD $MQ_ARCHIVE /opt/mqm
 ENV CGO_CFLAGS="-I/opt/mqm/inc/" \
-    CGO_LDFLAGS_ALLOW="-Wl,-rpath.*" \
-    PATH="${PATH}:/opt/mqm/bin"
+  CGO_LDFLAGS_ALLOW="-Wl,-rpath.*" \
+  PATH="${PATH}:/opt/mqm/bin"
 COPY go.mod go.sum ./
 COPY cmd/ ./cmd
 COPY internal/ ./internal
@@ -62,27 +62,27 @@ ARG BASE_TAG
 ARG MQ_ARCHIVE
 WORKDIR /tmp/mq
 ENV genmqpkg_inc32=0 \
-    genmqpkg_incadm=1 \
-    genmqpkg_incamqp=0 \
-    genmqpkg_incams=1 \
-    genmqpkg_inccbl=0 \
-    genmqpkg_inccics=0 \
-    genmqpkg_inccpp=0 \
-    genmqpkg_incdnet=0 \
-    genmqpkg_incjava=1 \
-    genmqpkg_incjre=1 \
-    genmqpkg_incman=0 \
-    genmqpkg_incmqbc=0 \
-    genmqpkg_incmqft=0 \
-    genmqpkg_incmqsf=0 \
-    genmqpkg_incmqxr=0 \
-    genmqpkg_incnls=1 \
-    genmqpkg_incras=1 \
-    genmqpkg_incsamp=1 \
-    genmqpkg_incsdk=0 \
-    genmqpkg_inctls=1 \
-    genmqpkg_incunthrd=0 \
-    genmqpkg_incweb=1
+  genmqpkg_incadm=1 \
+  genmqpkg_incamqp=0 \
+  genmqpkg_incams=1 \
+  genmqpkg_inccbl=0 \
+  genmqpkg_inccics=0 \
+  genmqpkg_inccpp=0 \
+  genmqpkg_incdnet=0 \
+  genmqpkg_incjava=1 \
+  genmqpkg_incjre=1 \
+  genmqpkg_incman=0 \
+  genmqpkg_incmqbc=0 \
+  genmqpkg_incmqft=0 \
+  genmqpkg_incmqsf=0 \
+  genmqpkg_incmqxr=0 \
+  genmqpkg_incnls=1 \
+  genmqpkg_incras=1 \
+  genmqpkg_incsamp=1 \
+  genmqpkg_incsdk=0 \
+  genmqpkg_inctls=1 \
+  genmqpkg_incunthrd=0 \
+  genmqpkg_incweb=1
 ADD $MQ_ARCHIVE /opt/mqm-noinstall
 # Run genmqpkg to reduce the MQ packages included
 RUN /opt/mqm-noinstall/bin/genmqpkg.sh -b /opt/mqm-redux
@@ -96,17 +96,17 @@ ARG BASE_IMAGE
 ARG BASE_TAG
 ARG GO_WORKDIR
 LABEL summary="IBM MQ Advanced Server" \
-      description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
-      vendor="IBM" \
-      maintainer="IBM" \
-      distribution-scope="private" \
-      authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
-      url="https://www.ibm.com/products/mq/advanced" \
-      io.openshift.tags="mq messaging" \
-      io.k8s.display-name="IBM MQ Advanced Server" \
-      io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
-      base-image=$BASE_IMAGE \
-      base-image-release=$BASE_TAG
+  description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+  vendor="IBM" \
+  maintainer="IBM" \
+  distribution-scope="private" \
+  authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
+  url="https://www.ibm.com/products/mq/advanced" \
+  io.openshift.tags="mq messaging" \
+  io.k8s.display-name="IBM MQ Advanced Server" \
+  io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+  base-image=$BASE_IMAGE \
+  base-image-release=$BASE_TAG
 COPY --from=mq-redux /opt/mqm-redux/ /opt/mqm/
 COPY setup-image.sh /usr/local/bin/
 COPY install-mq-server-prereqs.sh /usr/local/bin/
@@ -169,19 +169,19 @@ ARG BASE_IMAGE
 ARG BASE_TAG
 ARG GO_WORKDIR
 LABEL summary="IBM MQ Advanced for Developers Server" \
-      description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
-      vendor="IBM" \
-      distribution-scope="private" \
-      authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
-      url="https://www.ibm.com/products/mq/advanced" \
-      io.openshift.tags="mq messaging" \
-      io.k8s.display-name="IBM MQ Advanced for Developers Server" \
-      io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
-      base-image=$BASE_IMAGE \
-      base-image-release=$BASE_TAG
+  description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+  vendor="IBM" \
+  distribution-scope="private" \
+  authoritative-source-url="https://www.ibm.com/software/passportadvantage/" \
+  url="https://www.ibm.com/products/mq/advanced" \
+  io.openshift.tags="mq messaging" \
+  io.k8s.display-name="IBM MQ Advanced for Developers Server" \
+  io.k8s.description="Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises" \
+  base-image=$BASE_IMAGE \
+  base-image-release=$BASE_TAG
 USER 0
 COPY --from=cbuilder /opt/app-root/src/authservice/mqhtpass/build/mqhtpass.so /opt/mqm/lib64/
-COPY etc/mqm/*.ini /etc/mqm/
+COPY etc/mqm/qm-service-component.ini /run
 COPY etc/mqm/mq.htpasswd.default /etc/mqm/
 COPY incubating/mqadvanced-server-dev/install-extra-packages.sh /usr/local/bin/
 RUN chmod u+x /usr/local/bin/install-extra-packages.sh \
@@ -197,13 +197,16 @@ RUN ln -s /run/10-dev.mqsc /etc/mqm/10-dev.mqsc \
 RUN chown -R 1001:root /etc/mqm/* \
   && chmod -R g+w /etc/mqm/web \
   && chmod +x /usr/local/bin/runmq* \
-  && chmod 0660 /etc/mqm/mq.htpasswd.default
-
+  && chmod 0660 /etc/mqm/mq.htpasswd.default \
+  # Allow contents of qm-service-component.ini to be cleaned if MQ_CONNAUTH_USE_HTP is not set to true
+  && chmod 0660 /run/qm-service-component.ini \
+  && ln -s /run/qm-service-component.ini /etc/mqm/qm-service-component.ini
+
 ENV MQ_DEV=true \
-    MQ_ENABLE_EMBEDDED_WEB_SERVER=1 \
-    MQ_GENERATE_CERTIFICATE_HOSTNAME=localhost \
-    LD_LIBRARY_PATH=/opt/mqm/lib64 \
-    MQ_CONNAUTH_USE_HTP=true \
-    MQS_PERMIT_UNKNOWN_ID=true
+  MQ_ENABLE_EMBEDDED_WEB_SERVER=1 \
+  MQ_GENERATE_CERTIFICATE_HOSTNAME=localhost \
+  LD_LIBRARY_PATH=/opt/mqm/lib64 \
+  MQ_CONNAUTH_USE_HTP=true \
+  MQS_PERMIT_UNKNOWN_ID=true
 USER 1001
 ENTRYPOINT ["runmqdevserver"]

cmd/runmqdevserver/main.go

@@ -128,33 +128,43 @@ func doMain() error {
 		return err
 	}
 
-	// Copy default mq.htpasswd file to ephemeral volume
-	err = copy.CopyFile("/etc/mqm/mq.htpasswd.default", "/run/mq.htpasswd")
-	if err != nil {
-		logTermination(err)
-		return err
-	}
-
-	adminPassword, set := os.LookupEnv("MQ_ADMIN_PASSWORD")
-	if !set {
-		adminPassword = "passw0rd"
-		err = os.Setenv("MQ_ADMIN_PASSWORD", adminPassword)
+	// Enable mq htpasswd if MQ_CONNAUTH_USE_HTP is set true
+	// and either or both of MQ_APP_PASSWORD and MQ_ADMIN_PASSWORD
+	// environment variables specified.
+	enableHtPwd, set := os.LookupEnv("MQ_CONNAUTH_USE_HTP")
+	adminPassword, adminPwdset := os.LookupEnv("MQ_ADMIN_PASSWORD")
+	appPassword, appPwdset := os.LookupEnv("MQ_APP_PASSWORD")
+	if set && strings.EqualFold(enableHtPwd, "true") &&
+		(adminPwdset && len(strings.TrimSpace(adminPassword)) > 0 || appPwdset && len(strings.TrimSpace(appPassword)) > 0) {
+		// Copy default mq.htpasswd file to ephemeral volume
+		err = copy.CopyFile("/etc/mqm/mq.htpasswd.default", "/run/mq.htpasswd")
 		if err != nil {
-			logTerminationf("Error setting admin password variable: %v", err)
+			logTermination(err)
 			return err
 		}
-	}
-	err = htpasswd.SetPassword("admin", adminPassword, false)
-	if err != nil {
-		logTerminationf("Error setting admin password: %v", err)
-		return err
-	}
 
-	appPassword, set := os.LookupEnv("MQ_APP_PASSWORD")
-	if set {
-		err = htpasswd.SetPassword("app", appPassword, false)
+		if adminPwdset {
+			err = htpasswd.SetPassword("admin", adminPassword, false)
+			if err != nil {
+				logTerminationf("Error setting admin password: %v", err)
+				return err
+			}
+		}
+
+		if appPwdset {
+			err = htpasswd.SetPassword("app", appPassword, false)
+			if err != nil {
+				logTerminationf("Error setting app password: %v", err)
+				return err
+			}
+		}
+	} else {
+		// Clean contents of qm-service-component.ini if MQ_CONNAUTH_USE_HTP is not set to true
+		// so that mq.htpasswd exit is not loaded by queue manager
+		// #nosec G306 - its a write by owner/s group, and pose no harm.
+		err = os.WriteFile("/run/qm-service-component.ini", []byte(""), 0660)
 		if err != nil {
-			logTerminationf("Error setting app password: %v", err)
+			logTermination(err)
 			return err
 		}
 	}

cmd/runmqserver/main.go

@@ -27,6 +27,7 @@ import (
 	"github.com/ibm-messaging/mq-container/internal/copy"
 	"github.com/ibm-messaging/mq-container/internal/fips"
 	"github.com/ibm-messaging/mq-container/internal/ha"
+	"github.com/ibm-messaging/mq-container/internal/htpasswd"
 	"github.com/ibm-messaging/mq-container/internal/metrics"
 	"github.com/ibm-messaging/mq-container/internal/ready"
 	"github.com/ibm-messaging/mq-container/internal/tls"
@@ -329,7 +330,7 @@ func doMain() error {
 		}
 	}
 
-	if *devFlag {
+	if *devFlag && htpasswd.IsEnabled() {
 		_, err = mirrorHTPasswdLogs(ctx, &wg, name, newQM, mf)
 		if err != nil {
 			logTermination(err)
@@ -354,7 +355,7 @@ func doMain() error {
 
 	// This is a developer image only change
 	// This workaround should be removed and handled via <crtmqm -ii>, when inimerge is ready to handle stanza ordering
-	if *devFlag {
+	if *devFlag && htpasswd.IsEnabled() {
 		err = updateQMini(name)
 		if err != nil {
 			logTermination(err)

cmd/runmqserver/webserver.go

@@ -35,14 +35,9 @@ func startWebServer(webKeystore, webkeystorePW, webTruststoreRef string) error {
 	log.Println("Starting web server")
 	// #nosec G204 - command is fixed, no injection vector
 	cmd := exec.Command("strmqweb")
-	// Set a default app password for the web server, if one isn't already set
-	_, set := os.LookupEnv("MQ_APP_PASSWORD")
-	if !set {
-		// Take all current environment variables, and add the app password
-		cmd.Env = append(os.Environ(), "MQ_APP_PASSWORD=passw0rd")
-	} else {
-		cmd.Env = os.Environ()
-	}
+
+	// Pass all the environment to MQ Web Server JVM
+	cmd.Env = os.Environ()
 
 	// TLS enabled
 	if webKeystore != "" {

docs/developer-config.md

@@ -7,15 +7,15 @@ If you build this image with MQ Advanced for Developers, then an optional set of
 The MQ Developer Defaults supports some customization options, these are all controlled using environment variables:
 
 * **MQ_DEV** - Set this to `false` to stop the default objects being created.
-* **MQ_ADMIN_PASSWORD** - Changes the password of the `admin` user. Must be at least 8 characters long.
-* **MQ_APP_PASSWORD** - Changes the password of the app user. If set, this will cause the `DEV.APP.SVRCONN` channel to become secured and only allow connections that supply a valid userid and password. Must be at least 8 characters long.
+* **MQ_ADMIN_PASSWORD** - Specify the password of the `admin` user. Must be at least 8 characters long.
+* **MQ_APP_PASSWORD** - Specify the password of the `app` user. If set, this will cause the `DEV.APP.SVRCONN` channel to become secured and only allow connections that supply a valid userid and password. Must be at least 8 characters long.
 
 ## Details of the default configuration
 
 The following users are created:
 
-* User **admin** for administration.  Default password is **passw0rd**.
-* User **app** for messaging (in a group called `mqclient`).  No password by default.
+* User **admin** for administration.  No password by default. Password must be set using **MQ_ADMIN_PASSWORD**  environment variable.
+* User **app** for messaging (in a group called `mqclient`).  No password by default. Password must be set using **MQ_APP_PASSWORD**  environment variable.
 
 Users in `mqclient` group have been given access connect to all queues and topics starting with `DEV.**` and have `put`, `get`, `pub`, `sub`, `browse` and `inq` permissions.
 
@@ -41,8 +41,6 @@ When you navigate to this page you may be presented with a security exception wa
 If you choose to accept the security warning, you will be presented with the login menu for the IBM MQ Web Console. The default login for the console is:
 
 * **User:** admin
-* **Password:** passw0rd
-
-If you wish to change the password for the admin user, this can be done using the `MQ_ADMIN_PASSWORD` environment variable.
+* **Password:** No password by default. The password for the admin user must be specified using the `MQ_ADMIN_PASSWORD` environment variable.
 
 If you do not wish the web console to run, you can disable it by setting the environment variable `MQ_ENABLE_EMBEDDED_WEB_SERVER` to `false`.

incubating/mqadvanced-server-dev/web/installations/Installation1/servers/mqweb/mqwebcontainer.xml.dev

@@ -23,9 +23,6 @@
     </enterpriseApplication>
     <basicRegistry id="basic" realm="defaultRealm">
         <user name="admin" password="${env.MQ_ADMIN_PASSWORD}"/>
-        <!-- The app user will always get a default password of "passw0rd",
-             even if you don't set the environment variable.
-             See `webserver.go` -->
         <user name="app" password="${env.MQ_APP_PASSWORD}"/>
         <group name="MQWebUI">
             <member name="admin"/>

internal/htpasswd/htpasswd.go

@@ -111,3 +111,15 @@ func (htpfile mapHtPasswd) updateHtPasswordFile(isTest bool) error {
 	// #nosec G306 - its a read by owner/s group, and pose no harm.
 	return os.WriteFile(file, htpfile.GetBytes(), 0660)
 }
+
+func IsEnabled() bool {
+	htpassEnabled := false
+	enableHtPwd, set := os.LookupEnv("MQ_CONNAUTH_USE_HTP")
+	adminPassword, adminPwdset := os.LookupEnv("MQ_ADMIN_PASSWORD")
+	appPassword, appPwdset := os.LookupEnv("MQ_APP_PASSWORD")
+	if set && strings.EqualFold(enableHtPwd, "true") &&
+		(adminPwdset && len(strings.TrimSpace(adminPassword)) > 0 || appPwdset && len(strings.TrimSpace(appPassword)) > 0) {
+		htpassEnabled = true
+	}
+	return htpassEnabled
+}