From 1b4dbe66bc45a8655a0b434d5c44bdbe555476cf Mon Sep 17 00:00:00 2001
From: phact
Date: Wed, 3 Sep 2025 10:33:20 -0400
Subject: [PATCH] os pw hash on startup

---
 .env.example | 5 +++--
 Dockerfile | 6 ++++++
 securityconfig/internal_users.yml | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.env.example b/.env.example
index a1fd6326..9840ef62 100644
--- a/.env.example
+++ b/.env.example
@@ -2,8 +2,9 @@ LANGFLOW_SECRET_KEY=
 # flow id from the the openrag flow json
 FLOW_ID=1098eea1-6649-4e1d-aed1-b77249fb8dd0
-# must match the hashed password in secureconfig, must change for secure deployment!!!
-OPENSEARCH_PASSWORD=OSisgendb1!
+# Set a strong admin password for OpenSearch; a bcrypt hash is generated at
+# container startup from this value. Do not commit real secrets.
+OPENSEARCH_PASSWORD=
 # make here https://console.cloud.google.com/apis/credentials
 GOOGLE_OAUTH_CLIENT_ID=
 GOOGLE_OAUTH_CLIENT_SECRET=
diff --git a/Dockerfile b/Dockerfile
index 77e7651e..55a49398 100644
--- a/Dockerfile
+++ b/Dockerfile
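Review bot: The example sets `OPENSEARCH_PASSWORD`, but the startup script built in the Dockerfile hunk reads `OPENSEARCH_INITIAL_ADMIN_PASSWORD`, and the mapping between the two is not part of this patch (presumably compose or an entrypoint does it). The new comment would be more useful if it named that relationship and the failure mode, e.g. `# Passed to the OpenSearch container as OPENSEARCH_INITIAL_ADMIN_PASSWORD; container startup aborts if this is empty.` Replacing the committed default with an empty value is the right move; note that the removed default and its bcrypt hash (removed in the internal_users.yml hunk) remain in repository history.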
@@ -53,6 +53,12 @@ COPY securityconfig/ /usr/share/opensearch/securityconfig/
 RUN echo '#!/bin/bash' > /usr/share/opensearch/setup-security.sh && \
 echo 'echo "Waiting for OpenSearch to start..."' >> /usr/share/opensearch/setup-security.sh && \
 echo 'until curl -s -k -u admin:${OPENSEARCH_INITIAL_ADMIN_PASSWORD} https://localhost:9200; do sleep 1; done' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'echo "Generating admin hash from OPENSEARCH_INITIAL_ADMIN_PASSWORD..."' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'if [ -z "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" ]; then echo "[ERROR] OPENSEARCH_INITIAL_ADMIN_PASSWORD not set"; exit 1; fi' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'HASH=$(/usr/share/opensearch/plugins/opensearch-security/tools/hash.sh -p "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" | sed -n '\''s/^hash: //p'\'')' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'if [ -z "$HASH" ]; then echo "[ERROR] Failed to generate admin hash"; exit 1; fi' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'sed -i "s|^ hash: \".*\"| hash: \"$HASH\"|" /usr/share/opensearch/securityconfig/internal_users.yml' >> /usr/share/opensearch/setup-security.sh && \
+ echo 'echo "Updated internal_users.yml with runtime-generated admin hash"' >> /usr/share/opensearch/setup-security.sh && \
 echo 'echo "Applying OIDC and DLS security configuration..."' >> /usr/share/opensearch/setup-security.sh && \
 echo '/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \' >> /usr/share/opensearch/setup-security.sh && \
 echo ' -cd /usr/share/opensearch/securityconfig \' >> /usr/share/opensearch/setup-security.sh && \
diff --git a/securityconfig/internal_users.yml b/securityconfig/internal_users.yml
index 649ae0ee..f467581b 100644
--- a/securityconfig/internal_users.yml
+++ b/securityconfig/internal_users.yml
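Review bot: The `sed -i` line never checks that the substitution happened: if `^ hash: \".*\"` does not match the real indentation of the `hash:` line in internal_users.yml (the width is not recoverable from the collapsed yml hunk), `ADMIN_HASH_PLACEHOLDER` stays in the file, the script still prints `Updated internal_users.yml ...`, and securityadmin.sh then loads a config whose admin hash is unusable. Add a guard right after it, in the same `echo '…' >> setup-security.sh` form as the neighbouring lines: `if grep -q ADMIN_HASH_PLACEHOLDER /usr/share/opensearch/securityconfig/internal_users.yml; then echo "[ERROR] admin hash was not substituted"; exit 1; fi`. The `sed -n 's/^hash: //p'` filter assumes hash.sh prefixes its output with `hash: `; if the bundled tool prints the bare bcrypt string instead, HASH comes out empty and startup aborts at the next check, so confirm the output format against the pinned image. `hash.sh -p "${OPENSEARCH_INITIAL_ADMIN_PASSWORD}"` also puts the password on a command line that is visible in `ps` inside the container; if this plugin version supports it, `hash.sh -env OPENSEARCH_INITIAL_ADMIN_PASSWORD` avoids that, and moving the `-z` check above the readiness loop would fail fast instead of after the port comes up. The RUN instruction continues outside the hunk.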
@@ -4,4 +4,4 @@ _meta:
 admin:
 reserved: true
- hash: "$2y$12$YA8.WOaVAWKEZqEbP48bIe4R70/8zo.ozDAlwjKxczVBumZ.Ol5fS"
+ hash: "ADMIN_HASH_PLACEHOLDER"
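Review bot: The placeholder line carries no explanation, so someone reading securityconfig/ on its own cannot tell it is meant to be rewritten at container start rather than filled in by hand. Add a comment above it: `# Replaced at container startup by setup-security.sh with a bcrypt hash of OPENSEARCH_INITIAL_ADMIN_PASSWORD; do not put a real hash here.` Keep the double quotes and the key's indentation exactly as they are, because the Dockerfile's `sed -i "s|^ hash: \".*\"|…"` matches on them and silently does nothing otherwise.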