handle secureComms to secret

search-services/README.md

@@ -385,7 +385,8 @@ The following environment variables are supported:
 | SEARCH_LOG_LEVEL | ERROR, WARN, INFO, DEBUG or TRACE | The root logger level. |
 | ENABLE_SPELLCHECK | true or false | Whether spellchecking is enabled or not. |
 | DISABLE_CASCADE_TRACKING | true or false | Whether cascade tracking is enabled or not. Disabling cascade tracking will improve performance, but result in some feature loss (e.g. path queries). |
-| ALFRESCO_SECURE_COMMS | https or none | Whether communication with the repository is secured. See below. |
+| ALFRESCO_SECURE_COMMS | https, secret or none | Whether communication with the repository is secured. See below. |
+| ALFRESCO_SECURE_COMMS_SHARED_SECRET | string | A shared secret for Solr and repository to authenticate each other |
 | SOLR_SSL_... | --- | These variables are also used to configure SSL. See below. |
 
 **Using Mutual Auth TLS (SSL)**
@@ -414,6 +415,10 @@ $ docker run -p 8983:8983 \
 searchservices:develop
 ```
 
+**Using Shared secret authentication**
+
+An alternative is to use a shared secret in order to secure repo <-> solr commnunication. You just need to set `ALFRESCO_SECURE_COMMS=secret` **AND** `ALFRESCO_SECURE_COMMS_SHARED_SECRET=my_super_secret_secret`
+
 SOLR Web Console will be available at:
 
 [https://localhost:8983/solr](https://localhost:8983/solr)

search-services/packaging/src/docker/search_config_setup.sh

@@ -3,6 +3,10 @@ set -e
 # By default its going to deploy "Master" setup configuration with "REPLICATION_TYPE=master".
 # Slave replica service can be enabled using "REPLICATION_TYPE=slave" environment value.
 
+log_warn() {
+	echo -e " ====WARN==== \n$*\nWARN CODE was $LOG_WARN" >&2
+}
+
 RERANK_TEMPLATE_PATH=$PWD/solrhome/templates/rerank/conf
 NORERANK_TEMPLATE_PATH=$PWD/solrhome/templates/noRerank/conf
 SOLR_RERANK_CONFIG_FILE=$RERANK_TEMPLATE_PATH/solrconfig.xml
@@ -87,16 +91,37 @@ fi
 
 # By default Docker Image is using TLS Mutual Authentication (SSL) for communications with Repository
 # Plain HTTP can be enabled by setting ALFRESCO_SECURE_COMMS to 'none'
-if [[ "none" == "$ALFRESCO_SECURE_COMMS" ]]; then
-   sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' $SOLR_RERANK_CORE_FILE $SOLR_NORERANK_CORE_FILE
-   # Apply also the setting to existing SOLR cores property files when existing
-   if [[ -f ${PWD}/solrhome/alfresco/conf/solrcore.properties ]]; then
-       sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/alfresco/conf/solrcore.properties
-   fi
-   if [[ -f ${PWD}/solrhome/archive/conf/solrcore.properties ]]; then
-       sed -i 's/alfresco.secureComms=https/alfresco.secureComms=none/' ${PWD}/solrhome/archive/conf/solrcore.properties
-   fi
-fi
+case "$ALFRESCO_SECURE_COMMS" in
+   secret)
+      if [ -n "$ALFRESCO_SECURE_COMMS_SHARED_SECRET" ]; then
+         sed -i "s/alfresco.secureComms=https/alfresco.secureComms=secret\nalfresco.secureComms.secret=${ALFRESCO_SECURE_COMMS_SHARED_SECRET}\n/" $SOLR_RERANK_CORE_FILE $SOLR_NORERANK_CORE_FILE
+         if [[ -f ${PWD}/solrhome/alfresco/conf/solrcore.properties ]]; then
+             sed -i "s/alfresco.secureComms=https/alfresco.secureComms=secret\nalfresco.secureComms.secret=${ALFRESCO_SECURE_COMMS_SHARED_SECRET}\n/" ${PWD}/solrhome/alfresco/conf/solrcore.properties
+         fi
+         if [[ -f ${PWD}/solrhome/archive/conf/solrcore.properties ]]; then
+             sed -i "s/alfresco.secureComms=https/alfresco.secureComms=secret\nalfresco.secureComms.secret=${ALFRESCO_SECURE_COMMS_SHARED_SECRET}\n/" ${PWD}/solrhome/archive/conf/solrcore.properties
+         fi
+      else
+         LOG_WARN=1
+      fi
+   ;;
+   none)
+     sed -i "s/alfresco.secureComms=https/alfresco.secureComms=none\n/" $SOLR_RERANK_CORE_FILE $SOLR_NORERANK_CORE_FILE
+     if [[ -f ${PWD}/solrhome/alfresco/conf/solrcore.properties ]]; then
+         sed -i "s/alfresco.secureComms=https/alfresco.secureComms=none\n/" ${PWD}/solrhome/alfresco/conf/solrcore.properties
+     fi
+     if [[ -f ${PWD}/solrhome/archive/conf/solrcore.properties ]]; then
+         sed -i "s/alfresco.secureComms=https/alfresco.secureComms=none\n/" ${PWD}/solrhome/archive/conf/solrcore.properties
+     fi
+   ;;
+   https|'')
+   ;;
+   *)
+      LOG_WARN=2
+   ;;
+esac
+
+[ -z $LOG_WARN ] || log_warn "something was wrong with the authentication config, defaulting to https mTLS auth.\nIf mTLS is not properly configured Search service might not work"
 
 if [[ true == "$ENABLE_SPELLCHECK" ]]; then
    sed -i 's/#alfresco.suggestable.property/alfresco.suggestable.property/' ${PWD}/solrhome/conf/shared.properties