IBX-9898: Added mandatory admin user password altering on ibexa:install

[konradoboza]

🎫 Issue	IBX-9898

Description:

We don't want to risk having the default admin:publish scenario for the new installations so I added invocation of existing command for updating user password. Since there in no obvious way to perform retry, I added exhaustive explanation on how admin default password should be altered afterwards in case it does not go through validation. Wording can be probably better so I allow myself to ask @juskora for help here. 😉

Retries are apparently possible as @Steveb-p nicely pointed out - added as below:

Note:

There are two unrelated PHPStan reports. While there are easy to fix, I don't want to give you additional load of rebasing since you handle upgrading to Sf7 already @alongosz. However, if it ticks one of the issues from the list I can do that on this very occasion with a little hassle.

Documentation:

[alongosz]

@ibexa/documentation I've added this to upgrade from 4.6 to 5.0 internal doc and marked it as a significant, but necessary, BC break.

FYI @glye you might want to take a look at this. This is a security improvement (not a security issue ;) ).

[alongosz]

+1 for the concept, with remarks from the internal discussion.

[mnocon]

I'd suggest adding a --no-interaction flag for CI runs, what do you think about it?

[konradoboza]

I'd suggest adding a --no-interaction flag for CI runs, what do you think about it?

That was the plan actually.

[Steveb-p]

I'd suggest adding a --no-interaction flag for CI runs, what do you think about it?

That was the plan actually.

You should use --no-interaction flag only if the original command was non-interactive as well. At least with the solution I proposed it should work nicely.

[juskora]

@konradoboza I suggest this with small modification :)

`For security reasons, you're required to change the default admin password.
Remember to follow currently set password validation rules as there is only one attempt.

If password isn't accepted now, you can still update it after the installation, using the following command:`

[konradoboza]

Thanks @juskora! If it indeed works with retries as Paweł suggests we might not need that. Otherwise, I will apply your suggestion at once. 😉

[juskora]

In terms of microcopy :)

[glye]

Great feature, thanks!

[konradoboza]

The Behat tests setup needs to be slightly adjusted to skip checking the password. Probably --no-interaction flag will do the trick, I let myself adding Ready for QA label to have some assistance with that. 😉

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[vidarl]

FYI : ibexa:install is executed when provisioning on Ibexa Cloud and the script still needs to run without user prompt there.

[konradoboza]

FYI : ibexa:install is executed when provisioning on Ibexa Cloud and the script still needs to run without user prompt there.

Good catch, thank you. This should do the trick ibexa/post-install#91.

[vidarl]

Could you also add the possibility to provide password as command line argument?
That would make it possible to run installation non-interactive, and still not have the default publish password

[konradoboza]

Could you also add the possibility to provide password as command line argument?
That would make it possible to run installation non-interactive, and still not have the default publish password

If you consider this for Ibexa Cloud installations I don't think this is safe to pass that in plain text and put in .platform.app.yaml.

[vidarl]

If you consider this for Ibexa Cloud installations I don't think this is safe to pass that in plain text and put in .platform.app.yaml.

I think it is valid use-case to be able to install Ibexa DXP with a custom password without having to be prompted by the installer.

For Ibexa Cloud I actually think we in addtion should have a --generate-admin-password options that generates a random password. That password would then also needs to be outputed, so that the end-user can learn it from the logs. That would still be way safer than continue using the default password

[konradoboza]

We discussed this topic within the team and the outcome is that we don't want to have plain password passed as a parameter in commands (including ibexa:install) for security reasons. The same approach was taken for ibexa/user#86.

For Ibexa Cloud I actually think we in addtion should have a --generate-admin-password options that generates a random password. That password would then also needs to be outputed, so that the end-user can learn it from the logs. That would still be way safer than continue using the default password

This is a bit tricky cause we need to have this password generated and validated against all the current constraints residing in ibexa/user. This is a topic for another story/improvement which we don't want to start with this PR.

The main idea here was to quickly resolve issue with the default admin:publish going silently to production installations. That being said we want this PR to be merged in the current shape as long as we don't find any issues.

Thank you for good suggestions, those should definitely be documented.

@glye could I kindly ask you to include the above in your notes? 😉