From 6f28eaed931380e0b9249f7e1e379dc5dd835870 Mon Sep 17 00:00:00 2001
From: Anthony
Date: Wed, 27 Aug 2025 01:46:27 +0800
Subject: [PATCH] Added idempotency and more security

---
 scripts/dbreset.sh | 62 ++++++++++++++++-------
 scripts/pma-gateway/create_pma_gateway.sh | 54 +++++++++++++++++++-
 2 files changed, 97 insertions(+), 19 deletions(-)

diff --git a/scripts/dbreset.sh b/scripts/dbreset.sh
index 502f277..76061e5 100644
--- a/scripts/dbreset.sh
+++ b/scripts/dbreset.sh
@@ -1,8 +1,42 @@ #!/bin/bash +set -euo pipefail + +PMA_PASS_FILE="/var/lib/jelastic/keys/pma_root_pass" +PMA_CONFIG="/etc/phpMyAdmin/config.inc.php" + +# Ensures phpMyAdmin config is set for automatic login with the given password +ensure_pma_config() { + local password="$1" + echo "🔧 Ensuring phpMyAdmin config is up-to-date..." + + # Use a different delimiter for sed to handle special characters in the password + sudo sed -i "s|\(\['password'\]\s*=\s*'\)[^']*'|\1$password'|" "$PMA_CONFIG" + + if ! sudo grep -q "\['auth_type'\]" "$PMA_CONFIG"; then + echo "\$cfg['Servers'][\$i]['auth_type'] = 'config';" | sudo tee -a "$PMA_CONFIG" > /dev/null + else + sudo sed -i "s/\(\['auth_type'\]\s*=\s*'\)[^']*'/\1config'/" "$PMA_CONFIG" + fi + if ! sudo grep -q "\['user'\]" "$PMA_CONFIG"; then + echo "\$cfg['Servers'][\$i]['user'] = 'root';" | sudo tee -a "$PMA_CONFIG" > /dev/null + else + sudo sed -i "s/\(\['user'\]\s*=\s*'\)[^']*'/\1root'/" "$PMA_CONFIG" + fi +} + +# If password file exists, just re-apply the config. This is the fast, idempotent path. +if [ -f "$PMA_PASS_FILE" ] && [ -s "$PMA_PASS_FILE" ]; then + echo "🔑 Root password file found. Re-configuring phpMyAdmin without DB reset." + stored_password=$(sudo cat "$PMA_PASS_FILE") + ensure_pma_config "$stored_password" + exit 0 +fi + +# --- First time execution: Full password reset --- +echo "🔑 Root password file not found. Performing first-time password reset." # Generate a secure password new_password=$(openssl rand -base64 12) -echo "🔐 New MariaDB root password will be: $new_password" # Stop MariaDB echo "🛑 Stopping MariaDB service..." @@ -12,10 +46,11 @@ sleep 3 # Start MariaDB in safe mode echo "🔧 Starting MariaDB in safe mode (skip-grant-tables)..." sudo mysqld_safe --skip-grant-tables --skip-networking --skip-name-resolve & +PID=$! sleep 5 # Check if mysqld is running -if ! pgrep mysqld > /dev/null; then +if ! ps -p $PID > /dev/null; then echo "❌ Failed to start mysqld_safe. Exiting." exit 1 fi 
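Review bot: In `ensure_pma_config` the `['password']` line is only rewritten by `sed` and never appended when it is missing, while `auth_type` and `user` each get a grep-and-append fallback; on a config without a password line the function leaves `auth_type = 'config'` and `user = 'root'` with no password at all, and under `set -e` nothing reports it. The same grep-then-append-or-sed shape used for the other two keys fixes this. Note also that `$password` (and `$stored_password`, read back from `$PMA_PASS_FILE`) is spliced unescaped into both the sed replacement and a PHP single-quoted literal; that is safe for the `openssl rand -base64` alphabet but would break or inject on a value containing `'`, `\` or `&`, so a comment stating that assumption — `# password must stay within the base64 alphabet: it is spliced into sed and a PHP single-quoted string unescaped` — is worth adding above the function. The rest of dbreset.sh is outside this hunk.
```shell
  # Append the password line if it is missing, otherwise rewrite it in place
  if ! sudo grep -q "\['password'\]" "$PMA_CONFIG"; then
    echo "\$cfg['Servers'][\$i]['password'] = '$password';" | sudo tee -a "$PMA_CONFIG" > /dev/null
  else
    sudo sed -i "s|\(\['password'\]\s*=\s*'\)[^']*'|\1$password'|" "$PMA_CONFIG"
  fi
```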
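Review bot: `if ! ps -p $PID > /dev/null` only proves the `mysqld_safe` wrapper whose PID was captured by `PID=$!` is still alive, not that the `--skip-grant-tables` server came up on its socket, and with `set -euo pipefail` now in force any later failure in the script exits without stopping that grant-less instance, since no trap is visible in this hunk. A root server with grant checks disabled left running is the worst outcome of a reset script, even with `--skip-networking`. Install an EXIT trap right after `PID=$!` that stops the safe-mode server itself (not just the wrapper), and clear it with `trap - EXIT` once the server has been restarted normally through systemd (that part of the script is outside this hunk); quote the expansion as `"$PID"` while you are there. A comment such as `# safe-mode instance has no grant checks: make sure every exit path stops it` would record why the trap exists.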
@@ -48,21 +83,14 @@ sudo systemctl start mariadb
 
 if sudo systemctl is-active --quiet mariadb; then
 echo "✅ MariaDB is running."
- echo "🔐 Root password has been reset to: $new_password"
- echo ""
- echo "📌 IMPORTANT:"
- echo " 1. Update /etc/phpMyAdmin/config.inc.php:"
- echo " \$cfg['Servers'][\$i]['user'] = 'root';"
- echo " \$cfg['Servers'][\$i]['password'] = '$new_password';"
- echo " \$cfg['Servers'][\$i]['auth_type'] = 'config';"
- echo ""
- echo " 2. Restart the database node in the Virtuozzo control panel!"
- echo " This ensures Apache/phpMyAdmin can reconnect."
+ ensure_pma_config "$new_password"
+
+ # Save the new password for future runs
+ echo "$new_password" | sudo tee "$PMA_PASS_FILE" > /dev/null
+ sudo chmod 600 "$PMA_PASS_FILE"
+ sudo chown root:root "$PMA_PASS_FILE"
+ echo "✅ New root password securely stored for future runs."
 else
 echo "❌ Failed to start MariaDB. Run: sudo systemctl status mariadb"
 exit 1
-fi
-
-sudo sed -i "s/\(\['password'\]\s*=\s*'\)[^']*'/\1$new_password'/" /etc/phpMyAdmin/config.inc.php
-sudo sed -i "s/\(\['auth_type'\]\s*=\s*'\)[^']*'/\1config'/" /etc/phpMyAdmin/config.inc.php
-sudo sed -i "s/\(\['user'\]\s*=\s*'\)[^']*'/\1root'/" /etc/phpMyAdmin/config.inc.php
\ No newline at end of file
+fi
\ No newline at end of file
diff --git a/scripts/pma-gateway/create_pma_gateway.sh b/scripts/pma-gateway/create_pma_gateway.sh
index 82a9f09..0acfd82 100644
--- a/scripts/pma-gateway/create_pma_gateway.sh
+++ b/scripts/pma-gateway/create_pma_gateway.sh
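Review bot: `echo "$new_password" | sudo tee "$PMA_PASS_FILE"` creates the file under the caller's umask (typically 0644) and only afterwards `chmod 600`s it, so the fresh root password is briefly world-readable on the node; and if the directory is missing the pipeline fails and `set -e` exits after `ensure_pma_config` has already been applied, leaving phpMyAdmin pointed at a password that is never persisted and a full reset on the next run. Create the file with its final ownership and mode before writing into it — `sudo install -m 600 -o root -g root /dev/null "$PMA_PASS_FILE"` followed by the `tee` — which makes the separate `chmod`/`chown` lines redundant and still fails closed if the directory is absent. It is also worth a comment here that the fast path at the top of the script (outside this hunk) trusts this file's content as the live root password, so rotating the password by hand without deleting the file will break phpMyAdmin silently: `# this file is the source of truth for the fast path: delete it after any manual root password change`.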
@@ -50,6 +50,46 @@ base=$(printf "%s" "$data" | base64 | tr -d '\n') mac=$(php -r "echo hash_hmac('sha256', '$data', '$SECRET');") token="$base.$mac" +# Secure the phpMyAdmin vhost with Rewrite Rules to block direct access +VHOST_CONFIG="/usr/share/phpMyAdmin/vhost.conf" +NEEDS_RESTART=0 +if [ -f "$VHOST_CONFIG" ]; then + MARKER="# PMA Gateway Security Rules" + + # If rules are not already in place, add them. + if ! sudo grep -qF "$MARKER" "$VHOST_CONFIG"; then + + # Remove any existing rewrite block to ensure a clean state. + sudo sed -i '/\s*/,/<\/rewrite>/d' "$VHOST_CONFIG" + + # Define the new rewrite block using a temporary file to avoid escaping issues. + REWRITE_TMP=$(mktemp) + cat > "$REWRITE_TMP" <<'EOF' + + 1 + 0 + + # PMA Gateway Security Rules + # Allow access to the gateway scripts themselves + RewriteCond %{REQUEST_URI} ^/access-db-.*\.php$ + RewriteRule .* - [L] + # For all other requests, block if the security cookie is not present + RewriteCond %{HTTP_COOKIE} !pma_access_granted + RewriteRule .* - [F,L] + + +EOF + + # Use awk to insert the new block before the tag for robustness + sudo awk -v r="$(cat $REWRITE_TMP)" '{if (/\s*/) print r} {print}' "$VHOST_CONFIG" | sudo tee "$VHOST_CONFIG" > /dev/null + + rm -f "$REWRITE_TMP" + NEEDS_RESTART=1 + fi +else + echo "Warning: phpMyAdmin vhost config not found at $VHOST_CONFIG. Cannot apply security rules." >&2 +fi + sudo tee "$GATEWAY_FILE" >/dev/null <<'PHP' intval($exp)) { + unlink(__FILE__); // Self-destruct if expired deny(); } @@ -92,8 +133,9 @@ if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) { deny(); } -// Issue short-lived cookie (same expiry as token) and redirect to phpMyAdmin root -setcookie('pma_token', $sig, intval($exp), '/', '', true, true); +// Issue a short-lived cookie that the rewrite rule looks for. +// This cookie acts as the temporary pass. +setcookie('pma_access_granted', $sig, intval($exp), '/', '', true, true); header('Location: /'); exit; ?> 
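Review bot: The gate `RewriteCond %{HTTP_COOKIE} !pma_access_granted` only tests that the cookie name appears somewhere in the Cookie header, so any client bypasses it with `Cookie: pma_access_granted=1` — the HMAC value the gateway stores in that cookie is never checked by the rewrite rule and cannot be, so this layer hides phpMyAdmin only from clients that do not know the cookie name. The comment should say so, e.g. `# NOTE: obscurity layer only — the cookie value is not validated here; phpMyAdmin's own login remains the real access control`, rather than calling these "security rules". Separately, `sudo awk ... "$VHOST_CONFIG" | sudo tee "$VHOST_CONFIG"` reads and truncates the same file in one pipeline, so `tee` can empty the vhost config before `awk` has read it; write awk's output to a `mktemp` file and `sudo install -m 644` it over the config instead. `awk -v r=...` also processes backslash escapes in the value, so the `\.` in `^/access-db-.*\.php$` is likely to land in the config as a bare `.` (gawk warns about exactly this); reading the block via `getline` from the temp file inside awk avoids it. The XML tags of the rewrite block and of the `sed` range pattern are stripped in this rendering, so I could not verify that the delete range is anchored to the intended element.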
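Review bot: The `hash_equals` signature check in this hunk runs only after the expiry branch shown in the preceding, partially garbled hunk, where `unlink(__FILE__)` was added, so an unauthenticated request carrying a forged token whose expiry is in the past deletes the gateway script before its signature is ever verified — a one-request denial of service against the holder of the real link, assuming `$exp` is parsed from the client-supplied token as the surrounding code suggests (the parsing is outside this hunk). Verify the HMAC first and act on expiry second: `if (!hash_equals($sig, hash_hmac('sha256', $data, $secret))) { deny(); }` and only then the expiry block with its `unlink`. The new `setcookie('pma_access_granted', $sig, ...)` is Secure and HttpOnly but sets no SameSite attribute; the options-array form of `setcookie` (PHP 7.3+) with `'samesite' => 'Strict'` keeps the pass from being sent on cross-site requests. A comment above the cookie line, `// the rewrite rule only checks this cookie's presence, not its value`, would keep the next reader from assuming the HMAC is enforced at the web-server layer.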
@@ -102,5 +144,13 @@ PHP
 sudo chown litespeed:litespeed "$GATEWAY_FILE"
 sudo chmod 644 "$GATEWAY_FILE"
 
+# Restart LiteSpeed if we modified the config
+if [[ "${NEEDS_RESTART:-0}" -eq 1 ]]; then
+ echo "Applying security rules and restarting LiteSpeed..." >&2
+ if ! sudo systemctl restart lsws; then
+ echo "Warning: LiteSpeed restart failed. Manual restart may be required." >&2
+ fi
+fi
+
 URL="https://$ENV_HOST:8443/access-db-$SLUG.php?token=$token"
 echo "$URL"
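Review bot: When `sudo systemctl restart lsws` fails the new block only prints a warning and falls through to `echo "$URL"`, so the caller is handed a gateway link while the rewrite rules meant to guard phpMyAdmin are not loaded — the script fails open, and the `VHOST_CONFIG`-not-found branch earlier in the file does the same. Fail closed instead: replace the warning with `echo "Error: LiteSpeed restart failed; rewrite rules not applied." >&2` followed by `exit 1`, and have the vhost-not-found branch exit non-zero as well (that branch is outside this hunk). A short comment on the block, `# fail closed: never print a URL unless the gateway rules are live`, states the intent for the next maintainer.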