From 53098e34b3a5c75b836804b823518bfc68c88ee5 Mon Sep 17 00:00:00 2001 From: Raido Kaju Date: Mon, 13 Oct 2025 15:52:42 +0300 Subject: [PATCH 1/4] feat: add multiple token support to autologin script --- src/autologin/source/common/autologin.expect | 91 ++++++++++++++++---- 1 file changed, 74 insertions(+), 17 deletions(-) diff --git a/src/autologin/source/common/autologin.expect b/src/autologin/source/common/autologin.expect index 5a5bd44679..b19332486d 100755 --- a/src/autologin/source/common/autologin.expect +++ b/src/autologin/source/common/autologin.expect @@ -3,6 +3,41 @@ set XROAD_UTIL_PATH /usr/share/xroad/autologin set CUSTOM_SCRIPT $XROAD_UTIL_PATH/custom-fetch-pin.sh set DEFAULT_SCRIPT $XROAD_UTIL_PATH/default-fetch-pin.sh +proc log_in_to_token {token_id pin} { + global XROAD_UTIL_PATH + set result 0 + + puts "Attempting to log in to token $token_id" + + spawn $XROAD_UTIL_PATH/signer-console login-token $token_id + expect { + "PIN:" { + send "$pin\r" + exp_continue + } "Signer.TokenNotAvailable" { + set result 1 + } "HttpError" { + set result 1 + } timeout { + set result 1 + } "Signer.PinIncorrect" { + set result 127 + } eof { + ; + } + } + + if {$result == 127} { + puts stderr "\nFATAL: Incorrect PIN for token $token_id" + } elseif {$result == 1} { + puts stderr "WARNING: Failed to login to token $token_id (token not available or connection error)" + } else { + puts "Successfully logged into token $token_id" + } + + return $result +} + if {[file exists $CUSTOM_SCRIPT]} { set runcmd [list exec $CUSTOM_SCRIPT 2>@stderr] } elseif {[file exists $DEFAULT_SCRIPT]} { 
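Review bot: In log_in_to_token the `eof` branch leaves `result` at 0, so if signer-console exits after printing an error text that none of the patterns match, the proc reports "Successfully logged into token" and the caller treats the token as logged in. Expect can recover the child's status after eof via `wait`; assuming signer-console exits non-zero on failure, the branch could become `eof { lassign [wait] wpid wspawn oserr code; if {$oserr != 0 || $code != 0} { set result 1 } }`. The same gap existed in the inline code this proc replaces, but the proc now runs once per token, so a silently missed failure is harder to spot in a multi-token log. A one-line header comment stating the return contract (`0` success, `1` retryable, `127` wrong PIN) would also help, since the caller relies on the numeric ordering of these codes.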
@@ -21,26 +56,48 @@ if {[catch $runcmd res]} { } } -set pin $res +set pin_output $res set result 0 -spawn $XROAD_UTIL_PATH/signer-console login-token 0 -expect { - "PIN:" { - send "$pin\r"; - exp_continue; - } "Signer.TokenNotAvailable" { - set result 1 - } "HttpError" { - set result 1 - } timeout { - set result 1 - } "Signer.PinIncorrect" { - set result 127 - puts stderr "\nFATAL: Incorrect PIN" - } eof { - ; +# Check if we have multiple tokens or one +set lines [split $pin_output "\n"] +set line_count 0 +foreach line $lines { + if {[string length [string trim $line]] > 0} { + incr line_count + if {$line_count >= 2} { + break } + } } + +if {$line_count == 1} { + set pin $pin_output + set result [log_in_to_token 0 $pin] +} else { + foreach line $lines { + if {[string length [string trim $line]] == 0} { + continue + } + + # Expect the line to be in the format [token-id]:[token-pin] + set colon_pos [string first ":" $line] + if {$colon_pos == -1} { + puts stderr "\nFATAL: Invalid format in multi-token mode. Expected 'token-id:token-pin', got: $line" + exit 127 + } + + set token_id [string trim [string range $line 0 [expr {$colon_pos - 1}]]] + set pin [string range $line [expr {$colon_pos + 1}] end] + + set token_result [log_in_to_token $token_id $pin] + + # Always return the code of the most severe error that has occurred + if {$token_result > $result} { + set result $token_result + } + } +} + exit $result From 20ae226b47250252b0739044c0e25df10b1f0727 Mon Sep 17 00:00:00 2001 
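Review bot: The invalid-format error `puts stderr "\nFATAL: Invalid format in multi-token mode. Expected 'token-id:token-pin', got: $line"` writes the offending line to stderr, and in a mixed file that line is most likely a bare PIN, so the secret ends up in the supervisor or journal log; report the position instead, e.g. `puts stderr "\nFATAL: Invalid format on line $line_no in multi-token mode. Expected 'token-id:token-pin'"` with an `incr line_no` at the top of the loop. Mode detection by line count also means a one-line `token-id:token-pin` source (which the README in this series presents as valid) is taken as a bare PIN and tried against token 0, and on a hardware token that counts as a wrong-PIN attempt toward lockout; if PINs cannot contain a colon, a check such as `if {$line_count == 1 && ![regexp {^\s*\d+:} $pin_output]}` would route it to the multi-token path. Non-numeric token ids are passed straight to `spawn` as an argument, which is not shell-interpreted, so no injection is possible, but a `string is integer -strict $token_id` check would give a clearer failure than whatever signer-console prints.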
From: Raido Kaju Date: Tue, 14 Oct 2025 13:21:29 +0300 Subject: [PATCH 2/4] feat: improve autologin use in sidecar * Change compose environment to rely on autologin rather than Hurl scripts for logging into tokens * Improve autologin so that uninitialized tokens don't cause the script to succeed * Improve sidecar environment variable handling to support passing pins for multiple tokens --- Docker/securityserver/Dockerfile | 6 +-- Docker/securityserver/files/ss-entrypoint.sh | 7 --- .../files/ss-hwtoken-login-inactive-token.sh | 10 ----- .../files/ss-hwtoken-xroad.conf | 8 ---- .../share/xroad/autologin/custom-fetch-pin.sh | 43 +++++++++++++++++++ Docker/xrd-dev-stack/compose.dev.yaml | 5 ++- .../ss1/init-token-and-run-entrypoint.sh | 3 +- development/hurl/scenarios/setup.hurl | 30 ------------- sidecar/files/custom-fetch-pin.sh | 31 ++++++++++++- src/autologin/source/common/autologin.expect | 2 + 10 files changed, 81 insertions(+), 64 deletions(-) delete mode 100755 Docker/securityserver/files/ss-hwtoken-login-inactive-token.sh delete mode 100644 Docker/securityserver/files/ss-hwtoken-xroad.conf create mode 100755 Docker/securityserver/files/usr/share/xroad/autologin/custom-fetch-pin.sh diff --git a/Docker/securityserver/Dockerfile b/Docker/securityserver/Dockerfile index e55bcf25cd..4bb5df4ae3 100644 --- a/Docker/securityserver/Dockerfile +++ b/Docker/securityserver/Dockerfile 
@@ -90,16 +90,14 @@ RUN useradd xrd-sec && adduser xrd-sec xroad-security-officer && sh -c "echo 'xr && adduser xroad softhsm COPY --chown=xroad:xroad files/etc /etc/ +COPY --chown=xroad:xroad files/usr/share/xroad/autologin/custom-fetch-pin.sh /usr/share/xroad/autologin/custom-fetch-pin.sh COPY --chown=xroad:xroad build/libs /usr/share/xroad/jlib/ COPY files/ss-entrypoint.sh /root/entrypoint.sh COPY --chown=xroad:xroad files/override-docker.ini /etc/xroad/conf.d/ COPY --chown=root:root files/ss-xroad.conf /etc/supervisor/conf.d/xroad.conf -COPY --chown=root:root files/ss-hwtoken-xroad.conf /etc/supervisor/conf.d/hwtoken-xroad.conf -COPY --chown=root:root files/ss-hwtoken-login-inactive-token.sh /usr/share/xroad/autologin/login-inactive-token.sh -RUN chmod 755 /usr/share/xroad/autologin/login-inactive-token.sh CMD ["/root/entrypoint.sh"] VOLUME ["/etc/xroad", "/var/lib/xroad", "/var/lib/postgresql/16/main/", "/var/lib/softhsm/tokens"] -EXPOSE 8080 8443 4000 5432 5500 5577 5558 80 \ No newline at end of file +EXPOSE 8080 8443 4000 5432 5500 5577 5558 80 diff --git a/Docker/securityserver/files/ss-entrypoint.sh b/Docker/securityserver/files/ss-entrypoint.sh index dc52e488f8..06084ad43b 100755 --- a/Docker/securityserver/files/ss-entrypoint.sh +++ b/Docker/securityserver/files/ss-entrypoint.sh @@ -29,13 +29,6 @@ else echo "WARN: Installed version ($INSTALLED_VERSION) does not match packaged version ($PACKAGED_VERSION)" >&2 fi -if [ -n "$XROAD_TOKEN_PIN" ] -then - echo "XROAD_TOKEN_PIN variable set, writing to /etc/xroad/autologin" - echo "$XROAD_TOKEN_PIN" > /etc/xroad/autologin - unset XROAD_TOKEN_PIN -fi - log "Enabling public postgres access.." sed -i 's/#listen_addresses = \x27localhost\x27/listen_addresses = \x27*\x27/g' /etc/postgresql/*/main/postgresql.conf sed -ri 's/host replication all 127.0.0.1\/32/host all all 0.0.0.0\/0/g' /etc/postgresql/*/main/pg_hba.conf 
diff --git a/Docker/securityserver/files/ss-hwtoken-login-inactive-token.sh b/Docker/securityserver/files/ss-hwtoken-login-inactive-token.sh deleted file mode 100755 index 8e2e56e38a..0000000000 --- a/Docker/securityserver/files/ss-hwtoken-login-inactive-token.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -INACTIVE_TOKEN=$( - sudo -u xroad -i signer-console list-tokens | awk '/inactive/ {print $2; exit}' -) - -if [[ -n "${INACTIVE_TOKEN}" ]]; then - echo "Logging in inactive token: ${INACTIVE_TOKEN}" - sudo -u xroad -i signer-console login-token "${INACTIVE_TOKEN}" <<< "Secret1234" -fi \ No newline at end of file diff --git a/Docker/securityserver/files/ss-hwtoken-xroad.conf b/Docker/securityserver/files/ss-hwtoken-xroad.conf deleted file mode 100644 index 06b202e1da..0000000000 --- a/Docker/securityserver/files/ss-hwtoken-xroad.conf +++ /dev/null @@ -1,8 +0,0 @@ -[program:token-login] -command=/usr/share/xroad/autologin/login-inactive-token.sh -user=root -autostart=true -autorestart=false -stdout_logfile=/dev/stdout -stdout_logfile_maxbytes=0 -priority=200 diff --git a/Docker/securityserver/files/usr/share/xroad/autologin/custom-fetch-pin.sh b/Docker/securityserver/files/usr/share/xroad/autologin/custom-fetch-pin.sh new file mode 100755 index 0000000000..fdfe0c2872 --- /dev/null +++ b/Docker/securityserver/files/usr/share/xroad/autologin/custom-fetch-pin.sh 
@@ -0,0 +1,43 @@ +#!/bin/bash + +file="/etc/xroad/autologin" + +declare -a token_ids +declare -a token_pins +count=0 + +for var in $(compgen -e | grep '^XROAD_TOKEN_.\+_PIN$' | sort -V); do + token_id="${var#XROAD_TOKEN_}" + token_id="${token_id%_PIN}" + pin_value="${!var}" + + if [ -n "$pin_value" ]; then + token_ids+=("$token_id") + token_pins+=("$pin_value") + ((count++)) + fi +done + +if [ -n "$XROAD_TOKEN_PIN" ]; then + echo "${XROAD_TOKEN_PIN}" + exit 0 +elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" = "0" ]; then + echo "${token_pins[0]}" + exit 0 +elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" != "0" ]; then + >&2 echo "ERROR: Found XROAD_TOKEN_${token_ids[0]}_PIN but no other token PINs. Multiple token PINs are expected when using numbered tokens (other than 0)." + exit 127 +elif [ "$count" -gt 1 ]; then + for i in "${!token_ids[@]}"; do + echo "${token_ids[$i]}:${token_pins[$i]}" + done + exit 0 +elif [ -f "$file" ] +then + >&2 echo "XROAD_TOKEN_PIN variable is not set, returning PIN code at $file" + cat $file + exit 0 +else + >&2 echo "PIN code not available at $file" + exit 127 +fi diff --git a/Docker/xrd-dev-stack/compose.dev.yaml b/Docker/xrd-dev-stack/compose.dev.yaml index 4ba5db9089..154e742f8f 100644 --- a/Docker/xrd-dev-stack/compose.dev.yaml +++ b/Docker/xrd-dev-stack/compose.dev.yaml @@ -36,7 +36,8 @@ services: ss1: container_name: ss1 environment: - - XROAD_TOKEN_PIN=Secret1234 + - XROAD_TOKEN_0_PIN=Secret1234 + - XROAD_TOKEN_31_PIN=Secret1234 ports: - "4300:4000" # Frontend - "4310:8080" # Proxy @@ -91,4 +92,4 @@ networks: # Use implicitly named network so that is easier to add container outside the compose xroad-network: name: xroad-network - driver: bridge \ No newline at end of file + driver: bridge diff --git a/Docker/xrd-dev-stack/ss1/init-token-and-run-entrypoint.sh b/Docker/xrd-dev-stack/ss1/init-token-and-run-entrypoint.sh index ca2d93ba76..b6f748117c 100755 --- a/Docker/xrd-dev-stack/ss1/init-token-and-run-entrypoint.sh 
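Review bot: When both `XROAD_TOKEN_PIN` and one or more `XROAD_TOKEN_<id>_PIN` variables are set, the `[ -n "$XROAD_TOKEN_PIN" ]` branch wins and the numbered PINs collected by the loop above are dropped without any message; either merge `XROAD_TOKEN_PIN` into the list as token 0 or at least emit `>&2 echo "WARNING: XROAD_TOKEN_PIN is set, ignoring $count XROAD_TOKEN_<id>_PIN variable(s)"` so a misconfigured deployment is visible in the logs. The fallback message `XROAD_TOKEN_PIN variable is not set, returning PIN code at $file` is now stale, since the numbered variables were also checked, and `cat $file` should be quoted as `cat "$file"`. Note also that the entrypoint in this series no longer unsets `XROAD_TOKEN_PIN` after reading it, so the PIN presumably stays in the environment inherited by every process supervisord starts for the container's lifetime; that is worth stating in the commit message or a header comment as a deliberate trade-off. The same script is added verbatim as `sidecar/files/custom-fetch-pin.sh` (same blob id fdfe0c2872), so all of this applies there too.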
+++ b/Docker/xrd-dev-stack/ss1/init-token-and-run-entrypoint.sh @@ -13,10 +13,11 @@ if ! grep -q "\[softhsm2\]" /etc/xroad/devices.ini 2>/dev/null; then printf "\n[softhsm2]\n\ library = /usr/lib/softhsm/libsofthsm2.so\n\ slot_ids = %s\n\ + token_id_format = 1\n\ os_locking_ok = true\n\ library_cant_create_os_threads = true\n" "$slot_id" >> /etc/xroad/devices.ini fi chown -R xroad /var/lib/softhsm/tokens -exec /root/entrypoint.sh \ No newline at end of file +exec /root/entrypoint.sh diff --git a/development/hurl/scenarios/setup.hurl b/development/hurl/scenarios/setup.hurl index f992473d13..a2e7ca42f9 100644 --- a/development/hurl/scenarios/setup.hurl +++ b/development/hurl/scenarios/setup.hurl @@ -233,16 +233,6 @@ Content-Type: application/json HTTP 201 -# Log in to the Security Servers token -PUT https://{{ss0_host}}:4000/api/v1/tokens/0/login -X-XSRF-TOKEN: {{ss0_xsrf_token}} -Content-Type: application/json -{ - "password": "Secret1234" -} - -HTTP * - # Get the CA name GET https://{{ss0_host}}:4000/api/v1/certificate-authorities X-XSRF-TOKEN: {{ss0_xsrf_token}} @@ -593,16 +583,6 @@ Content-Type: application/json HTTP 201 -# Log in to the Security Servers token -PUT https://{{ss1_host}}:4000/api/v1/tokens/0/login -X-XSRF-TOKEN: {{ss1_xsrf_token}} -Content-Type: application/json -{ - "password": "Secret1234" -} - -HTTP * - # Add auth key to the Security Server token POST https://{{ss1_host}}:4000/api/v1/tokens/0/keys-with-csrs X-XSRF-TOKEN: {{ss1_xsrf_token}} @@ -681,16 +661,6 @@ HTTP 200 [Captures] ss1_token_id: jsonpath "$[?(@.type == 'HARDWARE')].id" nth 0 -# Log in to the Security Servers token -PUT https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/login -X-XSRF-TOKEN: {{ss1_xsrf_token}} -Content-Type: application/json -{ - "password": "Secret1234" -} - -HTTP * - # Add sign key to the Security Server token POST https://{{ss1_host}}:4000/api/v1/tokens/{{ss1_token_id}}/keys-with-csrs X-XSRF-TOKEN: {{ss1_xsrf_token}} 
diff --git a/sidecar/files/custom-fetch-pin.sh b/sidecar/files/custom-fetch-pin.sh index 55300fb3e2..fdfe0c2872 100755 --- a/sidecar/files/custom-fetch-pin.sh +++ b/sidecar/files/custom-fetch-pin.sh @@ -1,10 +1,37 @@ #!/bin/bash file="/etc/xroad/autologin" -if [ -n "$XROAD_TOKEN_PIN" ] -then + +declare -a token_ids +declare -a token_pins +count=0 + +for var in $(compgen -e | grep '^XROAD_TOKEN_.\+_PIN$' | sort -V); do + token_id="${var#XROAD_TOKEN_}" + token_id="${token_id%_PIN}" + pin_value="${!var}" + + if [ -n "$pin_value" ]; then + token_ids+=("$token_id") + token_pins+=("$pin_value") + ((count++)) + fi +done + +if [ -n "$XROAD_TOKEN_PIN" ]; then echo "${XROAD_TOKEN_PIN}" exit 0 +elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" = "0" ]; then + echo "${token_pins[0]}" + exit 0 +elif [ "$count" -eq 1 ] && [ "${token_ids[0]}" != "0" ]; then + >&2 echo "ERROR: Found XROAD_TOKEN_${token_ids[0]}_PIN but no other token PINs. Multiple token PINs are expected when using numbered tokens (other than 0)." + exit 127 +elif [ "$count" -gt 1 ]; then + for i in "${!token_ids[@]}"; do + echo "${token_ids[$i]}:${token_pins[$i]}" + done + exit 0 elif [ -f "$file" ] then >&2 echo "XROAD_TOKEN_PIN variable is not set, returning PIN code at $file" diff --git a/src/autologin/source/common/autologin.expect b/src/autologin/source/common/autologin.expect index b19332486d..58783d31c4 100755 --- a/src/autologin/source/common/autologin.expect +++ b/src/autologin/source/common/autologin.expect @@ -16,6 +16,8 @@ proc log_in_to_token {token_id pin} { exp_continue } "Signer.TokenNotAvailable" { set result 1 + } "signer.token_not_initialized" { + set result 1 } "HttpError" { set result 1 } timeout { From cda13acb5ca9f71349baf4471c7ca0c35824dcdb Mon Sep 17 00:00:00 2001 
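Review bot: The new pattern `"signer.token_not_initialized"` is lowercase snake case while its siblings (`"Signer.TokenNotAvailable"`, `"Signer.PinIncorrect"`) are CamelCase, which suggests the strings come from different places in signer-console output; since expect matches them literally, a comment such as `# literal error code printed by signer-console for an uninitialised token` would stop a future reader from "fixing" the casing. The pattern also maps to result 1, which per the autologin user guide in this series makes the wrapper retry indefinitely; if an uninitialised token needs operator action rather than waiting, that is worth noting in the same comment. The enclosing `expect` block and the `log_in_to_token` proc extend outside this hunk.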
From: Raido Kaju Date: Tue, 14 Oct 2025 13:51:14 +0300 Subject: [PATCH 3/4] chore: update autologin change related documentation --- Docker/securityserver/README.md | 17 +++++++++- ...utologin_x-road_v6_autologin_user_guide.md | 32 +++++++++++++++---- ...etes_security_server_sidecar_user_guide.md | 1 + .../security_server_sidecar_user_guide.md | 27 ++++++++++++++-- 4 files changed, 67 insertions(+), 10 deletions(-) diff --git a/Docker/securityserver/README.md b/Docker/securityserver/README.md index f03c756889..2f00f1f0e9 100644 --- a/Docker/securityserver/README.md +++ b/Docker/securityserver/README.md @@ -21,13 +21,21 @@ Alternatively, it's possible to use the image (`niis/xroad-security-server`) ava ## Running Publish the container ports (`8080` and/or `8443`, `4000`, and optionally `5500` and `5577`) to localhost (loopback address). -Also, it's possible to pass the token pin code for autologin using the `XROAD_TOKEN_PIN` environment variable. +Also, it's possible to pass the token pin code for autologin using environment variables. Use `XROAD_TOKEN_PIN` for token 0, or `XROAD_TOKEN__PIN` for specific token IDs. Running a locally built image: ```shell docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 xroad-security-server ``` +For multiple tokens: +```shell +docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss \ + -e XROAD_TOKEN_0_PIN=1234 \ + -e XROAD_TOKEN_1_PIN=5678 \ + xroad-security-server +``` + Running an image available on [Docker Hub](https://hub.docker.com/r/niis/xroad-security-server): ```shell docker run -p 127.0.0.1:4000:4000 -p 127.0.0.1:8080:8080 --name my-ss -e XROAD_TOKEN_PIN=1234 niis/xroad-security-server:focal-7.1.0 
@@ -97,3 +105,10 @@ One can create the autologin file by hand after initializing the Security Server docker exec my-ss su -c 'echo 1234 >/etc/xroad/autologin' xroad docker exec my-ss supervisorctl start xroad-autologin ``` + +For multiple tokens, use one line per token in the format `token-id:token-pin`: + +```shell +docker exec my-ss su -c 'echo -e "0:1234\n1:5678" >/etc/xroad/autologin' xroad +docker exec my-ss supervisorctl start xroad-autologin +``` diff --git a/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md b/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md index 51644305ef..854b3e1b0a 100644 --- a/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md +++ b/doc/Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md @@ -1,6 +1,6 @@ # X-Road: Autologin User Guide -Version: 1.4 +Version: 1.5 Doc. ID: UG-AUTOLOGIN @@ -11,6 +11,7 @@ Doc. ID: UG-AUTOLOGIN | 15.11.2018 | 1.2 | Ubuntu 18.04 updates | | 11.09.2019 | 1.3 | Remove Ubuntu 14.04 support | | 26.09.2022 | 1.4 | Remove Ubuntu 18.04 support | +| 14.10.2025 | 1.5 | Add multiple token support documentation | ## Table of Contents 
@@ -44,23 +45,42 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\]. * Ubuntu: apt install xroad-autologin * RedHat: yum install xroad-autologin -2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code. +2. If storing the PIN code on the server in plaintext is acceptable, create file `/etc/xroad/autologin` that contains the PIN code(s). * File should be readable by user `xroad` * If `/etc/xroad/autologin` does not exists, and you have not implemented `custom-fetch-pin.sh`, the service will not start -3. If you do not want to store PIN code in plaintext, implement bash script + * For a single token (token ID 0), the file should contain just the PIN code: + ``` + 1234 + ``` + * For multiple tokens, each line should be in the format `token-id:token-pin`: + ``` + 0:1234 + 1:5678 + ``` +3. If you do not want to store PIN code in plaintext, implement bash script `/usr/share/xroad/autologin/custom-fetch-pin.sh` - * The script needs to output the PIN code to stdout + * The script needs to output the PIN code(s) to stdout * Script should be readable and executable by user `xroad` * Script should exit with exit code * 0 if it was able to fetch PIN code successfully * 127 if it was not able to fetch PIN code, but this is not an actual error that should cause the service to fail (default implementation uses this if `/etc/xroad/autologin` does not exist) * other exit codes in error situations that should cause the service to fail + * Single token example: ```bash #!/bin/bash - PIN_CODE=$(curl https://some-address) + PIN_CODE=$(curl https://some-address/token-pin) echo "${PIN_CODE}" exit 0 ``` + * Multiple tokens example (output one `token-id:token-pin` per line): + ```bash + #!/bin/bash + TOKEN_0_PIN=$(curl https://some-address/token-0-pin) + TOKEN_1_PIN=$(curl https://some-address/token-1-pin) + echo "0:${TOKEN_0_PIN}" + echo "1:${TOKEN_1_PIN}" + exit 0 + ``` ### 2.2 
Implementation details @@ -70,4 +90,4 @@ See X-Road terms and abbreviations documentation \[[TA-TERMS](#Ref_TERMS)\]. * Wrapper script handles retries in error situations. * Service tries to enter the PIN code using script `signer-console` * If the PIN was correct or incorrect, it exits - * If an error occurred (for example because `xroad-signer` has not yet fully started), it keeps retrying indefinitely + * If an error occurred (for example because `xroad-signer` has not yet fully started or been initialised), it keeps retrying indefinitely diff --git a/doc/Sidecar/kubernetes_security_server_sidecar_user_guide.md b/doc/Sidecar/kubernetes_security_server_sidecar_user_guide.md index dec65084a0..a6f371a762 100644 --- a/doc/Sidecar/kubernetes_security_server_sidecar_user_guide.md +++ b/doc/Sidecar/kubernetes_security_server_sidecar_user_guide.md @@ -289,6 +289,7 @@ For example the following configuration could be stored as a Kubernetes secret: * Sensitive Sidecar environment variables: * Software token PIN code: * `XROAD_TOKEN_PIN` + * `XROAD_TOKEN_X_PIN` (in case of multiple tokens) * Security server GUI admin user: * `XROAD_ADMIN_USER` * `XROAD_ADMIN_PASSWORD` diff --git a/doc/Sidecar/security_server_sidecar_user_guide.md b/doc/Sidecar/security_server_sidecar_user_guide.md index 7fe97dd9f5..41dbc373eb 100644 --- a/doc/Sidecar/security_server_sidecar_user_guide.md +++ b/doc/Sidecar/security_server_sidecar_user_guide.md @@ -1,6 +1,6 @@ # Security Server Sidecar User Guide -Version: 1.19 +Version: 1.20 Doc. ID: UG-SS-SIDECAR ## Version history @@ -27,6 +27,7 @@ Doc. ID: UG-SS-SIDECAR | 26.03.2025 | 1.17 | Syntax and styling | Pauline Dimmek | | 02.04.2025 | 1.18 | Added autologin paragraph | Mikk-Erik Bachmann | | 28.08.2025 | 1.19 | Added paragraph about custom ACME challenge port number | Mikk-Erik Bachmann | +| 14.10.2025 | 1.20 | Document multiple token autologin support | Raido Kaju | ## License 
@@ -374,9 +375,29 @@ The memory allocation for the Proxy Service can be configured using helper scrip ### 3.4 Autologin -The Autologin feature logs onto the Signer keys' token automatically when the container has been restarted (for more info see [Autologin User Guide](../Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md)). +The Autologin feature logs onto the Signer keys' token automatically when the container has been restarted (for more info see [Autologin User Guide](../Manuals/Utils/ug-autologin_x-road_v6_autologin_user_guide.md)). -For Sidecar, Autologin uses a custom script `custom-fetch-pin.sh` which looks at the environment variable `XROAD_TOKEN_PIN` first. This is set in the above example with a flag `-e XROAD_TOKEN_PIN=`. When the Security Server is initialized for the first time, the token pin configured in the third step needs to match this variable. Given that for the autologin to succeed the token needs to be initialized and xroad-signer needs to be running, there can be retry statements in the logs when the autologin process starts before one of these things has happened. Eventually the autologin process should exit with a log message `xroad-autologin (exit status 0; expected)` which indicates that the autologin has succeeded. When the environment variable is not set, autologin might fail because by default the sidecar container doesn't have the token pin in its fallback location `/etc/xroad/autologin`. This file can be manually added with the correct pin if having the pin as plain text in that file is acceptable. 
+For Sidecar, Autologin uses a custom script `custom-fetch-pin.sh` which supports both single and multiple token configurations: + +Single token configuration: + +* Set the environment variable `XROAD_TOKEN_PIN` (e.g., `-e XROAD_TOKEN_PIN=`) +* This PIN will be used for token ID 0 +* When the Security Server is initialized for the first time, the token pin configured needs to match this variable + +Multiple tokens configuration: + +* Set environment variables in the format `XROAD_TOKEN__PIN` where `` is the token ID +* Example: `-e XROAD_TOKEN_0_PIN=1234 -e XROAD_TOKEN_1_PIN=5678` +* Each token will be logged in with its respective PIN +* If using numbered tokens (other than 0), multiple token PINs must be provided + +Fallback configuration: + +* If no environment variables are set, the script will read from `/etc/xroad/autologin` +* This file can contain either a single PIN (for token 0) or multiple lines in the format `token-id:token-pin` + +Given that for the autologin to succeed the token needs to be initialized and xroad-signer needs to be running, there can be retry statements in the logs when the autologin process starts before one of these things has happened. Eventually the autologin process should exit with a log message `xroad-autologin (exit status 0; expected)` which indicates that the autologin has succeeded. ## 4 Upgrading From 4c6ea1678665d057d150a48296eaa11b6918c709 Mon Sep 17 00:00:00 2001 From: Raido Kaju Date: Wed, 15 Oct 2025 08:51:44 +0300 Subject: [PATCH 4/4] chore: include autologin pins for e2e --- Docker/xrd-dev-stack/compose.e2e.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Docker/xrd-dev-stack/compose.e2e.yaml b/Docker/xrd-dev-stack/compose.e2e.yaml index 19bff3da7e..90676c1f89 100644 --- a/Docker/xrd-dev-stack/compose.e2e.yaml +++ b/Docker/xrd-dev-stack/compose.e2e.yaml 
@@ -1,9 +1,15 @@ # E2E specific hurl execution on boot. services: + ss0: + environment: + - XROAD_TOKEN_PIN=Secret1234 ss1: entrypoint: [ "/usr/local/bin/init-token-and-run-entrypoint.sh" ] volumes: - ./ss1/init-token-and-run-entrypoint.sh:/usr/local/bin/init-token-and-run-entrypoint.sh:ro + environment: + - XROAD_TOKEN_0_PIN=Secret1234 + - XROAD_TOKEN_31_PIN=Secret1234 hurl: command: >