From c807bb238815de7f3fe4102cd4b4268d3b81f114 Mon Sep 17 00:00:00 2001
From: kqjy
Date: Fri, 20 Mar 2026 17:51:00 +0800
Subject: [PATCH] Update install/uninstall scripts for encrypted IAM config
---
 scripts/install.sh | 47 ++++++++++++++++++++++-------------------------
 scripts/uninstall.sh | 5 ++++-
 2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/scripts/install.sh b/scripts/install.sh
index 8fdad2b..50094d2 100644
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -379,29 +379,25 @@ if [[ "$SKIP_SYSTEMD" != true ]]; then
 echo " ---------------"
 if systemctl is-active --quiet myfsio; then
 echo " [OK] MyFSIO is running"
-
- IAM_FILE="$DATA_DIR/.myfsio.sys/config/iam.json"
- if [[ -f "$IAM_FILE" ]]; then
- echo ""
- echo " ============================================"
- echo " ADMIN CREDENTIALS (save these securely!)"
- echo " ============================================"
- if command -v jq &>/dev/null; then
- ACCESS_KEY=$(jq -r '.users[0].access_key' "$IAM_FILE" 2>/dev/null)
- SECRET_KEY=$(jq -r '.users[0].secret_key' "$IAM_FILE" 2>/dev/null)
- else
- ACCESS_KEY=$(grep -o '"access_key"[[:space:]]*:[[:space:]]*"[^"]*"' "$IAM_FILE" | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
- SECRET_KEY=$(grep -o '"secret_key"[[:space:]]*:[[:space:]]*"[^"]*"' "$IAM_FILE" | head -1 | sed 's/.*"\([^"]*\)"$/\1/')
- fi
- if [[ -n "$ACCESS_KEY" && -n "$SECRET_KEY" ]]; then
- echo " Access Key: $ACCESS_KEY"
- echo " Secret Key: $SECRET_KEY"
- else
- echo " [!] Could not parse credentials from $IAM_FILE"
- echo " Check the file manually or view service logs."
- fi
- echo " ============================================"
+ echo ""
+ echo " ============================================"
+ echo " ADMIN CREDENTIALS (save these securely!)"
+ echo " ============================================"
+ CRED_OUTPUT=$(journalctl -u myfsio --no-pager -n 50 2>/dev/null | grep -A 5 "FIRST RUN - ADMIN CREDENTIALS")
+ ACCESS_KEY=$(echo "$CRED_OUTPUT" | grep "Access Key:" | head -1 | sed 's/.*Access Key: //' | awk '{print $1}')
+ SECRET_KEY=$(echo "$CRED_OUTPUT" | grep "Secret Key:" | head -1 | sed 's/.*Secret Key: //' | awk '{print $1}')
+ if [[ -n "$ACCESS_KEY" && "$ACCESS_KEY" != *"from"* && -n "$SECRET_KEY" && "$SECRET_KEY" != *"from"* ]]; then
+ echo " Access Key: $ACCESS_KEY"
+ echo " Secret Key: $SECRET_KEY"
+ else
+ echo " [!] Could not extract credentials from service logs."
+ echo " Check startup output: journalctl -u myfsio --no-pager | grep -A 5 'ADMIN CREDENTIALS'"
+ echo " Or reset credentials: $INSTALL_DIR/myfsio reset-cred"
 fi
+ echo " ============================================"
+ echo ""
+ echo " NOTE: The IAM config file is encrypted at rest."
+ echo " Credentials are only shown on first run or after reset."
 else
 echo " [WARNING] MyFSIO may not have started correctly"
 echo " Check logs with: journalctl -u myfsio -f"
@@ -427,12 +423,13 @@ echo " API: http://$(hostname -I 2>/dev/null | awk '{print $1}' || echo "local
 echo " UI: http://$(hostname -I 2>/dev/null | awk '{print $1}' || echo "localhost"):$UI_PORT/ui"
 echo ""
 echo "Credentials:"
-echo " Admin credentials were shown above (if service was started)."
-echo " You can also find them in: $DATA_DIR/.myfsio.sys/config/iam.json"
+echo " Admin credentials are shown on first service start (see above)."
+echo " The IAM config is encrypted at rest and cannot be read directly."
+echo " To reset credentials: $INSTALL_DIR/myfsio reset-cred"
 echo ""
 echo "Configuration Files:"
 echo " Environment: $INSTALL_DIR/myfsio.env"
-echo " IAM Users: $DATA_DIR/.myfsio.sys/config/iam.json"
+echo " IAM Users: $DATA_DIR/.myfsio.sys/config/iam.json (encrypted)"
 echo " Bucket Policies: $DATA_DIR/.myfsio.sys/config/bucket_policies.json"
 echo " Secret Key: $DATA_DIR/.myfsio.sys/config/.secret (auto-generated)"
 echo ""
diff --git a/scripts/uninstall.sh b/scripts/uninstall.sh
index a920eb2..24fd3e6 100644
--- a/scripts/uninstall.sh
+++ b/scripts/uninstall.sh
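Review bot: In the install.sh hunk at `@@ -379,29 +379,25 @@`, the new `journalctl … | grep -A 5 "FIRST RUN - ADMIN CREDENTIALS"` path depends on the service writing the admin secret key to the systemd journal, so the plaintext key stays in journald (and in whatever the journal is forwarded to) after install even though the added NOTE says the IAM config is encrypted at rest. The output should tell the operator that, for example `echo "  These credentials remain in the service journal; rotate them with reset-cred once saved."` beside the NOTE lines, provided reset-cred does not log the new secret the same way. The lookup is also unscoped: `-n 50` with `head -1` can miss the banner after a noisy start or pick up one left by an earlier install, and adding the match `_SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value myfsio)"` to the journalctl call would limit it to the current start. The enclosing `if [[ "$SKIP_SYSTEMD" != true ]]` block begins and ends outside the hunk.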
@@ -230,11 +230,14 @@ if [[ "$KEEP_DATA" == true ]]; then
 echo ""
 echo "Preserved files include:"
 echo " - All buckets and objects"
- echo " - IAM configuration: $DATA_DIR/.myfsio.sys/config/iam.json"
+ echo " - IAM configuration: $DATA_DIR/.myfsio.sys/config/iam.json (encrypted at rest)"
 echo " - Bucket policies: $DATA_DIR/.myfsio.sys/config/bucket_policies.json"
 echo " - Secret key: $DATA_DIR/.myfsio.sys/config/.secret"
 echo " - Encryption keys: $DATA_DIR/.myfsio.sys/keys/ (if encryption was enabled)"
 echo ""
+ echo "NOTE: The IAM config is encrypted and requires the SECRET_KEY to read."
+ echo " Keep the .secret file intact for reinstallation."
+ echo ""
 echo "To reinstall MyFSIO with existing data:"
 echo " ./install.sh --data-dir $DATA_DIR"
 echo ""
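Review bot: The added NOTE says the IAM config "requires the SECRET_KEY to read", which is easy to confuse with the admin Secret Key credential that install.sh prints; from the next line it appears to mean the key held in `$DATA_DIR/.myfsio.sys/config/.secret`. That file is preserved in the same directory as `iam.json`, so anyone who can copy the kept data directory obtains both the ciphertext and (presumably) the key that opens it, and the message is the place to say that access to the directory must stay restricted. Suggested wording: `echo "NOTE: iam.json can only be decrypted with $DATA_DIR/.myfsio.sys/config/.secret; keep that file and restrict access to the data directory."` The enclosing `if [[ "$KEEP_DATA" == true ]]` block begins outside this hunk.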