From f907abf10fc842abdc9c89b85a9fbc51aa0a023d Mon Sep 17 00:00:00 2001
From: Jason Kulatunga
Date: Mon, 31 Oct 2022 23:08:42 -0700
Subject: [PATCH] modifications to support JWT auth locally.
---
 CONTRIBUTING.md | 6 +
 Dockerfile | 4 +
 docker/couchdb/Dockerfile | 6 +-
 docker/couchdb/fasten.ini | 54 +++++++++
 docker/couchdb/local.ini | 108 ------------------
 .../rootfs/etc/cont-init.d/05-couchdb-config | 32 ++++++
 6 files changed, 101 insertions(+), 109 deletions(-)
 create mode 100644 docker/couchdb/fasten.ini
 delete mode 100644 docker/couchdb/local.ini
 create mode 100644 docker/rootfs/etc/cont-init.d/05-couchdb-config
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4d0d043a..6a8aeb2f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -214,3 +214,9 @@ a CDN or minimal Nginx deployment.
 - ng test --include='**/base_client.spec.ts'
 - ng test --include='lib/**/*.spec.ts'
+
+
+### How do I change the default encryption key and admin credentials
+- FASTEN_ISSUER_JWT_KEY
+- FASTEN_COUCHDB_ADMIN_USERNAME
+- FASTEN_COUCHDB_ADMIN_PASSWORD
diff --git a/Dockerfile b/Dockerfile
index 2f2bca7a..e085a739 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,10 @@ RUN yarn run build -- --configuration sandbox --output-path=../dist
 # Backend Build
 #########################################################################################################
 FROM golang:1.18 as backend-build
+ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
+ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
+ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
+
 WORKDIR /go/src/github.com/fastenhealth/fastenhealth-onprem
 COPY . .
diff --git a/docker/couchdb/Dockerfile b/docker/couchdb/Dockerfile
index cce27785..765320ad 100644
--- a/docker/couchdb/Dockerfile
+++ b/docker/couchdb/Dockerfile
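Review bot: The three `ENV` lines give the JWT signing key and the CouchDB admin password fixed, publicly visible defaults (`mysessionpassword`, `mysecretpassword`) that every image built from this Dockerfile carries unless the operator overrides them; the same three lines are repeated in the docker/couchdb/Dockerfile hunk. Because fasten.ini binds CouchDB to `0.0.0.0` and the `05-couchdb-config` script installs this key as the HMAC verifier, a deployment that keeps the default accepts tokens signed with a value anyone who has read this repository knows. Safer is to declare the variables without a value here (or not at all) and have the init script refuse to start, or generate a random key into the data directory, when `FASTEN_ISSUER_JWT_KEY` is unset. It is also not visible from this hunk whether a later stage inherits from `backend-build`, so the values may or may not reach the runtime image; if they exist only for the build, a comment saying so would avoid the question.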
@@ -4,12 +4,16 @@
 #########################################################################################################
 FROM couchdb:3.2
+ENV FASTEN_COUCHDB_ADMIN_USERNAME=admin
+ENV FASTEN_COUCHDB_ADMIN_PASSWORD=mysecretpassword
+ENV FASTEN_ISSUER_JWT_KEY=mysessionpassword
+
 ARG S6_ARCH=amd64
 RUN curl https://github.com/just-containers/s6-overlay/releases/download/v1.21.8.0/s6-overlay-${S6_ARCH}.tar.gz -L -s --output /tmp/s6-overlay-${S6_ARCH}.tar.gz \
 && tar xzf /tmp/s6-overlay-${S6_ARCH}.tar.gz -C / \
 && rm -rf /tmp/s6-overlay-${S6_ARCH}.tar.gz
-COPY /docker/couchdb/local.ini /opt/couchdb/etc/local.ini
+COPY /docker/couchdb/fasten.ini /opt/couchdb/etc/local.ini
 COPY /docker/rootfs /
 RUN rm -rf /etc/services.d/fasten #delete the fasten app from the couchdbase container.
diff --git a/docker/couchdb/fasten.ini b/docker/couchdb/fasten.ini
new file mode 100644
index 00000000..7b82eeb7
--- /dev/null
+++ b/docker/couchdb/fasten.ini
@@ -0,0 +1,54 @@
+; CouchDB Configuration Settings
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couch_peruser]
+
+; fasten requires that each user have a private database. These databases are writable only by the corresponding user.
+; Databases are in the following form: userdb-{hex encoded username}
+enable = true
+
+[chttpd_auth]
+
+; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
+; if this option is not disabled, user is prompted with basic auth.
+require_valid_user = false
+
+[httpd]
+
+; enable CORS support, required because the database is hosted on a different node.
+enable_cors = true
+
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+; ------------------------------------------ DOCKER MODIFICATIONS
+
+; always use single node in docker
+[couchdb]
+;max_document_size = 4294967296 ; bytes
+;os_process_timeout = 5000
+single_node = true
+
+; when running in docker, allow cors for all domains
+; TODO, we should find a more secure way to do this
+[cors]
+origins = *
+headers = accept, authorization, content-type, origin, referer
+credentials = true
+methods = GET, PUT, POST, HEAD, DELETE
+max_age = 3600
+
+# make sure the databse is listening to all traffic, not just from localhost within the container.
+[chttpd]
+;port = 5984
+;bind_address = 127.0.0.1
+bind_address = 0.0.0.0
+enable_cors = true
+x_forwarded_host = X-Forwarded-Host
+; require_valid_user must be set to false because Fasten will check session endpoint to determine if user is authenticated.
+; if this option is not disabled, user is prompted with basic auth.
+require_valid_user = false
+; fasten uses JWT tokens to authenticate against the database. we override the authentication_handlers to add jwt_authentication_handler
+authentication_handlers = {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}
diff --git a/docker/couchdb/local.ini b/docker/couchdb/local.ini
deleted file mode 100644
index fada0515..00000000
--- a/docker/couchdb/local.ini
+++ /dev/null
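Review bot: `require_valid_user` and `enable_cors` are each set twice, once under the `[chttpd_auth]`/`[httpd]` headers near the top of the file and again under `[chttpd]` in the Docker block, with the same two-line comment pasted in both places; CouchDB 3.x appears to read both settings from `[chttpd]` (verify against the 3.2 config reference), so the earlier copies look dead and should be dropped so the effective value is stated once. The file also mixes comment characters (`# make sure the databse is listening ...` above `[chttpd]`, `;` everywhere else); use `;` throughout and fix the `databse` typo. In `[cors]`, `origins = *` together with `credentials = true` is flagged by the TODO but left in place; making the origin list an environment variable with `*` only as the documented development fallback would turn the TODO into something an operator can act on.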
@@ -1,108 +0,0 @@
-; CouchDB Configuration Settings
-
-; Custom settings should be made in this file. They will override settings
-; in default.ini, but unlike changes made to default.ini, this file won't be
-; overwritten on server upgrade.
-
-[cors]
-origins = *
-headers = accept, authorization, content-type, origin, referer
-credentials = true
-methods = GET, PUT, POST, HEAD, DELETE
-
-[couchdb]
-;max_document_size = 4294967296 ; bytes
-;os_process_timeout = 5000
-single_node=true
-
-[couch_peruser]
-; If enabled, couch_peruser ensures that a private per-user database
-; exists for each document in _users. These databases are writable only
-; by the corresponding user. Databases are in the following form:
-; userdb-{hex encoded username}
-enable = true
-; If set to true and a user is deleted, the respective database gets
-; deleted as well.
-;delete_dbs = true
-; Set a default q value for peruser-created databases that is different from
-; cluster / q
-;q = 1
-
-[chttpd]
-;port = 5984
-;bind_address = 127.0.0.1
-; Options for the MochiWeb HTTP server.
-;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
-; For more socket options, consult Erlang's module 'inet' man page.
-;socket_options = [{sndbuf, 262144}, {nodelay, true}]
-bind_address = 0.0.0.0
-enable_cors = true
-x_forwarded_host = X-Forwarded-Host
-
-[httpd]
-; NOTE that this only configures the "backend" node-local port, not the
-; "frontend" clustered port. You probably don't want to change anything in
-; this section.
-; Uncomment next line to trigger basic-auth popup on unauthorized requests.
-;WWW-Authenticate = Basic realm="administrator"
-
-; Uncomment next line to set the configuration modification whitelist. Only
-; whitelisted values may be changed via the /_config URLs. To allow the admin
-; to change this value over HTTP, remember to include {httpd,config_whitelist}
-; itself. Excluding it from the list would require editing this file to update
-; the whitelist.
-;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
-enable_cors = true
-
-[chttpd_auth]
-; If you set this to true, you should also uncomment the WWW-Authenticate line
-; above. If you don't configure a WWW-Authenticate header, CouchDB will send
-; Basic realm="server" in order to prevent you getting logged out.
-; require_valid_user = false
-allow_persistent_cookies = true
-;cookie_domain = localhost:5984
-
-[ssl]
-;enable = true
-;cert_file = /full/path/to/server_cert.pem
-;key_file = /full/path/to/server_key.pem
-;password = somepassword
-; set to true to validate peer certificates
-;verify_ssl_certificates = false
-; Set to true to fail if the client does not send a certificate. Only used if verify_ssl_certificates is true.
-;fail_if_no_peer_cert = false
-; Path to file containing PEM encoded CA certificates (trusted
-; certificates used for verifying a peer certificate). May be omitted if
-; you do not want to verify the peer.
-;cacert_file = /full/path/to/cacertf
-; The verification fun (optional) if not specified, the default
-; verification fun will be used.
-;verify_fun = {Module, VerifyFun}
-; maximum peer certificate depth
-;ssl_certificate_max_depth = 1
-;
-; Reject renegotiations that do not live up to RFC 5746.
-;secure_renegotiate = true
-; The cipher suites that should be supported.
-; Can be specified in erlang format "{ecdhe_ecdsa,aes_128_cbc,sha256}"
-; or in OpenSSL format "ECDHE-ECDSA-AES128-SHA256".
-;ciphers = ["ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA"]
-; The SSL/TLS versions to support
-;tls_versions = [tlsv1, 'tlsv1.1', 'tlsv1.2']
-
-; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
-; the Virual Host will be redirected to the path. In the example below all requests
-; to http://example.com/ are redirected to /database.
-; If you run CouchDB on a specific port, include the port number in the vhost:
-; example.com:5984 = /database
-[vhosts]
-;example.com = /database/
-
-; To create an admin account uncomment the '[admins]' section below and add a
-; line in the format 'username = password'. When you next start CouchDB, it
-; will change the password to a hash (so that your passwords don't linger
-; around in plain-text files). You can add more admin accounts with more
-; 'username = password' lines. Don't forget to restart CouchDB after
-; changing this.
-[admins]
-admin = mysecretpassword
diff --git a/docker/rootfs/etc/cont-init.d/05-couchdb-config b/docker/rootfs/etc/cont-init.d/05-couchdb-config
new file mode 100644
index 00000000..7f012a68
--- /dev/null
+++ b/docker/rootfs/etc/cont-init.d/05-couchdb-config
@@ -0,0 +1,32 @@
+#!/usr/bin/with-contenv bash
+
+if [ -f "/opt/couchdb/data/.config_complete" ]; then
+ echo "Couchdb config has already completed, skipping"
+else
+
+ FASTEN_ISSUER_JWT_KEY_BASE64=$(echo "${FASTEN_ISSUER_JWT_KEY}" | base64)
+
+
+cat << EOF >> /opt/couchdb/etc/local.ini
+
+; ------------------------------------------ GENERATED MODIFICATIONS
+; ------------------------------------------ GENERATED MODIFICATIONS
+; ------------------------------------------ GENERATED MODIFICATIONS
+;
+[jwt_auth]
+required_claims = exp, {iss, "docker-fastenhealth"}
+
+[jwt_keys]
+hmac:_default = ${FASTEN_ISSUER_JWT_KEY_BASE64}
+
+
+; users should change this default password
+[admins]
+${FASTEN_COUCHDB_ADMIN_USERNAME} = ${FASTEN_COUCHDB_ADMIN_PASSWORD}
+EOF
+
+ # create the config complete flag
+ echo "Couchdb config: complete"
+ touch /opt/couchdb/data/.config_complete
+
+fi
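Review bot: The value written to `hmac:_default` is produced with `echo "${FASTEN_ISSUER_JWT_KEY}" | base64`, which encodes the key plus a trailing newline and, for keys longer than 57 bytes, wraps the output across several lines (GNU coreutils default), so either the verifier key differs from what the token issuer signs with (unless the issuer also appends the newline) or the generated `[jwt_keys]` entry is split into an invalid ini line; use `FASTEN_ISSUER_JWT_KEY_BASE64=$(printf '%s' "${FASTEN_ISSUER_JWT_KEY}" | base64 -w 0)`. Nothing checks that the three variables are set, so an empty `FASTEN_COUCHDB_ADMIN_USERNAME` silently writes ` = <password>` into `[admins]` and an empty key still yields a valid-looking base64 string; a guard such as `: "${FASTEN_ISSUER_JWT_KEY:?FASTEN_ISSUER_JWT_KEY must be set}"` for each variable before the heredoc would fail loudly instead. The completion flag lives in `/opt/couchdb/data` while the appended config lives in `/opt/couchdb/etc/local.ini`; if the data directory is a persisted volume and the container is recreated, the flag survives but the `[jwt_keys]`/`[admins]` additions do not, so the check should inspect local.ini itself (for example `grep -q '^\[jwt_keys\]' /opt/couchdb/etc/local.ini`) rather than a separate marker file.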