PR#119: Require basic authentication for POST requests - taskotron/resultsdb

taskotron / resultsdb

#119 Require basic authentication for POST requests

Merged 4 years ago by frantisekz. Opened 6 years ago by csomh.

taskotron/ csomh/resultsdb basic-auth into develop

Require basic authentication for POST requests

Hunor Csomortáni • 4 years ago

a96a26c

openshift/README.md

file modified

+4 -3

		`@@ -21,10 +21,11 @@`
		`There are two volumes expected to be mounted, holding configuration for`
		`ResultsDB and httpd:`

		- 1. The volume mounted at `/etc/resultsdb` should have `settings.py`, holding
		- ResultsDB configuration. For an example, see `settings.py` in
		+ 1. The volume mounted at `/etc/resultsdb` should have `settings.py` and `.htpasswd`.
		+ The former holds ResultsDB configuration. For an example, see `settings.py` in
		`resultsdb-test-template.yaml`, or `conf/settings.py.example`
		`- for a full list of configuration options.`
		`+ for a full list of configuration options.`
		+ `.htpasswd` holds user data for basic auth, and it's generated using `htpasswd`.

		2. The volume mounted at `/etc/httpd/conf.d` should have `resultsdb.conf`,
		holding httpd configuration to be used by `mod_wsgi-express`. For an

openshift/resultsdb-test-template.yaml

file modified

+25 -98

		`@@ -65,32 +65,36 @@`
		`MESSAGE_BUS_PLUGIN = 'fedmsg'`
		`MESSAGE_BUS_KWARGS = {'modname': 'resultsdb'}`
		`ADDITIONAL_RESULT_OUTCOMES = ${RESULTSDB_ADDITIONAL_RESULT_OUTCOMES}`
		`+ # Credentials are resultsdb-updater:password`
		`+ .htpasswd: \|-`
		`+ resultsdb-updater:$2y$05$yAlqAYWqfMoxAMrFgFMfpuQsDw.v5b4tuS8x43h6tcPP1gIXBRutq`
		`- apiVersion: v1`
		`kind: ConfigMap`
		`metadata:`
		`- name: "resultsdb-test-${TEST_ID}-public-httpd-config"`
		`- labels:`
		`- environment: "test-${TEST_ID}"`
		`- app: resultsdb`
		`- data:`
		`- resultsdb.conf: \|-`
		`- <Location "/">`
		`- # <RequireAny>`
		`- # # allow only GET`
		`- # Require method GET`
		`- # </RequireAny>`
		`- </Location>`
		`- - apiVersion: v1`
		`- kind: ConfigMap`
		`- metadata:`
		`- name: "resultsdb-test-${TEST_ID}-internal-httpd-config"`
		`+ name: "resultsdb-test-${TEST_ID}-httpd-config"`
		`labels:`
		`environment: "test-${TEST_ID}"`
		`app: resultsdb`
		`data:`
		`resultsdb.conf: \|-`
		`+ <IfModule !auth_basic_module>`
		`+ LoadModule auth_basic_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_auth_basic.so'`
		`+ </IfModule>`
		`+ <IfModule !authn_file_module>`
		`+ LoadModule authn_file_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authn_file.so'`
		`+ </IfModule>`
		`+ <IfModule !authz_user_module>`
		`+ LoadModule authz_user_module '${MOD_WSGI_MODULES_DIRECTORY}/mod_authz_user.so'`
		`+ </IfModule>`
		`+`
		`<Location "/">`
		`- # allow all methods`
		`+ AuthType Basic`
		`+ AuthName "Authentication Required"`
		`+ AuthBasicProvider file`
		`+ AuthUserFile "/etc/resultsdb/.htpasswd"`
		`+ <LimitExcept GET>`
		`+ Require valid-user`
		`+ </LimitExcept>`
		`</Location>`
		`- apiVersion: v1`
		`kind: Service`
		`@@ -197,22 +201,6 @@`
		`termination: edge`
		`insecureEdgeTerminationPolicy: Redirect`
		`- apiVersion: v1`
		`- kind: Service`
		`- metadata:`
		`- name: "resultsdb-test-${TEST_ID}-internal-api"`
		`- labels:`
		`- environment: "test-${TEST_ID}"`
		`- app: resultsdb`
		`- spec:`
		`- selector:`
		`- app: resultsdb`
		`- environment: "test-${TEST_ID}"`
		`- service: internal-api`
		`- ports:`
		`- - name: api`
		`- port: 5001`
		`- targetPort: 5001`
		`- - apiVersion: v1`
		`kind: DeploymentConfig`
		`metadata:`
		`name: "resultsdb-test-${TEST_ID}-api"`
		`@@ -221,73 +209,11 @@`
		`service: api`
		`app: resultsdb`
		`spec:`
		`- replicas: 1`
		`+ replicas: 2`
		`selector:`
		`app: resultsdb`
		`environment: "test-${TEST_ID}"`
		`service: api`
		`- template:`
		`- metadata:`
		`- labels:`
		`- environment: "test-${TEST_ID}"`
		`- service: api`
		`- app: resultsdb`
		`- spec:`
		`- containers:`
		`- - name: api`
		`- image: "${RESULTSDB_IMAGE}"`
		`- imagePullPolicy: Always`
		`- ports:`
		`- - containerPort: 5001`
		`- volumeMounts:`
		`- - name: config-volume`
		`- mountPath: /etc/resultsdb`
		`- readOnly: true`
		`- - name: httpd-config-volume`
		`- mountPath: /etc/httpd/conf.d`
		`- readOnly: true`
		`- readinessProbe:`
		`- timeoutSeconds: 1`
		`- initialDelaySeconds: 5`
		`- httpGet:`
		`- path: /api/v2.0/`
		`- port: 5001`
		`- livenessProbe:`
		`- timeoutSeconds: 1`
		`- initialDelaySeconds: 30`
		`- httpGet:`
		`- path: /api/v2.0/`
		`- port: 5001`
		`- # Limit to 384MB memory. This is probably not enough but it is`
		`- # necessary in the current environment to allow for 2 replicas and`
		`- # rolling updates, without hitting the (very aggressive) memory quota.`
		`- resources:`
		`- limits:`
		`- memory: 384Mi`
		`- cpu: 0.3`
		`- volumes:`
		`- - name: config-volume`
		`- secret:`
		`- secretName: "resultsdb-test-${TEST_ID}-config"`
		`- - name: httpd-config-volume`
		`- configMap:`
		`- name: "resultsdb-test-${TEST_ID}-public-httpd-config"`
		`- triggers:`
		`- - type: ConfigChange`
		`- - apiVersion: v1`
		`- kind: DeploymentConfig`
		`- metadata:`
		`- name: "resultsdb-test-${TEST_ID}-internal-api"`
		`- labels:`
		`- environment: "test-${TEST_ID}"`
		`- service: internal-api`
		`- app: resultsdb`
		`- spec:`
		`- replicas: 1`
		`- selector:`
		`- app: resultsdb`
		`- environment: "test-${TEST_ID}"`
		`- service: internal-api`
		`strategy:`
		`type: Rolling`
		`rollingParams:`
		`@@ -317,7 +243,7 @@`
		`metadata:`
		`labels:`
		`environment: "test-${TEST_ID}"`
		`- service: internal-api`
		`+ service: api`
		`app: resultsdb`
		`spec:`
		`containers:`
		`@@ -356,8 +282,9 @@`
		`- name: config-volume`
		`secret:`
		`secretName: "resultsdb-test-${TEST_ID}-config"`
		`+ defaultMode: 0600`
		`- name: httpd-config-volume`
		`configMap:`
		`- name: "resultsdb-test-${TEST_ID}-internal-httpd-config"`
		`+ name: "resultsdb-test-${TEST_ID}-httpd-config"`
		`triggers:`
		`- type: ConfigChange`

csomh commented 6 years ago

This updates the OpenShift test template to require basic authentication for POST requests.

rebased onto 2e77df614241c7528bf9b4599deea037ec0af0ac

6 years ago

mcurlej commented 6 years ago

@csomh can you please rebase this?

rebased onto 60a75288aa52b7efb7b2dc1bebcba3e1781e4a68

6 years ago

csomh commented 6 years ago

@mcurlej better late, then never :) Rebased.

rebased onto 94287e36afca06824354fe7e543ce01b64fcf136

5 years ago

csomh commented 5 years ago

This is a very old PR, but still relevant.

@lholacek @ralph is it ok to merge?

lholecek commented on line 6 of openshift/resultsdb-test-template.yaml 5 years ago

Can you make the file readable only by httpd/apache? (owner=apache group=apache mode=0600)

lholecek commented 5 years ago

+1 but someone else should also review.

csomh commented on line 6 of openshift/resultsdb-test-template.yaml 5 years ago

Hm, I don't know how I would do that in OpenShift....

This file is mounted as a volume created from a secret. defaultMode could be set to 0600, but I'm not sure what the ownership of the files will be.

rebased onto 51921971312d252705bd531237849058cfe888a1

5 years ago

csomh commented 5 years ago

Updated so that defaultMode is 0600 for files mounted in /etc/resultsdb.

Also updated README.md to tell about .htpasswd.

lholecek commented 5 years ago

rebased onto f4671ed01043a6951a85116d40a3cc6c9b4699fb

5 years ago

lholecek commented 4 years ago

@frantisekz Can you help review this? This may be required in the future to allow resultsdb-listener to create results in ResultsDB. I think the access is currently based on IP/allowed_hosts filter which means it would not be possible to move resultsdb-listener to OpenShift.

cc @vmaljulin