Merge pull request #650 from JiscSD/OC-867

OC-867: Secure docker-compose file
JiscSD · May 2, 2024 · f201838 · f201838
2 parents c99928c + ae5eb4f
commit f201838
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 99 deletions.
diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml
@@ -32,7 +32,7 @@ jobs:
         run: docker compose -f "docker-compose.yml" up -d --build
 
       - name: Wait for API and DB to be ready
-        run: docker exec -t api-test dockerize -wait tcp://db:5432 -wait tcp://api-test:4003 -wait tcp://mailhog:8025 -wait tcp://localstack:4566 -timeout 120s
+        run: docker exec -t api-test dockerize -wait tcp://db:5432 -wait tcp://api-test:4003 -wait tcp://mailpit:8025 -wait tcp://localstack:4566 -timeout 120s
 
       - name: Run test suite
         working-directory: ./api

diff --git a/api/docker-compose.yml b/api/docker-compose.yml
@@ -1,9 +1,7 @@
-version: '3.2'
-
 services:
     db:
         container_name: api-test-db
-        image: postgres:14.5
+        image: postgres:14.11-alpine
         command: postgres -c 'max_connections=1000'
         restart: always
         environment:
@@ -13,13 +11,13 @@ services:
         ports:
             - '5432:5432'
 
-    mailhog:
-        container_name: api-test-mailhog
-        image: mailhog/mailhog:latest
+    mailpit:
+        container_name: api-test-mailpit
+        image: axllent/mailpit:latest
         restart: always
         ports:
-            - 1025:1025
-            - 8025:8025
+            - '1025:1025'
+            - '8025:8025'
 
     localstack:
         container_name: api-test-localstack
@@ -28,24 +26,15 @@ services:
             - '4510-4559:4510-4559'
             - '4567:4566'
         environment:
-            - SERVICES=s3
+            - SERVICES=s3,sqs
             - DEBUG=1
             - DATA_DIR=/tmp/localstack/data
         volumes:
-            - './.localstack:/var/lib/localstack'
+            - '${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack'
             - '/var/run/docker.sock:/var/run/docker.sock'
 
-    adminer:
-        container_name: api-test-adminer
-        image: adminer
-        restart: always
-        ports:
-            - 8080:8080
-        depends_on:
-            - db
-
     opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
-        image: opensearchproject/opensearch:2.7.0
+        image: opensearchproject/opensearch:2.13.0
         container_name: api-test-opensearch-node1
         environment:
             - cluster.name=opensearch-cluster # Name the cluster
@@ -63,21 +52,19 @@ services:
                 soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
                 hard: 65536
         ports:
-            - 9200:9200 # REST API
-            - 9600:9600 # Performance Analyzer
+            - '9200:9200' # REST API
+            - '9600:9600' # Performance Analyzer
         healthcheck:
             test: ['CMD', 'curl', '-f', 'http://localhost:9200']
             interval: 30s
             timeout: 10s
             retries: 5
 
     opensearch-dashboards:
-        image: opensearchproject/opensearch-dashboards:2.7.0
+        image: opensearchproject/opensearch-dashboards:2.13.0
         container_name: api-test-opensearch-dashboards
         ports:
-            - 5601:5601 # Map host port 5601 to container port 5601
-        expose:
-            - '5601' # Expose port 5601 for web access to OpenSearch Dashboards
+            - '5601:5601' # Map host port 5601 to container port 5601
         environment:
             - 'OPENSEARCH_HOSTS=["http://opensearch-node1:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
             - 'DISABLE_SECURITY_DASHBOARDS_PLUGIN=true' # disables security dashboards plugin in OpenSearch Dashboards
@@ -103,7 +90,7 @@ services:
             - BASE_URL=https://localhost:3001
             - AUTHORISATION_CALLBACK_URL=https://localhost:3001/login
             - JWT_SECRET=PUT_JWT_SECRET_HERE
-            - MAIL_SERVER=mailhog
+            - MAIL_SERVER=mailpit
             - LOCALSTACK_SERVER=http://localstack:4566
             - STAGE=local
             - EMAIL_SENDER_ADDRESS=no-reply@local.ac

diff --git a/api/src/components/verification/__tests__/confirmCode.test.ts b/api/src/components/verification/__tests__/confirmCode.test.ts
@@ -1,5 +1,4 @@
 import * as testUtils from 'lib/testUtils';
-import * as cheerio from 'cheerio';
 
 describe('Confirm a verification code', () => {
     beforeEach(async () => {
@@ -36,16 +35,14 @@ describe('Confirm a verification code', () => {
     });
 
     test('User can confirm a correct verification code', async () => {
-        const email = 'example@domain.com';
-
-        await testUtils.agent.get('/verification/0000-0000-0000-0001').query({ apiKey: 123456789, email });
+        const address = 'example@domain.com';
 
-        const inbox = await testUtils.getEmails(email);
-        const emailContent = inbox.items[0].Content.Body.replace(/3D"/g, '"'); // get rid of email encoding "3D"
+        await testUtils.agent.get('/verification/0000-0000-0000-0001').query({ apiKey: 123456789, email: address });
 
-        // get verification code using cheerio
-        const $ = cheerio.load(emailContent);
-        const code = $('p[id="verification-code"]').text();
+        const emails = await testUtils.getEmails(address);
+        const emailId = emails.messages[0].ID;
+        const email = await testUtils.getEmail(emailId);
+        const code = email.Text.slice(-7); // Get code from end of email text body.
 
         const confirm = await testUtils.agent.post('/verification/0000-0000-0000-0001').send({ code });
 

diff --git a/api/src/components/verification/__tests__/requestCode.test.ts b/api/src/components/verification/__tests__/requestCode.test.ts
@@ -14,6 +14,6 @@ describe('Request a verification code', () => {
         const inbox = await testUtils.getEmails(email);
 
         expect(request.status).toEqual(200);
-        expect(inbox.items[0].Content.Headers.Subject).toContain('Verify your Octopus account');
+        expect(inbox.messages[0].Subject).toContain('Verify your Octopus account');
     });
 });
diff --git a/api/src/lib/testUtils.ts b/api/src/lib/testUtils.ts
@@ -116,24 +116,69 @@ export const clearDB = async (): Promise<void> => {
     }
 };
 
-interface Inbox {
-    items: {
-        Content: {
-            Headers: {
-                Subject: string;
-            };
-            Body: string;
-        };
-    };
+interface MailpitEmailAddress {
+    Name: string;
+    Address: string;
+}
+interface MailpitEmailSearchResponse {
+    total: number;
+    unread: number;
+    count: number;
+    messages_count: number;
+    start: number;
+    tags: string[];
+    messages: {
+        ID: string;
+        MessageID: string;
+        Read: boolean;
+        From: MailpitEmailAddress;
+        To: MailpitEmailAddress[];
+        Cc: MailpitEmailAddress[];
+        Bcc: MailpitEmailAddress[];
+        ReplyTo: MailpitEmailAddress[];
+        Subject: string;
+        Created: string;
+        Tags: string[];
+        Size: number;
+        Attachments: number;
+        Snippet: string;
+    }[];
 }
 
-export const getEmails = async (query: string): Promise<Inbox> => {
-    const emails = await axios.get(`http://${process.env.MAIL_SERVER}:8025/api/v2/search`, {
+export const getEmails = async (query: string): Promise<MailpitEmailSearchResponse> => {
+    const emails = await axios.get(`http://${process.env.MAIL_SERVER}:8025/api/v1/search`, {
         params: {
-            kind: 'to',
             query
         }
     });
 
-    return emails?.data as Inbox;
+    return emails?.data as MailpitEmailSearchResponse;
+};
+
+interface MailpitEmailResponse {
+    ID: string;
+    MessageID: string;
+    From: MailpitEmailAddress;
+    To: MailpitEmailAddress[];
+    Cc: MailpitEmailAddress[];
+    Bcc: MailpitEmailAddress[];
+    ReplyTo: MailpitEmailAddress[];
+    Subject: string;
+    ListUnsubscribe: {
+        Header: string;
+        Links: string[];
+        Errors: string;
+        HeaderPost: string;
+    };
+    Date: string;
+    Tags: string[];
+    Text: string;
+    HTML: string;
+    Size: number;
+}
+
+export const getEmail = async (id = 'latest'): Promise<MailpitEmailResponse> => {
+    const email = await axios.get(`http://${process.env.MAIL_SERVER}:8025/api/v1/message/${id}`);
+
+    return email?.data as MailpitEmailResponse;
 };
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,8 +1,6 @@
-version: "3.2"
-
 services:
   db:
-    image: postgres:14.5
+    image: postgres:14.11-alpine
     command: postgres -c 'max_connections=1000'
     restart: always
     environment:
@@ -12,20 +10,12 @@ services:
     ports:
       - "5435:5432"
 
-  adminer:
-    image: adminer
-    restart: always
-    ports:
-      - 8080:8080
-    depends_on:
-      - db
-
-  mailhog:
-    image: mailhog/mailhog:latest
+  mailpit:
+    image: axllent/mailpit:latest
     restart: always
     ports:
-      - 1025:1025
-      - 8025:8025
+      - "1025:1025"
+      - "8025:8025"
 
   localstack:
     image: localstack/localstack:${LOCALSTACK_IMAGE_VERSION:-latest}
@@ -34,15 +24,15 @@ services:
       - "4510-4559:4510-4559"
       - "4566:4566"
     environment:
-      - SERVICES=s3
+      - SERVICES=s3,sqs
       - DEBUG=1
       - DATA_DIR=/tmp/localstack/data
     volumes:
-      - "./.localstack:/tmp/localstack"
+      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
       - "/var/run/docker.sock:/var/run/docker.sock"
 
   opensearch-node1: # This is also the hostname of the container within the Docker network (i.e. https://opensearch-node1/)
-    image: opensearchproject/opensearch:2.7.0
+    image: opensearchproject/opensearch:2.13.0
     restart: always
     container_name: opensearch-node1
     environment:
@@ -61,26 +51,24 @@ services:
         soft: 65536 # maximum number of open files for the OpenSearch user, set to at least 65536 on modern systems
         hard: 65536
     ports:
-      - 9200:9200 # REST API
-      - 9600:9600 # Performance Analyzer
+      - "9200:9200" # REST API
+      - "9600:9600" # Performance Analyzer
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:9200"]
       interval: 30s
       timeout: 10s
       retries: 5
     networks:
-      - opensearch-net # All of the containers will join the same Docker bridge network
+      - opensearch-net
 
   opensearch-dashboards:
-    image: opensearchproject/opensearch-dashboards:2.7.0
+    image: opensearchproject/opensearch-dashboards:2.13.0
     restart: always
     container_name: opensearch-dashboards
     depends_on:
       - opensearch-node1
     ports:
-      - 5601:5601 # Map host port 5601 to container port 5601
-    expose:
-      - "5601" # Expose port 5601 for web access to OpenSearch Dashboards
+      - "5601:5601" # Map host port 5601 to container port 5601
     environment:
       - 'OPENSEARCH_HOSTS=["http://opensearch-node1:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query
       - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=true" # disables security dashboards plugin in OpenSearch Dashboards

diff --git a/e2e/.env.example b/e2e/.env.example
@@ -18,5 +18,5 @@ ORCID_TEST_PASS4=
 ORCID_TEST_FIRST_NAME4=
 ORCID_TEST_LAST_NAME4=
 
-MAIL_HOG=http://localhost:8025/
+MAILPIT=http://localhost:8025/
 UI_BASE=https://localhost:3001