Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(#9706): use Proxy Auth for communicating with Couch #9740

Draft
wants to merge 16 commits into
base: master
Choose a base branch
from
+159 −77
Draft

feat(#9706): use Proxy Auth for communicating with Couch #9740

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
7c5b4d0
feat: Added couch configs to enable proxy authentication
rmayore Nov 26, 2024
6dc4e7b
Remove unnecessary config from Couch
jkuester Jan 9, 2025
eba99b3
Update API Pouch `fetch` to use Proxy Auth
jkuester Jan 9, 2025
3b2adae
Add proxyAuth to couch-request
jkuester Jan 9, 2025
b93d2fc
Setup couch-request at beginning of server start so that server check…
jkuester Jan 9, 2025
b06dc15
Remove now unused username and password from environment
jkuester Jan 9, 2025
1db7bda
Remove now unused username and password from environment
jkuester Jan 9, 2025
8cf3c21
Do not pass proxy auth headers for login/auth requests
jkuester Jan 9, 2025
4cd3784
Move proxy auth header config to environment lib
jkuester Jan 9, 2025
3c35183
Load secret dynamically
jkuester Jan 10, 2025
9b3f65e
Remove unnecessary null roles
jkuester Jan 10, 2025
cf4a07f
Add system username to dbs as member on startup.
jkuester Jan 10, 2025
1dfdee5
Cleanup
jkuester Jan 11, 2025
dcaaa12
Merge branch 'master' into 9706_simplify_api_users
jkuester Jan 16, 2025
5d01a50
Move system user initialization to setup/databases file
jkuester Jan 16, 2025
8f1cf70
Make all couch-request calls member-level by default.
jkuester Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 7 additions & 6 deletions api/src/auth.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,17 @@ const { roles, users } = require('@medic/user-management')(config, db, dataConte

const contentLengthRegex = /^content-length$/i;

const get = (path, headers) => {
const get = async (path, headers) => {
const getHeaders = { ...headers };
Object
.keys(getHeaders)
.filter(header => contentLengthRegex.test(header))
.forEach(header => delete getHeaders[header]);

const url = new URL(path, environment.serverUrlNoAuth);
const url = new URL(path, environment.serverUrl);
return request.get({
url: url.toString(),
headers: getHeaders,
headers: { ...getHeaders, ...(await request.getAuthHeaders(null)) },
json: true
});
};
Expand Down Expand Up @@ -100,13 +100,14 @@ module.exports = {
*
* @param {Object} Credentials object as created by basicAuthCredentials
*/
validateBasicAuth: ({ username, password }) => {
const authUrl = new URL(environment.serverUrlNoAuth);
validateBasicAuth: async ({ username, password }) => {
const authUrl = new URL(environment.serverUrl);
authUrl.username = username;
authUrl.password = password;
return request.head({
uri: authUrl.toString(),
resolveWithFullResponse: true
resolveWithFullResponse: true,
headers: await request.getAuthHeaders(null),
})
.then(res => {
if (res.statusCode !== 200) {
Expand Down
5 changes: 3 additions & 2 deletions api/src/controllers/login.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,16 +166,17 @@ const getSessionCookie = res => {
);
};

const createSession = req => {
const createSession = async (req) => {
const user = req.body.user;
const password = req.body.password;
return request.post({
url: new URL('/_session', environment.serverUrlNoAuth).toString(),
url: new URL('/_session', environment.serverUrl).toString(),
json: true,
resolveWithFullResponse: true,
simple: false, // doesn't throw an error on non-200 responses
body: { name: user, password: password },
auth: { user: user, pass: password },
headers: await request.getAuthHeaders(null)
});
};

Expand Down
1 change: 0 additions & 1 deletion api/src/db-batch.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ const runBatch = (ddoc, view, viewParams, iteratee) => {
return request.get({
url: fullUrl,
json: true,
auth: { user: environment.username, pass: environment.password },
})
.then(result => {
logger.info(` Processing doc ${result.offset}`);
Expand Down
39 changes: 23 additions & 16 deletions api/src/db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,12 @@ if (UNIT_TEST_ENV) {
module.exports[fn] = () => notStubbed(fn);
});
} else {
const fetch = (url, opts) => {
const makeFetch = (promisedAuthHeaders) => async (url, opts) => {
// Add Couch Proxy Auth headers
Object
.entries(await promisedAuthHeaders)
.forEach(([name, value]) => opts.headers.set(name, value));

// Adding audit flag (haproxy) Service that made the request initially.
opts.headers.set('X-Medic-Service', 'api');
const requestId = asyncLocalStorage.getRequestId();
Expand All @@ -82,18 +87,21 @@ if (UNIT_TEST_ENV) {
}
return PouchDB.fetch(url, opts);
};
const fetch = makeFetch(request.getAuthHeaders(environment.username));
const adminFetch = makeFetch(request.getAuthHeaders(environment.username, '_admin'));

const DB = new PouchDB(environment.couchUrl, { fetch });
const getDbUrl = name => `${environment.serverUrl}/${name}`;

DB.setMaxListeners(0);
module.exports.medic = DB;
module.exports.medicAsAdmin = new PouchDB(environment.couchUrl, { fetch: adminFetch });
module.exports.medicUsersMeta = new PouchDB(`${environment.couchUrl}-users-meta`, { fetch });
module.exports.medicLogs = new PouchDB(`${environment.couchUrl}-logs`, { fetch });
module.exports.sentinel = new PouchDB(`${environment.couchUrl}-sentinel`, { fetch });
module.exports.vault = new PouchDB(`${environment.couchUrl}-vault`, { fetch });
module.exports.vault = new PouchDB(`${environment.couchUrl}-vault`, { fetch: adminFetch });
module.exports.createVault = () => module.exports.vault.info();
module.exports.users = new PouchDB(getDbUrl('_users'), { fetch });
module.exports.users = new PouchDB(getDbUrl('_users'), { fetch: adminFetch });
module.exports.builds = new PouchDB(environment.buildsUrl);

// Get the DB with the given name
Expand Down Expand Up @@ -193,34 +201,33 @@ if (UNIT_TEST_ENV) {
roles: [],
});

const addRoleToSecurity = async (dbname, role, addAsAdmin) => {
if (!dbname || !role) {
throw new Error(`Cannot add security: invalid db name ${dbname} or role ${role}`);
const addToSecurity = async (dbname, value, securityField) => {
if (!dbname || !value) {
throw new Error(`Cannot add security: invalid db name ${dbname} or ${securityField} ${value}`);
}

const securityUrl = new URL(environment.serverUrl);
securityUrl.pathname = `${dbname}/_security`;

const securityObject = await request.get({ url: securityUrl.toString(), json: true });
const property = addAsAdmin ? 'admins' : 'members';

if (!securityObject[property]) {
securityObject[property] = getDefaultSecurityStructure();
if (!securityObject.members) {
securityObject.members = getDefaultSecurityStructure();
}

if (!securityObject[property].roles || !Array.isArray(securityObject[property].roles)) {
securityObject[property].roles = [];
if (!securityObject.members[securityField] || !Array.isArray(securityObject.members[securityField])) {
securityObject.members[securityField] = [];
}

if (securityObject[property].roles.includes(role)) {
if (securityObject.members[securityField].includes(value)) {
return;
}

logger.info(`Adding "${role}" role to ${dbname} ${property}`);
securityObject[property].roles.push(role);
logger.info(`Adding "${value}" role to ${dbname} members`);
securityObject.members[securityField].push(value);
await request.put({ url: securityUrl.toString(), json: true, body: securityObject });
};

module.exports.addRoleAsAdmin = (dbname, role) => addRoleToSecurity(dbname, role, true);
jkuester marked this conversation as resolved.
Show resolved Hide resolved
module.exports.addRoleAsMember = (dbname, role) => addRoleToSecurity(dbname, role, false);
module.exports.addUserAsMember = (dbname, name) => addToSecurity(dbname, name, 'names');
module.exports.addRoleAsMember = (dbname, role) => addToSecurity(dbname, role, 'roles');
}
4 changes: 0 additions & 4 deletions api/src/migrations/restrict-access-to-audit-db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,6 @@ const addMemberToDb = () => {
port: environment.port,
pathname: `${environment.db}-audit/_security`,
}),
auth: {
user: environment.username,
pass: environment.password
},
json: true,
body: securityObject
});
Expand Down
4 changes: 0 additions & 4 deletions api/src/migrations/restrict-access-to-sentinel-db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,6 @@ const addSecurityToDb = () => {
port: environment.port,
pathname: `${environment.db}-sentinel/_security`,
}),
auth: {
user: environment.username,
pass: environment.password
},
json: true,
body: securityObject
});
Expand Down
4 changes: 0 additions & 4 deletions api/src/migrations/restrict-access-to-vault-db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,6 @@ const addSecurityToDb = () => {
port: environment.port,
pathname: `${environment.db}-vault/_security`,
}),
auth: {
user: environment.username,
pass: environment.password
},
json: true,
body: securityObject
});
Expand Down
4 changes: 2 additions & 2 deletions api/src/server-utils.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,8 @@ const promptForBasicAuth = res => {
};

module.exports = {
MEDIC_BASIC_AUTH: MEDIC_BASIC_AUTH,
REQUEST_ID_HEADER: REQUEST_ID_HEADER,
MEDIC_BASIC_AUTH,
REQUEST_ID_HEADER,

/*
* Attempts to determine the correct response given the error code.
Expand Down
20 changes: 13 additions & 7 deletions api/src/services/config-watcher.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ const environment = require('@medic/environment');
const dataContext = require('./data-context');
const extensionLibs = require('./extension-libs');
const deployInfo = require('./deploy-info');
const { DATABASES } = require('./setup/databases');

const MEDIC_DDOC_ID = '_design/medic';

Expand Down Expand Up @@ -143,14 +144,19 @@ const updateServiceWorker = () => {
});
};

const load = () => {
const addSystemUserToDbs = () => Promise.all([...DATABASES, { name: `${environment.db}-purged-cache` }]
jkuester marked this conversation as resolved.
Show resolved Hide resolved
.filter(({ name }) => name !== '_users')
.map(({ name }) => db.addUserAsMember(name, environment.username)));

const load = async () => {
await addSystemUserToDbs();
loadViewMaps();
return loadTranslations()
.then(() => loadSettings())
.then(() => addUserRolesToDb())
.then(() => initTransitionLib())
.then(() => db.createVault())
.then(() => deployInfo.store());
await loadTranslations();
await loadSettings();
await addUserRolesToDb();
await initTransitionLib();
await db.createVault();
await deployInfo.store();
};

const listen = () => {
Expand Down
4 changes: 2 additions & 2 deletions api/src/services/generate-xform.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,7 @@ module.exports = {
const doc = docs.length && docs[0];
if (doc) {
logger.info(`Updating form with ID "${docId}"`);
return db.medic.put(doc);
return db.medicAsAdmin.put(doc);
}
logger.info(`Form with ID "${docId}" does not need to be updated.`);
});
Expand All @@ -287,7 +287,7 @@ module.exports = {
if (!toSave.length) {
return;
}
return db.saveDocs(db.medic, toSave).then(results => {
return db.saveDocs(db.medicAsAdmin, toSave).then(results => {
const failures = results.filter(result => !result.ok);
if (failures.length) {
logger.error('Bulk save failed with: %o', failures);
Expand Down
4 changes: 0 additions & 4 deletions api/src/services/user-db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,10 +79,6 @@ module.exports = {
port: environment.port,
pathname: `${dbName}/_security`,
}),
auth: {
user: environment.username,
pass: environment.password
},
json: true,
body: {
admins: { names: [ username ], roles: [] },
Expand Down
4 changes: 4 additions & 0 deletions couchdb/10-docker-default.ini
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,10 @@ bind_address = 0.0.0.0
server_options = [{recbuf, 262144}]
socket_options = [{sndbuf, 262144}, {nodelay, true}]
require_valid_user = true
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, proxy_authentication_handler}, {chttpd_auth, default_authentication_handler}
jkuester marked this conversation as resolved.
Show resolved Hide resolved

[chttpd_auth]
proxy_use_secret = true

[httpd]
secure_rewrites = false
Expand Down
17 changes: 11 additions & 6 deletions sentinel/src/db.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,17 +61,22 @@ if (UNIT_TEST_ENV) {

const couchUrl = environment.couchUrl;

const fetchFn = (url, opts) => {
const makeFetch = (promisedAuthHeaders) => async (url, opts) => {
// Add Couch Proxy Auth headers
Object
.entries(await promisedAuthHeaders)
.forEach(([name, value]) => opts.headers.set(name, value));
// Adding audit flags (haproxy) Service and user that made the request initially.
opts.headers.set('X-Medic-Service', 'sentinel');
opts.headers.set('X-Medic-User', 'sentinel');
return PouchDB.fetch(url, opts);
};
const fetch = makeFetch(request.getAuthHeaders(environment.username));
const adminFetch = makeFetch(request.getAuthHeaders(environment.username, '_admin'));

module.exports.medic = new PouchDB(couchUrl, { fetch: fetchFn });
module.exports.sentinel = new PouchDB(`${couchUrl}-sentinel`, {
fetch: fetchFn,
});

module.exports.medic = new PouchDB(couchUrl, { fetch });
module.exports.sentinel = new PouchDB(`${couchUrl}-sentinel`, { fetch });

module.exports.allDbs = () => request.get({ url: `${environment.serverUrl}/_all_dbs`, json: true });
module.exports.get = db => new PouchDB(`${environment.serverUrl}/${db}`);
Expand All @@ -86,7 +91,7 @@ if (UNIT_TEST_ENV) {
logger.error('Error when closing db: %o', err);
}
};
module.exports.users = new PouchDB(`${environment.serverUrl}/_users`, { fetch: fetchFn });
module.exports.users = new PouchDB(`${environment.serverUrl}/_users`, { fetch: adminFetch });
module.exports.users = new PouchDB(`${environment.serverUrl}/_users`);
module.exports.queryMedic = (viewPath, queryParams, body) => {
const [ddoc, view] = viewPath.split('/');
Expand Down
14 changes: 9 additions & 5 deletions shared-libs/couch-request/src/couch-request.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
const request = require('request-promise-native');
const isPlainObject = require('lodash/isPlainObject');
const environment = require('@medic/environment');
const { getAuthHeaders, getCouchSecret } = require('./proxy-auth');

const servername = environment.host;
let asyncLocalStorage;
let requestIdHeader;
Expand All @@ -18,18 +20,19 @@ const methods = {
HEAD: 'HEAD'
};

const promisedAdminAuthHeaders = getAuthHeaders('cht-api', '_admin');

const mergeOptions = (target, source, exclusions = []) => {
const mergeOptions = async (target, source, exclusions = []) => {
for (const [key, value] of Object.entries(source)) {
if (Array.isArray(exclusions) && exclusions.includes(key)) {
continue;
}
target[key] = value; // locally, mutation is preferable to spreading as it doesn't
// make new objects in memory. Assuming this is a hot path.
}
target.headers = { ...(await promisedAdminAuthHeaders), ...target.headers };
const requestId = asyncLocalStorage?.getRequestId();
if (requestId) {
target.headers = target.headers || {};
target.headers[requestIdHeader] = requestId;
}

Expand Down Expand Up @@ -65,7 +68,7 @@ const validate = (firstIsString, method, first, second = {}) => {
};


const req = (method, first, second = {}) => {
const req = async (method, first, second = {}) => {

const firstIsString = isString(first);

Expand All @@ -79,8 +82,7 @@ const req = (method, first, second = {}) => {

const exclusions = firstIsString ? ['url', 'uri', 'method'] : ['method'];
const target = addServername ? { servername } : { };

const mergedOptions = mergeOptions(target, chosenOptions, exclusions);
const mergedOptions = await mergeOptions(target, chosenOptions, exclusions);

return firstIsString ? getRequestType(method)(first, mergedOptions) : getRequestType(method)(mergedOptions);
};
Expand Down Expand Up @@ -117,6 +119,8 @@ module.exports = {
asyncLocalStorage = store;
requestIdHeader = header;
},
getCouchSecret,
getAuthHeaders,

get: (first, second = {}) => req(methods.GET, first, second),
post: (first, second = {}) => req(methods.POST, first, second),
Expand Down
Loading
Loading