feat(#174): bastion Dockerfile and compose file

.gitignore

@@ -6,3 +6,4 @@ node_modules
 /.eslintcache
 /tests/data/json_docs
 /deploy/cht_sync/values.yaml
+/bastion/authorized_keys

bastion/Dockerfile

@@ -0,0 +1,31 @@
+# NOSONAR for "don't run docker images as root" - because sshd requires root https://superuser.com/a/1548482 :(
+# Deep link to Sonar "safe": https://sonarcloud.io/project/security_hotspots?status=SAFE&pullRequest=177&id=medic_cht-sync&tab=activity
+
+FROM alpine:3.20
+
+ARG HOME=/var/lib/bastion
+
+ARG USER=bastion
+ARG GROUP=bastion
+ARG UID=4096
+ARG GID=4096
+
+ENV HOST_KEYS_PATH_PREFIX="/usr"
+ENV HOST_KEYS_PATH="${HOST_KEYS_PATH_PREFIX}/etc/ssh"
+
+COPY bastion /usr/sbin/bastion
+
+RUN addgroup -S -g ${GID} ${GROUP} \
+    && adduser -D -h ${HOME} -s /bin/false -g "${USER} service" \
+           -u ${UID} -G ${GROUP} ${USER} \
+    && sed -i "s/${USER}:!/${USER}:*/g" /etc/shadow \
+    && set -x \
+    && apk add --no-cache openssh-server curl \
+    && echo -e "\nLogin Successful! \n\nHowever, interactive sessions not allowed. Use \"-N\" with ssh tunnel command instead: \n" > /etc/motd \
+    && echo -e "\tssh -N -L 5432:CONTAINER-NAME:5432 bastion@PUBLIC-IP-OR-DNS -p 22222\n" >> /etc/motd \
+    && chmod +x /usr/sbin/bastion \
+    && mkdir -p ${HOST_KEYS_PATH} \
+    && mkdir /etc/ssh/auth_principals \
+    && echo "bastion" > /etc/ssh/auth_principals/bastion
+
+ENTRYPOINT ["bastion"]

bastion/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2018 Mark
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

bastion/README.md

@@ -0,0 +1,9 @@
+This project hard forked from [docker-bastion](https://github.com/binlab/docker-bastion/tree/master) at version [1.2.0](https://github.com/binlab/docker-bastion/releases/tag/v1.2.0)
+
+Per MIT license, copyright of this `bastion` sub-directory is Mark/binlab/mark.binlab@gmail.com and MIT license file persists.
+
+Sample SSH tunnel to connect to container called `cht-sync-postgres-1` on remote server with IP `44.33.22.11`:
+
+```shell
+ssh -N -L 5432:cht-sync-postgres-1:5432 bastion@44.33.22.11 -p 22222
+```

bastion/authorized_keys.example

@@ -0,0 +1 @@
+# add external users' keys here

bastion/bastion

@@ -0,0 +1,52 @@
+#!/usr/bin/env sh
+
+HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:='/'}"
+HOST_KEYS_PATH="${HOST_KEYS_PATH:='/etc/ssh'}"
+
+if [ -n "$TRUSTED_USER_CA_KEYS" ]; then
+    CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=$TRUSTED_USER_CA_KEYS"
+    CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
+fi
+
+if [ ! -f "$HOST_KEYS_PATH/ssh_host_rsa_key" ]; then
+    /usr/bin/ssh-keygen -A -f "$HOST_KEYS_PATH_PREFIX"
+fi
+
+if [ -n "$LISTEN_ADDRESS" ]; then
+    CONFIG_LISTEN_ADDRESS="-o ListenAddress=$LISTEN_ADDRESS"
+else
+    CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0"
+fi
+
+if [ -n "$LISTEN_PORT" ]; then
+    CONFIG_LISTEN_PORT="-o Port=$LISTEN_PORT"
+else
+    CONFIG_LISTEN_PORT="-o Port=22"
+fi
+
+# todo - original project has this as "assumes your authorized_keys file with 644 permissions
+# and mounted under /var/lib/bastion/authorized_keys." - but this simply doesn't work
+# without this hack
+cp /var/lib/bastion/authorized_keys-tmp /var/lib/bastion/authorized_keys
+chown bastion /var/lib/bastion/authorized_keys
+chmod 600 /var/lib/bastion/authorized_keys
+
+/usr/sbin/sshd -D -e -4 \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_ecdsa_key" \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_ed25519_key" \
+    -o "PasswordAuthentication=no" \
+    -o "PermitEmptyPasswords=no" \
+    -o "PermitRootLogin=no" \
+    -o "X11Forwarding=no" \
+    -o "AllowAgentForwarding=yes" \
+    -o "GatewayPorts=yes" \
+    -o "PermitTunnel=yes" \
+    -o "PubkeyAuthentication=yes" \
+    -o "AllowTcpForwarding=yes" \
+    -o "AuthorizedKeysFile=/var/lib/bastion/authorized_keys" \
+    -o "AuthorizedKeysCommandUser=nobody" \
+    $CONFIG_TRUSTED_USER_CA_KEYS \
+    $CONFIG_AUTHORIZED_PRINCIPALS_FILE \
+    $CONFIG_LISTEN_ADDRESS \
+    $CONFIG_LISTEN_PORT

docker-compose.bastion.yml

@@ -0,0 +1,12 @@
+services:
+  bastion:
+    build: ./bastion/
+    restart: unless-stopped
+    ports:
+      - ${BASTION_PORT:-22222}:22/tcp
+    volumes:
+      - ${BASTION_AUTHORIZED_KEYS_FILE:-$PWD/bastion/authorized_keys}:/var/lib/bastion/authorized_keys-tmp
+      - bastion:/usr/etc/ssh:rw
+
+volumes:
+  bastion:

docker-compose.pgadmin.yml

@@ -0,0 +1,13 @@
+services:
+  postgres:
+    ports:
+      - 5432:${POSTGRES_PORT:-5432}
+
+  pgadmin:
+    image: dpage/pgadmin4
+    environment:
+      PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL:-pgadmin4@pgadmin.org}
+      PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD:-admin}
+      PGADMIN_CONFIG_SERVER_MODE: 'False'
+    ports:
+      - "${PGADMIN_PORT:-5050}:80"

docker-compose.postgres.yml

@@ -2,22 +2,11 @@ services:
   postgres:
     image: postgres:16
     restart: always
-    ports:
-      - 5432:5432
     volumes:
       - ./postgres/init-dbt-resources.sh:/docker-entrypoint-initdb.d/init-dbt-resources.sh:z
     environment:
       - POSTGRES_USER=${POSTGRES_USER}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
       - POSTGRES_DB=${POSTGRES_DB}
       - POSTGRES_TABLES=${COUCHDB_DBS}
-      - POSTGRES_SCHEMA=${POSTGRES_SCHEMA}
-
-  pgadmin:
-    image: dpage/pgadmin4
-    environment:
-      PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL:-pgadmin4@pgadmin.org}
-      PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD:-admin}
-      PGADMIN_CONFIG_SERVER_MODE: 'False'
-    ports:
-      - "${PGADMIN_PORT:-5050}:80"
+      - POSTGRES_SCHEMA=${POSTGRES_SCHEMA}

env.template

@@ -21,3 +21,6 @@ COUCHDB_SECURE=false
 
 # (Optional) project wide
 #COMPOSE_PROJECT_NAME=cht-sync
+
+#BASTION_PORT=22222 # default is 22222 uncomment to change
+#BASTION_AUTHORIZED_KEYS_FILE=  # uncomment to change

package.json

@@ -5,10 +5,11 @@
   "main": "",
   "scripts": {
     "postinstall": "cd couch2pg && npm ci",
-    "test:e2e": "npm run test:e2e-data && npm run test:e2e-containers && mocha tests/**/*.spec.js --timeout 50000 && npm run test:e2e-stop-containers ",
+    "test:e2e": "npm run test:e2e-data && npm run test:e2e-stop-containers && npm run test:e2e-containers && npm run test:e2e-mocha && npm run test:e2e-stop-containers ",
+    "test:e2e-mocha": "mocha tests/**/*.spec.js --timeout 50000",
     "lint": "eslint --color --cache .",
-    "test:e2e-stop-containers": "docker compose --env-file ./tests/.e2e-env -f docker-compose.yml -f docker-compose.couchdb.yml -f docker-compose.postgres.yml -f tests/dbt/docker-compose.yml down -v",
-    "test:e2e-containers": "docker compose --env-file ./tests/.e2e-env -f docker-compose.yml -f docker-compose.couchdb.yml -f docker-compose.postgres.yml -f tests/dbt/docker-compose.yml up -d --build --force-recreate && npm run wait-for-couchdb",
+    "test:e2e-stop-containers": "docker compose --env-file ./tests/.e2e-env -f docker-compose.yml -f docker-compose.couchdb.yml -f docker-compose.postgres.yml -f tests/dbt/docker-compose.yml -f docker-compose.bastion.yml kill && docker compose --env-file ./tests/.e2e-env -f docker-compose.yml -f docker-compose.couchdb.yml -f docker-compose.postgres.yml -f tests/dbt/docker-compose.yml -f docker-compose.bastion.yml rm -f",
+    "test:e2e-containers": "docker compose --env-file ./tests/.e2e-env -f docker-compose.yml -f docker-compose.couchdb.yml -f docker-compose.postgres.yml -f tests/dbt/docker-compose.yml -f docker-compose.bastion.yml up -d --build --force-recreate && npm run wait-for-couchdb",
     "test:e2e-data": "cd tests/data && rm -rf ./json_docs && cht csv-to-docs",
     "test": "cd couch2pg && npm run test",
     "wait-for-couchdb": "bash -c 'until nc -z localhost 5984; do sleep 1; done; echo \"CouchDB is ready\"'"
@@ -36,6 +37,7 @@
     "pouchdb-adapter-http": "^8.0.1",
     "pouchdb-core": "^8.0.1",
     "sinon": "^18.0.0",
+    "tunnel-ssh": "^5.1.2",
     "uuid": "^9.0.1"
   },
   "private": true