From 8ba540a6b5cfee2a04a3e6cc3fe07bd1a0dd1678 Mon Sep 17 00:00:00 2001
From: Remco van 't Veer
Date: Thu, 5 Dec 2024 09:37:56 +0100
Subject: [PATCH] Protect redis access with username and password
---
 README.org | 15 +++++++++++++--
 config/system.config.yml | 2 ++
 test/config/redis.Dockerfile | 3 +++
 test/config/redis.conf | 2 ++
 test/integration.environment.js | 9 ++++++++-
 vendor/express-gateway-lite | 2 +-
 6 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100644 test/config/redis.Dockerfile
 create mode 100644 test/config/redis.conf
diff --git a/README.org b/README.org
index f156e3f8..cb549596 100644
--- a/README.org
+++ b/README.org
@@ -346,6 +346,7 @@ to ~proxyOptionsEncoded~ using the key in ~SECRETS_KEY_FILE~. When ~validateResponses~ is ~true~, responses are validated when the request has an ~X-Validate-Response: true~ header. + *** OOAPI V4 & V5 configuration & validation There are example configurations for handling and validating OOAPI v4
@@ -449,13 +450,23 @@ brew: deployable docker image, including the configuration provided in the [[./config][./config]] directory. - Ensure [[https://www.docker.com/][Docker]] is installed and do the usual + Ensure [[https://www.docker.com/][Docker]] is installed and do the usual: #+begin_src sh docker build . #+end_src - To build the image + to build the image. + + Use the following environment variables to setup the Redis username and password in ~config/system.config.yml~: + + - ~REDIS_USERNAME~ + - ~REDIS_PASSWORD~ + + Note that not using authorization for Redis is also possible by editing ~config/system.config.yml~ to delete the ~db.redis.username~ and ~db.redis.password~ properties before building the docker image. ** Location of system.config and gateway.config files and docker mounts
diff --git a/config/system.config.yml b/config/system.config.yml
index b5ee35ac..a3130a90 100644
--- a/config/system.config.yml
+++ b/config/system.config.yml
@@ -4,6 +4,8 @@ db:
 namespace: '${REDIS_NAMESPACE:-EG}'
 host: '${REDIS_HOST:-redis}'
 port: '${REDIS_PORT:-6379}'
+ username: '${REDIS_USERNAME}'
+ password: '${REDIS_PASSWORD}'
 #plugins:
 # express-gateway-plugin-example:
diff --git a/test/config/redis.Dockerfile b/test/config/redis.Dockerfile
new file mode 100644
index 00000000..bd09a8b8
--- /dev/null
+++ b/test/config/redis.Dockerfile
@@ -0,0 +1,3 @@
+FROM redis
+COPY redis.conf /usr/local/etc/redis/redis.conf
+CMD [ "redis-server", "/usr/local/etc/redis/redis.conf" ]
diff --git a/test/config/redis.conf b/test/config/redis.conf
new file mode 100644
index 00000000..da05789e
--- /dev/null
+++ b/test/config/redis.conf
@@ -0,0 +1,2 @@
+user default off
+user fred on +@all ~* >wilma
diff --git a/test/integration.environment.js b/test/integration.environment.js
index d293ca9e..a6a35993 100644
--- a/test/integration.environment.js
+++ b/test/integration.environment.js
@@ -108,7 +108,12 @@ module.exports = {
 badBackend = require('../scripts/bad-backend').run(TEST_BAD_BACKEND_PORT)
 slowBackend = require('../scripts/slow-backend').run(TEST_SLOW_BACKEND_PORT)
- redis = await new GenericContainer('redis')
+ const redisImage = await GenericContainer .fromDockerfile(path.resolve(__dirname, 'config'), 'redis.Dockerfile') .build()
+
+ redis = await redisImage .withName('redis')
 .withWaitStrategy(Wait.forLogMessage('Ready to accept connections'))
 .withExposedPorts(REDIS_PORT)
 .start()
@@ -144,6 +149,8 @@ module.exports = {
 LOG_LEVEL: process.env.LOG_LEVEL || 'info',
 REDIS_HOST,
 REDIS_PORT: redisPort,
+ REDIS_USERNAME: 'fred',
+ REDIS_PASSWORD: 'wilma',
 SECRETS_KEY_FILE: 'config/test-secret.txt'
 })
 .withWaitStrategy(Wait.forLogMessage('gateway http server listening'))
diff --git a/vendor/express-gateway-lite b/vendor/express-gateway-lite
index 86734840..2eadce6c 160000
--- a/vendor/express-gateway-lite
+++ b/vendor/express-gateway-lite
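Review bot: The two new keys at the end of the `db:` block interpolate `${REDIS_USERNAME}` and `${REDIS_PASSWORD}` with no `:-` default, unlike the three keys above them, and nothing in the file says what a deployment gets when the variables are unset. The README in this same commit states that the way to run without Redis auth is to delete both properties before building, so that contract belongs next to the keys: `# Set both or delete both: remove these two keys to connect to a Redis without ACL auth (see README).` Where the new keys are consumed is not in this diff; presumably it is the vendored express-gateway-lite bump, which cannot be reviewed here.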
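Review bot: `FROM redis` on the first line is untagged, so the test fixture tracks whatever the image's default tag resolves to on the day the suite is built, and the `user` directives in the copied redis.conf depend on the ACL system that only exists from Redis 6 onward; pin at least the major, `FROM redis:<pinned-tag>`, filling in the tag the project actually tests against. The replaced `new GenericContainer('redis')` was equally unpinned, so this is inherited rather than introduced, but the new Dockerfile is the natural place to fix it.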
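Review bot: The credentials on line 2 (`fred` / `wilma`) are repeated verbatim in the `@@ -144,6 +149,8 @@` hunk of test/integration.environment.js as `REDIS_USERNAME: 'fred'` and `REDIS_PASSWORD: 'wilma'`, with nothing tying the two files together, so editing one silently breaks the suite. Add `# Test-only credentials; must match REDIS_USERNAME/REDIS_PASSWORD in test/integration.environment.js` above the user line, or generate this file from the JS constants. `+@all ~* >wilma` also grants the test user every command group and every key; if the gateway's command set is known, narrowing it would make the fixture a closer model of a production ACL, though for a throwaway container this is minor. `user default off` is the right choice here, since it makes the unauthenticated path fail and so gives the integration run something to prove.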
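Review bot: `.withName('redis')` pins a fixed container name, so a second concurrent run of the suite, or a container left behind by an aborted run, fails to start on a name conflict where the replaced `new GenericContainer('redis')` did not. If the fixed name is there so the gateway container can resolve Redis by hostname (the `${REDIS_HOST:-redis}` default in system.config.yml hints at that, but the gateway is also handed an explicit `REDIS_HOST` further down, so it is not certain), say so in a comment, `// fixed name: other containers reach Redis by the hostname 'redis'`; otherwise drop the line or suffix the name with a per-run unique value. The enclosing async function starts and ends outside the hunk, and whether `path` is already required at the top of the file is not visible here.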
@@ -1 +1 @@
-Subproject commit 867348402b3b7ae3428abbe14797def4349da9a7
+Subproject commit 2eadce6c3e97bf1cd0042407f2903786cfd7a7f5