Protect redis access with username and password

SURFnet · Dec 5, 2024 · efe0c78 · efe0c78
1 parent 0717b68
commit efe0c78
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 4 deletions.
diff --git a/README.org b/README.org
@@ -346,6 +346,7 @@ to ~proxyOptionsEncoded~ using the key in ~SECRETS_KEY_FILE~.
 
    When ~validateResponses~ is ~true~, responses are validated when
    the request has an ~X-Validate-Response: true~ header.
+
 *** OOAPI V4 & V5 configuration & validation
 
 There are example configurations for handling and validating OOAPI v4
@@ -449,13 +450,23 @@ brew:
   deployable docker image, including the configuration provided in the
   [[./config][./config]] directory.
 
-  Ensure [[https://www.docker.com/][Docker]] is installed and do the usual
+  Ensure [[https://www.docker.com/][Docker]] is installed and do the usual:
 
   #+begin_src sh
   docker build .
   #+end_src
 
-  To build the image
+  to build the image.
+
+  Use the following environment variables to setup the Redis username
+  and password in ~config/system.config.yml~:
+
+  - ~REDIS_USERNAME~
+  - ~REDIS_PASSWORD~
+
+  Note that not using authorization for Redis is also possible by
+  editing ~config/system.config.yml~ to delete the ~db.redis.username~
+  and ~db.redis.password~ properties before building the docker image.
 
 ** Location of system.config and gateway.config files and docker mounts
 

diff --git a/config/system.config.yml b/config/system.config.yml
@@ -4,6 +4,8 @@ db:
     namespace: '${REDIS_NAMESPACE:-EG}'
     host: '${REDIS_HOST:-redis}'
     port: '${REDIS_PORT:-6379}'
+    username: '${REDIS_USERNAME}'
+    password: '${REDIS_PASSWORD}'
 
 #plugins:
   # express-gateway-plugin-example:

diff --git a/test/config/redis.Dockerfile b/test/config/redis.Dockerfile
@@ -0,0 +1,3 @@
+FROM redis
+COPY redis.conf /usr/local/etc/redis/redis.conf
+CMD [ "redis-server", "/usr/local/etc/redis/redis.conf" ]
diff --git a/test/config/redis.conf b/test/config/redis.conf
@@ -0,0 +1,2 @@
+user default off
+user fred on +@all ~* >wilma
diff --git a/test/integration.environment.js b/test/integration.environment.js
@@ -108,7 +108,12 @@ module.exports = {
     badBackend = require('../scripts/bad-backend').run(TEST_BAD_BACKEND_PORT)
     slowBackend = require('../scripts/slow-backend').run(TEST_SLOW_BACKEND_PORT)
 
-    redis = await new GenericContainer('redis')
+    const redisImage = await GenericContainer
+      .fromDockerfile(path.resolve(__dirname, 'config'), 'redis.Dockerfile')
+      .build()
+
+    redis = await redisImage
+      .withName('redis')
       .withWaitStrategy(Wait.forLogMessage('Ready to accept connections'))
       .withExposedPorts(REDIS_PORT)
       .start()
@@ -144,6 +149,8 @@ module.exports = {
           LOG_LEVEL: process.env.LOG_LEVEL || 'info',
           REDIS_HOST,
           REDIS_PORT: redisPort,
+          REDIS_USERNAME: 'fred',
+          REDIS_PASSWORD: 'wilma',
           SECRETS_KEY_FILE: 'config/test-secret.txt'
         })
         .withWaitStrategy(Wait.forLogMessage('gateway http server listening'))

diff --git a/vendor/express-gateway-lite b/vendor/express-gateway-lite
+6 −0		lib/config/schemas/system.config.json
+2 −0		lib/config/system.config.yml
+1 −1		test/conditions.test.js