narra auth instead .htpasswd

dopos · Oct 1, 2017 · 394c248 · 394c248
1 parent 14d46f4
commit 394c248
Show file tree

Hide file tree

Showing 5 changed files with 205 additions and 46 deletions.
diff --git a/apps/cis/Makefile b/apps/cis/Makefile
@@ -13,14 +13,22 @@ CIS_WEBTAIL_VER    ?= $(CIS_WEBTAIL_VER0)
 CIS_WEBHOOK_VER0   ?= 0.4
 # Webtail Docker image version
 CIS_WEBHOOK_VER    ?= $(CIS_WEBHOOK_VER0)
+# Narra Docker image version by dcape
+CIS_NARRA_VER0     ?= 0.2
+# Webtail Docker image version
+CIS_NARRA_VER    ?= $(CIS_NARRA_VER0)
 # CIS hostname prefix
 CIS_HOST_PREFIX    ?= cis
 # CIS hostname
 CIS_HOST           ?= $(CIS_HOST_PREFIX).$(DOMAIN)
-# Login of admin user in CIR restricted areas
-CIS_AREA_LOGIN     ?= admin
-# Password of admin user in CIS restricted areas
-CIS_AREA_PASS      ?= $(shell < /dev/urandom tr -dc A-Za-z0-9 | head -c8; echo)
+# Gitea host for auth
+CIS_GITEA_HOST     ?= http://gitea:3000
+# Gitea organization for users who has access to CIS
+CIS_GITEA_ORG      ?= dcape
+# Key to sign CIS token
+CIS_SIGN_KEY       ?= $(shell < /dev/urandom tr -dc A-Za-z0-9 | head -c32; echo)
+# Key to crypt CIS token
+CIS_CRYPT_KEY      ?= $(shell < /dev/urandom tr -dc A-Za-z0-9 | head -c32; echo)
 # Webhook access password
 CIS_DEPLOY_PASS    ?= $(shell < /dev/urandom tr -dc A-Za-z0-9 | head -c8; echo)
 # For webhook container
@@ -32,9 +40,15 @@ define CONFIG_CIS
 # App hostname
 CIS_HOST=$(CIS_HOST)
 
-# Private admin site part (traefik, consul, webtail, dns)
-CIS_AREA_LOGIN=$(CIS_AREA_LOGIN)
-CIS_AREA_PASS=$(CIS_AREA_PASS)
+# Private admin site part (traefik, consul, webtail, dns) token
+# Gitea host for auth
+CIS_GITEA_HOST=$(CIS_GITEA_HOST)
+# Gitea organization for users who has access to CIS
+CIS_GITEA_ORG=$(CIS_GITEA_ORG)
+# Key to sign CIS token
+CIS_SIGN_KEY=$(CIS_SIGN_KEY)
+# Key to crypt CIS token
+CIS_CRYPT_KEY=$(CIS_CRYPT_KEY)
 
 # Webhook access password
 CIS_DEPLOY_PASS=$(CIS_DEPLOY_PASS)
@@ -43,6 +57,8 @@ CIS_DEPLOY_PASS=$(CIS_DEPLOY_PASS)
 CIS_WEBTAIL_VER=$(CIS_WEBTAIL_VER)
 # Webhook Docker image version
 CIS_WEBHOOK_VER=$(CIS_WEBHOOK_VER)
+# Narra Docker image version
+CIS_NARRA_VER=$(CIS_NARRA_VER)
 
 # CIS webhook must have same root
 DCAPE_ROOT=$(DCAPE_ROOT)
@@ -51,11 +67,9 @@ endef
 export CONFIG_CIS
 
 cis-init:
-	@grep CIS_AREA .env || \
+	@grep CIS_DEPLOY .env || \
 	{ \
 	  echo "$$CONFIG_CIS" >> .env ; \
-	  echo "** CIS AREA LOGIN:      $$CIS_AREA_LOGIN" ; \
-	  echo "** CIS AREA PASSWORD:   $$CIS_AREA_PASS" ; \
 	  echo "** CIS DEPLOY PASSWORD: $$CIS_DEPLOY_PASS" ; \
 	}
 	@if [[ "$$CIS_WEBTAIL_VER0" != "$$CIS_WEBTAIL_VER" ]] ; then \
@@ -64,19 +78,17 @@ cis-init:
 	@if [[ "$$CIS_WEBHOOK_VER0" != "$$CIS_WEBHOOK_VER" ]] ; then \
 	  echo "Warning: CIS_WEBHOOK_VER in dcape ($$CIS_WEBHOOK_VER0) differs from yours ($$CIS_WEBHOOK_VER)" ; \
 	fi
+	@if [[ "$$CIS_NARRA_VER0" != "$$CIS_NARRA_VER" ]] ; then \
+	  echo "Warning: CIS_NARRA_VER in dcape ($$CIS_NARRA_VER0) differs from yours ($$CIS_NARRA_VER)" ; \
+	fi
 
-cis-apply: var/data/cis var/data/cis/htpasswd var/data/cis/hook.pub
+cis-apply: var/data/cis var/data/cis/hook.pub
 	@echo "*** $@ ***"
 
 var/data/cis:
 	@echo "*** $@ ***"
 	@[ -d var/data/cis ] || mkdir var/data/cis
 
-# the only file needed in var. While gogs auth client does not written
-var/data/cis/htpasswd:
-	@echo "*** $@ ***"
-	@P=$$(echo $$CIS_AREA_PASS | openssl passwd -stdin) && echo "$$CIS_AREA_LOGIN:$$P" > var/data/cis/htpasswd
-
 var/data/cis/hook.pub:
 	@echo "*** $@ ***"
 	ssh-keygen -t rsa -b 1024 -f var/data/cis/hook -N "" -C webhook@$$DOMAIN

diff --git a/apps/cis/docker-compose.inc.yml b/apps/cis/docker-compose.inc.yml
@@ -11,12 +11,12 @@
       - webhook
       - traefik-fl
       - enfist
+      - narra
     volumes:
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
       - ./apps/cis/html:/usr/share/nginx/html:ro
       - ./apps/cis/nginx.conf:/etc/nginx/conf.d/default.conf:ro
-      - ./var/data/cis/htpasswd:/etc/nginx/htpasswd:ro
       - ./var/data/cis/hook.pub:/data/hook.pub:ro
 
 
@@ -58,3 +58,16 @@
     restart: always
     labels:
       - "traefik.enable=false"
+
+  # ------------------------------------------------------------------------------
+  narra:
+    image: narra
+#    image: dopos/webhook:${CIS_NARRA_VER}
+    restart: always
+    labels:
+      - "traefik.enable=false"
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    command:
+      --gitea_host ${CIS_GITEA_HOST} --cookie_sign ${CIS_SIGN_KEY} --cookie_crypt ${CIS_CRYPT_KEY} --gitea_org ${GITEA_ORG}
diff --git a/apps/cis/html/401.html b/apps/cis/html/401.html
@@ -0,0 +1,52 @@
+<!DOCTYPE html>
+<html xml:lang="ru" xmlns="http://www.w3.org/1999/xhtml" lang="ru">
+<head>
+  <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
+  <meta charset="utf-8">
+  <title>DCAPE CIS login</title>
+
+  <!-- Mobile Specific Metas
+  –––––––––––––––––––––––––––––––––––––––––––––––––– -->
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <!-- CSS
+  –––––––––––––––––––––––––––––––––––––––––––––––––– -->
+  <link rel="stylesheet" href="/css/normalize.css">
+  <link rel="stylesheet" href="/css/skeleton.css">
+
+  <!-- Favicon
+  –––––––––––––––––––––––––––––––––––––––––––––––––– -->
+  <link rel="icon" type="image/png" href="/images/favicon.png">
+
+</head>
+<body>
+  <!-- Primary Page Layout
+  –––––––––––––––––––––––––––––––––––––––––––––––––– -->
+  <div class="container">
+    <div class="row">
+      <div class="column" style="margin-top: 5%">
+        <h4>Gitea login</h4>
+    <form method="post" action="/login">
+  <div class="row">
+    <div class="four columns">
+        <input class="u-full-width" type="text" name="name" placeholder="Username" required="required" />
+    </div>
+  </div>
+  <div class="row">
+    <div class="four columns">
+      <input class="u-full-width" type="password" name="pass" placeholder="Password" required="required" id="passInput">
+    </div>
+  </div>
+  <label class="example-send-yourself-copy">
+    <input type="checkbox" name="keep" title="Remember me" />
+    <span class="label-body">Remember me</span>
+  </label>
+  <input class="button-primary" type="submit" value="Submit">
+</form>
+      </div>
+    </div>
+  </div>
+<!-- End Document
+  –––––––––––––––––––––––––––––––––––––––––––––––––– -->
+</body>
+</html>
diff --git a/apps/cis/html/index.html b/apps/cis/html/index.html
@@ -26,20 +26,33 @@
   <div class="container">
     <div class="row">
       <div class="column" style="margin-top: 5%">
-        <h4>Welcome to <a href="https://github.com/dopos/dcape">DCAPE</a> Continuous Integration Server</h4>
-        <p>Our resources:
+        <h4><a href="https://github.com/dopos/dcape">DCAPE</a> Continuous Integration Server</h4>
+        <h5>Our resources</h5>
+          <div id="anon">
+            You must athenticate with Gitea account for access these pages.
+          </div>
+          <div id="user" style="display: none">
+            You athenticated for access these pages.
+            <div id="key_off">
+              <button onclick="keyShow()">Show config access key</button>
+            </div>
+            <div id="key_on" style="display: none">
+              <button onclick="keyHide()">Hide config access key</button>
+              <a href="/logout">Delete auth cookie</a>
+              <input class="u-full-width" type="text" id="key" />
+            </div>
+          </div>
           <ul>
             <li><a href="/logs/" target="_blank">Application logs</a>
             <li><a href="/conf/rpc/tag" target="_blank">Config store</a>
             <li><a href="/dashboard/" target="_blank">Traefik dashboard</a>
-            <li><a href="/hook.pub">Hook public key</a> (for use in <a href="http://gogs.io">Gogs</a> remove last CR)</li>
+            <li><a href="/hook.pub">Hook public key</a> (for use in Gitea remove last CR)</li>
           </ul>
         </p>
-        <p>Hosted projects:
+        <h5>Hosted projects</h5>
           <ul id='sites'>
           </ul>
         </p>
-
       </div>
     </div>
   </div>
@@ -53,6 +66,21 @@ <h4>Welcome to <a href="https://github.com/dopos/dcape">DCAPE</a> Continuous Int
     Httpreq.send(null);
     return Httpreq.responseText;
   }
+  // https://stackoverflow.com/a/15724300
+  function getCookie(name) {
+    var value = "; " + document.cookie;
+    var parts = value.split("; " + name + "=");
+    if (parts.length == 2) return parts.pop().split(";").shift();
+  }
+
+  function keyShow() {
+    document.getElementById('key_off').style.display = "none";
+    document.getElementById('key_on').style.display = "block";
+  }
+  function keyHide() {
+    document.getElementById('key_off').style.display = "block";
+    document.getElementById('key_on').style.display = "none";
+  }
 
   function ready() {
     document.title = location.host + ' - ' + document.title;
@@ -74,6 +102,12 @@ <h4>Welcome to <a href="https://github.com/dopos/dcape">DCAPE</a> Continuous Int
         ul.appendChild(li);
       }
     }
+    var token = getCookie('narra_token');
+    if (token != undefined) {
+      document.getElementById('key').value = token;
+      document.getElementById('user').style.display = "block";
+      document.getElementById('anon').style.display = "none";
+    }
   }
   document.addEventListener("DOMContentLoaded", ready);
 </script>

diff --git a/apps/cis/nginx.conf b/apps/cis/nginx.conf
@@ -3,15 +3,16 @@ map $http_upgrade $connection_upgrade {
     '' close;
 }
 
+log_format narra '$remote_addr - $narra_user [$time_local] "$request" '
+                 '$status $body_bytes_sent "$http_referer" '
+                 '"$http_user_agent" "$http_x_forwarded_for"';
+
+
 server {
   listen 80 default_server;
 
   server_name  localhost;
-
-#  server_name {{env "NODENAME"}}.{{env "CONSUL_DOMAIN"}};
-
-#  access_log  /var/log/nginx/{{env "NODENAME"}}-access.log  main;
-#  error_log   /var/log/nginx/{{env "NODENAME"}}-error.log;
+  access_log                    /dev/stdout narra;
 
   # hook.pub only
   location /hook.pub {
@@ -29,52 +30,95 @@ server {
         root   /usr/share/nginx/html;
     }
 
+  # traefik-fl
+  location /frontends.json {
+    proxy_pass http://traefik-fl:8080/;
+    proxy_buffering off;
+  }
+  # narra
+  error_page                    401 = /401.html;
+
+  location /login {
+    proxy_pass                  http://narra:8080;
+    proxy_cache                 off;
+    proxy_redirect              off;
+    proxy_buffering             off;
+    proxy_pass_header           Set-Cookie;
+    proxy_intercept_errors      on;
+  }
+
+  location = /auth {
+    internal;
+    proxy_pass                  http://narra:8080;
+    proxy_pass_request_body     off;
+    proxy_pass_request_headers  on;
+    proxy_set_header            Content-Length "";
+  }
+
+  location = /logout {
+    add_header Set-Cookie       "narra_token=;Path=/;Expires=Wed, 10 Aug 2016 00:10:10 GMT";
+    return     302              $scheme://$host/;
+  }
+
   # webhook
   location /hooks/ {
     proxy_pass http://webhook:9000/hooks/;
     proxy_http_version 1.1;
     proxy_read_timeout 600;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
 
   # enfist
   location /conf/rpc/ {
-    auth_basic           "DCAPE CIS";
-    auth_basic_user_file /etc/nginx/htpasswd;
+    auth_request                /auth;
+    auth_request_set            $narra_user $upstream_http_x_username;
     proxy_pass http://enfist:8080/rpc/;
     proxy_buffering off;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
 
-  # traefik-fl
-  location /frontends.json {
-    proxy_pass http://traefik-fl:8080/;
-    proxy_buffering off;
-  }
-
- # traefik
+  # traefik
   location /dashboard/ {
-    auth_basic           "DCAPE CIS";
-    auth_basic_user_file /etc/nginx/htpasswd;
+    auth_request                /auth;
+    auth_request_set            $narra_user $upstream_http_x_username;
     proxy_pass http://traefik:8080;
     proxy_buffering off;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
-
   location /api/ {
-    auth_basic           "DCAPE CIS";
-    auth_basic_user_file /etc/nginx/htpasswd;
+    auth_request                /auth;
+    auth_request_set            $narra_user $upstream_http_x_username;
     proxy_pass http://traefik:8080;
     proxy_buffering off;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
   location /health {
-    auth_basic           "DCAPE CIS";
-    auth_basic_user_file /etc/nginx/htpasswd;
+    auth_request                /auth;
+    auth_request_set            $narra_user $upstream_http_x_username;
     proxy_pass http://traefik:8080;
     proxy_buffering off;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
 
- #logs
+  # logs
   location /logs/ {
-    auth_basic           "DCAPE CIS";
-    auth_basic_user_file /etc/nginx/htpasswd;
+    auth_request                /auth;
+    auth_request_set            $narra_user $upstream_http_x_username;
 
     proxy_pass http://webtail:8080/;
     proxy_buffering off;
@@ -85,6 +129,10 @@ server {
 #    proxy_set_header Connection $connection_upgrade;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_read_timeout 950s;
+    if_modified_since           off;
+    etag                        off;
+    expires                     -1;
+    add_header                  Last-Modified "";
   }
 
 }