Require username and password for mongodb (#1813)

* Use MongoDB auth from env vars if available

If MONGODB_USER and MONGODB_PASS are set, they will be used to
authenticate to the MongoDB server. If they are not set, then a
connection request with no authentication will be sent (as per the
existing behavior). This allows us to deploy this change, then set
MONGODB_USER and MONGODB_PASS later and have those changes picked up
without a redeployment.

Note that a corresponding change to LfMerge will also be needed.

* Add auth env vars for LfMerge, other containers

LfMerge env vars won't be used until we deploy a new build of LfMerge
that looks for them, which will be in a PR on the LfMerge repo.

* Use alpha build of LfMerge that handles auth

LfMerge now has an alpha build that handles auth. Once we've proved that
it works, we'll release a full build of LfMerge and bump this version
number again.

* Add commented-out lines to turn on MongoDB auth

Uncommenting these two lines will enable MongoDB auth on local dev. Do
not do so until you have created the `admin` user or you may end up
locked out of your local MongoDB.

* Uncomment MongoDB auth lines

This was needed to make tests pass in CI

* Pass authSource as a separate env var

This will allow us to change the name of the Mongo database we store our
auth in, if in the future we decide not to go with the default name.

* Add Kubernetes secrets for Mongo auth

---------

Co-authored-by: Christopher Hirt <chris@hirtfamily.net>

docker-compose.yml

@@ -57,6 +57,9 @@ services:
       - WEBSITE=localhost
       - DATABASE=scriptureforge
       - MONGODB_CONN=mongodb://lf-db:27017
+      - MONGODB_AUTHSOURCE=admin
+      - MONGODB_USER=admin
+      - MONGODB_PASS=pass
       - MAIL_HOST=mail
       - GOOGLE_CLIENT_ID=bogus-development-token
       - GOOGLE_CLIENT_SECRET=bogus-development-token
@@ -104,6 +107,7 @@ services:
       - ENVIRONMENT=development
       - DATABASE=scriptureforge
       - MONGODB_CONN=mongodb://db:27017
+      - MONGODB_AUTHSOURCE=admin
       - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token
       - LANGUAGE_DEPOT_HG_USERNAME=admin
       - LANGUAGE_DEPOT_TRUST_TOKEN=pass
@@ -115,6 +119,9 @@ services:
       - LFMERGE_TEMPLATES_DIR=Templates
       - LFMERGE_MONGO_HOSTNAME=db
       - LFMERGE_MONGO_PORT=27017
+      - LFMERGE_MONGO_AUTHSOURCE=admin
+      - LFMERGE_MONGO_USER=admin
+      - LFMERGE_MONGO_PASS=pass
       - LFMERGE_MONGO_MAIN_DB_NAME=scriptureforge
       - LFMERGE_MONGO_DB_NAME_PREFIX=sf_
       - LFMERGE_VERBOSE_PROGRESS=true
@@ -222,6 +229,8 @@ services:
     restart: always
     environment:
       - MONGO_INITDB_DATABASE=scriptureforge
+      - MONGO_INITDB_ROOT_USERNAME=admin
+      - MONGO_INITDB_ROOT_PASSWORD=pass
 
   ld-db:
     image: mariadb:10.10
@@ -277,6 +286,9 @@ services:
       - WEBSITE=localhost
       - DATABASE=e2e_test
       - MONGODB_CONN=mongodb://db:27017
+      - MONGODB_AUTHSOURCE=admin
+      - MONGODB_USER=admin
+      - MONGODB_PASS=pass
       - MAIL_HOST=mail
       - REMEMBER_ME_SECRET=bogus-development-key
       - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token
@@ -311,6 +323,9 @@ services:
       - WEBSITE=localhost.languageforge.org
       - DATABASE=scriptureforge_test
       - MONGODB_CONN=mongodb://db:27017
+      - MONGODB_AUTHSOURCE=admin
+      - MONGODB_USER=admin
+      - MONGODB_PASS=pass
       - MAIL_HOST=mail
       - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token
       - XDEBUG_MODE=develop,debug

docker/deployment/base/app-deployment.yaml

@@ -97,6 +97,21 @@ spec:
               secretKeyRef:
                 key: MONGODB_CONN
                 name: app
+          - name: MONGODB_AUTHSOURCE
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_AUTHSOURCE
+                name: mongo-auth
+          - name: MONGODB_USER
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_USER
+                name: mongo-auth
+          - name: MONGODB_PASS
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_PASS
+                name: mongo-auth
           - name: REMEMBER_ME_SECRET
             valueFrom:
               secretKeyRef:

docker/deployment/base/lfmerge-deployment.yaml

@@ -99,6 +99,21 @@ spec:
             value: "27017"
           - name: LFMERGE_MONGO_MAIN_DB_NAME
             value: scriptureforge
+          - name: LFMERGE_MONGO_AUTHSOURCE
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_AUTHSOURCE
+                name: mongo-auth
+          - name: LFMERGE_MONGO_USER
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_USER
+                name: mongo-auth
+          - name: LFMERGE_MONGO_PASS
+            valueFrom:
+              secretKeyRef:
+                key: MONGODB_PASS
+                name: mongo-auth
           - name: LFMERGE_MONGO_DB_NAME_PREFIX
             value: sf_
           - name: LFMERGE_VERBOSE_PROGRESS

docker/deployment/base/secrets.yaml

@@ -10,6 +10,18 @@ data:
 
 ---
 
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mongo-auth
+  namespace: languageforge
+data:
+  MONGODB_AUTHSOURCE: ''
+  MONGODB_USER: ''
+  MONGODB_PASS: ''
+
+---
+
 apiVersion: v1
 kind: Secret
 metadata:

docker/lfmerge/Dockerfile

@@ -1,2 +1,2 @@
-FROM ghcr.io/sillsdev/lfmerge:2.0.138
+FROM ghcr.io/sillsdev/lfmerge:2.0.139-alpha.43
 # Do not add anything to this Dockerfile, it should stay empty

scripts/scriptsConfig.php

@@ -10,4 +10,7 @@
 
 define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("BCRYPT_COST", 7);

src/Api/Model/Shared/Mapper/MongoStore.php

@@ -18,9 +18,19 @@ public static function connect($databaseName)
         if (static::$_mongoClient == null) {
             // MongoDB Client that will unserialize everything as PHP Arrays consistent with the legacy driver (which our code was built on)
             // see http://mongodb.github.io/mongo-php-library/classes/client/#example
+            $options = [];
+            if (defined('MONGODB_USER') && defined('MONGODB_PASS')) {
+                if (MONGODB_USER != null && MONGODB_PASS != null) {
+                    $options = [ 'username' => MONGODB_USER, 'password' => MONGODB_PASS ];
+                }
+            }
+            $options['authSource'] = 'admin';
+            if (defined('MONGODB_AUTHSOURCE') && MONGODB_AUTHSOURCE != null) {
+                $options['authSource'] = MONGODB_AUTHSOURCE;
+            }
             static::$_mongoClient = new Client(
                 MONGODB_CONN,
-                [],
+                $options,
                 ["typeMap" => ["root" => "array", "document" => "array", "array" => "array"]]
             );
         }

src/config.php

@@ -5,6 +5,9 @@
 define("ENVIRONMENT", Env::requireEnv("ENVIRONMENT"));
 define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("LANGUAGE_DEPOT_API_TOKEN", Env::requireEnv("LANGUAGE_DEPOT_API_TOKEN"));
 
 define("BCRYPT_COST", 7);

test/php/TestConfig.php

@@ -19,6 +19,9 @@
 
 define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("SF_TESTPROJECT", "Test Project");
 define("SF_TESTPROJECTCODE", "testcode1");
 define("SF_TESTPROJECT2", "Test Project2");