From 93255b52362d4967495814c983c60b8000145d0f Mon Sep 17 00:00:00 2001 
From: Robin Munn Date: Thu, 23 May 2024 16:06:08 +0700 Subject: [PATCH] Require username and password for mongodb (#1813) * Use MongoDB auth from env vars if available If MONGODB_USER and MONGODB_PASS are set, they will be used to authenticate to the MongoDB server. If they are not set, then a connection request with no authentication will be sent (as per the existing behavior). This allows us to deploy this change, then set MONGODB_USER and MONGODB_PASS later and have those changes picked up without a redeployment. Note that a corresponding change to LfMerge will also be needed. * Add auth env vars for LfMerge, other containers LfMerge env vars won't be used until we deploy a new build of LfMerge that looks for them, which will be in a PR on the LfMerge repo. * Use alpha build of LfMerge that handles auth LfMerge now has an alpha build that handles auth. Once we've proved that it works, we'll release a full build of LfMerge and bump this version number again. * Add commented-out lines to turn on MongoDB auth Uncommenting these two lines will enable MongoDB auth on local dev. Do not do so until you have created the `admin` user or you may end up locked out of your local MongoDB. * Uncomment MongoDB auth lines This was needed to make tests pass in CI * Pass authSource as a separate env var This will allow us to change the name of the Mongo database we store our auth in, if in the future we decide not to go with the default name. * Add Kubernetes secrets for Mongo auth --------- Co-authored-by: Christopher Hirt --- docker-compose.yml | 15 +++++++++++++++ docker/deployment/base/app-deployment.yaml | 15 +++++++++++++++ docker/deployment/base/lfmerge-deployment.yaml | 15 +++++++++++++++ docker/deployment/base/secrets.yaml | 12 ++++++++++++ docker/lfmerge/Dockerfile | 2 +- scripts/scriptsConfig.php | 3 +++ src/Api/Model/Shared/Mapper/MongoStore.php | 12 +++++++++++- src/config.php | 3 +++ test/php/TestConfig.php | 3 +++ 9 files changed, 78 insertions(+), 2 deletions(-) 
diff --git a/docker-compose.yml b/docker-compose.yml index 3c64e90012..8bfaa8e555 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -57,6 +57,9 @@ services: - WEBSITE=localhost - DATABASE=scriptureforge - MONGODB_CONN=mongodb://lf-db:27017 + - MONGODB_AUTHSOURCE=admin + - MONGODB_USER=admin + - MONGODB_PASS=pass - MAIL_HOST=mail - GOOGLE_CLIENT_ID=bogus-development-token - GOOGLE_CLIENT_SECRET=bogus-development-token @@ -104,6 +107,7 @@ services: - ENVIRONMENT=development - DATABASE=scriptureforge - MONGODB_CONN=mongodb://db:27017 + - MONGODB_AUTHSOURCE=admin - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token - LANGUAGE_DEPOT_HG_USERNAME=admin - LANGUAGE_DEPOT_TRUST_TOKEN=pass @@ -115,6 +119,9 @@ services: - LFMERGE_TEMPLATES_DIR=Templates - LFMERGE_MONGO_HOSTNAME=db - LFMERGE_MONGO_PORT=27017 + - LFMERGE_MONGO_AUTHSOURCE=admin + - LFMERGE_MONGO_USER=admin + - LFMERGE_MONGO_PASS=pass - LFMERGE_MONGO_MAIN_DB_NAME=scriptureforge - LFMERGE_MONGO_DB_NAME_PREFIX=sf_ - LFMERGE_VERBOSE_PROGRESS=true @@ -222,6 +229,8 @@ services: restart: always environment: - MONGO_INITDB_DATABASE=scriptureforge + - MONGO_INITDB_ROOT_USERNAME=admin + - MONGO_INITDB_ROOT_PASSWORD=pass ld-db: image: mariadb:10.10 @@ -277,6 +286,9 @@ services: - WEBSITE=localhost - DATABASE=e2e_test - MONGODB_CONN=mongodb://db:27017 + - MONGODB_AUTHSOURCE=admin + - MONGODB_USER=admin + - MONGODB_PASS=pass - MAIL_HOST=mail - REMEMBER_ME_SECRET=bogus-development-key - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token @@ -311,6 +323,9 @@ services: - WEBSITE=localhost.languageforge.org - DATABASE=scriptureforge_test - MONGODB_CONN=mongodb://db:27017 + - MONGODB_AUTHSOURCE=admin + - MONGODB_USER=admin + - MONGODB_PASS=pass - MAIL_HOST=mail - LANGUAGE_DEPOT_API_TOKEN=bogus-development-token - XDEBUG_MODE=develop,debug diff --git a/docker/deployment/base/app-deployment.yaml b/docker/deployment/base/app-deployment.yaml index 7c743d15e5..925f68b7e2 100644 --- a/docker/deployment/base/app-deployment.yaml 
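Review bot: In the db service hunk (`@@ -222,6 +229,8 @@`) `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` are, as far as I know, only honoured by the official mongo image when it initialises an empty data directory, so a developer with an existing `lf-db`/`db` volume will not get the `admin` user while every app and LfMerge container in this file now sends credentials and will fail to authenticate — the lockout the commit message itself warns about. A comment next to those two lines would save that surprise, e.g. `# Only applied on first start of an empty volume; recreate the db volume (or create the user by hand) when upgrading an existing dev database`. The same `MONGODB_USER`/`MONGODB_PASS` literals are repeated in the other four hunks of this file; a single `x-mongo-auth` anchor or an `.env` entry would keep them in one place.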
+++ b/docker/deployment/base/app-deployment.yaml @@ -97,6 +97,21 @@ spec: secretKeyRef: key: MONGODB_CONN name: app + - name: MONGODB_AUTHSOURCE + valueFrom: + secretKeyRef: + key: MONGODB_AUTHSOURCE + name: mongo-auth + - name: MONGODB_USER + valueFrom: + secretKeyRef: + key: MONGODB_USER + name: mongo-auth + - name: MONGODB_PASS + valueFrom: + secretKeyRef: + key: MONGODB_PASS + name: mongo-auth - name: REMEMBER_ME_SECRET valueFrom: secretKeyRef: diff --git a/docker/deployment/base/lfmerge-deployment.yaml b/docker/deployment/base/lfmerge-deployment.yaml index 70412cf477..006e842dee 100644 --- a/docker/deployment/base/lfmerge-deployment.yaml +++ b/docker/deployment/base/lfmerge-deployment.yaml @@ -99,6 +99,21 @@ spec: value: "27017" - name: LFMERGE_MONGO_MAIN_DB_NAME value: scriptureforge + - name: LFMERGE_MONGO_AUTHSOURCE + valueFrom: + secretKeyRef: + key: MONGODB_AUTHSOURCE + name: mongo-auth + - name: LFMERGE_MONGO_USER + valueFrom: + secretKeyRef: + key: MONGODB_USER + name: mongo-auth + - name: LFMERGE_MONGO_PASS + valueFrom: + secretKeyRef: + key: MONGODB_PASS + name: mongo-auth - name: LFMERGE_MONGO_DB_NAME_PREFIX value: sf_ - name: LFMERGE_VERBOSE_PROGRESS diff --git a/docker/deployment/base/secrets.yaml b/docker/deployment/base/secrets.yaml index 294b8f0f3c..9af12c3493 100644 --- a/docker/deployment/base/secrets.yaml +++ b/docker/deployment/base/secrets.yaml @@ -10,6 +10,18 @@ data: --- +apiVersion: v1 +kind: Secret +metadata: + name: mongo-auth + namespace: languageforge +data: + MONGODB_AUTHSOURCE: '' + MONGODB_USER: '' + MONGODB_PASS: '' + +--- + apiVersion: v1 kind: Secret metadata: diff --git a/docker/lfmerge/Dockerfile b/docker/lfmerge/Dockerfile index 276dab9940..bc3114637a 100644 --- a/docker/lfmerge/Dockerfile +++ b/docker/lfmerge/Dockerfile @@ -1,2 +1,2 @@ -FROM ghcr.io/sillsdev/lfmerge:2.0.138 +FROM ghcr.io/sillsdev/lfmerge:2.0.139-alpha.43 # Do not add anything to this Dockerfile, it should stay empty 
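Review bot: The new `mongo-auth` Secret in secrets.yaml is committed with empty `data` values, and the PHP side treats an empty MONGODB_USER/MONGODB_PASS as "not configured" (its `!= null` checks reject `''`), so a cluster where this placeholder is applied but never populated will run the app and LfMerge against MongoDB with no authentication and no error. A comment on the Secret would make the expectation explicit, e.g. `# Placeholder: populate these (base64) before the MongoDB server enforces auth; empty values make the clients connect unauthenticated`. The same three keys are consumed via `secretKeyRef` in the app-deployment.yaml and lfmerge-deployment.yaml hunks above, so one note here covers all three.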
diff --git a/scripts/scriptsConfig.php b/scripts/scriptsConfig.php
index 1dc6f522c9..140cdcccff 100644
--- a/scripts/scriptsConfig.php
+++ b/scripts/scriptsConfig.php
@@ -10,4 +10,7 @@ define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("BCRYPT_COST", 7);
diff --git a/src/Api/Model/Shared/Mapper/MongoStore.php b/src/Api/Model/Shared/Mapper/MongoStore.php
index aa3b82cb43..8c9ad0c315 100644
--- a/src/Api/Model/Shared/Mapper/MongoStore.php
+++ b/src/Api/Model/Shared/Mapper/MongoStore.php
@@ -18,9 +18,19 @@ public static function connect($databaseName)
 if (static::$_mongoClient == null) {
 // MongoDB Client that will unserialize everything as PHP Arrays consistent with the legacy driver (which our code was built on)
 // see http://mongodb.github.io/mongo-php-library/classes/client/#example
+ $options = [];
+ if (defined('MONGODB_USER') && defined('MONGODB_PASS')) {
+ if (MONGODB_USER != null && MONGODB_PASS != null) {
+ $options = [ 'username' => MONGODB_USER, 'password' => MONGODB_PASS ];
+ }
+ }
+ $options['authSource'] = 'admin';
+ if (defined('MONGODB_AUTHSOURCE') && MONGODB_AUTHSOURCE != null) {
+ $options['authSource'] = MONGODB_AUTHSOURCE;
+ }
 static::$_mongoClient = new Client(
 MONGODB_CONN,
- [],
+ $options,
 ["typeMap" => ["root" => "array", "document" => "array", "array" => "array"]]
 );
 }
diff --git a/src/config.php b/src/config.php
index 8ebe5a2e7d..6f52eb43e2 100644
--- a/src/config.php
+++ b/src/config.php
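Review bot: Partially configured credentials degrade silently to an unauthenticated connection: the added block in MongoStore::connect sets `username`/`password` only when both MONGODB_USER and MONGODB_PASS are non-empty, so a deployment that provides one of them (or a Secret with one empty key) connects with no auth and nothing is logged. Failing when exactly one of the pair is present keeps the intentional fall-back the commit message describes (neither set → no auth, as before) while making the broken case visible at startup instead of as an auth error later — or not at all if the server has not enforced auth yet. The `!= null` loose comparisons also deserve a comment, since they deliberately treat `''` as unset; `!== null && !== ''` would say that explicitly. `connect()` begins and ends outside this hunk.
```php
// … unchanged: comment lines about typeMap …
$options = ['authSource' => 'admin'];
if (defined('MONGODB_AUTHSOURCE') && MONGODB_AUTHSOURCE != null) {
    $options['authSource'] = MONGODB_AUTHSOURCE;
}
// Credentials are optional (neither set => unauthenticated, the pre-existing behaviour),
// but setting only one of the pair is a misconfiguration, not a request for no auth.
$hasUser = defined('MONGODB_USER') && MONGODB_USER != null;
$hasPass = defined('MONGODB_PASS') && MONGODB_PASS != null;
if ($hasUser !== $hasPass) {
    throw new \RuntimeException('MONGODB_USER and MONGODB_PASS must be set together');
}
if ($hasUser) {
    $options['username'] = MONGODB_USER;
    $options['password'] = MONGODB_PASS;
}
// … unchanged: new Client(MONGODB_CONN, $options, [...typeMap...]) …
```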
@@ -5,6 +5,9 @@ define("ENVIRONMENT", Env::requireEnv("ENVIRONMENT"));
 define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("LANGUAGE_DEPOT_API_TOKEN", Env::requireEnv("LANGUAGE_DEPOT_API_TOKEN"));
 define("BCRYPT_COST", 7);
diff --git a/test/php/TestConfig.php b/test/php/TestConfig.php
index 811b1e6427..30408c4b23 100644
--- a/test/php/TestConfig.php
+++ b/test/php/TestConfig.php
@@ -19,6 +19,9 @@ define("DATABASE", Env::requireEnv("DATABASE"));
 define("MONGODB_CONN", Env::requireEnv("MONGODB_CONN"));
+define("MONGODB_AUTHSOURCE", Env::get("MONGODB_AUTHSOURCE"));
+define("MONGODB_USER", Env::get("MONGODB_USER"));
+define("MONGODB_PASS", Env::get("MONGODB_PASS"));
 define("SF_TESTPROJECT", "Test Project");
 define("SF_TESTPROJECTCODE", "testcode1");
 define("SF_TESTPROJECT2", "Test Project2");