cht-core
Arch v3: Don't default CouchDB password to empty string
Describe the issue
When you don't specify the CouchDB password in COUCHDB_PASSWORD, you get a warning that: COUCHDB_PASSWORD variable is not set. Defaulting to a blank string.
Found in this docker compose file in a branch and also confirmed it's systemic for all three docker compose files (core, couchdb, and couchdb-clustered).
Describe the improvement you'd like
We should ensure CouchDB is secure by default and not allow insecure deployments.
Describe alternatives you've considered
NA
updated to denote presence in all three compose files (core, couchdb, and couchdb-clustered)
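As an added example (not cht-core's own code, and not the fix the branch implements), a POSIX shell pre-flight check that enforces the secure-by-default rule the issue asks for: it refuses to proceed when COUCHDB_PASSWORD would otherwise expand to an empty string, and it shows the compose `${VAR:?err}` substitution form that makes docker compose abort instead of printing the "Defaulting to a blank string" warning. Function names, error messages and the sample password are assumptions.

```shell
#!/bin/sh
# Added example, not part of cht-core: pre-flight check to run before
# `docker compose up`, so a missing COUCHDB_PASSWORD fails loudly instead
# of being substituted with "" as the issue describes.

# Return 0 when every named variable is set to a non-empty value; otherwise
# report each offender on stderr and return 1. Names are validated as shell
# identifiers before the eval so only the hard-coded list is ever expanded.
require_nonempty() {
  missing=0
  for name in "$@"; do
    case $name in
      *[!A-Za-z0-9_]*|'') echo "ERROR: invalid variable name '$name'" >&2; return 2 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "ERROR: $name is unset or empty; refusing to start with a blank credential" >&2
      missing=1
    fi
  done
  return $missing
}

# The same rule expressed with the shell's own ${VAR:?msg} expansion, which
# is the semantics docker compose applies to the strict form in a compose
# file. Prints the password when set; fails (non-zero) when unset or empty.
expand_password_strict() {
  ( printf '%s' "${COUCHDB_PASSWORD:?COUCHDB_PASSWORD must be set to a non-empty value}" )
}

# Rewrite the weak compose line (silent empty default) into the strict one
# (compose aborts with the message). Reads stdin, writes stdout.
#   weak:   - "COUCHDB_PASSWORD=${COUCHDB_PASSWORD}"
#   strict: - "COUCHDB_PASSWORD=${COUCHDB_PASSWORD:?COUCHDB_PASSWORD must be set}"
harden_password_line() {
  sed 's/\${COUCHDB_PASSWORD}/${COUCHDB_PASSWORD:?COUCHDB_PASSWORD must be set}/g'
}

# Typical use before starting the stack (env names taken from the compose
# files above; the gate is the only addition):
#   require_nonempty COUCHDB_USER COUCHDB_PASSWORD && docker compose up -d
```

The `${VAR:?msg}` form is what turns the warning into a hard failure: with it in the compose file, `docker compose up` stops at substitution time and prints the message, so no container ever starts with an empty admin password. The check function is for wrapper scripts that want the same guarantee independently of which compose file is in use.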
This is ready for AT on 7812-require-password-2.
Hi @garethbowen / @dianabarsan / @mrjones-plip,
~I am trying to test this ticket, but I am not seeing the difference between the behavior that it is showing in master and the one it is showing in the branch 7812-require-password-2. Maybe I am missing something, not sure.~
~These are the files that I am using:~
cht-core.yml

```yaml
version: '3.9'
services:
  haproxy:
    image: 720541322708.dkr.ecr.eu-west-2.amazonaws.com/medic/cht-haproxy:4.0.0-7812-require-password-2
    container_name: cht-haproxy
    hostname: haproxy
    environment:
      - "HAPROXY_IP=${HAPROXY_IP:-haproxy}"
      - "COUCHDB_USER=${COUCHDB_USER:-admin}"
      - "COUCHDB_PASSWORD=${COUCHDB_PASSWORD}"
      - "COUCHDB_SERVERS=${COUCHDB_SERVERS:-couchdb}"
      - "HAPROXY_PORT=${HAPROXY_PORT:-5984}"
    logging:
      driver: "json-file"
      options:
        max-size: "${LOG_MAX_SIZE:-50m}"
        max-file: "${LOG_MAX_FILES:-20}"
    networks:
      - cht-net
    expose:
      - ${HAPROXY_PORT:-5984}
  healthcheck:
    image: 720541322708.dkr.ecr.eu-west-2.amazonaws.com/medic/cht-haproxy-healthcheck:4.0.0-7812-require-password-2
    container_name: cht-haproxy-healthcheck
    environment:
      - "COUCHDB_SERVERS=${COUCHDB_SERVERS:-couchdb}"
      - "COUCHDB_USER=${COUCHDB_USER:-admin}"
      - "COUCHDB_PASSWORD=${COUCHDB_PASSWORD}"
    logging:
      driver: "json-file"
      options:
        max-size: "${LOG_MAX_SIZE:-50m}"
        max-file: "${LOG_MAX_FILES:-20}"
    networks:
      - cht-net
  cht-api:
    image: 720541322708.dkr.ecr.eu-west-2.amazonaws.com/medic/cht-api:4.0.0-7812-require-password-2
    container_name: cht-api
    depends_on:
      - haproxy
    expose:
      - "${API_PORT:-5988}"
    environment:
      - COUCH_URL=http://${COUCHDB_USER:-admin}:password@haproxy:${HAPROXY_PORT:-5984}/medic
      - BUILDS_URL=${MARKET_URL_READ:-https://staging.dev.medicmobile.org}/${BUILDS_SERVER:-_couch/builds}
      - UPGRADE_SERVICE_URL=${UPGRADE_SERVICE_URL:-http://localhost:5100}
    logging:
      driver: "json-file"
      options:
        max-size: "${LOG_MAX_SIZE:-50m}"
        max-file: "${LOG_MAX_FILES:-20}"
    networks:
      - cht-net
  cht-sentinel:
    image: 720541322708.dkr.ecr.eu-west-2.amazonaws.com/medic/cht-sentinel:4.0.0-7812-require-password-2
    container_name: cht-sentinel
    depends_on:
      - haproxy
    environment:
      - COUCH_URL=http://${COUCHDB_USER:-admin}:password@haproxy:${HAPROXY_PORT:-5984}/medic
      - API_HOST=cht-api
    logging:
      driver: "json-file"
      options:
        max-size: "${LOG_MAX_SIZE:-50m}"
        max-file: "${LOG_MAX_FILES:-20}"
    networks:
      - cht-net
  cht-nginx:
    image: public.ecr.aws/s5s3h4s7/cht-nginx:4.0.0-7812-require-password-2
    depends_on:
      - cht-api
      - haproxy
    ports:
      - "${NGINX_HTTP_PORT:-80}:80"
      - "${NGINX_HTTPS_PORT:-443}:443"
    volumes:
      - cht-ssl:/root/.acme.sh/
    environment:
      - "CERTIFICATE_MODE=${CERTIFICATE_MODE:-SELF_SIGNED}"
      - "SSL_CERT_FILE_PATH=${SSL_CERT_FILE_PATH:-/etc/nginx/private/cert.pem}"
      - "SSL_KEY_FILE_PATH=${SSL_KEY_FILE_PATH:-/etc/nginx/private/key.pem}"
      - "COMMON_NAME=${COMMON_NAME:-test-nginx.dev.medicmobile.org}"
      - "EMAIL=${EMAIL:[email protected]}"
      - "COUNTRY=${COUNTRY:-US}"
      - "STATE=${STATE:-California}"
      - "LOCALITY=${LOCALITY:-San_Francisco}"
      - "ORGANISATION=${ORGANISATION:-medic}"
      - "DEPARTMENT=${DEPARTMENT:-Information_Security}"
    networks:
      - cht-net
networks:
  cht-net:
    name: cht-net
volumes:
  cht-ssl:
    name: cht-ssl
```

cht-couchdb.yml

```yaml
version: '3.9'
services:
  couchdb:
    image: 720541322708.dkr.ecr.eu-west-2.amazonaws.com/medic/cht-couchdb:4.0.0-7812-require-password-2
    container_name: cht-couchdb
    volumes:
      - "/Users/tlepiz/Documents/Medic/dockerData/couchdb/data:/opt/couchdb/data"
      - cht-credentials:/opt/couchdb/etc/local.d/
    environment:
      - "COUCHDB_USER=${COUCHDB_USER:-admin}"
      - "COUCHDB_PASSWORD=${COUCHDB_PASSWORD}"
      - "COUCHDB_SECRET=${COUCHDB_SECRET:-6c1953b6-e64d-4b0c-9268-2528396f2f58}"
      - "COUCHDB_UUID=${COUCHDB_UUID:-5c265815-b9e3-47f1-ba8d-c1d50495eeb2}"
      - "SVC_NAME=${SVC_NAME:-couchdb}"
      - "COUCHDB_LOG_LEVEL=${COUCHDB_LOG_LEVEL:-error}"
    restart: always
    networks:
      cht-net:
volumes:
  cht-credentials:
networks:
  cht-net:
    name: cht-net
```
~And this is the result when I try to execute the files:~
video
NOTE: In fact, I was missing something, I was using the wrong files. Thanks again @mrjones-plip for the help
@tatilepizs - per our slack thread, you're using the wrong compose files. Use the ones compiled in CI and pushed to staging.
Using the files provided by @mrjones-plip in the previous comment and the correct branch 7812-require-password-2, it failed quickly as expected.
@tatilepizs - this is ready to merge, yes? If so, can you update the status?
@dianabarsan - can you sit in for Gareth while he's out mash that like, subscribe and merge button? I see the build isn't passing - might need a bit of nudging in the CI dept.
I was already on this, thanks for the nudge :) The old build was stuck because of a bug in how we push over already deleted docs.
Thanks Diana!
Related to this ticket - I was testing another issue and saw this WARNING from docker-compose_cht-couchdb-clustered.yml I believe. Is it of concern such that I should open another issue?

```
WARNING: The COUCHDB_SECRET variable is not set. Defaulting to a blank string.
WARNING: The COUCHDB_UUID variable is not set. Defaulting to a blank string.
```
I don't think that there's any way to avoid these warnings while not also providing a default value.
Cool cool - thank you for confirming!
Merged to master.