feat: add mongod auth on preview (#858)

* feat: add mongod auth on preview

* fix: require authentification for preview & local mongoDB

---------

Co-authored-by: Moroine <[email protected]>

.bin/scripts/seed-apply.sh

@@ -3,7 +3,7 @@
 set -euo pipefail
 
 if [ -z "${1:-}" ]; then
-    readonly TARGET_DB="mongodb://localhost:27017"
+    readonly TARGET_DB="mongodb://__system:password@localhost:27017/?authSource=local&directConnection=true"
 else
     readonly TARGET_DB="$1"
     shift
@@ -35,3 +35,8 @@ ansible-vault view --vault-password-file="$ROOT_DIR/.bin/scripts/get-vault-passw
 rm -f "$SEED_GZ"
 gpg -d --batch --passphrase-file "$PASSPHRASE" -o "$SEED_GZ" "$SEED_GPG"
 cat "$SEED_GZ" | docker compose -f "$ROOT_DIR/docker-compose.yml" exec -iT mongodb mongorestore --archive --nsInclude="labonnealternance.*" --uri="${TARGET_DB}" --drop --gzip
+
+yarn build:dev
+yarn cli migrations:up
+yarn cli mongodb:indexes:create
+yarn cli index

.bin/scripts/seed-update.sh

@@ -3,7 +3,7 @@
 set -euo pipefail
 
 if [ -z "${1:-}" ]; then
-    readonly TARGET_DB="mongodb://localhost:27017"
+    readonly TARGET_DB="mongodb://__system:password@localhost:27017/?authSource=local&directConnection=true"
 else
     readonly TARGET_DB="$1"
     shift
@@ -34,6 +34,12 @@ ansible-vault view --vault-password-file="$ROOT_DIR/.bin/scripts/get-vault-passw
 
 docker compose -f "$ROOT_DIR/docker-compose.yml" up mongodb -d
 mkdir -p "$ROOT_DIR/.infra/files/mongodb"
+
+yarn build:dev
+yarn cli migrations:up
+yarn cli mongodb:indexes:create
+yarn cli index
+
 docker compose -f "$ROOT_DIR/docker-compose.yml" exec -it mongodb mongodump --uri "$TARGET_DB" --gzip --archive > "$SEED_GZ" 
 rm -f "$SEED_GPG"
 gpg  -c --cipher-algo twofish --batch --passphrase-file "$PASSPHRASE" -o "$SEED_GPG" "$SEED_GZ"

.bin/scripts/setup-local-env.sh

@@ -22,7 +22,9 @@ echo "NEXT_PUBLIC_VERSION=0.0.0-local" >> "${ROOT_DIR}/ui/.env"
 echo "NEXT_PUBLIC_API_PORT=5001" >> "${ROOT_DIR}/ui/.env"
 
 yarn
+chmod 400 "${ROOT_DIR}/.infra/local/mongo_keyfile"
 yarn services:start
+yarn setup:mongodb
 yarn build:dev
 yarn cli migrations:up
 yarn cli mongodb:indexes:create

.github/workflows/ci.yml

@@ -11,11 +11,7 @@ jobs:
     timeout-minutes: 10
     name: "Tests"
     runs-on: ubuntu-latest
-    services:
-      mongodb:
-        image: mongo:6.0.2-focal
-        ports:
-          - "27017:27017"
+
     steps:
       - name: Checkout project
         uses: actions/checkout@v4
@@ -46,6 +42,13 @@ jobs:
       - name: typecheck
         run: yarn typecheck:ci
 
+      - name: start mongodb service
+        run: |
+          chmod 400 .infra/local/mongo_keyfile
+          sudo chown 999:999 .infra/local/mongo_keyfile
+          docker compose up -d --wait mongodb
+          yarn setup:mongodb
+
       - name: test
         run: yarn test:ci
 

.infra/ansible/preview.yml

@@ -12,6 +12,12 @@
         chdir: /opt/app
         cmd: docker compose -f docker-compose.preview-system.yml up -d --wait
 
+    - name: Setup MongoDB ReplicaSet
+      shell:
+        chdir: /opt/app
+        cmd: 'docker compose exec -it mongodb mongosh --eval "try { rs.status().ok } catch (e) { if (e.code === 94) {rs.initiate();} else {throw e} }" --quiet'
+      when: env_type == 'preview'
+
     - include_tasks: ./tasks/preview_pr.yml
       vars:
         build: true

.infra/ansible/tasks/files_copy.yml

@@ -23,6 +23,7 @@
     - item.path | basename != '.DS_Store'
     # seed.gpg should not be template replaced
     - item.path | basename != 'seed.gpg'
+    - item.path | basename != 'mongo_keyfile.txt'
     - item.path | basename != 'seed.gz'
     # /app/tools is managed by infra
     - item.path | regex_search('^tools/?') == none
@@ -35,6 +36,15 @@
     mode: "700"
   when: env_type == 'preview'
 
+- name: Copie du fichier mongodb keyfile
+  ansible.builtin.template:
+    src: "{{inventory_dir}}/files/configs/mongodb/mongo_keyfile.txt"
+    dest: "/opt/app/configs/mongodb/mongo_keyfile.txt"
+    mode: "400"
+    owner: 999
+    group: 999
+  when: env_type == 'preview'
+
 - name: copy server env file
   ansible.builtin.template:
     src: "{{ item }}"

.infra/docker-compose.preview-system.yml

@@ -44,15 +44,18 @@ services:
   mongodb:
     <<: *default
     image: mongo:6.0.2-focal
+    hostname: mongodb
     container_name: lba_mongodb
-    ports:
-      - "127.0.0.1:27017:27017"
     deploy:
       resources:
         limits:
           memory: 2g
+    ports:
+      - "127.0.0.1:27017:27017"
+    command: ["-f", "/etc/mongod/mongod.conf"]
     volumes:
       - /opt/app/data/mongodb/db:/data/db
+      - /opt/app/configs/mongodb:/etc/mongod
     healthcheck:
       test: ["CMD", "mongosh", "--eval", '''db.runCommand("ping").ok''', "--quiet"]
       interval: 10s

.infra/files/configs/mongodb/mongo_keyfile.txt

@@ -0,0 +1 @@
+{{vault.MONGODB_KEYFILE}}

.infra/files/configs/mongodb/mongod.conf

@@ -0,0 +1,8 @@
+net:
+  bindIpAll: true
+
+replication:
+  replSetName: replica
+
+security:
+  keyFile: /etc/mongod/mongo_keyfile.txt

.infra/files/scripts/seed.sh

@@ -20,4 +20,4 @@ chmod 600 "$PASSPHRASE"
 rm -r "$SEED_ARCHIVE"
 gpg -d --batch --passphrase-file "$PASSPHRASE" -o "$SEED_ARCHIVE" "/opt/app/configs/mongodb/seed.gpg"
 chmod 600 "$SEED_ARCHIVE"
-cat "$SEED_ARCHIVE" | docker compose -f "/opt/app/docker-compose.preview-system.yml" exec -iT mongodb mongorestore --archive --nsFrom="labonnealternance.*" --nsTo="$TARGET_DB.*" --drop --gzip
+cat "$SEED_ARCHIVE" | docker compose -f "/opt/app/docker-compose.preview-system.yml" exec -iT mongodb mongorestore --archive --nsFrom="labonnealternance.*" --nsTo="$TARGET_DB.*" --drop --gzip "mongodb://__system:{{vault.MONGODB_KEYFILE}}@localhost:27017/?authSource=local&directConnection=true"

.infra/local/mongo_keyfile

@@ -0,0 +1 @@
+password

.infra/local/mongod.conf

@@ -0,0 +1,8 @@
+net:
+  bindIpAll: true
+
+replication:
+  replSetName: replica
+
+security:
+  keyFile: /tmp/mongo_keyfile