Added authentication when accessing Redis DB

README.md

@@ -83,6 +83,8 @@ we will use the regular URL as 'https://api.mailgun.net' as the default.
 Lastly, we have added the ability to specify your own AWSID lambda so that you may host your own. The setting is placed in
 `frontend.env` under `CANARY_AWSID_URL`. If this value is not specified, it will use our default hosted lambda.
 
+If you need to use authentication when connecting to a third-party Redis DB, then in addition to the `CANARY_REDIS_PASSWORD` parameter in `switchboard.env`, you can also use environment variable `REDIS_PASSWORD` (in this case, the parameter must not be specified in `switchboard.env`).
+
 ### Configuration of Outgoing SMTP
 
 When configuring outgoing SMTP please consider the following:

canarytokens/redismanager.py

@@ -13,35 +13,48 @@ class DB:
     __db: Optional[StrictRedis[str]] = None
     __hostname: Optional[str] = None
     __port: Optional[int] = None
+    __password: Optional[str] = None
 
     @classmethod
-    def set_db_details(cls, hostname: str, port: int) -> None:
+    def set_db_details(cls, hostname: str, port: int, password: str) -> None:
         cls.__db = None
         cls.__hostname = hostname
         cls.__port = port
+        cls.__password = password
 
     @classmethod
     def get_db(cls):
         if cls.__db:
             return cls.__db
         else:
             # TODO: Fix settings / config this needs a global re think.
-            return cls.create_db(hostname=cls.__hostname, port=cls.__port)
+            return cls.create_db(hostname=cls.__hostname, port=cls.__port, password=cls.__password)
 
     @classmethod
-    def create_db(cls, *, hostname, port, logical_db=0):
+    def create_db(cls, *, hostname, port, password, logical_db=0):
         if cls.__db:
             # TODO: rethink this. Should be fine but we may want to do better.
             raise RecreatingDBException("A db connection exists and we recreating it!")
 
-        cls.__db = redis.StrictRedis(
-            host=hostname,
-            port=port,
-            db=logical_db,
-            socket_timeout=10,
-            encoding="utf-8",
-            decode_responses=True,
-        )
+        if password=="auth_disabled":
+            cls.__db = redis.StrictRedis(
+                host=hostname,
+                port=port,
+                db=logical_db,
+                socket_timeout=10,
+                encoding="utf-8",
+                decode_responses=True,
+            )
+        else:
+            cls.__db = redis.StrictRedis(
+                host=hostname,
+                port=port,
+                db=logical_db,
+                socket_timeout=10,
+                encoding="utf-8",
+                decode_responses=True,
+                password=password,
+            )
         return cls.__db
 
 

canarytokens/settings.py

@@ -22,6 +22,7 @@ class SwitchboardSettings(BaseSettings):
     REDIS_HOST: str = "localhost" if strtobool(os.getenv("CI", "False")) else "redis"
     REDIS_PORT: Port = Port(6379)
     REDIS_DB: str = "0"
+    REDIS_PASSWORD: str = os.getenv("REDIS_PASSWORD", "auth_disabled")
 
     REAL_IP_HEADER: str = "x-real-ip"
 

frontend/app.py

@@ -314,7 +314,7 @@ def get_canarydrop_and_authenticate(token: str, auth: str = Security(auth_key)):
 @app.on_event("startup")
 def startup_event():
     DB.set_db_details(
-        hostname=switchboard_settings.REDIS_HOST, port=switchboard_settings.REDIS_PORT
+        hostname=switchboard_settings.REDIS_HOST, port=switchboard_settings.REDIS_PORT, password=switchboard_settings.REDIS_PASSWORD
     )
     remove_canary_domain()
     remove_canary_domain()

switchboard/switchboard.env.dist

@@ -12,6 +12,7 @@ CANARY_SWITCHBOARD_SCHEME=http
 #CANARY_REDIS_HOST=
 #CANARY_REDIS_PORT=
 #CANARY_REDIS_DB=
+#CANARY_REDIS_PASSWORD=
 #CANARY_REAL_IP_HEADER=
 
 CANARY_WG_PRIVATE_KEY_SEED=vk/GD+frlhve/hDTTSUvqpQ/WsQtioKAri0Rt5mg7dw=

switchboard/switchboard.tac

@@ -89,7 +89,7 @@ if switchboard_settings.SENTRY_DSN and switchboard_settings.SENTRY_ENABLE:
     globalLogPublisher.addObserver(sentry_observer)
     log.debug(f"Sentry enabled. Environment: {switchboard_settings.SENTRY_ENVIRONMENT}")
 
-DB.set_db_details(switchboard_settings.REDIS_HOST, switchboard_settings.REDIS_PORT)
+DB.set_db_details(switchboard_settings.REDIS_HOST, switchboard_settings.REDIS_PORT, switchboard_settings.REDIS_PASSWORD)
 set_template_env(Path(switchboard_settings.TEMPLATES_PATH))
 add_return_for_token(switchboard_settings.TOKEN_RETURN)