software/headless-chromium: add username/password authentication for frontend

3cefc93e · Eric Zheng · 7686f0c1 · 3cefc93e · 3cefc93e · 3cefc93e
Commit 3cefc93e authored Jul 16, 2021 by Eric Zheng
5 changed files
--- a/software/headless-chromium/buildout.hash.cfg
+++ b/software/headless-chromium/buildout.hash.cfg
 [template-cfg]
 filename = instance.cfg.in
-md5sum = e6ee9b5303b0b40d7e2ed8bcc810b159
+md5sum = cf56bcbabe4dfc8eed62d9687c06925f

 [instance-headless-chromium]
-_update_hash_filename_ = instance_headless-chromium.cfg.in
-md5sum = 8488504d6dd687d953d9a55330ac1fc4
+_update_hash_filename_ = instance-headless-chromium.cfg.in
+md5sum = 2c00054e7055b841b7b289fc548bef9d

 [template-nginx-conf]
 _update_hash_filename_ = templates/nginx.conf.in
-md5sum = c94c00141a078a2ec9fa3ede6313abb8
+md5sum = aafa500604bcd8b29bfabc1d622014f8
--- a/software/headless-chromium/instance_headless-chromium.cfg.in
+++ b/software/headless-chromium/instance_headless-chromium.cfg.in
@@ -3,6 +3,7 @@
 [buildout]
 parts =
  chromium-launcher
+  generate-passwd-file
  nginx-config
  nginx-launcher
  publish-connection-information
@@ -34,13 +35,14 @@ nginx-pid-path = ${directory:log}/nginx.pid
 nginx-temp-path = ${directory:tmp}
 nginx-error-log = ${directory:log}/nginx-error.log
 nginx-access-log = ${directory:log}/nginx-access.log
+nginx-htpasswd-file = ${directory:etc}/.htpasswd

 # Create a launcher script for the headless shell executable.
 # TODO: get rid of --no-sandbox after testing is done
 # TODO: change --remote-debugging-address to actual IP address?
 [chromium-launcher]
 recipe = slapos.cookbook:wrapper
-command-line =  {{ parameter_list['chromium-wrapper'] }} --remote-debugging-address=0.0.0.0 --remote-debugging-port=${headless-chromium:remote-debugging-port} --no-sandbox ${headless-chromium:url}
+command-line =  {{ parameter_list['chromium-wrapper'] }} --remote-debugging-address=${headless-chromium:ipv4} --remote-debugging-port=${headless-chromium:remote-debugging-port} --no-sandbox ${headless-chromium:url}
 wrapper-path = ${directory:service}/chromium
 environment =
  FONTCONFIG_FILE=${font-config:rendered}
@@ -76,11 +78,27 @@ fonts =
 includes =
  {{ parameter_list['fontconfig-location'] }}/etc/fonts/conf.d

+[frontend-instance-password]
+recipe = slapos.cookbook:generate.password
+username = admin
+bytes = 12
+
+# TODO: If we need to add replicate instances, I'm not sure that storing all the passwords in etc/.htpasswd will do, especially given that they all have the same default username...
+[generate-passwd-file]
+recipe = plone.recipe.command
+command =
+  echo -n '${frontend-instance-password:username}:' > ${headless-chromium:nginx-htpasswd-file}
+  openssl passwd -apr1 '${frontend-instance-password:passwd}' >> ${headless-chromium:nginx-htpasswd-file}
+environment =
+  PATH={{ parameter_list['openssl-location'] }}/bin:%(PATH)s
+
 [publish-connection-information]
 recipe = slapos.cookbook:publish
 remote-debug-url = http://${headless-chromium:remote-debugging-address}
 proxy-url = http://${headless-chromium:proxy-address}
 frontend-url = ${remote-debugging-frontend:connection-secure_access}
+username = ${frontend-instance-password:username}
+password = ${frontend-instance-password:passwd}

 # Request a frontend URL from the CDN for the remote debugging interface.
 [remote-debugging-frontend]

--- a/software/headless-chromium/instance.cfg.in
+++ b/software/headless-chromium/instance.cfg.in
@@ -7,6 +7,7 @@ develop-eggs-directory = {{ buildout['develop-eggs-directory'] }}
 offline = true

 [profile-common]
+openssl-location = {{ openssl_location }}
 nginx-location = {{ nginx_location }}
 liberation-fonts-location = {{ liberation_fonts_location }}
 fontconfig-location = {{ fontconfig_location }}

--- a/software/headless-chromium/software.cfg
+++ b/software/headless-chromium/software.cfg
@@ -3,6 +3,7 @@ extends =
  buildout.hash.cfg
  ../../stack/slapos.cfg
  ../../component/headless-chromium-test/buildout.cfg
+  ../../component/openssl/buildout.cfg
  ../../component/nginx/buildout.cfg
  ../../component/fonts/buildout.cfg
  ../../component/fontconfig/buildout.cfg
@@ -18,6 +19,7 @@ template = ${:_profile_base_location_}/${:filename}
 mode = 0644
 context =
  section buildout buildout
+  key openssl_location openssl:location
  key nginx_location nginx:location
  key liberation_fonts_location liberation-fonts:location
  key fontconfig_location fontconfig:location

--- a/software/headless-chromium/templates/nginx.conf.in
+++ b/software/headless-chromium/templates/nginx.conf.in
@@ -11,6 +11,9 @@ http {
  server {
    listen {{ param_headless_chromium['proxy-address'] }};

+    auth_basic "Remote Debugging";
+    auth_basic_user_file {{ param_headless_chromium['nginx-htpasswd-file'] }};
+
    client_body_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    proxy_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    fastcgi_temp_path {{ param_headless_chromium['nginx-temp-path'] }};