Implement AUTH. Closes #58

This change makes password authentication required for redis usage, and removes anonymous access. Users will need to change their underlying clients to enable writing the auth token for authenticating, otherwise requests will fail. This is a non-optional change, and improves security for users who wish to expose their redis installations outside of their network.
2016-08-27 23:39:31 -04:00
parent 92c2957bfc
commit 919832ba2a
7 changed files with 35 additions and 18 deletions
--- a/10
+++ b/10
@@ -22,8 +22,12 @@ service_create() {
  mkdir -p "$SERVICE_ROOT" || dokku_log_fail "Unable to create service directory"
  mkdir -p "$SERVICE_ROOT/data" || dokku_log_fail "Unable to create service data directory"
  mkdir -p "$SERVICE_ROOT/config" || dokku_log_fail "Unable to create service config directory"
-  touch "$LINKS_FILE"
  curl -sSL "https://raw.githubusercontent.com/antirez/redis/${REDIS_IMAGE_VERSION:0:3}/redis.conf" > "$SERVICE_ROOT/config/redis.conf" || dokku_log_fail "Unable to download the default redis.conf to the config directory"
+  PASSWORD=$(openssl rand -hex 32)
+  echo "$PASSWORD" > "$SERVICE_ROOT/PASSWORD"
+  chmod 640 "$SERVICE_ROOT/PASSWORD"
+  sed -i.bak "s/# requirepass.*/requirepass ${PASSWORD}/" "$SERVICE_ROOT/config/redis.conf" && rm "$SERVICE_ROOT/config/redis.conf.bak"
+  touch "$LINKS_FILE"

  if [[ -n $REDIS_CUSTOM_ENV ]]; then
    echo "$REDIS_CUSTOM_ENV" | tr ';' "\n" > "$SERVICE_ROOT/ENV"
@@ -102,8 +106,10 @@ service_start() {

 service_url() {
  local SERVICE="$1"
+  local SERVICE_ROOT="$PLUGIN_DATA_ROOT/$SERVICE"
+  local PASSWORD="$(cat "$SERVICE_ROOT/PASSWORD")"
  local SERVICE_ALIAS="$(service_alias "$SERVICE")"
-  echo "$PLUGIN_SCHEME://$SERVICE_ALIAS:${PLUGIN_DATASTORE_PORTS[0]}"
+  echo "$PLUGIN_SCHEME://$SERVICE:$PASSWORD@$SERVICE_ALIAS:${PLUGIN_DATASTORE_PORTS[0]}"
 }

 update_plugin_scheme_for_app() {