Merge pull request #1546 from govuk-one-login/AUT-1984/revert

Revert "Merge pull request #1470 from govuk-one-login/AUT-1984/do-it-again"
govuk-one-login · Apr 10, 2024 · 9ed2a4d · 9ed2a4d
2 parents 09e19ef + 12f9301
commit 9ed2a4d
Show file tree

Hide file tree

Showing 13 changed files with 80 additions and 1,191 deletions.
diff --git a/.github/workflows/pre-merge-checks.yml b/.github/workflows/pre-merge-checks.yml
@@ -36,8 +36,6 @@ jobs:
         run: yarn lint
       - name: Build app
         run: yarn build
-      - name: Run sidecar tests
-        run: yarn test:sidecar
       - name: Run unit tests
         run: yarn test:unit
       - name: Run integration tests

diff --git a/.github/workflows/test-sidecar.yml b/.github/workflows/test-sidecar.yml
diff --git a/basic-auth-sidecar/Caddyfile b/basic-auth-sidecar/Caddyfile
diff --git a/basic-auth-sidecar/Dockerfile b/basic-auth-sidecar/Dockerfile
@@ -1,12 +1,12 @@
-FROM caddy:2.7-alpine
+FROM nginx:alpine
 
 ENV NGINX_PORT=8080
 
-RUN apk add --no-cache --update jq
+RUN apk add --no-cache --update \
+      apache2-utils jq
 
 COPY entrypoint.sh /entrypoint.sh
+COPY nginx.conf /etc/nginx/templates/default.conf.template
 
-COPY Caddyfile /etc/caddy/Caddyfile
-
-CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]
+CMD ["nginx", "-g", "daemon off;"]
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/basic-auth-sidecar/entrypoint.sh b/basic-auth-sidecar/entrypoint.sh
@@ -1,37 +1,31 @@
 #!/bin/sh
 set -euo
 
-if [ -z "${BASIC_AUTH_USERNAME}" ]; then
+if [ -z "$BASIC_AUTH_USERNAME" ]; then
   echo >&2 "BASIC_AUTH_USERNAME must be set"
   exit 1
 fi
 
-if [ -z "${BASIC_AUTH_PASSWORD}" ]; then
+if [ -z "$BASIC_AUTH_PASSWORD" ]; then
   echo >&2 "BASIC_AUTH_PASSWORD must be set"
   exit 1
 fi
 
-if [ -z "${PROXY_PASS}" ]; then
+if [ -z "$PROXY_PASS" ]; then
   echo >&2 "PROXY_PASS must be set"
   exit 1
 fi
 
-IP_BLOCK_MATCHER="private_ranges"
-if [ -n "${IP_ALLOW_LIST:-}" ]; then
-  IP_BLOCK_MATCHER="$(echo "${IP_ALLOW_LIST}" | jq -r '. | join(" ")')"
+touch /etc/nginx/allow-list.conf
+if [ -n "$IP_ALLOW_LIST" ]; then
+  echo "${IP_ALLOW_LIST}" | jq -r '"allow " + .[] + ";"' >>/etc/nginx/allow-list.conf
 fi
-unset IP_ALLOW_LIST
-export IP_BLOCK_MATCHER
 
-TRUSTED_PROXIES_IPS=""
-if [ -n "${TRUSTED_PROXIES:-}" ]; then
-  TRUSTED_PROXIES_IPS="$(echo "${TRUSTED_PROXIES}" | jq -r '. | join(" ")')"
+touch /etc/nginx/trusted-proxies.conf
+if [ -n "$TRUSTED_PROXIES" ]; then
+  echo "${TRUSTED_PROXIES}" | jq -r '"set_real_ip_from " + .[] + ";"' >>/etc/nginx/trusted-proxies.conf
 fi
-unset TRUSTED_PROXIES
-export TRUSTED_PROXIES_IPS
 
-HASHED_PASSWORD="$(caddy hash-password --plaintext "${BASIC_AUTH_PASSWORD}")"
-unset BASIC_AUTH_PASSWORD
-export HASHED_PASSWORD
+htpasswd -bBc /etc/nginx/.htpasswd "${BASIC_AUTH_USERNAME}" "${BASIC_AUTH_PASSWORD}"
 
-exec "$@"
+exec /docker-entrypoint.sh "$@"
diff --git a/basic-auth-sidecar/nginx.conf b/basic-auth-sidecar/nginx.conf
@@ -0,0 +1,29 @@
+server {
+    listen ${NGINX_PORT};
+    server_name ${NGINX_HOST};
+
+    location / {
+      proxy_pass ${PROXY_PASS};
+
+      satisfy any;
+
+      real_ip_header X-Forwarded-For;
+      real_ip_recursive on;
+      include /etc/nginx/trusted-proxies.conf;
+
+      include /etc/nginx/allow-list.conf;
+      deny all;
+
+      auth_basic "Restricted";
+      auth_basic_user_file /etc/nginx/.htpasswd;
+
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header Authorization "";
+      proxy_redirect off;
+    }
+
+    location /healthcheck {
+        add_header Content-Type text/plain;
+        return 200 'OK';
+    }
+}
diff --git a/ci/terraform/ecs.tf b/ci/terraform/ecs.tf
@@ -6,14 +6,8 @@ locals {
   application_port = var.basic_auth_password == "" ? var.app_port : local.nginx_port
 
   frontend_container_definition = {
-    name  = local.container_name
-    image = "${var.image_uri}:${var.image_tag}@${var.image_digest}"
-
-    cpu            = 0
-    mountpoints    = []
-    systemControls = []
-    volumesFrom    = []
-
+    name      = local.container_name
+    image     = "${var.image_uri}:${var.image_tag}@${var.image_digest}"
     essential = true
     logConfiguration = {
       logDriver = "awslogs"
@@ -189,14 +183,8 @@ locals {
   }
 
   sidecar_container_definition = {
-    name  = "nginx-sidecar"
-    image = "${var.sidecar_image_uri}:${var.sidecar_image_tag}@${var.sidecar_image_digest}"
-
-    cpu            = 0
-    mountpoints    = []
-    systemControls = []
-    volumesFrom    = []
-
+    name      = "nginx-sidecar"
+    image     = "${var.sidecar_image_uri}:${var.sidecar_image_tag}@${var.sidecar_image_digest}"
     essential = true
     logConfiguration = {
       logDriver = "awslogs"
@@ -235,7 +223,7 @@ locals {
       },
       {
         name  = "IP_ALLOW_LIST"
-        value = length(var.basic_auth_bypass_cidr_blocks) == 0 ? "[]" : jsonencode(var.basic_auth_bypass_cidr_blocks)
+        value = length(var.basic_auth_bypass_cidr_blocks) == 0 ? "" : jsonencode(var.basic_auth_bypass_cidr_blocks)
       },
       {
         name  = "TRUSTED_PROXIES"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -59,7 +59,3 @@ services:
 
 networks:
   di-net:
-  ingress:
-    ipam:
-      config:
-        - subnet: 172.100.0.0/16
diff --git a/package.json b/package.json
@@ -26,7 +26,6 @@
     "test:integration": "rm -rf test/coverage && NODE_ENV=development nyc mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
     "test:integration-no-clear-cov": "NODE_ENV=development nyc --no-clean mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
     "test:integration-nocov": "NODE_ENV=development mocha -r dotenv/config  \"src/**/*-integration.test.ts\"",
-    "test:sidecar": "mocha --exclude \"src/**/*-integration.test.ts\"  \"test/basic-auth-sidecar/*.test.ts\"",
     "test:unit": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\"  \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
     "test:unit-nocov": "NODE_ENV=development mocha --exclude \"src/**/*-integration.test.ts\"  \"test/unit/**/*.test.ts\" --recursive \"src/**/*.test.ts\"",
     "test:u1": "rm -rf test/coverage && NODE_ENV=development nyc mocha --exclude \"src/**/*-integration.test.ts\" --recursive \"src/**/your-test*.test.ts\"",
@@ -118,7 +117,6 @@
     "@typescript-eslint/parser": "^7.1.0",
     "chai": "^4.3.6",
     "chai-as-promised": "^7.1.1",
-    "chai-http": "^4.4.0",
     "cheerio": "^1.0.0-rc.10",
     "concurrently": "^8.2.2",
     "copyfiles": "^2.4.1",
@@ -139,7 +137,6 @@
     "sinon": "^13.0.1",
     "sinon-chai": "^3.7.0",
     "supertest": "^6.3.4",
-    "testcontainers": "^10.7.2",
     "ts-node": "^10.5.0",
     "typescript": "^4.5.4",
     "uglify-js": "^3.14.5"

diff --git a/scripts/dev_deploy_common.sh b/scripts/dev_deploy_common.sh
@@ -6,16 +6,9 @@ set -euo pipefail
     exit 1
 }
 
-IMAGE_TAG=latest
-
 REPO_NAME="frontend-image-repository"
 REPO_URL="706615647326.dkr.ecr.eu-west-2.amazonaws.com/frontend-image-repository"
-
-SIDECAR_REPO_NAME="basic-auth-sidecar-image-repository"
-SIDECAR_REPO_URL="706615647326.dkr.ecr.eu-west-2.amazonaws.com/basic-auth-sidecar-image-repository"
-BASIC_AUTH_USERNAME="${BASIC_AUTH_USERNAME:-testuser}"
-BASIC_AUTH_PASSWORD="${BASIC_AUTH_PASSWORD:-testpassword}"
-BASIC_AUTH_BYPASS_CIDR_BLOCKS="${BASIC_AUTH_BYPASS_CIDR_BLOCKS:-[]}"
+IMAGE_TAG=latest
 
 function usage() {
     cat <<USAGE
@@ -27,7 +20,6 @@ function usage() {
 
   Options:
     -b, --build               run docker build and push new version (default)
-    -s, --sidecar             run docker build and push new sidecar version
     -t, --terraform           run terraform to deploy changes (default)
     --destroy                 run terraform with the -destroy flag (destroys all managed resources)
     -p, --prompt              will prompt for plan review before applying any terraform
@@ -37,9 +29,8 @@ USAGE
 }
 
 BUILD=0
-SIDECAR=0
 TERRAFORM=0
-TERRAFORM_OPTS=("-auto-approve")
+TERRAFORM_OPTS="-auto-approve"
 if [[ $# == 0 ]]; then
     BUILD=1
     TERRAFORM=1
@@ -54,13 +45,10 @@ while [[ $# -gt 0 ]]; do
         TERRAFORM=1
         ;;
     --destroy)
-        TERRAFORM_OPTS=("-destroy")
+        TERRAFORM_OPTS="-destroy"
         ;;
     -p | --prompt)
-        TERRAFORM_OPTS=()
-        ;;
-    -s | --sidecar)
-        SIDECAR=1
+        TERRAFORM_OPTS=""
         ;;
     *)
         usage
@@ -82,35 +70,21 @@ aws ecr get-login-password --region eu-west-2 |
     docker login --username AWS --password-stdin "${REPO_URL}"
 
 if [[ $BUILD == "1" ]]; then
-    echo "Building frontend image..."
-    docker buildx build --platform=linux/amd64 --file sandpit.Dockerfile \
-        -t "${REPO_NAME}:latest" \
-        -t "${REPO_URL}:${IMAGE_TAG}" \
-        .
+    echo "Building image..."
+    docker buildx build --platform=linux/amd64 --file sandpit.Dockerfile -t "${REPO_NAME}" .
+    echo "Tagging image..."
+    docker tag "${REPO_NAME}:latest" "${REPO_URL}:${IMAGE_TAG}"
 
-    echo "Pushing frontend image..."
+    echo "Pushing image..."
     docker push "${REPO_URL}:${IMAGE_TAG}"
+    IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
+    echo "Digest = ${IMAGE_DIGEST}"
     echo "Complete"
-
-    if [[ "${SIDECAR}" == "1" ]]; then
-        echo "Building sidecar image..."
-        docker buildx build --platform=linux/amd64 \
-            -t "${SIDECAR_REPO_NAME}:latest" \
-            -t "${SIDECAR_REPO_URL}:${IMAGE_TAG}" \
-            basic-auth-sidecar
-
-        echo "Pushing sidecar image..."
-        docker push "${SIDECAR_REPO_URL}:${IMAGE_TAG}"
-        echo "Complete"
-    fi
 else
     docker pull "${REPO_URL}:${IMAGE_TAG}"
-    [[ "${SIDECAR}" == "1" ]] && docker pull "${SIDECAR_REPO_URL}:${IMAGE_TAG}"
+    IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
 fi
 
-IMAGE_DIGEST="$(docker inspect "${REPO_URL}:${IMAGE_TAG}" | jq -r '.[0].RepoDigests[0] | split("@") | .[1]')"
-[[ "${SIDECAR}" == "1" ]] && SIDECAR_IMAGE_DIGEST="$(docker inspect "${SIDECAR_REPO_URL}:${IMAGE_TAG}" | jq -r '.[].RepoDigests[0] | split("@") | .[1]')"
-
 if [[ $TERRAFORM == "1" ]]; then
     unset AWS_ACCESS_KEY_ID
     unset AWS_SECRET_ACCESS_KEY
@@ -123,25 +97,14 @@ if [[ $TERRAFORM == "1" ]]; then
     pushd "${DIR}/ci/terraform" >/dev/null
     rm -rf .terraform/
     terraform init -backend-config="${DEPLOY_ENV}.hcl"
-    TERRAFORM_OPTS+=("-var-file" "${DEPLOY_ENV}.tfvars" "-var" "image_uri=${REPO_URL}" "-var" "image_digest=${IMAGE_DIGEST}")
-    [[ "${SIDECAR}" == "1" ]] &&
-        TERRAFORM_OPTS+=(
-            "-var" "sidecar_image_uri=${SIDECAR_REPO_URL}"
-            "-var" "sidecar_image_digest=${SIDECAR_IMAGE_DIGEST}"
-            "-var" "basic_auth_username=${BASIC_AUTH_USERNAME}"
-            "-var" "basic_auth_password=${BASIC_AUTH_PASSWORD}"
-            "-var" "basic_auth_bypass_cidr_blocks=${BASIC_AUTH_BYPASS_CIDR_BLOCKS:-[]}")
-
-    terraform apply "${TERRAFORM_OPTS[@]}"
-
-    if [[ "${TERRAFORM_OPTS[1]}" != "-destroy" ]]; then
+    terraform apply ${TERRAFORM_OPTS} -var-file "${DEPLOY_ENV}.tfvars" -var "image_uri=${REPO_URL}" -var "image_digest=${IMAGE_DIGEST}"
+
+    if [[ $TERRAFORM_OPTS != "-destroy" ]]; then
         echo -n "Waiting for ECS deployment to complete ... "
         aws ecs wait services-stable --services "${DEPLOY_ENV}-frontend-ecs-service" --cluster "${DEPLOY_ENV}-app-cluster"
         echo "done!"
     fi
     popd >/dev/null
 fi
 
-[[ "${SIDECAR}" == "1" ]] && echo "Basic auth credentials: testuser/testpassword"
-
 echo "Deployment complete!"