From dced8579f8e21128e4164b5e27f154afd60edb39 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 5 Mar 2013 14:03:29 +0100 Subject: no auto update - migrate the couch before --- .travis.yml | 1 + config/couchdb.yml | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 config/couchdb.yml diff --git a/.travis.yml b/.travis.yml index 6b9a119..5821fda 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,3 +2,4 @@ services: - couchdb notifications: email: false +before_script: "bundle exec rake couchrest:migrate_with_proxies" diff --git a/config/couchdb.yml b/config/couchdb.yml new file mode 100644 index 0000000..2345dc3 --- /dev/null +++ b/config/couchdb.yml @@ -0,0 +1,2 @@ +test: + auto_update_design_doc: false -- cgit v1.2.3 From eb6cd0962108412fe92ac8ee2d013d22c0e709d4 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 5 Mar 2013 14:21:46 +0100 Subject: restrict couch access to admin --- .travis.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 5821fda..44da3cb 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,4 +2,7 @@ services: - couchdb notifications: email: false -before_script: "bundle exec rake couchrest:migrate_with_proxies" +before_script: + - "bundle exec rake couchrest:migrate_with_proxies" + - 'HOST="http://localhost:5984"' + - "curl -X PUT $HOST/_config/admins/anna -d '\"secret\"'" -- cgit v1.2.3 From 3caa4dd1bdf2ddc3c32baf4e3add8cd06c37f9f5 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 5 Mar 2013 14:51:44 +0100 Subject: make sure couchrest actually finds our models in the engines --- .travis.yml | 1 + core/lib/extensions/couchrest.rb | 52 +++++++++++++++++++++++++++++----------- 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/.travis.yml b/.travis.yml index 44da3cb..1d0939d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,5 +4,6 @@ notifications: email: false before_script: - "bundle exec rake couchrest:migrate_with_proxies" + - "bundle exec rake couchrest:migrate_with_proxies" # looks like this needs to run twice - 'HOST="http://localhost:5984"' - "curl -X PUT $HOST/_config/admins/anna -d '\"secret\"'" diff --git a/core/lib/extensions/couchrest.rb b/core/lib/extensions/couchrest.rb index ca4b608..57bb837 100644 --- a/core/lib/extensions/couchrest.rb +++ b/core/lib/extensions/couchrest.rb @@ -1,26 +1,50 @@ module CouchRest - module Model::Designs + module Model + module Designs - class View + class View - # so we can called Ticket.method.descending or Ticket.method.ascending - def ascending - self + # so we can called Ticket.method.descending or Ticket.method.ascending + def ascending + self + end end - end - class DesignMapper - def load_views(dir) - Dir.glob("#{dir}/*.js") do |js| - name = File.basename(js, '.js') - file = File.open(js, 'r') - view name.to_sym, - :map => file.read, - :reduce => "function(key, values, rereduce) { return sum(values); }" + class DesignMapper + def load_views(dir) + Dir.glob("#{dir}/*.js") do |js| + name = File.basename(js, '.js') + file = File.open(js, 'r') + view name.to_sym, + :map => file.read, + :reduce => "function(key, values, rereduce) { return sum(values); }" + end end end end + class Migrate + def self.load_all_models_with_engines + self.load_all_models_without_engines + return unless defined?(Rails) + Dir[Rails.root + '**/models/**/*.rb'].each do |path| + require path + end + end + + def self.all_models_and_proxies + callbacks = migrate_each_model(find_models) + callbacks += migrate_each_proxying_model(find_proxying_models) + cleanup(callbacks) + end + + + + class << self + alias_method_chain :load_all_models, :engines + end + + end end class ModelRailtie -- cgit v1.2.3 From a285e20602bbffbf1436be2036ecf103bb898dfb Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 5 Mar 2013 14:52:49 +0100 Subject: create sessions db - it's not a CouchRest Model db. --- .travis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.travis.yml b/.travis.yml index 1d0939d..63b69b1 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,4 +6,5 @@ before_script: - "bundle exec rake couchrest:migrate_with_proxies" - "bundle exec rake couchrest:migrate_with_proxies" # looks like this needs to run twice - 'HOST="http://localhost:5984"' + - "curl -X PUT $HOST/sessions" - "curl -X PUT $HOST/_config/admins/anna -d '\"secret\"'" -- cgit v1.2.3 From c3bf76fcacb9576f674895a57fd3a47a2872fd8e Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 5 Mar 2013 15:56:02 +0100 Subject: setup user and restrict db access --- .travis.yml | 6 ++++++ config/couchdb.yml | 2 -- config/couchdb.yml.admin | 3 +++ config/couchdb.yml.user | 5 +++++ 4 files changed, 14 insertions(+), 2 deletions(-) delete mode 100644 config/couchdb.yml create mode 100644 config/couchdb.yml.admin create mode 100644 config/couchdb.yml.user diff --git a/.travis.yml b/.travis.yml index 63b69b1..445be1a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,8 +3,14 @@ services: notifications: email: false before_script: + - "mv config/couchdb.yml.admin config/couchdb.yml" - "bundle exec rake couchrest:migrate_with_proxies" - "bundle exec rake couchrest:migrate_with_proxies" # looks like this needs to run twice - 'HOST="http://localhost:5984"' + - "curl -HContent-Type:application/json -vXPUT $HOST/_users/org.couchdb.user:me --data-binary '{\"_id\": \"org.couchdb.user:me\",\"name\": \"me\",\"roles\": [],\"type\": \"user\",\"password\": \"pwd\"}'" - "curl -X PUT $HOST/sessions" + - "curl -vX PUT $HOST/sessions/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" + - "curl -vX PUT $HOST/users/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" + - "curl -vX PUT $HOST/tickets/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" - "curl -X PUT $HOST/_config/admins/anna -d '\"secret\"'" + - "mv config/couchdb.yml.user config/couchdb.yml" diff --git a/config/couchdb.yml b/config/couchdb.yml deleted file mode 100644 index 2345dc3..0000000 --- a/config/couchdb.yml +++ /dev/null @@ -1,2 +0,0 @@ -test: - auto_update_design_doc: false diff --git a/config/couchdb.yml.admin b/config/couchdb.yml.admin new file mode 100644 index 0000000..d3cb72c --- /dev/null +++ b/config/couchdb.yml.admin @@ -0,0 +1,3 @@ +test: + auto_update_design_doc: false + prefix: "" diff --git a/config/couchdb.yml.user b/config/couchdb.yml.user new file mode 100644 index 0000000..9c8b67b --- /dev/null +++ b/config/couchdb.yml.user @@ -0,0 +1,5 @@ +test: + auto_update_design_doc: false + username: "me" + password: "pwd" + prefix: "" -- cgit v1.2.3 From f70366e27aaac985c876d1d0260d7aab8b7ed8b5 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 6 Mar 2013 11:43:49 +0100 Subject: simulate couch migration workflow on travis * first setup couch similar to what we'll have on the platform * then run migrations as admin * then drop admin privileges * then proceed with the normal test script --- .travis.yml | 14 ++++---------- config/couchdb.yml.admin | 3 --- config/couchdb.yml.user | 5 ----- test/config/couchdb.yml.admin | 6 ++++++ test/config/couchdb.yml.user | 5 +++++ test/setup_couch.sh | 15 +++++++++++++++ 6 files changed, 30 insertions(+), 18 deletions(-) delete mode 100644 config/couchdb.yml.admin delete mode 100644 config/couchdb.yml.user create mode 100644 test/config/couchdb.yml.admin create mode 100644 test/config/couchdb.yml.user create mode 100755 test/setup_couch.sh diff --git a/.travis.yml b/.travis.yml index 445be1a..232467c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -2,15 +2,9 @@ services: - couchdb notifications: email: false -before_script: - - "mv config/couchdb.yml.admin config/couchdb.yml" +before_script: + - "test/setup_couch.sh" + - "mv test/config/couchdb.yml.admin config/couchdb.yml" - "bundle exec rake couchrest:migrate_with_proxies" - "bundle exec rake couchrest:migrate_with_proxies" # looks like this needs to run twice - - 'HOST="http://localhost:5984"' - - "curl -HContent-Type:application/json -vXPUT $HOST/_users/org.couchdb.user:me --data-binary '{\"_id\": \"org.couchdb.user:me\",\"name\": \"me\",\"roles\": [],\"type\": \"user\",\"password\": \"pwd\"}'" - - "curl -X PUT $HOST/sessions" - - "curl -vX PUT $HOST/sessions/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" - - "curl -vX PUT $HOST/users/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" - - "curl -vX PUT $HOST/tickets/_security -Hcontent-type:application/json --data-binary '{\"admins\":{\"names\":[],\"roles\":[]},\"members\":{\"names\":[\"me\"],\"roles\":[]}}'" - - "curl -X PUT $HOST/_config/admins/anna -d '\"secret\"'" - - "mv config/couchdb.yml.user config/couchdb.yml" + - "mv test/config/couchdb.yml.user config/couchdb.yml" diff --git a/config/couchdb.yml.admin b/config/couchdb.yml.admin deleted file mode 100644 index d3cb72c..0000000 --- a/config/couchdb.yml.admin +++ /dev/null @@ -1,3 +0,0 @@ -test: - auto_update_design_doc: false - prefix: "" diff --git a/config/couchdb.yml.user b/config/couchdb.yml.user deleted file mode 100644 index 9c8b67b..0000000 --- a/config/couchdb.yml.user +++ /dev/null @@ -1,5 +0,0 @@ -test: - auto_update_design_doc: false - username: "me" - password: "pwd" - prefix: "" diff --git a/test/config/couchdb.yml.admin b/test/config/couchdb.yml.admin new file mode 100644 index 0000000..0988bc1 --- /dev/null +++ b/test/config/couchdb.yml.admin @@ -0,0 +1,6 @@ +test: + auto_update_design_doc: false + username: "anna" + password: "secret" + prefix: "" + diff --git a/test/config/couchdb.yml.user b/test/config/couchdb.yml.user new file mode 100644 index 0000000..9c8b67b --- /dev/null +++ b/test/config/couchdb.yml.user @@ -0,0 +1,5 @@ +test: + auto_update_design_doc: false + username: "me" + password: "pwd" + prefix: "" diff --git a/test/setup_couch.sh b/test/setup_couch.sh new file mode 100755 index 0000000..39e264f --- /dev/null +++ b/test/setup_couch.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +HOST="http://localhost:5984" +echo "creating user :" +curl -HContent-Type:application/json -XPUT $HOST/_users/org.couchdb.user:me --data-binary '{"_id": "org.couchdb.user:me","name": "me","roles": [],"type": "user","password": "pwd"}' +echo "creating databases :" +curl -X PUT $HOST/sessions +curl -X PUT $HOST/users +curl -X PUT $HOST/tickets +echo "restricting database access :" +curl -X PUT $HOST/sessions/_security -Hcontent-type:application/json --data-binary '{"admins":{"names":[],"roles":[]},"members":{"names":["me"],"roles":[]}}' +curl -X PUT $HOST/users/_security -Hcontent-type:application/json --data-binary '{"admins":{"names":[],"roles":[]},"members":{"names":["me"],"roles":[]}}' +curl -X PUT $HOST/tickets/_security -Hcontent-type:application/json --data-binary '{"admins":{"names":[],"roles":[]},"members":{"names":["me"],"roles":[]}}' +echo "adding admin :" +curl -X PUT $HOST/_config/admins/anna -d '"secret"' -- cgit v1.2.3 From 1f874dc62e0d0add285f6ab5ff1b6d8fccaa1912 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 6 Mar 2013 12:29:45 +0100 Subject: updated deploy documentation INSTALL is mostly for development and we do not include couch security advices in there --- DEPLOY.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/DEPLOY.md b/DEPLOY.md index 8ef2a7a..f61301c 100644 --- a/DEPLOY.md +++ b/DEPLOY.md @@ -9,8 +9,8 @@ These instructions are targeting a Debian GNU/Linux system. You might need to ch The following packages need to be installed: * git -* ruby1.8 -* rubygems1.8 +* ruby1.9 +* rubygems1.9 * couchdb (if you want to use a local couch) ### Setup Capistrano ### @@ -25,5 +25,18 @@ run `cap deploy` to deploy to the server. Please make sure your deploy includes the following files: -* config/cert * public/config/provider.json +* config/couchdb.yml + +## Couch Security ## + +We recommend against using an admin user for running the webapp. To avoid this couch design documents need to be created ahead of time and the auto update mechanism needs to be disabled. +Take a look at test/setup_couch.sh for an example of securing the couch. After securing the couch migrations need to be run with admin permissions. The before_script block in .travis.yml illustrates how to do this: + +``` +mv test/config/couchdb.yml.admin config/couchdb.yml # use admin privileges +bundle exec rake couchrest:migrate_with_proxies # run the migrations +bundle exec rake couchrest:migrate_with_proxies # looks like this needs to run twice +mv test/config/couchdb.yml.user config/couchdb.yml # drop admin privileges +``` + -- cgit v1.2.3