feat: add per-deployment authentication for external domains

jeremi · jeremi · commit 63df1db3f1cf · 2025-08-14T11:08:40.000+02:00
- Added auth_password field to Deployment model
- Generate 16-character random passwords on deployment creation
- Create htpasswd files for nginx basic authentication
- Separate nginx server blocks for external (with auth) and internal (no auth) domains
- Display credentials in UI (both deployment card and management view)
- Clean up htpasswd files on deployment removal

Security improvements:
- External domains (*.test.openspp.org) require basic auth
- Internal domains (*.openspp-test.internal) remain auth-free for convenience
- Each deployment has unique credentials (username: deployment-id, password: random)
- Credentials are displayed in the management UI for easy access
diff --git a/app.py b/app.py
@@ -218,6 +218,18 @@ def show_deployment_card(deployment, col_actions):
         with st.expander("📝 Notes"):
             st.text(deployment.notes)
     
+    # Show auth credentials if available
+    config = load_config()
+    if config.nginx_enabled and deployment.auth_password:
+        with st.expander("🔐 Credentials"):
+            col1, col2 = st.columns(2)
+            with col1:
+                st.text("Username:")
+                st.code(deployment.id)
+            with col2:
+                st.text("Password:")
+                st.code(deployment.auth_password)
+    
     st.divider()
 
 def show_create_deployment_form():
@@ -482,6 +494,19 @@ def show_deployment_management(deployment_id):
         with col2:
             st.code(url)
     
+    # Display authentication credentials for external access
+    if config.nginx_enabled and deployment.auth_password:
+        st.markdown("### 🔐 Authentication Credentials")
+        st.info(f"External domains (*.test.openspp.org) require authentication")
+        col1, col2 = st.columns(2)
+        with col1:
+            st.text("Username:")
+            st.code(deployment.id)
+        with col2:
+            st.text("Password:")
+            st.code(deployment.auth_password)
+        st.caption("💡 Internal domains (*.openspp-test.internal) do not require authentication")
+    
     st.divider()
     
     # Create tabs for different management sections
diff --git a/src/deployment_manager.py b/src/deployment_manager.py
@@ -78,6 +78,12 @@ def create_deployment(self, params: DeploymentParams, progress_callback=None) ->
         # Get port mappings
         port_mappings = get_port_mappings(port_base)
         
+        # Generate random password for nginx auth
+        import secrets
+        import string
+        alphabet = string.ascii_letters + string.digits
+        auth_password = ''.join(secrets.choice(alphabet) for _ in range(16))
+        
         # Create deployment object
         deployment = Deployment(
             id=deployment_id,
@@ -90,7 +96,8 @@ def create_deployment(self, params: DeploymentParams, progress_callback=None) ->
             port_base=port_base,
             port_mappings=port_mappings,
             subdomain=self._generate_subdomain(deployment_id),
-            notes=params.notes
+            notes=params.notes,
+            auth_password=auth_password
         )
         
         # Save initial deployment record
diff --git a/src/domain_manager.py b/src/domain_manager.py
@@ -1,5 +1,5 @@
 # ABOUTME: Domain and Nginx configuration manager for deployment subdomains
-# ABOUTME: Handles automatic nginx config generation and SSL setup
+# ABOUTME: Handles automatic nginx config generation and SSL setup with per-deployment auth
 
 import os
 import logging
@@ -28,18 +28,90 @@ def generate_subdomain(self, deployment_id: str) -> str:
         # Simple subdomain: deployment-id.base-domain
         return f"{deployment_id}.{self.config.base_domain}"
     
+    def create_htpasswd_file(self, deployment: Deployment) -> bool:
+        """Create htpasswd file for basic auth"""
+        if not deployment.auth_password:
+            logger.warning(f"No auth password for deployment {deployment.id}")
+            return False
+            
+        htpasswd_path = Path(f"/etc/nginx/htpasswd-{deployment.id}")
+        
+        try:
+            # Generate APR1-MD5 hash (nginx compatible)
+            import crypt
+            # Use deployment.id as username
+            username = deployment.id
+            # Create htpasswd entry
+            htpasswd_entry = f"{username}:{crypt.crypt(deployment.auth_password, crypt.mksalt(crypt.METHOD_MD5))}\n"
+            
+            # Write to temporary file first
+            with tempfile.NamedTemporaryFile(mode='w', delete=False) as tmp:
+                tmp.write(htpasswd_entry)
+                tmp_path = tmp.name
+            
+            # Move to nginx directory (requires sudo)
+            result = run_command(
+                ["sudo", "mv", tmp_path, str(htpasswd_path)]
+            )
+            
+            if result.returncode != 0:
+                logger.error(f"Failed to save htpasswd file: {result.stderr}")
+                if os.path.exists(tmp_path):
+                    os.unlink(tmp_path)
+                return False
+            
+            # Set proper permissions
+            run_command(["sudo", "chmod", "644", str(htpasswd_path)])
+            
+            logger.info(f"Created htpasswd file for {deployment.id}")
+            return True
+            
+        except Exception as e:
+            logger.error(f"Failed to create htpasswd file: {e}")
+            return False
+    
     def generate_nginx_config(self, deployment: Deployment) -> str:
-        """Generate Nginx reverse proxy configuration"""
-        # Support both external (test.openspp.org) and internal (openspp-test.internal) domains
+        """Generate Nginx reverse proxy configuration with auth for external domains only"""
         external_domain = deployment.subdomain  # e.g., test1.test.openspp.org
         internal_domain = f"{deployment.id}.openspp-test.internal"  # e.g., penn-qa-farmer.openspp-test.internal
+        odoo_port = deployment.port_mappings['odoo']
+        smtp_port = deployment.port_mappings.get('smtp', deployment.port_base + 25)
+        pgweb_port = deployment.port_mappings.get('pgweb', deployment.port_base + 81)
+        
+        # Common proxy configuration
+        proxy_config = f"""
+        proxy_pass http://localhost:{odoo_port};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_redirect off;
+        client_max_body_size 100M;"""
+        
+        websocket_config = f"""
+        proxy_pass http://localhost:{odoo_port}/websocket;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400s;
+        proxy_send_timeout 86400s;"""
         
         config = f"""# Auto-generated Nginx configuration for {deployment.id}
 # Generated by OpenSPP Deployment Manager
 
+# ===== EXTERNAL DOMAIN WITH AUTHENTICATION =====
 server {{
     listen 80;
-    server_name {external_domain} {internal_domain};
+    server_name {external_domain};
+    
+    # Basic authentication (username: {deployment.id})
+    auth_basic "OpenSPP Deployment {deployment.id}";
+    auth_basic_user_file /etc/nginx/htpasswd-{deployment.id};
     
     # Security headers
     add_header X-Frame-Options "SAMEORIGIN" always;
@@ -51,84 +123,103 @@ def generate_nginx_config(self, deployment: Deployment) -> str:
     proxy_send_timeout 600s;
     proxy_read_timeout 600s;
     
-    # Main Odoo application
-    location / {{
-        proxy_pass http://localhost:{deployment.port_mappings['odoo']};
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $host;
-        
-        # Odoo specific
-        proxy_redirect off;
-        
-        # Max upload size
-        client_max_body_size 100M;
+    location / {{{proxy_config}
+    }}
+    
+    location /websocket {{{websocket_config}
     }}
     
-    # Websocket support for live chat and real-time features
-    location /websocket {{
-        proxy_pass http://localhost:{deployment.port_mappings['odoo']}/websocket;
+    location /longpolling {{
+        proxy_pass http://localhost:{odoo_port}/longpolling;
         proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
-        
-        # Websocket timeouts
-        proxy_read_timeout 86400s;
-        proxy_send_timeout 86400s;
     }}
     
-    # Longpolling support
+    access_log /var/log/nginx/{deployment.id}_ext_access.log;
+    error_log /var/log/nginx/{deployment.id}_ext_error.log;
+}}
+
+# ===== INTERNAL DOMAIN WITHOUT AUTHENTICATION =====
+server {{
+    listen 80;
+    server_name {internal_domain};
+    
+    # No authentication for internal access
+    
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    
+    # Proxy timeouts
+    proxy_connect_timeout 600s;
+    proxy_send_timeout 600s;
+    proxy_read_timeout 600s;
+    
+    location / {{{proxy_config}
+    }}
+    
+    location /websocket {{{websocket_config}
+    }}
+    
     location /longpolling {{
-        proxy_pass http://localhost:{deployment.port_mappings['odoo']}/longpolling;
+        proxy_pass http://localhost:{odoo_port}/longpolling;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
     }}
     
-    # Static files with caching
-    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {{
-        proxy_pass http://localhost:{deployment.port_mappings['odoo']};
+    access_log /var/log/nginx/{deployment.id}_int_access.log;
+    error_log /var/log/nginx/{deployment.id}_int_error.log;
+}}
+
+# ===== MAILHOG SERVICE =====
+server {{
+    listen 80;
+    server_name mailhog-{external_domain};
+    
+    auth_basic "OpenSPP Mailhog {deployment.id}";
+    auth_basic_user_file /etc/nginx/htpasswd-{deployment.id};
+    
+    location / {{
+        proxy_pass http://localhost:{smtp_port};
         proxy_set_header Host $host;
-        proxy_cache_valid 200 90d;
-        proxy_cache_valid 404 1m;
-        expires 30d;
-        add_header Cache-Control "public, immutable";
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }}
+}}
+
+server {{
+    listen 80;
+    server_name mailhog-{deployment.id}.openspp-test.internal;
     
-    # Health check endpoint
-    location /health {{
-        access_log off;
-        return 200 "healthy\\n";
-        add_header Content-Type text/plain;
-    }}
+    # No auth for internal
     
-    # Deny access to sensitive files
-    location ~ /\. {{
-        deny all;
-        access_log off;
-        log_not_found off;
+    location / {{
+        proxy_pass http://localhost:{smtp_port};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
     }}
-    
-    # Logging
-    access_log /var/log/nginx/{deployment.id}_access.log;
-    error_log /var/log/nginx/{deployment.id}_error.log;
 }}
 
-# Additional services on different ports
+# ===== PGWEB SERVICE =====
 server {{
     listen 80;
-    server_name mailhog-{external_domain} mailhog-{deployment.id}.openspp-test.internal;
+    server_name pgweb-{external_domain};
+    
+    auth_basic "OpenSPP PGWeb {deployment.id}";
+    auth_basic_user_file /etc/nginx/htpasswd-{deployment.id};
     
     location / {{
-        proxy_pass http://localhost:{deployment.port_mappings.get('smtp', deployment.port_base + 25)};
+        proxy_pass http://localhost:{pgweb_port};
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -138,10 +229,12 @@ def generate_nginx_config(self, deployment: Deployment) -> str:
 
 server {{
     listen 80;
-    server_name pgweb-{external_domain} pgweb-{deployment.id}.openspp-test.internal;
+    server_name pgweb-{deployment.id}.openspp-test.internal;
+    
+    # No auth for internal
     
     location / {{
-        proxy_pass http://localhost:{deployment.port_mappings.get('pgweb', deployment.port_base + 81)};
+        proxy_pass http://localhost:{pgweb_port};
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -294,6 +387,11 @@ def reload_nginx(self) -> bool:
     
     def setup_deployment_domain(self, deployment: Deployment) -> bool:
         """Complete domain setup for a deployment"""
+        # Create htpasswd file for authentication
+        if deployment.auth_password:
+            if not self.create_htpasswd_file(deployment):
+                logger.warning(f"Failed to create htpasswd file for {deployment.id}, continuing...")
+        
         # Save nginx config
         if not self.save_nginx_config(deployment):
             return False
@@ -310,6 +408,15 @@ def setup_deployment_domain(self, deployment: Deployment) -> bool:
     
     def cleanup_deployment_domain(self, deployment_id: str) -> bool:
         """Clean up domain configuration for a deployment"""
+        # Remove htpasswd file
+        htpasswd_path = Path(f"/etc/nginx/htpasswd-{deployment_id}")
+        if htpasswd_path.exists():
+            try:
+                run_command(["sudo", "rm", str(htpasswd_path)])
+                logger.info(f"Removed htpasswd file for {deployment_id}")
+            except Exception as e:
+                logger.warning(f"Failed to remove htpasswd file: {e}")
+        
         # Remove nginx config
         if not self.remove_nginx_config(deployment_id):
             return False
diff --git a/src/models.py b/src/models.py
@@ -34,6 +34,7 @@ class Deployment:
     modules_installed: List[str] = field(default_factory=list)  # Installed modules
     last_action: str = ""      # Last executed action
     notes: str = ""            # Tester notes
+    auth_password: str = ""    # Random password for nginx basic auth
     
     def to_dict(self) -> dict:
         """Convert deployment to dictionary for JSON serialization"""
@@ -52,7 +53,8 @@ def to_dict(self) -> dict:
             "subdomain": self.subdomain,
             "modules_installed": self.modules_installed,
             "last_action": self.last_action,
-            "notes": self.notes
+            "notes": self.notes,
+            "auth_password": self.auth_password
         }
     
     @classmethod
