From 44804e0a4b636f30ff540d6be2065bd6456b476b Mon Sep 17 00:00:00 2001
From: Ed
Date: Mon, 24 Nov 2025 06:47:51 -0600
Subject: [PATCH] Allowed indexd to be hidden behind authz

---
 helm/gen3/Chart.yaml | 4 +-
 helm/gen3/README.md | 4 +-
 helm/revproxy/Chart.yaml | 2 +-
 helm/revproxy/README.md | 3 +-
 .../indexd-private/indexd-service.conf | 69 +++++++++++++++++++
 .../{ => indexd}/indexd-service.conf | 0
 helm/revproxy/templates/configMaps.yaml | 7 ++
 helm/revproxy/values.yaml | 2 +
 8 files changed, 85 insertions(+), 6 deletions(-)
 create mode 100644 helm/revproxy/gen3.nginx.conf/indexd-private/indexd-service.conf
 rename helm/revproxy/gen3.nginx.conf/{ => indexd}/indexd-service.conf (100%)

diff --git a/helm/gen3/Chart.yaml b/helm/gen3/Chart.yaml
index 9c9ed51b5..bf349b63b 100644
--- a/helm/gen3/Chart.yaml
+++ b/helm/gen3/Chart.yaml
@@ -100,7 +100,7 @@ dependencies:
 repository: "file://../requestor"
 condition: requestor.enabled
 - name: revproxy
-    version: 0.1.48
+    version: 0.1.49
 repository: "file://../revproxy"
 condition: revproxy.enabled
 - name: sheepdog
@@ -173,7 +173,7 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.96
+version: 0.2.97
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/gen3/README.md b/helm/gen3/README.md
index 33e6be575..7b9a88842 100644
--- a/helm/gen3/README.md
+++ b/helm/gen3/README.md
@@ -1,6 +1,6 @@
 # gen3
-![Version: 0.2.96](https://img.shields.io/badge/Version-0.2.96-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.2.97](https://img.shields.io/badge/Version-0.2.97-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 Helm chart to deploy Gen3 Data Commons
@@ -48,7 +48,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../peregrine | peregrine | 0.1.35 |
 | file://../portal | portal | 0.1.49 |
 | file://../requestor | requestor | 0.1.27 |
-| file://../revproxy | revproxy | 0.1.48 |
+| file://../revproxy | revproxy | 0.1.49 |
 | file://../sheepdog | sheepdog | 0.1.35 |
 | file://../sower | sower | 0.1.38 |
 | file://../ssjdispatcher | ssjdispatcher | 0.1.37 |
diff --git a/helm/revproxy/Chart.yaml b/helm/revproxy/Chart.yaml
index 5c1a5335f..75e8ec128 100644
--- a/helm/revproxy/Chart.yaml
+++ b/helm/revproxy/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.48
+version: 0.1.49
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/helm/revproxy/README.md b/helm/revproxy/README.md
index 3ce73484a..feae96199 100644
--- a/helm/revproxy/README.md
+++ b/helm/revproxy/README.md
@@ -1,6 +1,6 @@
 # revproxy
-![Version: 0.1.48](https://img.shields.io/badge/Version-0.1.48-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.49](https://img.shields.io/badge/Version-0.1.49-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 A Helm chart for gen3 revproxy
@@ -84,6 +84,7 @@ A Helm chart for gen3 revproxy
 | postgres.password | string | `nil` | Password for Postgres. Will be autogenerated if left empty. |
 | postgres.port | string | `"5432"` | Port for Postgres. |
 | postgres.username | string | `nil` | Username for postgres. This is a service override, defaults to - |
+| privateIndexdEnabled | bool | `false` | |
 | release | string | `"production"` | Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". |
 | replicaCount | int | `1` | Number of replicas for the deployment. |
 | resources | map | `{"limits":{"memory":"512Mi"},"requests":{"memory":"12Mi"}}` | Resource requests and limits for the containers in the pod |
diff --git a/helm/revproxy/gen3.nginx.conf/indexd-private/indexd-service.conf b/helm/revproxy/gen3.nginx.conf/indexd-private/indexd-service.conf
new file mode 100644
index 000000000..d73b05f30
--- /dev/null
+++ b/helm/revproxy/gen3.nginx.conf/indexd-private/indexd-service.conf
@@ -0,0 +1,69 @@
+
+ # GA4GH endpoint for DOS resolver and DRS server
+ location /ga4gh/ {
+ error_page 403 @errorworkspace;
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+ set $authz_resource "/indexd_access";
+ set $authz_method "access";
+ set $authz_service "indexd_access";
+ # be careful - sub-request runs in same context as thsis request
+ auth_request /gen3-authz;
+
+ set $proxy_service "indexd";
+ set $upstream http://indexd-service$des_domain;
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/;
+ }
+
+ location /index/ {
+ error_page 403 @errorworkspace;
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+ set $authz_resource "/indexd_access";
+ set $authz_method "access";
+ set $authz_service "indexd_access";
+ # be careful - sub-request runs in same context as this request
+ auth_request /gen3-authz;
+
+ set $proxy_service "indexd";
+ set $upstream http://indexd-service$des_domain;
+ rewrite ^/index/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/index/;
+ }
+
+ location /index-admin/ {
+ if ($csrf_check !~ ^ok-\S.+$) {
+ return 403 "failed csrf check";
+ }
+ set $authz_resource "/indexd_gateway";
+ set $authz_method "access";
+ set $authz_service "indexd_gateway";
+ # be careful - sub-request runs in same context as this request
+ auth_request /gen3-authz;
+
+ #
+ # For some reason nginx breaks the proxy body
+ # if we try to set Authorization from a perl_set variable
+ # that samples the environment ... ugh!
+ #
+ set $indexd_password "Basic ${indexd_b64}";
+
+ # For testing:
+ #add_header Set-Cookie "X-Frickjack=${indexd_password};Path=/;Max-Age=600";
+ set $proxy_service "indexd";
+ set $upstream http://indexd-service$des_domain;
+ rewrite ^/index-admin/(.*) /$1 break;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For "$realip";
+ proxy_set_header X-UserId "$userid";
+ proxy_set_header X-SessionId "$session_id";
+ proxy_set_header X-VisitorId "$visitor_id";
+ proxy_set_header Authorization "$indexd_password";
+
+ proxy_pass $upstream;
+ proxy_redirect http://$host/ https://$host/index-admin/;
+ }
diff --git a/helm/revproxy/gen3.nginx.conf/indexd-service.conf b/helm/revproxy/gen3.nginx.conf/indexd/indexd-service.conf
similarity index 100%
rename from helm/revproxy/gen3.nginx.conf/indexd-service.conf
rename to helm/revproxy/gen3.nginx.conf/indexd/indexd-service.conf
diff --git a/helm/revproxy/templates/configMaps.yaml b/helm/revproxy/templates/configMaps.yaml
index eb0d5655e..701fccb1b 100644
--- a/helm/revproxy/templates/configMaps.yaml
+++ b/helm/revproxy/templates/configMaps.yaml
@@ -18,6 +18,13 @@ data:
 {{ "portal-service.conf" }}: |
 {{- .Files.Get "gen3.nginx.conf/portal-as-root/portal-service.conf" | nindent 4}}
 {{- end }}
+{{- if .Values.privateIndexdEnabled }}
+ {{ "indexd-service.conf" }}: |
+ {{- .Files.Get "gen3.nginx.conf/indexd-private/indexd-service.conf" | nindent 4}}
+{{- else }}
+ {{ "indexd-service.conf" }}: |
+ {{- .Files.Get "gen3.nginx.conf/indexd/indexd-service.conf" | nindent 4}}
+{{- end }}
 {{- range .Values.extraServices }}
 {{ printf "%s-service.conf" .name }}: |
 location {{ .path }}/ {
diff --git a/helm/revproxy/values.yaml b/helm/revproxy/values.yaml
index f169ae61b..701845f4e 100644
--- a/helm/revproxy/values.yaml
+++ b/helm/revproxy/values.yaml
@@ -254,3 +254,5 @@ extraServices:
 # - name: "protein-paint"
 # path: /protein-paint
 # serviceName: protein-paint
+
+privateIndexdEnabled: false
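Review bot: The `/index-admin/` block carries a commented-out debugging directive, `#add_header Set-Cookie "X-Frickjack=${indexd_password};Path=/;Max-Age=600";`, that if ever re-enabled would hand the indexd Basic credential held in `$indexd_password` to the client as a cookie; since this is a brand-new file, drop the `# For testing:` pair rather than copy the hook forward. In `/ga4gh/` and `/index/` the new `auth_request /gen3-authz;` makes an authz denial surface as a 403, which `error_page 403 @errorworkspace;` then routes through the same handler as the csrf failure — if that named location renders an HTML page (not visible here), DRS and indexd API clients will receive HTML rather than an API-style denial, so it is worth confirming what @errorworkspace returns before this is the only path to indexd. The `/ga4gh/` comment also has a typo: `# be careful - sub-request runs in same context as this request`.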
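Review bot: The two arms of `{{- if .Values.privateIndexdEnabled }}` repeat the same `{{ "indexd-service.conf" }}: |` key and `.Files.Get` call and differ only in the directory name, a pairing that tends to drift when one arm is edited later; choosing the directory once keeps a single rendering path: `{{- $indexdDir := ternary "indexd-private" "indexd" .Values.privateIndexdEnabled }}` / `{{ "indexd-service.conf" }}: |` / `{{- .Files.Get (printf "gen3.nginx.conf/%s/indexd-service.conf" $indexdDir) | nindent 4}}`. The rename of the original conf into `gen3.nginx.conf/indexd/` suggests it was previously picked up by whatever enumerates the top-level conf files, so it is worth confirming nothing else still references the old path `gen3.nginx.conf/indexd-service.conf`. The `data:` mapping this sits in begins before the hunk.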
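Review bot: `privateIndexdEnabled: false` is added without a description comment, which appears to be why the generated README row in this same commit has an empty description column. Suggest a helm-docs style line above the key such as `# -- When true, render gen3.nginx.conf/indexd-private/indexd-service.conf, which places the /index/ and /ga4gh/ locations behind the /gen3-authz check on the /indexd_access resource.` so operators can tell what flipping it changes.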