Allowed indexd to be hidden behind authz

helm/gen3/Chart.yaml

@@ -100,7 +100,7 @@ dependencies:
     repository: "file://../requestor"
     condition: requestor.enabled
   - name: revproxy
-    version: 0.1.48
+    version: 0.1.49
     repository: "file://../revproxy"
     condition: revproxy.enabled
   - name: sheepdog
@@ -173,7 +173,7 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 0.2.96
+version: 0.2.97
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/gen3/README.md

@@ -1,6 +1,6 @@
 # gen3
 
-![Version: 0.2.96](https://img.shields.io/badge/Version-0.2.96-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.2.97](https://img.shields.io/badge/Version-0.2.97-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 Helm chart to deploy Gen3 Data Commons
 
@@ -48,7 +48,7 @@ Helm chart to deploy Gen3 Data Commons
 | file://../peregrine | peregrine | 0.1.35 |
 | file://../portal | portal | 0.1.49 |
 | file://../requestor | requestor | 0.1.27 |
-| file://../revproxy | revproxy | 0.1.48 |
+| file://../revproxy | revproxy | 0.1.49 |
 | file://../sheepdog | sheepdog | 0.1.35 |
 | file://../sower | sower | 0.1.38 |
 | file://../ssjdispatcher | ssjdispatcher | 0.1.37 |

helm/revproxy/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.48
+version: 0.1.49
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm/revproxy/README.md

@@ -1,6 +1,6 @@
 # revproxy
 
-![Version: 0.1.48](https://img.shields.io/badge/Version-0.1.48-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
+![Version: 0.1.49](https://img.shields.io/badge/Version-0.1.49-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: master](https://img.shields.io/badge/AppVersion-master-informational?style=flat-square)
 
 A Helm chart for gen3 revproxy
 
@@ -84,6 +84,7 @@ A Helm chart for gen3 revproxy
 | postgres.password | string | `nil` | Password for Postgres. Will be autogenerated if left empty. |
 | postgres.port | string | `"5432"` | Port for Postgres. |
 | postgres.username | string | `nil` | Username for postgres. This is a service override, defaults to <serviceName>-<releaseName> |
+| privateIndexdEnabled | bool | `false` |  |
 | release | string | `"production"` | Valid options are "production" or "dev". If invalid option is set- the value will default to "dev". |
 | replicaCount | int | `1` | Number of replicas for the deployment. |
 | resources | map | `{"limits":{"memory":"512Mi"},"requests":{"memory":"12Mi"}}` | Resource requests and limits for the containers in the pod |

helm/revproxy/gen3.nginx.conf/indexd-private/indexd-service.conf

@@ -0,0 +1,69 @@
+
+          # GA4GH endpoint for DOS resolver and DRS server
+          location /ga4gh/ {
+              error_page 403 @errorworkspace;
+              if ($csrf_check !~ ^ok-\S.+$) {
+                return 403 "failed csrf check";
+              }
+              set $authz_resource "/indexd_access";
+              set $authz_method "access";
+              set $authz_service "indexd_access";
+              # be careful - sub-request runs in same context as thsis request
+              auth_request /gen3-authz;
+
+              set $proxy_service  "indexd";
+              set $upstream http://indexd-service$des_domain;
+              proxy_pass $upstream;
+              proxy_redirect http://$host/ https://$host/;
+          }
+
+          location /index/ {
+              error_page 403 @errorworkspace;
+              if ($csrf_check !~ ^ok-\S.+$) {
+                return 403 "failed csrf check";
+              }
+              set $authz_resource "/indexd_access";
+              set $authz_method "access";
+              set $authz_service "indexd_access";
+              # be careful - sub-request runs in same context as this request
+              auth_request /gen3-authz;
+
+              set $proxy_service  "indexd";
+              set $upstream http://indexd-service$des_domain;
+              rewrite ^/index/(.*) /$1 break;
+              proxy_pass $upstream;
+              proxy_redirect http://$host/ https://$host/index/;
+          }
+
+          location /index-admin/ {
+              if ($csrf_check !~ ^ok-\S.+$) {
+                return 403 "failed csrf check";
+              }
+              set $authz_resource "/indexd_gateway";
+              set $authz_method "access";
+              set $authz_service "indexd_gateway";
+              # be careful - sub-request runs in same context as this request
+              auth_request /gen3-authz;
+
+              #
+              # For some reason nginx breaks the proxy body
+              # if we try to set Authorization from a perl_set variable
+              # that samples the environment ... ugh!
+              #
+              set $indexd_password "Basic ${indexd_b64}";
+
+              # For testing:
+              #add_header Set-Cookie "X-Frickjack=${indexd_password};Path=/;Max-Age=600";
+              set $proxy_service  "indexd";
+              set $upstream http://indexd-service$des_domain;
+              rewrite ^/index-admin/(.*) /$1 break;
+              proxy_set_header   Host $host;
+              proxy_set_header   X-Forwarded-For "$realip";
+              proxy_set_header   X-UserId "$userid";
+              proxy_set_header   X-SessionId "$session_id";
+              proxy_set_header   X-VisitorId "$visitor_id";
+              proxy_set_header   Authorization "$indexd_password";
+
+              proxy_pass $upstream;
+              proxy_redirect http://$host/ https://$host/index-admin/;
+          }

helm/revproxy/templates/configMaps.yaml

@@ -18,6 +18,13 @@ data:
   {{ "portal-service.conf" }}: |
   {{- .Files.Get "gen3.nginx.conf/portal-as-root/portal-service.conf" | nindent 4}}
 {{- end }}
+{{- if .Values.privateIndexdEnabled }}
+  {{ "indexd-service.conf" }}: |
+  {{- .Files.Get "gen3.nginx.conf/indexd-private/indexd-service.conf" | nindent 4}}
+{{- else }}
+  {{ "indexd-service.conf" }}: |
+  {{- .Files.Get "gen3.nginx.conf/indexd/indexd-service.conf" | nindent 4}}
+{{- end }}
 {{- range .Values.extraServices }}
   {{ printf "%s-service.conf" .name }}: |
     location {{ .path }}/ {

helm/revproxy/values.yaml

@@ -254,3 +254,5 @@ extraServices:
 #  - name: "protein-paint"
 #    path: /protein-paint
 #    serviceName: protein-paint
+
+privateIndexdEnabled: false