✨(backend) add url to download media attachments with access rights

We make use of nginx subrequests to block media file downloads while we check for access rights. The request is then proxied to the object storage engine and authorization is added via the "Authorization" header. This way the media urls are static and can be stored in the document's json content without compromising on security: access control is done on all requests based on the user cookie session.
2024-08-19 22:38:41 +02:00
parent c9f1356d3e
commit 67a20f249e
12 changed files with 514 additions and 8 deletions
--- a/src/helm/env.d/dev/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/dev/values.impress.yaml.gotmpl
@@ -103,3 +103,17 @@ ingressWS:
 ingressAdmin:
  enabled: true
  host: impress.127.0.0.1.nip.io
+
+ingressMedia:
+  enabled: true
+  host: impress.127.0.0.1.nip.io
+
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: https://impress.127.0.0.1.nip.io/api/v1.0/documents/retrieve-auth/
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/upstream-vhost: minio.impress.svc.cluster.local:9000
+    nginx.ingress.kubernetes.io/rewrite-target: /impress-media-storage/$1
+
+serviceMedia:
+  host: minio.impress.svc.cluster.local
+  port: 9000
--- a/src/helm/env.d/preprod/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/preprod/values.impress.yaml.gotmpl
@@ -154,3 +154,24 @@ ingressAdmin:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
+
+ingressMedia:
+  enabled: true
+  host: impress-preprod.beta.numerique.gouv.fr
+
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/auth-url: https://impress-preprod.beta.numerique.gouv.fr/api/v1.0/documents/retrieve-auth/
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/upstream-vhost:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: url
+    nginx.ingress.kubernetes.io/rewrite-target: /impress-media-storage/$1
+
+serviceMedia:
+  host:
+    secretKeyRef:
+      name: impress-media-storage.bucket.libre.sh
+      key: url
+  port: 9000
--- a/src/helm/env.d/production/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/production/values.impress.yaml.gotmpl
@@ -154,3 +154,24 @@ ingressAdmin:
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy.beta.numerique.gouv.fr/oauth2/auth
+
+ingressMedia:
+  enabled: true
+  host: docs.numerique.gouv.fr
+
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/auth-url: https://docs.numerique.gouv.fr/api/v1.0/documents/retrieve-auth/
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/upstream-vhost:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: url
+    nginx.ingress.kubernetes.io/rewrite-target: /impress-media-storage/$1
+
+serviceMedia:
+  host:
+    secretKeyRef:
+      name: impress-media-storage.bucket.libre.sh
+      key: url
+  port: 9000
--- a/src/helm/env.d/staging/values.impress.yaml.gotmpl
+++ b/src/helm/env.d/staging/values.impress.yaml.gotmpl
@@ -154,3 +154,24 @@ ingressAdmin:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-signin: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/start
    nginx.ingress.kubernetes.io/auth-url: https://oauth2-proxy-preprod.beta.numerique.gouv.fr/oauth2/auth
+
+ingressMedia:
+  enabled: true
+  host: impress-staging.beta.numerique.gouv.fr
+
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/auth-url: https://impress-staging.beta.numerique.gouv.fr/api/v1.0/documents/retrieve-auth/
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/upstream-vhost:
+      secretKeyRef:
+        name: impress-media-storage.bucket.libre.sh
+        key: url
+    nginx.ingress.kubernetes.io/rewrite-target: /impress-media-storage/$1
+
+serviceMedia:
+  host:
+    secretKeyRef:
+      name: impress-media-storage.bucket.libre.sh
+      key: url
+  port: 9000
--- a/src/helm/impress/templates/ingress_media.yaml
+++ b/src/helm/impress/templates/ingress_media.yaml
@@ -0,0 +1,83 @@
+{{- if .Values.ingressMedia.enabled -}}
+{{- $fullName := include "impress.fullname" . -}}
+{{- if and .Values.ingressMedia.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingressMedia.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingressMedia.annotations "kubernetes.io/ingress.class" .Values.ingressMedia.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-media
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "impress.labels" . | nindent 4 }}
+  {{- with .Values.ingressMedia.annotations }}
+  annotations:
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingressMedia.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingressMedia.className }}
+  {{- end }}
+  {{- if .Values.ingressMedia.tls.enabled }}
+  tls:
+    {{- if .Values.ingressMedia.host }}
+    - secretName: {{ $fullName }}-tls
+      hosts:
+        - {{ .Values.ingressMedia.host | quote }}
+    {{- end }}
+    {{- range .Values.ingressMedia.tls.additional }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- if .Values.ingressMedia.host }}
+    - host: {{ .Values.ingressMedia.host | quote }}
+      http:
+        paths:
+          - path: {{ .Values.ingressMedia.path | quote }}
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-media
+                port:
+                  number: {{ .Values.serviceMedia.port }}
+              {{- else }}
+              serviceName: {{ $fullName }}-media
+              servicePort: {{ .Values.serviceMedia.port }}
+            {{- end }}
+    {{- end }}
+    {{- range .Values.ingressMedia.hosts }}
+    - host: {{ . | quote }}
+      http:
+        paths:
+          - path: {{ $.Values.ingressMedia.path | quote }}
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: Prefix
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-media
+                port:
+                  number: {{ .Values.serviceMedia.port }}
+              {{- else }}
+              serviceName: {{ $fullName }}-media
+              servicePort: {{ .Values.serviceMedia.port }}
+            {{- end }}
+    {{- end }}
+{{- end }}
--- a/src/helm/impress/templates/media_svc.yaml
+++ b/src/helm/impress/templates/media_svc.yaml
@@ -0,0 +1,14 @@
+{{- $fullName := include "impress.fullname" . -}}
+{{- $component := "media" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ $fullName }}-media
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "impress.common.labels" (list . $component) | nindent 4 }}
+  annotations:
+    {{- toYaml $.Values.serviceMedia.annotations | nindent 4 }}
+spec:
+  type: ExternalName
+  externalName: {{ $.Values.serviceMedia.host }}
--- a/src/helm/impress/values.yaml
+++ b/src/helm/impress/values.yaml
@@ -37,7 +37,7 @@ ingress:
  ## @param ingress.hosts Additional host to configure for the Ingress
  hosts: []
  #  - chart-example.local
-  ## @param ingress.tls.enabled Weather to enable TLS for the Ingress
+  ## @param ingress.tls.enabled Wether to enable TLS for the Ingress
  ## @skip ingress.tls.additional
  ## @extra ingress.tls.additional[].secretName Secret name for additional TLS config
  ## @extra ingress.tls.additional[].hosts[] Hosts for additional TLS config
@@ -60,7 +60,7 @@ ingressWS:
  ## @param ingress.hosts Additional host to configure for the Ingress
  hosts: []
  #  - chart-example.local
-  ## @param ingressWS.tls.enabled Weather to enable TLS for the Ingress
+  ## @param ingressWS.tls.enabled Wether to enable TLS for the Ingress
  ## @skip ingressWS.tls.additional
  ## @extra ingressWS.tls.additional[].secretName Secret name for additional TLS config
  ## @extra ingressWS.tls.additional[].hosts[] Hosts for additional TLS config
@@ -87,7 +87,7 @@ ingressAdmin:
  ## @param ingressAdmin.hosts Additional host to configure for the Ingress
  hosts: [ ]
  #  - chart-example.local
-  ## @param ingressAdmin.tls.enabled Weather to enable TLS for the Ingress
+  ## @param ingressAdmin.tls.enabled Wether to enable TLS for the Ingress
  ## @skip ingressAdmin.tls.additional
  ## @extra ingressAdmin.tls.additional[].secretName Secret name for additional TLS config
  ## @extra ingressAdmin.tls.additional[].hosts[] Hosts for additional TLS config
@@ -95,6 +95,36 @@ ingressAdmin:
    enabled: true
    additional: []

+## @param ingressMedia.enabled whether to enable the Ingress or not
+## @param ingressMedia.className IngressClass to use for the Ingress
+## @param ingressMedia.host Host for the Ingress
+## @param ingressMedia.path Path to use for the Ingress
+ingressMedia:
+  enabled: false
+  className: null
+  host: impress.example.com
+  path: /media/(.*)
+  ## @param ingressMedia.hosts Additional host to configure for the Ingress
+  hosts: [ ]
+  #  - chart-example.local
+  ## @param ingressMedia.tls.enabled Wether to enable TLS for the Ingress
+  ## @skip ingressMedia.tls.additional
+  ## @extra ingressMedia.tls.additional[].secretName Secret name for additional TLS config
+  ## @extra ingressMedia.tls.additional[].hosts[] Hosts for additional TLS config
+  tls:
+    enabled: true
+    additional: []
+
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: https://impress.example.com/api/v1.0/documents/retrieve-auth/
+    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization, X-Amz-Date, X-Amz-Content-SHA256"
+    nginx.ingress.kubernetes.io/upstream-vhost: minio.impress.svc.cluster.local:9000
+
+serviceMedia:
+  host: minio.impress.svc.cluster.local
+  port: 9000
+  annotations: {}
+

 ## @section backend