refactor(config)!: re-design and clean-up configuration

.github/workflows/_test_int.yml

@@ -37,7 +37,12 @@ jobs:
         uses: supercharge/[email protected]
         with:
           mongodb-version: ${{ inputs.mongodb }}
-          mongodb-replica-set: test-rs
+          mongodb-username: root
+          mongodb-password: root
+          # FIXME: Currently we cannot configure this action to use authentication together with replica sets as mentioned here: 
+          # https://github.com/supercharge/mongodb-github-action#with-authentication-mongodb---auth-flag
+          # Apparently, the solution is to write a script that sets up the user beforehand.
+          #mongodb-replica-set: test-rs
 
       - name: Test DB
         uses: actions-rs/cargo@v1

README.md

@@ -19,3 +19,16 @@ The changelog can be created using the following command (requires the [`convent
 ```sh
 conventional-changelog -p conventionalcommits -i CHANGELOG.md -s
 ```
+
+## Docker deployment configuration of credentials through environment variables
+
+Docker compose will automatically load credentials for different services from a `.env` file that must either be located in the same directory as the `docker-compose.yml` file, or specified using the `--env-file` flag. You therefore must create such a file before you do a `docker compose up`. An example `.env` file could look like this:
+
+```ini
+MONGODB_USERNAME=root
+MONGODB_PASSWORD=root
+INFLUXDB_USERNAME=root
+INFLUXDB_PASSWORD=password
+JWT_PASSWORD=password
+JWT_SALT=saltines
+```

docker/docker-compose.yml

@@ -8,8 +8,8 @@ services:
     volumes:
       - ./data/chronicle/mongodb:/data/db
     environment:
-      - MONGO_INITDB_ROOT_USERNAME=root
-      - MONGO_INITDB_ROOT_PASSWORD=root
+      - MONGO_INITDB_ROOT_USERNAME=${MONGODB_USERNAME}
+      - MONGO_INITDB_ROOT_PASSWORD=${MONGODB_PASSWORD}
     ports:
       - 27017:27017
 
@@ -29,17 +29,18 @@ services:
     ports:
       - "8042:8042/tcp" # REST API
       - "9100:9100/tcp" # Metrics
-    environment:
-      - RUST_LOG=warn,inx_chronicle=debug
     tty: true
     command:
-      - "--config=config.toml"
-      - "--inx-url=http://hornet:9029"
       - "--mongodb-conn-str=mongodb://mongo:27017"
+      - "--mongodb-username=${MONGODB_USERNAME}"
+      - "--mongodb-password=${MONGODB_PASSWORD}"
       - "--influxdb-url=http://influx:8086"
+      - "--influxdb-username=${INFLUXDB_USERNAME}"
+      - "--influxdb-password=${INFLUXDB_PASSWORD}"
+      - "--inx-url=http://hornet:9029"
+      - "--jwt-password=${JWT_PASSWORD}"
+      - "--jwt-salt=${JWT_SALT}"
       - "--loki-url=http://loki:3100"
-    volumes:
-      - ../config.template.toml:/app/config.toml:ro
 
   influx:
     image: influxdb:1.8
@@ -48,8 +49,8 @@ services:
       - ./data/chronicle/influxdb:/var/lib/influxdb
       - ./assets/influxdb/init.iql:/docker-entrypoint-initdb.d/influx_init.iql
     environment:
-      - INFLUXDB_ADMIN_USER=root
-      - INFLUXDB_ADMIN_PASSWORD=password
+      - INFLUXDB_ADMIN_USER=${INFLUXDB_USERNAME}
+      - INFLUXDB_ADMIN_PASSWORD=${INFLUXDB_PASSWORD}
       - INFLUXDB_HTTP_AUTH_ENABLED=true
       # The following variables are used to scale InfluxDB to larger amounts of data. It remains to be seen how this 
       # will affect performance in the long run.

src/bin/inx-chronicle/api/auth.rs

@@ -9,22 +9,22 @@ use axum::{
     TypedHeader,
 };
 
-use super::{config::ApiData, error::RequestError, ApiError, AuthError};
+use super::{config::ApiConfigData, error::RequestError, ApiError, AuthError};
 
 pub struct Auth;
 
 #[async_trait]
 impl<S: Send + Sync> FromRequestParts<S> for Auth
 where
-    ApiData: FromRef<S>,
+    ApiConfigData: FromRef<S>,
 {
     type Rejection = ApiError;
 
     async fn from_request_parts(req: &mut axum::http::request::Parts, state: &S) -> Result<Self, Self::Rejection> {
         // Unwrap: <OriginalUri as FromRequest>::Rejection = Infallable
         let OriginalUri(uri) = OriginalUri::from_request_parts(req, state).await.unwrap();
 
-        let config = ApiData::from_ref(state);
+        let config = ApiConfigData::from_ref(state);
 
         if config.public_routes.is_match(&uri.to_string()) {
             return Ok(Auth);
@@ -37,10 +37,10 @@ where
 
         jwt.validate(
             Validation::default()
-                .with_issuer(ApiData::ISSUER)
-                .with_audience(ApiData::AUDIENCE)
+                .with_issuer(ApiConfigData::ISSUER)
+                .with_audience(ApiConfigData::AUDIENCE)
                 .validate_nbf(true),
-            config.secret_key.as_ref(),
+            config.jwt_secret_key.as_ref(),
         )
         .map_err(AuthError::InvalidJwt)?;
 

src/bin/inx-chronicle/api/config.rs

@@ -10,71 +10,83 @@ use tower_http::cors::AllowOrigin;
 
 use super::{error::ConfigError, SecretKey};
 
+pub const DEFAULT_ENABLED: bool = true;
+pub const DEFAULT_PORT: u16 = 8042;
+pub const DEFAULT_ALLOW_ORIGINS: &str = "0.0.0.0";
+pub const DEFAULT_PUBLIC_ROUTES: &str = "api/core/v2/*";
+pub const DEFAULT_MAX_PAGE_SIZE: usize = 1000;
+pub const DEFAULT_JWT_PASSWORD: &str = "password";
+pub const DEFAULT_JWT_SALT: &str = "saltines";
+pub const DEFAULT_JWT_EXPIRATION: &str = "72h";
+
 /// API configuration
 #[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
 #[serde(default, deny_unknown_fields)]
 pub struct ApiConfig {
     pub enabled: bool,
     pub port: u16,
     pub allow_origins: SingleOrMultiple<String>,
-    pub password_hash: String,
-    pub password_salt: String,
-    #[serde(with = "humantime_serde")]
-    pub jwt_expiration: Duration,
     pub public_routes: Vec<String>,
-    pub identity_path: Option<String>,
     pub max_page_size: usize,
-    pub argon_config: ArgonConfig,
+    pub jwt_password: String,
+    pub jwt_salt: String,
+    pub jwt_identity_file: Option<String>,
+    #[serde(with = "humantime_serde")]
+    pub jwt_expiration: Duration,
 }
 
 impl Default for ApiConfig {
     fn default() -> Self {
         Self {
-            enabled: true,
-            port: 8042,
-            allow_origins: "*".to_string().into(),
-            password_hash: "c42cf2be3a442a29d8cd827a27099b0c".to_string(),
-            password_salt: "saltines".to_string(),
-            // 72 hours
-            jwt_expiration: Duration::from_secs(72 * 60 * 60),
-            public_routes: Default::default(),
-            identity_path: None,
-            max_page_size: 1000,
-            argon_config: Default::default(),
+            enabled: DEFAULT_ENABLED,
+            port: DEFAULT_PORT,
+            allow_origins: SingleOrMultiple::Single(DEFAULT_ALLOW_ORIGINS.to_string()),
+            public_routes: vec![DEFAULT_PUBLIC_ROUTES.to_string()],
+            max_page_size: DEFAULT_MAX_PAGE_SIZE,
+            jwt_identity_file: None,
+            jwt_password: DEFAULT_JWT_PASSWORD.to_string(),
+            jwt_salt: DEFAULT_JWT_SALT.to_string(),
+            jwt_expiration: DEFAULT_JWT_EXPIRATION.parse::<humantime::Duration>().unwrap().into(),
         }
     }
 }
 
 #[derive(Clone, Debug)]
-pub struct ApiData {
+pub struct ApiConfigData {
     pub port: u16,
     pub allow_origins: AllowOrigin,
-    pub password_hash: Vec<u8>,
-    pub password_salt: String,
-    pub jwt_expiration: Duration,
     pub public_routes: RegexSet,
-    pub secret_key: SecretKey,
     pub max_page_size: usize,
-    pub argon_config: ArgonConfig,
+    pub jwt_password_hash: Vec<u8>,
+    pub jwt_password_salt: String,
+    pub jwt_secret_key: SecretKey,
+    pub jwt_expiration: Duration,
+    pub jwt_argon_config: JwtArgonConfig,
 }
 
-impl ApiData {
+impl ApiConfigData {
     pub const ISSUER: &'static str = "chronicle";
     pub const AUDIENCE: &'static str = "api";
 }
 
-impl TryFrom<ApiConfig> for ApiData {
+impl TryFrom<ApiConfig> for ApiConfigData {
     type Error = ConfigError;
 
     fn try_from(config: ApiConfig) -> Result<Self, Self::Error> {
         Ok(Self {
             port: config.port,
             allow_origins: AllowOrigin::try_from(config.allow_origins)?,
-            password_hash: hex::decode(config.password_hash)?,
-            password_salt: config.password_salt,
-            jwt_expiration: config.jwt_expiration,
             public_routes: RegexSet::new(config.public_routes.iter().map(route_to_regex).collect::<Vec<_>>())?,
-            secret_key: match &config.identity_path {
+            max_page_size: config.max_page_size,
+            jwt_password_hash: argon2::hash_raw(
+                config.jwt_password.as_bytes(),
+                config.jwt_salt.as_bytes(),
+                &Into::into(&JwtArgonConfig::default()),
+            )
+            // TODO: Replace this once we switch to a better error lib
+            .expect("invalid JWT config"),
+            jwt_password_salt: config.jwt_salt,
+            jwt_secret_key: match &config.jwt_identity_file {
                 Some(path) => SecretKey::from_file(path)?,
                 None => {
                     if let Ok(path) = std::env::var("IDENTITY_PATH") {
@@ -84,8 +96,8 @@ impl TryFrom<ApiConfig> for ApiData {
                     }
                 }
             },
-            max_page_size: config.max_page_size,
-            argon_config: config.argon_config,
+            jwt_expiration: config.jwt_expiration,
+            jwt_argon_config: JwtArgonConfig::default(),
         })
     }
 }
@@ -130,9 +142,27 @@ impl TryFrom<SingleOrMultiple<String>> for AllowOrigin {
     }
 }
 
+impl<T: Default> Default for SingleOrMultiple<T> {
+    fn default() -> Self {
+        Self::Single(Default::default())
+    }
+}
+
+impl<T: Clone> From<&Vec<T>> for SingleOrMultiple<T> {
+    fn from(value: &Vec<T>) -> Self {
+        if value.is_empty() {
+            unreachable!("Vec must have single or multiple elements")
+        } else if value.len() == 1 {
+            Self::Single(value[0].clone())
+        } else {
+            Self::Multiple(value.to_vec())
+        }
+    }
+}
+
 #[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
 #[serde(default)]
-pub struct ArgonConfig {
+pub struct JwtArgonConfig {
     /// The length of the resulting hash.
     hash_length: u32,
     /// The number of lanes in parallel.
@@ -149,7 +179,7 @@ pub struct ArgonConfig {
     version: argon2::Version,
 }
 
-impl Default for ArgonConfig {
+impl Default for JwtArgonConfig {
     fn default() -> Self {
         Self {
             hash_length: 32,
@@ -162,8 +192,8 @@ impl Default for ArgonConfig {
     }
 }
 
-impl<'a> From<&'a ArgonConfig> for argon2::Config<'a> {
-    fn from(val: &'a ArgonConfig) -> Self {
+impl<'a> From<&'a JwtArgonConfig> for argon2::Config<'a> {
+    fn from(val: &'a JwtArgonConfig) -> Self {
         Self {
             ad: &[],
             hash_length: val.hash_length,