From d621fb62dfde120c62ae4b75802a179231752f7e Mon Sep 17 00:00:00 2001
From: Brett
Date: Wed, 31 May 2023 14:26:56 +0200
Subject: [PATCH] Initial Security updates

- Update database user names and passwords
- The CKAN database is created with a new SQL script in the docker-entrypoint-initdb.d/ directory
- Remove host port for CKAN container - now has a front-end network for NGINX and a back-end network for the rest of the containers, plus NGINX

---
 .env | 10 ++++----
 docker-compose.yml | 23 ++++++++++++++++---
 postgresql/Dockerfile | 7 +++---
 .../10_create_ckandb.sql | 4 ++++
 ..._datastore.sql => 20_create_datastore.sql} | 2 +-
 .../20_setup_test_databases.sql | 2 --
 .../30_setup_test_databases.sql | 2 ++
 7 files changed, 37 insertions(+), 13 deletions(-)
 create mode 100755 postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sql
 rename postgresql/docker-entrypoint-initdb.d/{10_create_datastore.sql => 20_create_datastore.sql} (74%)
 delete mode 100755 postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql
 create mode 100755 postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql

diff --git a/.env b/.env
index 21d25d4..bde6805 100644
--- a/.env
+++ b/.env
@@ -13,13 +13,15 @@ NGINX_PORT_HOST=81
 NGINX_SSLPORT_HOST=8443
 
 # CKAN databases
-POSTGRES_USER=ckan
-POSTGRES_PASSWORD=ckan
+POSTGRES_USER=admindbuser
+POSTGRES_PASSWORD=admindbpassword
+CKAN_DB_USER=ckandbuser
+CKAN_DB_PASSWORD=ckandbpassword
 DATASTORE_READONLY_USER=datastore_ro
 DATASTORE_READONLY_PASSWORD=datastore
 POSTGRES_HOST=db
-CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
-CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
+CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
+CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
 CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
 
 # Test database connections
diff --git a/docker-compose.yml b/docker-compose.yml
index 8548f0e..029e591 100755
--- a/docker-compose.yml
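Review bot: The renamed accounts still ship with literal, guessable passwords in a committed file (`admindbpassword`, `ckandbpassword`), and `DATASTORE_READONLY_PASSWORD=datastore` is left as it was, so the "security update" in the title does not yet change the exposure of these credentials. The `ckandbuser:ckandbpassword` pair is also repeated inside `CKAN_SQLALCHEMY_URL` and `CKAN_DATASTORE_WRITE_URL`, so rotating `CKAN_DB_PASSWORD` without editing both URLs would leave CKAN connecting with the stale secret. At minimum add a comment above the block, `# Placeholder credentials: change before deploying; the *_URL values below must match CKAN_DB_USER / CKAN_DB_PASSWORD`, and consider keeping only a `.env.example` under version control. If the Compose version in use interpolates variables inside `.env`, building the URLs from `${CKAN_DB_USER}:${CKAN_DB_PASSWORD}` would remove the duplication (unverified from this page).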
+++ b/docker-compose.yml
@@ -12,6 +12,9 @@ services:
     build:
       context: nginx/
       dockerfile: Dockerfile
+    networks:
+      - frontend
+      - backend
     depends_on:
       ckan:
         condition: service_healthy
@@ -26,6 +29,8 @@ services:
       dockerfile: Dockerfile
       args:
         - TZ=${TZ}
+    networks:
+      - backend
     env_file:
       - .env
     depends_on:
@@ -35,8 +40,6 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
-    ports:
-      - "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}"
     volumes:
       - ckan_storage:/var/lib/ckan
     restart: unless-stopped
@@ -45,6 +48,8 @@ services:
 
   datapusher:
     container_name: ${DATAPUSHER_CONTAINER_NAME}
+    networks:
+      - backend
     image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
     restart: unless-stopped
     healthcheck:
@@ -57,18 +62,24 @@ services:
       args:
         - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
         - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+        - CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
+    networks:
+      - backend
     environment:
       - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+      - CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}
       - PGDATA=/var/lib/postgresql/data/db
     volumes:
       - pg_data:/var/lib/postgresql/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "pg_isready", "-U", "ckan"]
+      test: ["CMD", "pg_isready", "-U", "admindbuser", "-d", "admindb"]
 
   solr:
     container_name: ${SOLR_CONTAINER_NAME}
+    networks:
+      - backend
     image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
     volumes:
       - solr_data:/var/solr
@@ -78,7 +89,13 @@ services:
 
   redis:
     container_name: ${REDIS_CONTAINER_NAME}
+    networks:
+      - backend
     image: redis:${REDIS_VERSION}
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "redis-cli", "-e", "QUIT"]
+
+networks:
+  frontend:
+  backend:
diff --git a/postgresql/Dockerfile b/postgresql/Dockerfile
index e912383..f78bb92 100755
--- a/postgresql/Dockerfile
+++ b/postgresql/Dockerfile
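Review bot: In the `db` hunk (`@@ -57,18 +62,24 @@`), the new `- CKAN_DB_PASSWORD=${CKAN_DB_PASSWORD}` under `build.args` hands the password to the image build, where build arguments are recorded in the image's layer metadata and readable by anyone who can inspect or pull the image; the init script `10_create_ckandb.sql` reads `$CKAN_DB_PASSWORD` from the container environment at startup, which the `environment:` entry a few lines below already supplies, and the matching `ARG CKAN_DB_PASSWORD` in `postgresql/Dockerfile` is not used by any visible instruction. Drop the build arg here and the `ARG` line in the Dockerfile; the two pre-existing password build args appear to have the same problem and are worth the same treatment (inferred, since the full Dockerfile is not in view). The rewritten healthcheck hard-codes `"admindbuser"` and `"admindb"` while `.env` now defines `POSTGRES_USER=admindbuser`; `test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"]` would keep them in one place, provided `POSTGRES_DB` is also exported from `.env` rather than only set in the Dockerfile.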
@@ -4,10 +4,11 @@ FROM postgres:12-alpine
 RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
 
 # Customize default user/pass/db
-ENV POSTGRES_DB ckan
-ENV POSTGRES_USER ckan
+ENV POSTGRES_DB admindb
+ENV POSTGRES_USER admindbuser
 ARG POSTGRES_PASSWORD
+ARG CKAN_DB_PASSWORD
 ARG DATASTORE_READONLY_PASSWORD
 
 # Include extra setup scripts (eg datastore)
-ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
+ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
\ No newline at end of file
diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sql b/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sql
new file mode 100755
index 0000000..5ac296d
--- /dev/null
+++ b/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sql
@@ -0,0 +1,4 @@
+\set ckan_db_password '\'' `echo $CKAN_DB_PASSWORD` '\''
+
+CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD :ckan_db_password;
+CREATE DATABASE ckandb OWNER ckandbuser ENCODING 'utf-8';
diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql b/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sql
similarity index 74%
rename from postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql
rename to postgresql/docker-entrypoint-initdb.d/20_create_datastore.sql
index 8038de0..8cee4fd 100755
--- a/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql
+++ b/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sql
@@ -1,4 +1,4 @@
 \set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\''
 
 CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password;
-CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8';
+CREATE DATABASE datastore OWNER ckandbuser ENCODING 'utf-8';
diff --git a/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql b/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql
deleted file mode 100755
index 140f2e5..0000000
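Review bot: The rewritten `ENV POSTGRES_DB admindb` and `ENV POSTGRES_USER admindbuser` keep the whitespace-separated `ENV` form, which the Dockerfile reference marks as discouraged in favour of `ENV POSTGRES_DB=admindb` / `ENV POSTGRES_USER=admindbuser`; since these lines are being rewritten anyway, switching them costs nothing. The `+ADD` line is otherwise identical to the one it replaces but drops the file's trailing newline (`\ No newline at end of file`), which will show up as noise in every later diff of this file — restore it.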
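Review bot: `CREATE ROLE ckandbuser NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD :ckan_db_password;` gives the application account CREATEROLE, which on the `postgres:12` base image lets that role create further login roles, alter or drop any non-superuser role and grant itself membership in them — including `datastore_ro`, which undoes the read-only separation the datastore scripts establish. Nothing in this patch needs it: the test databases are created by the entrypoint as the superuser in `30_setup_test_databases.sql`, and ownership of `ckandb` and `datastore` does not require CREATEDB either (presumably; confirm CKAN's own migrations do not create databases). Match the `datastore_ro` definition, `CREATE ROLE ckandbuser NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :ckan_db_password;`. The role and database names are literals here while `.env` introduces `CKAN_DB_USER=ckandbuser`, so a comment at the top, `-- role/db names must match CKAN_DB_USER and CKAN_SQLALCHEMY_URL in .env`, would flag the coupling until the name is passed in like the password is.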
--- a/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql
+++ /dev/null
@@ -1,2 +0,0 @@
-CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8';
-CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8';
diff --git a/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql b/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql
new file mode 100755
index 0000000..8babb2f
--- /dev/null
+++ b/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql
@@ -0,0 +1,2 @@
+CREATE DATABASE ckan_test OWNER ckandbuser ENCODING 'utf-8';
+CREATE DATABASE datastore_test OWNER ckandbuser ENCODING 'utf-8';