From 8298ce4755a7ccd5f182d97489082969eaecfa1a Mon Sep 17 00:00:00 2001 From: cesine Date: Tue, 9 Dec 2025 17:28:10 -0500 Subject: [PATCH 1/4] turn back on ssl on couchdb --- .github/workflows/node.js.yml | 2 +- Dockerfile-couchdb | 1 + docker-compose.yml | 1 + etc/local.ini | 17 +++++++++++++++++ package.json | 2 +- 5 files changed, 21 insertions(+), 2 deletions(-) diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index 048b287f..b64cea8a 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml @@ -31,7 +31,7 @@ jobs: - name: Create local config for tests run: | - echo 'module.exports = { usersDbConnection: { url: "http://localhost:5984" }};' > config/local.js + echo 'module.exports = { usersDbConnection: { url: "https://localhost:6984" }};' > config/local.js - name: Run Integration tests run: DEBUG=replay* npm run coverage || echo 'Test run failed replay no longer is working with latest nano which uses node fetch' diff --git a/Dockerfile-couchdb b/Dockerfile-couchdb index 1fdd4ef0..0904369b 100644 --- a/Dockerfile-couchdb +++ b/Dockerfile-couchdb @@ -3,6 +3,7 @@ FROM couchdb:3.5.1 WORKDIR / COPY etc/* /opt/couchdb/etc/ +COPY config/ssl_debug.* /opt/couchdb/etc/ RUN set +x; \ curl -X PUT http://admin:none@127.0.0.1:5984/_users; \ diff --git a/docker-compose.yml b/docker-compose.yml index 3920923f..41d59512 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,6 +13,7 @@ services: dockerfile: ./Dockerfile-couchdb ports: - 5984:5984 + - 6984:6984 environment: - COUCHDB_USER=admin - COUCHDB_PASSWORD=none diff --git a/etc/local.ini b/etc/local.ini index b0d2906a..c3a7ae8a 100644 --- a/etc/local.ini +++ b/etc/local.ini 
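Review bot: The new `COPY config/ssl_debug.* /opt/couchdb/etc/` line bakes the TLS private key from the build context into the image, and the second patch in this series deletes `config/ssl_debug.key` from the repository, which suggests the key was committed alongside the certificate. A key that has been in git history has to be treated as public, so it should only ever serve the localhost debug listener; a comment on the line such as `# debug-only self-signed pair for the local compose setup; never reuse elsewhere` makes that explicit. Generating the pair in a RUN step at build time would avoid keeping any key in the repository at all. The same applies to the `config/fielddb_debug.*` pair that replaces it in the second patch.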
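Review bot: `- 6984:6984` publishes the new TLS port on every host interface, while the `environment` block directly below it sets `COUCHDB_PASSWORD=none`. For a development compose file, binding the mapping to loopback — `- 127.0.0.1:6984:6984` — keeps an admin-default CouchDB off the LAN; the pre-existing `5984:5984` mapping would benefit from the same treatment.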
@@ -14,3 +14,20 @@ admin = -pbkdf2-3f04b4318f9a5b3c20ff99fa9194744d0cffa603,e5fbfb69d2a5db31325d234
 [replicator]
 auth_plugins = couch_replicator_auth_noop
+
+[daemons]
+; enable SSL support by uncommenting the following line and supply the PEM's below.
+; the default ssl port CouchDB listens on is 6984
+httpsd = {couch_httpd, start_link, [https]}
+
+[ssl]
+enable = true
+; ciphers = undefined
+;tls_versions = undefined
+; secure_renegotiate = undefined
+cert_file = /opt/couchdb/etc/ssl_debug.crt
+key_file = /opt/couchdb/etc/ssl_debug.key
+; set to true to validate peer certificates
+verify_ssl_certificates = false
+; maximum peer certificate depth
+ssl_certificate_max_depth = 1
\ No newline at end of file
diff --git a/package.json b/package.json
index 6c66d86e..a369c62f 100644
--- a/package.json
+++ b/package.json
@@ -64,7 +64,7 @@
 "docker:build": "docker build -t fielddb-auth .",
 "docker:test": "echo 'module.exports = { usersDbConnection: { url: \"http://localhost:5984\" } };' > config/local.js && docker compose up -d && sleep 3 && docker compose logs && npm run setup && npm run test:deprecated",
 "docker:test:no-cache": "echo 'module.exports = { usersDbConnection: { url: \"http://localhost:5984\" } };' > config/local.js && docker compose build --no-cache && docker compose up -d && sleep 15 && docker compose logs && npm run setup && npm run test:deprecated",
- "coverage": "NODE_ENV=test BUNYAN_LOG_LEVEL=FATAL NODE_TLS_REJECT_UNAUTHORIZED=0 nyc npm test",
+ "coverage": "NODE_ENV=test BUNYAN_LOG_LEVEL=FATAL nyc npm test",
 "lint": "eslint ",
 "lint:ci": "eslint .",
 "setup": "REPLAY=bloody SOURCE_URL=${SOURCE_URL:-https://public:none@corpusdev.example.org} mocha --timeout 20000 test/integration/install.js",
From cc1776843d9d5979f634db8521c394c27b333a3a Mon Sep 17 00:00:00 2001
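Review bot: The `[daemons] httpsd = {couch_httpd, start_link, [https]}` entry is the pre-3.x way of starting the HTTPS listener; with the `couchdb:3.5.1` base image used by Dockerfile-couchdb, `[ssl] enable = true` is presumably what brings up the listener on 6984, so the `[daemons]` line may be a no-op on this version — worth confirming against the 3.5 configuration reference and dropping if so. The comment above it, `; enable SSL support by uncommenting the following line`, is stale now that the line is active and should describe the current state instead. The file is also left without a trailing newline. The same `[daemons]` line survives as context in the second patch's `etc/local.ini` hunk.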
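Review bot: Dropping `NODE_TLS_REJECT_UNAUTHORIZED=0` from `coverage` has no effect, because `coverage` runs `nyc npm test` and the `test` script (visible as context in the second patch's package.json hunk) still sets the same variable, so the whole test process keeps running with certificate verification disabled. If the intent is to stop disabling verification, `test` needs the same edit, and the self-signed CouchDB certificate can then be trusted explicitly with `NODE_EXTRA_CA_CERTS=<path to the debug cert>` rather than by turning verification off.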
From: cesine
Date: Tue, 9 Dec 2025 17:48:22 -0500
Subject: [PATCH 2/4] use fielddb_debug certs
---
 Dockerfile-couchdb | 8 +++-----
 config/ssl_debug.crt | 26 --------------------------
 config/ssl_debug.key | 27 ---------------------------
 etc/local.ini | 6 ++----
 package.json | 4 ++--
 test/integration/install.js | 2 +-
 6 files changed, 8 insertions(+), 65 deletions(-)
 delete mode 100644 config/ssl_debug.crt
 delete mode 100644 config/ssl_debug.key
diff --git a/Dockerfile-couchdb b/Dockerfile-couchdb
index 0904369b..7ca7380e 100644
--- a/Dockerfile-couchdb
+++ b/Dockerfile-couchdb
@@ -3,13 +3,11 @@ FROM couchdb:3.5.1
 WORKDIR /
 COPY etc/* /opt/couchdb/etc/
-COPY config/ssl_debug.* /opt/couchdb/etc/
+COPY config/fielddb_debug.* /opt/couchdb/etc/
 RUN set +x; \
- curl -X PUT http://admin:none@127.0.0.1:5984/_users; \
- curl -X PUT http://admin:none@127.0.0.1:5984/_replicator; \
+ curl -Xk PUT https://admin:none@127.0.0.1:6984/_users; \
+ curl -Xk PUT https://admin:none@127.0.0.1:6984/_replicator; \
 ls -alt /opt/couchdb/etc; \
 cat /opt/couchdb/etc/local.ini; \
 ls /opt/couchdb/etc/local.d;
-
-# COPY fielddb_debug.* /usr/local/etc/couchdb
diff --git a/config/ssl_debug.crt b/config/ssl_debug.crt
deleted file mode 100644
index cbf6e32c..00000000
--- a/config/ssl_debug.crt
+++ /dev/null
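Review bot: `curl -Xk PUT https://…` does not do what the line intends: `-X` takes the request method as its argument, so the bundle parses as `-X k`, `PUT` is then treated as a URL, the insecure flag is never set, and the request to the self-signed listener fails verification; because the RUN chain joins commands with `;` rather than `&&`, that failure is silent. `curl -k -X PUT https://admin:none@127.0.0.1:6984/_users; \` (and the same for `_replicator`) restores the intended call, and `--cacert /opt/couchdb/etc/fielddb_debug.crt` with a hostname the certificate names is the stricter option given the certificate is copied two lines above. These curls also run during `docker build`, when presumably no CouchDB is listening yet, so they likely fail in any case and would belong in a startup or init step that runs once the service is up.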
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdDCCA1ygAwIBAgIJAK3RoPAW9GfuMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYD -VQQGEwJDQTEPMA0GA1UECBMGUXVlYmVjMREwDwYDVQQHEwhNb250cmVhbDEnMCUG -A1UEChMeQXV0aGVudGljYXRlZCBTeXN0ZW1zIFdvcmtzaG9wMRIwEAYDVQQLEwls -b2NhbGhvc3QxEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xNjA3MTEwNDM3MTdaFw0x -NzA3MTEwNDM3MTdaMIGCMQswCQYDVQQGEwJDQTEPMA0GA1UECBMGUXVlYmVjMREw -DwYDVQQHEwhNb250cmVhbDEnMCUGA1UEChMeQXV0aGVudGljYXRlZCBTeXN0ZW1z -IFdvcmtzaG9wMRIwEAYDVQQLEwlsb2NhbGhvc3QxEjAQBgNVBAMTCWxvY2FsaG9z -dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCia/l+qk6+lBb+ogB5 -hnz+d/MnPWxJDQrygewAcXWAyLL0Z0ClSkJcDJExbn+/bk5viedS9xEmzEh+z0Io -JcK++h7lfVAsPk8TLmNPB+4jHW/3MxchGdG6v7GWaGSvTCq9JzV8Au0OfN3/DTlv -srXFHy3TpAqh0frDlGW8jR9+oA6UV3/gZmK4rupbadkIm2wUa0/UBFsATcywKned -B3VV0aUANFtXcWbcBB1wKnfnkF6fSt3zJCYDiS/adrUOovvPv3gnqTtN4FKH7hCV -ukDK0Ee4SV52QfyImY40zt+tp59hJraJ9DNCrdHJR9wjkUNo5+dXCz+8kRayEjcB -AoECAwEAAaOB6jCB5zAdBgNVHQ4EFgQUfNpmRkodPd7HB3od9RONzJhJcfgwgbcG -A1UdIwSBrzCBrIAUfNpmRkodPd7HB3od9RONzJhJcfihgYikgYUwgYIxCzAJBgNV -BAYTAkNBMQ8wDQYDVQQIEwZRdWViZWMxETAPBgNVBAcTCE1vbnRyZWFsMScwJQYD -VQQKEx5BdXRoZW50aWNhdGVkIFN5c3RlbXMgV29ya3Nob3AxEjAQBgNVBAsTCWxv -Y2FsaG9zdDESMBAGA1UEAxMJbG9jYWxob3N0ggkArdGg8Bb0Z+4wDAYDVR0TBAUw -AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAXOIZlTfl6wgadjK18KUJyTLmhR9rgwhH -W97L7fPh29Vg4A+GhvScF1Ab6I/ctJFgl2HqJdS/Txso8VJwdSezOp4LH7yTgh6H -fkdtXp8CkmRjK0X2EBfIZrYK3deCTuCn0lMN6o8+MxskB7Br9sXoNhBBHV1t+HbY -Z3GyHarWzTMWkC8yOhS64JBDQNN8eoGay57HQuKxvLWQ+rd+Rss32xnu77dbMz+E -kXU9lMUJIwQGyTSU0Th4FtHxEctFFjCQf8QRzLUc1ZQ/nrbEVWoOpymLnj1SYhiO -0U7D3LQj5QRdB06QhR4ukasTU7mbwkarS4IkVn3pYJgB8FUtW2Kv4w== ------END CERTIFICATE----- diff --git a/config/ssl_debug.key b/config/ssl_debug.key deleted file mode 100644 index 16ec201b..00000000 --- a/config/ssl_debug.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA0KJr+X6qTr6UFv6iAHmGfP538yc9bEkNCvKB7ABxdYDIsvRn -QKVKQlwMkTFuf79uTm+J51L3ESbMSH7PQiglwr76HuV9UCw+TxMuY08H7iMdb/cz -FyEZ0bq/sZZoZK9MKr0nNXwC7Q583f8NOW+ytcUfLdOkCqHR+sOUZbyNH36gDpRX -f+BmYriu6ltp2QibbBRrT9QEWwBNzLAqd50HdVXRpQA0W1dxZtwEHXAqd+eQXp9K -3fMkJgOJL9p2tQ6i+8+/eCepO03gUofuEJW6QMrQR7hJXnZB/IiZjjTO362nn2Em -ton0M0Kt0clH3CORQ2jn51cLP7yRFrISNwECgQIDAQABAoIBAFxNHzvX//yqb9Xk -fUN8gDVYVzTpzVDU2MJZG4WPhKKZgTE601tURRAqrRynI928kU5+JiKDH+8knQgN -oiAApwQLfZihqtkHWeGd+M3Srw1515IraRz4dfXFiv1EL5crvqTB3lDZNmouGKwW -JIGemw+zz+F0WoShpsYsNMD1s/GURNq2Oe4a+MdFpMq0Btla1HSNmjuiosMn8LD0 -roMxuGcrGEpyLdxLG3HsdMU3W2PNkUbpfqJS0bfWWMrFHZeQsQ0lh308ERy60vEd -r9LglkvDCX3sR8j8nw7lTUQfJGiMH5QsjMysoEYk+0TiUdexaVY/KvRCnzkVNFyq -rYRau4ECgYEA9XxPJyoTv/avv3YqaaCwFSTcjLybgvk0BjjCnmUhGEEyn5+W50aW -z3x6mpTefIgUBCkG3XHpaTUdVYUKSdX7EsrVGDyntG8JSXdGVnVzuIsNe7Xnc/Gs -G0j4HkWidDSea2avLaoUwB4VA2xmaxZmh6+1VwQTU+EEVTI3udWK8gkCgYEA2ZIM -f5E/rAADG33ujf2ZBCffkYBD38m2xcKI/B5ZSpSKnDmx6Vb/9Zd0nnE0jyEsoH6/ -xnoic8UoYa0glyLdu9Pk8eekWRfQHVQ2sDwtfgHfZpvCesnmq3b5SQgT+6GScG+c -7r4lYI76Viok+r1Ezpl4rkt0kK6fQGoOyKD1yrkCgYAX4v2suOptDmrxfWUJHCqm -FA0l4KBdMTR/unwtf3el7YoogBXl8TdxfxJLAltX0MHp2bgiShhFNXbiQGzM3HZu -0K/FiPlklD1aGbINbaZR+a3ZMM0Ruh1eFk6WW35AQnJ7zuUS027rdsHisGSS3P4j -C9TgX7QlwEp0o8tKWN4JSQKBgQC7s8CMnebsoOYNZcvVPCAy8aNzh9EG1KOWYYqE -2Dn4mcYrmarfwGr6mjvGJaxOfzRdEnyo4t2uOz3nZtFjEnVxghFWkZ28L0sgwnKc -AI7O0xbFE0PpYx5adz4Bv7JduLr5vZEKd4kPkMpwY9ObboZaJxVyaS6bU8uYaudu -N09WIQKBgDzKXjHXWyzJHdfqELjMuhChWsP+jXLGNs3cfgCx2diqjuaqoUCPpH68 -EK6MaSa97BQptc/kkPQfi/AdSBcpQwIIIST6KYOp1E+NY+2olrNSJeLszbOiFR4V -qs73H7ozZ2VcMb2ax/FU3nPetz4v07hONlwDdGtEGsCEoKpgc9ZC ------END RSA PRIVATE KEY----- diff --git a/etc/local.ini b/etc/local.ini index c3a7ae8a..961b231f 100644 --- a/etc/local.ini +++ b/etc/local.ini 
@@ -22,11 +22,9 @@ httpsd = {couch_httpd, start_link, [https]}
 [ssl]
 enable = true
-; ciphers = undefined
-;tls_versions = undefined
 ; secure_renegotiate = undefined
-cert_file = /opt/couchdb/etc/ssl_debug.crt
-key_file = /opt/couchdb/etc/ssl_debug.key
+cert_file = /opt/couchdb/etc/fielddb_debug.crt
+key_file = /opt/couchdb/etc/fielddb_debug.key
 ; set to true to validate peer certificates
 verify_ssl_certificates = false
 ; maximum peer certificate depth
diff --git a/package.json b/package.json
index a369c62f..0222ac61 100644
--- a/package.json
+++ b/package.json
@@ -67,11 +67,11 @@
 "coverage": "NODE_ENV=test BUNYAN_LOG_LEVEL=FATAL nyc npm test",
 "lint": "eslint ",
 "lint:ci": "eslint .",
- "setup": "REPLAY=bloody SOURCE_URL=${SOURCE_URL:-https://public:none@corpusdev.example.org} mocha --timeout 20000 test/integration/install.js",
+ "setup": "REPLAY=bloody NODE_TLS_REJECT_UNAUTHORIZED=0 SOURCE_URL=${SOURCE_URL:-https://public:none@corpusdev.example.org} mocha --timeout 20000 test/integration/install.js",
 "start": "node ./bin/www.js",
 "test": "SOURCE_URL=${SOURCE_URL:-https://public:none@corpusdev.example.org} NODE_ENV=test NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --timeout 100000 --recursive test",
 "test:debug": "node-debug _mocha test/integration/oauth.js",
- "test:deprecated": "DEBUG=${DEBUG:-lib:user} REPLAY=bloody nyc mocha --timeout 25000 test/routes/deprecated-spec.js",
+ "test:deprecated": "DEBUG=${DEBUG:-lib:user} REPLAY=bloody NODE_TLS_REJECT_UNAUTHORIZED=0 nyc mocha --timeout 25000 test/routes/deprecated-spec.js",
 "test:fielddb": "NODE_ENV=localhost jasmine-node node_modules/fielddb/tests",
 "test:production": "ls config/production.js",
 "watch": "nodemon ./bin/www.js"
diff --git a/test/integration/install.js b/test/integration/install.js
index 054a4853..b13a5989 100644
--- a/test/integration/install.js
+++ b/test/integration/install.js
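Review bot: Adding `NODE_TLS_REJECT_UNAUTHORIZED=0` to `setup` and `test:deprecated` turns off certificate verification for every TLS connection the Node process makes — including the `SOURCE_URL` connection to `corpusdev.example.org` on the same command line — not just for the self-signed local CouchDB. Trusting the debug certificate explicitly keeps verification on: `"setup": "REPLAY=bloody NODE_EXTRA_CA_CERTS=config/fielddb_debug.crt SOURCE_URL=${SOURCE_URL:-https://public:none@corpusdev.example.org} mocha --timeout 20000 test/integration/install.js"` and likewise for `test:deprecated`, provided the debug certificate is self-signed and names `localhost`. Node also prints a warning on every run where the variable is set to 0, which will show up in each test log.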
@@ -10,7 +10,7 @@ const originalLocalhosts = replay._localhosts; // eslint-disable-next-line no-underscore-dangle debug('replay localhosts', replay._localhosts); -let destination = 'http://admin:none@localhost:5984'; +let destination = 'https://admin:none@localhost:6984'; if (!destination) { destination = url.parse(config.usersDbConnection.url); destination.auth = `${config.couchKeys.username}:${config.couchKeys.password}`; From 83a71fdd0396b295c5ca93513b94c4e42de972f7 Mon Sep 17 00:00:00 2001 From: cesine Date: Tue, 9 Dec 2025 17:59:08 -0500 Subject: [PATCH 3/4] replication on https is not working --- test/integration/install.js | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/test/integration/install.js b/test/integration/install.js index b13a5989..bc500c4a 100644 --- a/test/integration/install.js +++ b/test/integration/install.js @@ -10,7 +10,14 @@ const originalLocalhosts = replay._localhosts; // eslint-disable-next-line no-underscore-dangle debug('replay localhosts', replay._localhosts); -let destination = 'https://admin:none@localhost:6984'; +// FIXME: unable to use replication on https +/* + application: mochiweb, "Accept failed error", "{error, + {tls_alert, + {certificate_unknown, + \"TLS server: In state wait_finished received CLIENT ALERT: Fatal - Certificate Unknown\\n\"}}}" + */ +let destination = 'http://admin:none@localhost:5984'; if (!destination) { destination = url.parse(config.usersDbConnection.url); destination.auth = `${config.couchKeys.username}:${config.couchKeys.password}`; From 9f22941b1b305496fe6dca320843b8d417e42f6d Mon Sep 17 00:00:00 2001 From: cesine Date: Tue, 9 Dec 2025 18:01:36 -0500 Subject: [PATCH 4/4] reduce diff --- .github/workflows/node.js.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index b64cea8a..048b287f 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml 
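Review bot: With `destination` initialised to a non-empty string literal, the `if (!destination)` branch that reads `config.usersDbConnection.url` on the next line is unreachable, so the `config/local.js` written by the workflow step elsewhere in this series is never consulted here and the admin credentials live in the test source instead. If `config.couchKeys` is populated for the test configuration, dropping the literal (`let destination;`) lets the existing config-driven fallback run; otherwise the dead branch should go. The statement run that uses `destination` continues past the end of the hunk. The third patch's hunk on this file reverts the literal to plaintext and keeps the same unreachable branch.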
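Review bot: The alert quoted in the new FIXME — the server "received CLIENT ALERT: Fatal - Certificate Unknown" — is the TLS client refusing CouchDB's certificate, so this is a trust problem on whichever client makes that connection rather than a limitation of replication over https, and switching `destination` back to `http://admin:none@localhost:5984` papers over it. The fix belongs on the client side: `NODE_EXTRA_CA_CERTS` pointing at the debug certificate if the Node test is the client, or `[replicator] ssl_trusted_certificates_file` (with `verify_ssl_certificates` set as intended) if CouchDB's own replicator is the client — which of the two it is cannot be told from this hunk. The seven-line raw Erlang term would read better as a two-line `//` comment naming the failing component and the suspected cause, with the alert name kept for searchability.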
@@ -31,7 +31,7 @@ jobs: - name: Create local config for tests run: | - echo 'module.exports = { usersDbConnection: { url: "https://localhost:6984" }};' > config/local.js + echo 'module.exports = { usersDbConnection: { url: "http://localhost:5984" }};' > config/local.js - name: Run Integration tests run: DEBUG=replay* npm run coverage || echo 'Test run failed replay no longer is working with latest nano which uses node fetch'
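Review bot: After this revert the CI config again points at `http://localhost:5984`, and with the third patch also reverting `test/integration/install.js` to plaintext, nothing in the series talks to 6984 except the build-time curls in Dockerfile-couchdb, so the listener enabled in `etc/local.ini` is never exercised by CI. If reducing the diff is the goal that is fine, but the series then ships an untested TLS listener; keeping the `https://localhost:6984` URL here together with `NODE_EXTRA_CA_CERTS` pointing at the debug certificate would cover it without disabling verification.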