service always requires credentials now

Andrei Neagu · Andrei Neagu · commit 4ac92b39e3b6 · 2025-04-25T13:04:34.000+02:00
diff --git a/.env-devel b/.env-devel
@@ -86,10 +86,10 @@ DIRECTOR_SERVICES_CUSTOM_CONSTRAINTS=null
 DIRECTOR_TRACING=null
 
 DOCKER_API_PROXY_HOST=docker-api-proxy
-DOCKER_API_PROXY_PASSWORD=null
+DOCKER_API_PROXY_PASSWORD=admin
 DOCKER_API_PROXY_PORT=8888
 DOCKER_API_PROXY_SECURE=False
-DOCKER_API_PROXY_USER=null
+DOCKER_API_PROXY_USER=admin
 
 EFS_USER_ID=8006
 EFS_USER_NAME=efs
diff --git a/packages/pytest-simcore/src/pytest_simcore/docker_api_proxy.py b/packages/pytest-simcore/src/pytest_simcore/docker_api_proxy.py
@@ -1,7 +1,7 @@
 import logging
 
 import pytest
-from aiohttp import ClientSession, ClientTimeout
+from aiohttp import BasicAuth, ClientSession, ClientTimeout
 from pydantic import TypeAdapter
 from settings_library.docker_api_proxy import DockerApiProxysettings
 from tenacity import before_sleep_log, retry, stop_after_delay, wait_fixed
@@ -22,7 +22,13 @@
 async def _wait_till_docker_api_proxy_is_responsive(
     settings: DockerApiProxysettings,
 ) -> None:
-    async with ClientSession(timeout=ClientTimeout(1, 1, 1, 1, 1)) as client:
+    async with ClientSession(
+        timeout=ClientTimeout(1, 1, 1, 1, 1),
+        auth=BasicAuth(
+            settings.DOCKER_API_PROXY_USER,
+            settings.DOCKER_API_PROXY_PASSWORD.get_secret_value(),
+        ),
+    ) as client:
         response = await client.get(f"{settings.base_url}/version")
         assert response.status == 200, await response.text()
 
@@ -44,6 +50,12 @@ async def docker_api_proxy_settings(
         {
             "DOCKER_API_PROXY_HOST": get_localhost_ip(),
             "DOCKER_API_PROXY_PORT": published_port,
+            "DOCKER_API_PROXY_USER": env_vars_for_docker_compose[
+                "DOCKER_API_PROXY_USER"
+            ],
+            "DOCKER_API_PROXY_PASSWORD": env_vars_for_docker_compose[
+                "DOCKER_API_PROXY_PASSWORD"
+            ],
         }
     )
 
diff --git a/packages/service-library/src/servicelib/fastapi/docker.py b/packages/service-library/src/servicelib/fastapi/docker.py
@@ -30,32 +30,20 @@ async def remote_docker_client_lifespan(
 ) -> AsyncIterator[State]:
     settings: DockerApiProxysettings = state[_DOCKER_API_PROXY_SETTINGS]
 
-    session: ClientSession | None = None
-    if settings.DOCKER_API_PROXY_USER and settings.DOCKER_API_PROXY_PASSWORD:
-        session = ClientSession(
-            auth=aiohttp.BasicAuth(
-                login=settings.DOCKER_API_PROXY_USER,
-                password=settings.DOCKER_API_PROXY_PASSWORD.get_secret_value(),
-            )
-        )
-
     async with AsyncExitStack() as exit_stack:
-        if settings.DOCKER_API_PROXY_USER and settings.DOCKER_API_PROXY_PASSWORD:
-            await exit_stack.enter_async_context(
-                ClientSession(
-                    auth=aiohttp.BasicAuth(
-                        login=settings.DOCKER_API_PROXY_USER,
-                        password=settings.DOCKER_API_PROXY_PASSWORD.get_secret_value(),
-                    )
+        session = await exit_stack.enter_async_context(
+            ClientSession(
+                auth=aiohttp.BasicAuth(
+                    login=settings.DOCKER_API_PROXY_USER,
+                    password=settings.DOCKER_API_PROXY_PASSWORD.get_secret_value(),
                 )
             )
+        )
 
-        client = await exit_stack.enter_async_context(
+        app.state.remote_docker_client = await exit_stack.enter_async_context(
             aiodocker.Docker(url=settings.base_url, session=session)
         )
 
-        app.state.remote_docker_client = client
-
         await wait_till_docker_api_proxy_is_responsive(app)
 
         # NOTE this has to be inside exit_stack scope
diff --git a/packages/settings-library/src/settings_library/docker_api_proxy.py b/packages/settings-library/src/settings_library/docker_api_proxy.py
@@ -15,8 +15,8 @@ class DockerApiProxysettings(BaseCustomSettings):
     )
     DOCKER_API_PROXY_SECURE: bool = False
 
-    DOCKER_API_PROXY_USER: str | None = None
-    DOCKER_API_PROXY_PASSWORD: SecretStr | None = None
+    DOCKER_API_PROXY_USER: str
+    DOCKER_API_PROXY_PASSWORD: SecretStr
 
     @cached_property
     def base_url(self) -> str:
diff --git a/services/docker-api-proxy/Dockerfile b/services/docker-api-proxy/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.21 AS base
+FROM caddy:2.10.0-alpine AS base
 
 LABEL maintainer=GitHK
 
@@ -29,10 +29,11 @@ HEALTHCHECK \
   --start-period=20s \
   --start-interval=1s \
   --retries=5 \
-  CMD curl http://localhost:8888/version || exit 1
+  CMD curl --fail-with-body -u ${DOCKER_API_PROXY_USER}:${DOCKER_API_PROXY_PASSWORD} http://localhost:8888/version
 
 COPY --chown=scu:scu services/docker-api-proxy/docker services/docker-api-proxy/docker
-RUN chmod +x services/docker-api-proxy/docker/*.sh
+RUN chmod +x services/docker-api-proxy/docker/*.sh && \
+  mv services/docker-api-proxy/docker/Caddyfile /etc/caddy/Caddyfile
 
 ENTRYPOINT [ "/bin/sh", "services/docker-api-proxy/docker/entrypoint.sh" ]
 CMD ["/bin/sh", "services/docker-api-proxy/docker/boot.sh"]
diff --git a/services/docker-api-proxy/docker/Caddyfile b/services/docker-api-proxy/docker/Caddyfile
@@ -0,0 +1,11 @@
+:8888 {
+    handle {
+        basicauth {
+            {$DOCKER_API_PROXY_USER} {$DOCKER_API_PROXY_ECRYPTED_PASSWORD}
+        }
+
+        reverse_proxy http://localhost:8889 {
+            health_uri /version
+        }
+    }
+}
diff --git a/services/docker-api-proxy/docker/boot.sh b/services/docker-api-proxy/docker/boot.sh
@@ -12,4 +12,7 @@ echo "$INFO" "User :$(id "$(whoami)")"
 #
 # RUNNING application
 #
-socat TCP-LISTEN:8888,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock
+socat TCP-LISTEN:8889,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock &
+
+DOCKER_API_PROXY_ECRYPTED_PASSWORD=$(caddy hash-password --plaintext "$DOCKER_API_PROXY_PASSWORD") \
+  caddy run --adapter caddyfile --config /etc/caddy/Caddyfile
diff --git a/services/docker-api-proxy/tests/integration/autentication-proxy-docker-compose.yaml b/services/docker-api-proxy/tests/integration/autentication-proxy-docker-compose.yaml
diff --git a/services/docker-api-proxy/tests/integration/test_docker_api_proxy.py b/services/docker-api-proxy/tests/integration/test_docker_api_proxy.py
@@ -7,6 +7,7 @@
 from pathlib import Path
 
 import aiodocker
+import pytest
 from pytest_simcore.helpers.monkeypatch_envs import EnvVarsDict
 from settings_library.docker_api_proxy import DockerApiProxysettings
 
@@ -17,7 +18,7 @@
 ]
 
 
-async def test_unauthenticated_docker_client(
+async def test_authenticated_docker_client(
     docker_swarm: None,
     docker_api_proxy_settings: DockerApiProxysettings,
     setup_docker_client: Callable[
@@ -27,7 +28,37 @@ async def test_unauthenticated_docker_client(
     envs = {
         "DOCKER_API_PROXY_HOST": "127.0.0.1",
         "DOCKER_API_PROXY_PORT": "8014",
+        "DOCKER_API_PROXY_USER": docker_api_proxy_settings.DOCKER_API_PROXY_USER,
+        "DOCKER_API_PROXY_PASSWORD": docker_api_proxy_settings.DOCKER_API_PROXY_PASSWORD.get_secret_value(),
     }
     async with setup_docker_client(envs) as working_docker:
         info = await working_docker.system.info()
         print(json.dumps(info, indent=2))
+
+
+@pytest.mark.parametrize(
+    "user, password",
+    [
+        ("wrong", "wrong"),
+        ("wrong", "admin"),
+    ],
+)
+async def test_unauthenticated_docker_client(
+    docker_swarm: None,
+    docker_api_proxy_settings: DockerApiProxysettings,
+    setup_docker_client: Callable[
+        [EnvVarsDict], AbstractAsyncContextManager[aiodocker.Docker]
+    ],
+    user: str,
+    password: str,
+):
+    envs = {
+        "DOCKER_API_PROXY_HOST": "127.0.0.1",
+        "DOCKER_API_PROXY_PORT": "8014",
+        "DOCKER_API_PROXY_USER": user,
+        "DOCKER_API_PROXY_PASSWORD": password,
+    }
+    async with setup_docker_client(envs) as working_docker:
+        with pytest.raises(aiodocker.exceptions.DockerError) as exc:
+            await working_docker.system.info()
+        assert exc.value.status == 401
diff --git a/services/docker-api-proxy/tests/integration/test_docker_api_proxy_autenticated.py b/services/docker-api-proxy/tests/integration/test_docker_api_proxy_autenticated.py
diff --git a/services/docker-compose.yml b/services/docker-compose.yml
@@ -585,6 +585,9 @@ services:
   docker-api-proxy:
     image: ${DOCKER_REGISTRY:-itisfoundation}/docker-api-proxy:${DOCKER_IMAGE_TAG:-latest}
     init: true
+    environment:
+      DOCKER_API_PROXY_PASSWORD: ${DOCKER_API_PROXY_PASSWORD}
+      DOCKER_API_PROXY_USER : ${DOCKER_API_PROXY_USER}
     deploy:
       placement:
         constraints:

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ class DockerApiProxysettings(BaseCustomSettings):`
`15`	`15`	`)`
`16`	`16`	`DOCKER_API_PROXY_SECURE: bool = False`
`17`	`17`
`18`		`- DOCKER_API_PROXY_USER: str \| None = None`
`19`		`- DOCKER_API_PROXY_PASSWORD: SecretStr \| None = None`
	`18`	`+ DOCKER_API_PROXY_USER: str`
	`19`	`+ DOCKER_API_PROXY_PASSWORD: SecretStr`
`20`	`20`
`21`	`21`	`@cached_property`
`22`	`22`	`def base_url(self) -> str:`
Original file line number	Diff line number	Diff line change
`@@ -12,4 +12,7 @@ echo "$INFO" "User :$(id "$(whoami)")"`
`12`	`12`	`#`
`13`	`13`	`# RUNNING application`
`14`	`14`	`#`
`15`		`-socat TCP-LISTEN:8888,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock`
	`15`	`+socat TCP-LISTEN:8889,fork,reuseaddr UNIX-CONNECT:/var/run/docker.sock &`
	`16`	`+`
	`17`	`+DOCKER_API_PROXY_ECRYPTED_PASSWORD=$(caddy hash-password --plaintext "$DOCKER_API_PROXY_PASSWORD") \`
	`18`	`+ caddy run --adapter caddyfile --config /etc/caddy/Caddyfile`