implement support of unix socket for server

This feature can be used for unauthorized access to apis - e.g. for reporting service if it is run on the same machine. Since now it becomes recommended way for the interprocess communication, thus some options (e.g. creating user with as-service flag) are no longer available now
2025-06-28 06:41:43 +00:00 · 2022-11-29 01:18:01 +02:00
parent 4811dec759
commit 0161617e36
24 changed files with 247 additions and 134 deletions
--- a/docs/ahriman.1
+++ b/docs/ahriman.1
@ -1,4 +1,4 @@
-.TH AHRIMAN "1" "2022\-11\-16" "ahriman" "Generated Python Manual"
+.TH AHRIMAN "1" "2022\-11\-29" "ahriman" "Generated Python Manual"
 .SH NAME
 ahriman
 .SH SYNOPSIS
@ -128,7 +128,7 @@ run triggers
 update packages
 .TP
 \fBahriman\fR \fI\,shell\/\fR
-envoke python shell
+invoke python shell
 .TP
 \fBahriman\fR \fI\,user\-add\/\fR
 create or update user
@ -509,7 +509,7 @@ root path of the extracted files
 usage: ahriman repo\-setup [\-h] [\-\-build\-as\-user BUILD_AS_USER] [\-\-build\-command BUILD_COMMAND]
                          [\-\-from\-configuration FROM_CONFIGURATION] [\-\-multilib | \-\-no\-multilib] \-\-packager PACKAGER
                          \-\-repository REPOSITORY [\-\-sign\-key SIGN_KEY] [\-\-sign\-target {disabled,pacakges,repository}]
-                          [\-\-web\-port WEB_PORT]
+                          [\-\-web\-port WEB_PORT] [\-\-web\-unix\-socket WEB_UNIX_SOCKET]

 create initial service configuration, requires root

@ -550,6 +550,10 @@ sign options
 \fB\-\-web\-port\fR \fI\,WEB_PORT\/\fR
 port of the web service

+.TP
+\fB\-\-web\-unix\-socket\fR \fI\,WEB_UNIX_SOCKET\/\fR
+path to unix socket used for interprocess communications
+
 .SH COMMAND \fI\,'ahriman repo\-sign'\/\fR
 usage: ahriman repo\-sign [\-h] [package ...]

@ -633,7 +637,7 @@ drop into python shell while having created application
 instead of dropping into shell, just execute the specified code

 .SH COMMAND \fI\,'ahriman user\-add'\/\fR
-usage: ahriman user\-add [\-h] [\-\-as\-service] [\-p PASSWORD] [\-r {unauthorized,read,reporter,full}] [\-s] username
+usage: ahriman user\-add [\-h] [\-p PASSWORD] [\-r {unauthorized,read,reporter,full}] [\-s] username

 update user for web services with the given password and role. In case if password was not entered it will be asked interactively

@ -642,10 +646,6 @@ update user for web services with the given password and role. In case if passwo
 username for web service

 .SH OPTIONS \fI\,'ahriman user\-add'\/\fR
-.TP
-\fB\-\-as\-service\fR
-add user as service user
-
 .TP
 \fB\-p\fR \fI\,PASSWORD\/\fR, \fB\-\-password\fR \fI\,PASSWORD\/\fR
 user password. Blank password will be treated as empty password, which is in particular must be used for OAuth2
@ -678,7 +678,7 @@ return non\-zero exit status if result is empty
 filter users by role

 .SH COMMAND \fI\,'ahriman user\-remove'\/\fR
-usage: ahriman user\-remove [\-h] [\-s] username
+usage: ahriman user\-remove [\-h] username

 remove user from the user mapping and update the configuration

@ -686,11 +686,6 @@ remove user from the user mapping and update the configuration
 \fBusername\fR
 username for web service

-.SH OPTIONS \fI\,'ahriman user\-remove'\/\fR
-.TP
-\fB\-s\fR, \fB\-\-secure\fR
-set file permissions to user\-only
-
 .SH COMMAND \fI\,'ahriman version'\/\fR
 usage: ahriman version [\-h]

--- a/docs/architecture.rst
+++ b/docs/architecture.rst
@ -36,6 +36,7 @@ This package contains everything which is required for any time of application r
 * ``ahriman.core.database`` is everything including data and schema migrations for database.
 * ``ahriman.core.formatters`` package provides ``Printer`` sub-classes for printing data (e.g. package properties) to stdout which are used by some handlers.
 * ``ahriman.core.gitremote`` is a package with remote PKGBUILD triggers. Should not be called directly.
+* ``ahriman.core.log`` is a log utils package. It includes logger loader class, custom HTTP based logger and access logger for HTTP services with additional filters.
 * ``ahriman.core.report`` is a package with reporting triggers. Should not be called directly.
 * ``ahriman.core.repository`` contains several traits and base repository (``ahriman.core.repository.Repository`` class) implementation.
 * ``ahriman.core.sign`` package provides sign feature (only gpg calls are available).
@ -196,7 +197,9 @@ means that there is user ``username`` with ``read`` access and password ``passwo

 OAuth provider uses library definitions (``aioauth-client``) in order *authenticate* users. It still requires user permission to be set in database, thus it inherits mapping provider without any changes. Whereas we could override ``check_credentials`` (authentication method) by something custom, OAuth flow is a bit more complex than just forward request, thus we have to implement the flow in login form.

-OAuth's implementation also allows authenticating users via username + password (in the same way as mapping does) though it is not recommended for end-users and password must be left blank. In particular this feature is used by service reporting (aka robots).
+OAuth's implementation also allows authenticating users via username + password (in the same way as mapping does) though it is not recommended for end-users and password must be left blank. In particular this feature can be used by service reporting (aka robots).
+
+In addition, web service checks the source socket used. In case if it belongs to ``socket.AF_UNIX`` family, it will skip any furher checks considering the request to be performed in safe environment (e.g. on the same physical machine). This feature, in particular is being used by the reporter instances in case if socket address is set in configuration.

 In order to configure users there are special commands.

@ -244,6 +247,7 @@ Web application requires the following python packages to be installed:
 * In addition, ``aiohttp_debugtoolbar`` is required for debug panel. Please note that this option does not work together with authorization and basically must not be used in production.
 * In addition, authorization feature requires ``aiohttp_security``, ``aiohttp_session`` and ``cryptography``.
 * In addition to base authorization dependencies, OAuth2 also requires ``aioauth-client`` library.
+* In addition if you would like to disable authorization for local access (recommended way in order to run the application itself with reporting support), the ``requests-unixsocket`` library is required.

 Middlewares
 ^^^^^^^^^^^
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -240,4 +240,5 @@ Web server settings. If any of ``host``/``port`` is not set, web integration wil
 * ``port`` - port to bind, int, optional.
 * ``static_path`` - path to directory with static files, string, required.
 * ``templates`` - path to templates directory, string, required.
+* ``unix_socket`` - path to the listening unix socket, string, optional. If set, server will create the socket on the specified address which can (and will) be used by application. Note, that unlike usual host/port configuration, unix socket allows to perform requests without authorization.
 * ``username`` - username to authorize in web service in order to update service status, string, required in case if authorization enabled.  
--- a/docs/faq.rst
+++ b/docs/faq.rst
@ -350,13 +350,13 @@ The default action (in case if no arguments provided) is ``repo-update``. Basica

 .. code-block:: shell

-   docker run -v /path/to/local/repo:/var/lib/ahriman -v /path/to/overrides/overrides.ini:/etc/ahriman.ini.d/10-overrides.ini arcan1s/ahriman:latest
+   docker run --privileged -v /path/to/local/repo:/var/lib/ahriman -v /path/to/overrides/overrides.ini:/etc/ahriman.ini.d/10-overrides.ini arcan1s/ahriman:latest

 The action can be specified during run, e.g.:

 .. code-block:: shell

-   docker run arcan1s/ahriman:latest package-add ahriman --now
+   docker run --privileged -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest package-add ahriman --now

 For more details please refer to docker FAQ.

@ -374,13 +374,25 @@ The following environment variables are supported:
 * ``AHRIMAN_PORT`` - HTTP server port if any, default is empty.
 * ``AHRIMAN_REPOSITORY`` - repository name, default is ``aur-clone``.
 * ``AHRIMAN_REPOSITORY_ROOT`` - repository root. Because of filesystem rights it is required to override default repository root. By default, it uses ``ahriman`` directory inside ahriman's home, which can be passed as mount volume.
+* ``AHRIMAN_UNIX_SOCKET`` - full path to unix socket which is used by web server, default is empty. Note that more likely you would like to put it inside ``AHRIMAN_REPOSITORY_ROOT`` directory (e.g. ``/var/lib/ahriman/ahriman/ahriman-web.sock``) or to ``/tmp``.
 * ``AHRIMAN_USER`` - ahriman user, usually must not be overwritten, default is ``ahriman``. 

 You can pass any of these variables by using ``-e`` argument, e.g.:

 .. code-block:: shell

-   docker run -e AHRIMAN_PORT=8080 -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest
+   docker run --privileged -e AHRIMAN_PORT=8080 -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest
+
+Daemon service
+^^^^^^^^^^^^^^
+
+There is special ``daemon`` subcommand which emulates systemd timer and will perform repository update periodically:
+
+.. code-block:: shell
+
+   docker run --privileged -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest daemon
+
+This command uses same rules as ``repo-update``, thus, e.g. requires ``--privileged`` flag.

 Web service setup
 ^^^^^^^^^^^^^^^^^
@ -389,26 +401,23 @@ Well for that you would need to have web container instance running forever; it

 .. code-block:: shell

-   docker run -p 8080:8080 -e AHRIMAN_PORT=8080 -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest
+   docker run --privileged -p 8080:8080 -e AHRIMAN_PORT=8080 -e AHRIMAN_UNIX_SOCKET=/var/lib/ahriman/ahriman/ahriman-web.sock -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest

 Note about ``AHRIMAN_PORT`` environment variable which is required in order to enable web service. An additional port bind by ``-p 8080:8080`` is required to pass docker port outside of container.

-For every next container run use arguments ``-e AHRIMAN_PORT=8080 --net=host``, e.g.:
+The ``AHRIMAN_UNIX_SOCKET`` variable is not required, however, highly recommended as it can be used for interprocess communications. If you set this variable you would like to be sure that this path is available outside of container if you are going to use multiple docker instances.
+
+If you are using ``AHRIMAN_UNIX_SOCKET`` variable, for every next container run it has to be passed also, e.g.:

 .. code-block:: shell

-   docker run --privileged -e AHRIMAN_PORT=8080 --net=host -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest
+   docker run --privileged -e AHRIMAN_UNIX_SOCKET=/var/lib/ahriman/ahriman/ahriman-web.sock -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest

-Daemon service
-^^^^^^^^^^^^^^
-
-There is special subcommand which emulates systemd timer and will perform repository update periodically:
+Otherwise, you would need to pass ``AHRIMAN_PORT`` and mount container network to the host system (``--net=host``), e.g.:

 .. code-block:: shell

-   docker run --privileged -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest daemon
-
-This command uses same rules as ``repo-update``, thus, e.g. requires ``--privileged`` flag.
+   docker run --privileged --net=host -e AHRIMAN_PORT=8080 -v /path/to/local/repo:/var/lib/ahriman arcan1s/ahriman:latest

 Remote synchronization
 ----------------------
@ -666,19 +675,37 @@ How to enable basic authorization
      [auth]
      target = configuration

-#. 
-   Create user for the service:
+#.
+   In order to provide access for reporting from application instances you can (recommended way) use unix sockets by configuring the following (note, that it requires ``python-requests-unixsocket`` package to be installed):
+
+   .. code-block:: ini
+
+      [web]
+      unix_socket = /var/lib/ahriman/ahriman-web.sock
+
+   This socket path must be available for web service instance and must be available for application instances (e.g. in case if you are using docker container, see above, you need to be sure that the socket is passed to the root filesystem).
+
+   By the way, unix socket variable will be automatically set in case if ``--web-unix-socket`` argument is supplied to the ``setup`` subcommand.
+
+   Alternatively, you need to create user for the service:

   .. code-block:: shell

-      sudo -u ahriman ahriman user-add --as-service -r write api
+      sudo -u ahriman ahriman user-add -r write api

-   This command will ask for the password, just type it in stdin; *do not* leave the field blank, user will not be able to authorize.
+   This command will ask for the password, just type it in stdin; *do not* leave the field blank, user will not be able to authorize, and finally configure the application:

-#. 
+   .. code-block:: ini
+
+      [web]
+      username = api
+      password = pa55w0rd
+
+#.
   Create end-user ``sudo -u ahriman ahriman user-add -r write my-first-user`` with password.

-#. Restart web service ``systemctl restart ahriman-web@x86_64``.
+#.
+   Restart web service ``systemctl restart ahriman-web@x86_64``.

 How to enable OAuth authorization
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -717,7 +744,8 @@ How to enable OAuth authorization
 #. 
   Create end-user ``sudo -u ahriman ahriman user-add -r write my-first-user``. When it will ask for the password leave it blank.

-#. Restart web service ``systemctl restart ahriman-web@x86_64``.
+#.
+   Restart web service ``systemctl restart ahriman-web@x86_64``.

 Backup and restore
 ------------------