Skip to content

Security: MatthewJohn/terrareg

Security

docs/security.md

Security

Terrareg must be configured with a secret key, which is used for encrypting sessions, to enable authentication. This can be configured via SECRET_KEY.

By default, Terrareg administration is protected by an ADMIN_AUTHENTICATION_TOKEN, which is set via environment variable, which becomes the password used for authentication on the login page.

Authentication is required to perform tasks such as: creating namespaces, creating/deleting modules and managing additional user permissions, with a few exceptions:

Securing module creation/indexing

By default, indexing and publishing modules does not require authentication. To disable unauthorised indexing/publishing of modules, set up dedicated API keys for these functions, see UPLOAD_API_KEYS and PUBLISH_API_KEYS.

API keys can be specified in requests to API endpoing with an 'X-Terrareg-ApiKey' header.

Enabling access controls will disable unauthenticated indexing/publishing of modules, requiring authentication via SSO or Admin password or, once set, the upload/publish API keys.

Auto creation of namespaces/modules

By default, the module upload endpoint will create a namespace/module if it does not exist.

For a secure installation, it is recommended to disable this, forcing all namespaces/modules to be created by authenticated users.

The disable this functionality, set AUTO_CREATE_NAMESPACE and AUTO_CREATE_MODULE_PROVIDER

API authentication

Each protected API endpoint (generally all API endpoints that are non read-only actions) require API key authentication, with the exception of module upload/publish endpoints (see Security module creationg/indexing).

To authenticate to an API endpoint, you must either:

  • Pass the approrpriate API key for the endpoint (specifically for module upload/publishing), in a X-Terrareg-ApiKey header;
  • Pass the admin authentication token to the endpoint in a X-Terrareg-ApiKey header;
  • Authenticate via the authentication API endpoint and authenticate using session (not a programatic approach).

There will be future work to allow API key authentication for all endpoints in future: https://gitlab.dockstudios.co.uk/pub/terrareg/-/issues/353

Access controls

By default, all authenticated users will have global admin permissions, allowing the creation/deletion of all namespaces, modules and module versions.

Role based access controls (RBAC) can be enabled by setting ENABLE_ACCESS_CONTROLS.

This will remove any default privilges given to SSO users. The admin user will still retain global admin privileges.

For information about user groups, see Single Sign-on.

Single Sign-on

Single sign-on can be used to allow authentication via external authentication providers.

SSO groups can be assigned global admin permissions, or per-namespace permissions, allowing creation/deletion of modules and versions.

User groups and permissions can be configured on the 'User Groups' (/user-groups) page.

Once single sign-on has been setup, the ADMIN_AUTHENTICATION_TOKEN can be removed, stopping further sign-in via password authentication.

NOTE OpenID and SAML2 authentication is currently experimental.

It is advised to use with caution and avoid using on publicly hosted/accessible instances.

OpenID Connect

To configure OpenID connect, setup an application in an identity provider (IdP) with the following:

Grant type Authorization Code
Sign-in redirect URI https://<terrareg-instance-domain>/openid/callback
Sign-out URI https://<terrareg-instance-domain>/logout
Initiate login URI https://<terrareg-instance-domain>/openid/login
Login flow Redirect to app to initiate login

Obtain the client ID, client secret and issuer URL from the IdP provider and populate the following environment variables:

Note: Most IdP providers will require the terrareg installation to be accessed via https. The instance should be configured with SSL certificates (SSL_CERT_PRIVATE_KEY/SSL_CERT_PUBLIC_KEY) or be hosted behind a reverse-proxy/load balancer.

The text displayed on the login button can be customised by setting OPENID_CONNECT_LOGIN_TEXT

SAML2

Generate a public and a private key, using:

openssl genrsa -out private.key 4096
openssl req -new -x509 -key private.key -out publickey.cer -days 365

Set the folllowing environment variables:

In the IdP:

  • configure the Single signin URL to https://{terrareg_installation_domain}/saml/login?sso;
  • configure the request and response to be signed;
  • ensure at least one attribute is assigned.

Provider sources

Provider sources are a method of integrating with a Git provider for authentication and creating providers.

Provider sources allow users to authenticate to Terrareg. Information about their associated projects/organisations and repositories are used to allow providers to be created.

Currently, only Github is supported as a provider source.

NOTE: These may eventually be used for modules and eventually replace GIT_PROVIDERS.

Confguring provider sources

Provider sources are configured using PROVIDER_SOURCES configuration.

Each provider source must be configured with:

  • name - The name of the provider source, shown the users when selecting the source for creating a provider.
  • type - Must be one of the supported platforms. (See the configuration for a list of supported values)
  • login_button_text - The text displayed in the login button on the login page for the provider
  • auto_generate_namespaces - Determines if the namespaces are created for each of the organisations that the user is an owner of, when authenticating.
    • If this is disabled, namespaces must be created by a site admin.
Github

The following configurations must be configured (see CONFIG.md for details about how to generate them):

  • base_url - Base public URL, e.g. https://github.com
  • api_url - API URL, e.g. https://api.github.com
  • app_id - Github app ID
  • client_id - Github app client ID for Github authentication.
  • client_secret - Github App client secret for Github authentication.
  • private_key_path - Path to private key generated for Github app.
  • webhook_secret (optional) - Web hook secret that Github will provide to Terrareg when calling the webhook endpoint. This cannot be used for non-publicly accessible Terrareg installations.
  • default_access_key (optional) - Github access token, used for perform Github API requests for providers that are not authenticated via Github App.
  • default_installation_id (optional) - A default installation that provides access to Github APIs for providers that are not authenticated via Github App.

For self-hosted Github Enterprise installations, base_url and api_url can be set to match the github installation.

Github users are automatically mapped to any groups in Terrareg that are named after organisations that they are named after. E.g. User testuser, who is a member of the testorg organisation would be mapped to the groups testuser and testorg Terrareg group, if they exist.

Setup Github app

To setup the application for Github, goto https://github.com/settings/apps/new (or https://github.com/organizations/<organisation>/settings/apps)

Configure the following:

In this example, the "provider source" "name" will be "github-terra-example", be sure to replace this with the chosen provider source name.

From the created app landing page, obtain the App ID and Client ID from the "about" section of the page to populate the app_id and client_id configurations.

Generate a client secret:

  • Click "Generate a new client secret"
  • Copy the value from the client secret to populate client_secret

Once created, generate a private key (this is not currently used, but will be in future):

  • On the same page, find Private keys and click "Generate a private key"
  • Download the file and make the file accessible to the Terrareg installation, set in private_key_path
Github namespace mapping

If auto_generate_namespaces is enabled, namespaces are automatically created for the logged in Github user and all organisations that they are an owner of.

The user has full permissions to each of these namespaces, allowing them to create modules/providers in them.

Default Github authentication

Terrareg can be used in two use cases for using Github as a provider source:

  1. Owners of Terraform providers authenticate to Terrareg.
  • These users add their own providers to Terrareg and manage them.
  1. Terrareg administrators add providers from Github that they do not maintain.

Both of these can be used simulatiously and Terrareg will authenticate using the Github App authentication, when a user authenticates via Github and uses the default authentication for the second use case.

For the second case, authenticating to Terrareg via Github will not provide the necessary permissions to create providers and index versions. To achive this, Terrareg must be provided with a means to authenticate to Github to query the APIs.

This can be performed by setting one of the two provider source configurations:

  • default_installation_id - The created Github app for Terrareg can be 'installed' to a user/organisations profile. Once this has been performed, the "installation ID" can be provided to Terrareg.
  • default_access_token - A personal access token can be provided to Terrareg, which will be used.

Disable Unauthenticated Access

Unauthenticated access can be disabled, enforcing all users to authenticate to use Terrareg, by disabling the setting ALLOW_UNAUTHENTICATED_ACCESS.

Disabling unauthenticated access requires Terraform to authenticate to obtain modules, see below.

Enabling Terraform authentication

Terraform can authenticate to the registry via the built-in authentication mechanisms of Terrareg. That is, Terraform attempts to authenticate to Terrareg by redirecting the user to Terrareg. Terrareg ensures the user is authenticated and provides a redirect back to Terraform to finalise authentication using OpenIDC.

For Terrareg to be able to authenticate users, several configurations must be provided:

Consider reviewing the default values for:

Once these are configured, users can authenticate via terraform using:

terraform login <registry-fqdn>
# e.g. terraform login my-registry.example.com

There aren’t any published security advisories