Add secure S3 connection test.

Author: guzman-raphael

LNX-docker-compose.yml

@@ -18,7 +18,7 @@ services:
       - DJ_TEST_HOST=db
       - DJ_TEST_USER=datajoint
       - DJ_TEST_PASSWORD=datajoint
-      - S3_ENDPOINT=minio:9000
+      - S3_ENDPOINT=fakeminio.datajoint.io:9000
       - S3_ACCESS_KEY=datajoint
       - S3_SECRET_KEY=datajoint
       - S3_BUCKET=datajoint-test
@@ -70,5 +70,26 @@ services:
       timeout: 5s
       retries: 60
       interval: 1s
+  fakeminio.datajoint.io:
+    <<: *net
+    image: nginx:alpine
+    environment:
+      - URL=datajoint.io
+      - SUBDOMAINS=fakeminio
+      - MINIO_SERVER=http://minio:9000
+    entrypoint: /entrypoint.sh
+    healthcheck:
+      test: wget --quiet --tries=1 --spider https://fakeminio.datajoint.io:443/minio/health/live || exit 1
+      timeout: 5s
+      retries: 300
+      interval: 1s
+    # ports:
+    #   - "9000:9000"
+    #   - "443:443"
+    volumes:
+      - ./tests/nginx/base.conf:/base.conf
+      - ./tests/nginx/entrypoint.sh:/entrypoint.sh
+      - ./tests/nginx/fullchain.pem:/certs/fullchain.pem
+      - ./tests/nginx/privkey.pem:/certs/privkey.pem
 networks:
   main:

tests/nginx/base.conf

@@ -0,0 +1,47 @@
+server {
+  listen 9000;
+  server_name {{SUBDOMAINS}}.{{URL}};
+  client_max_body_size 0;
+  proxy_buffering off;
+  ignore_invalid_headers off;
+  
+  location / {
+    access_log off;
+    proxy_http_version 1.1;
+    proxy_set_header Host $http_host;
+    proxy_pass {{MINIO_SERVER}};
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name {{SUBDOMAINS}}.{{URL}};
+  client_max_body_size 0;
+  proxy_buffering off;
+  ignore_invalid_headers off;
+
+  ssl_certificate /certs/fullchain.pem;
+  ssl_certificate_key /certs/privkey.pem;
+
+  # session settings
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+
+  # protocols
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+  # OCSP Stapling
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  resolver 127.0.0.11 valid=30s; # Docker DNS Server
+
+  location / {
+    access_log off;
+    proxy_http_version 1.1;
+    proxy_set_header Host $http_host;
+    proxy_pass {{MINIO_SERVER}};
+  }
+}

tests/nginx/entrypoint.sh

@@ -0,0 +1,26 @@
+#! /bin/sh
+
+sed "s|{{SUBDOMAINS}}|${SUBDOMAINS}|g" /base.conf | tee /etc/nginx/conf.d/base.conf
+sed -i "s|{{URL}}|${URL}|g" /etc/nginx/conf.d/base.conf
+sed -i "s|{{MINIO_SERVER}}|${MINIO_SERVER}|g" /etc/nginx/conf.d/base.conf
+# tail -f /dev/null
+
+nginx -g "daemon off;"
+# nginx
+
+# echo "Waiting for initial certs"
+# while [ ! -d /etc/letsencrypt/archive/${SUBDOMAINS}.${URL} ]; do
+#     sleep 5
+# done
+
+# echo "Enabling SSL feature"
+# mv /ssl.conf /etc/nginx/conf.d/ssl.conf
+# nginx -s reload
+
+# inotifywait -m /etc/letsencrypt/archive/${SUBDOMAINS}.${URL} |
+#     while read path action file; do
+#         if [ "$(echo $action | grep MODIFY)" ] || [ "$(echo $action | grep CREATE)" ] || [ "$(echo $action | grep MOVE)" ]; then
+#             echo "Renewal: Reloading NGINX since $file issue $action event"
+#             nginx -s reload
+#         fi
+#     done

tests/nginx/fullchain.pem

@@ -0,0 +1,64 @@
+-----BEGIN CERTIFICATE-----
+MIIGZDCCBUygAwIBAgISA10k5JmyN2nyzqvMRyO2LntJMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTEwMjEyMTAwMjFaFw0y
+MDAxMTkyMTAwMjFaMCExHzAdBgNVBAMTFmZha2VtaW5pby5kYXRham9pbnQuaW8w
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDYwRR1YoZ1pJgZO+oU6zla
+47UiTnMO2KwYaS3VAPa1ks9nmQBInH7nA3i3wIzCiX+CeKCsiaKsjA5xlQmtmeM4
+FrL5U1ZBUyhroowRSluVyni9g3uJO/NG29BiWU+NBcwtsApbVUXRp4v9BQ2KgRZS
+KhK74XLXu1/6NRl3sjzye6MkfTo1rkzmm+pnFvBDkPEdI8/R7mBTQFXTSXzrqo+5
+ZNBY3sYWpGVrLOi+LRvFJR6kNs1z1cxOYGXQRMBFNMyu4xZAYDaowR+HVQ0OsQYw
+90PeuakMyB5qeIPe1zelfqP+/HO6L9MTZdLKBNm5YkJYrVm2YD5BcVCDJeUkAact
+DKW/AX2FL983D0WepM4mPm1MuRqpYVSEne3eeA4/Gm8TVpmqQyuW10HJbCsgZR9g
+X/gokz54uguHu7SZHvLuadoWzxMADFSvbOoM52rFgCsKeZecNDi9H54yAHlhjIj7
+Fs9zVRkELil5U2Fnolw8gOyfV/2ghqor8Y4950fcuy9DldcKeCmpjjGoemff/REL
+p4tgib+XAX/3bVmfgW4aTW1RoQ+duThfPovzumPXxffXNrRlstX7IaR/Asz0bhSJ
+C91vmemedgyExcUSuyqX2qzJrgdx5TCBpP+J47b5oHdjS9uWeg5BX7JpofiR/klP
+5OADP/F2a68aWgox7Z+CRQIDAQABo4ICazCCAmcwDgYDVR0PAQH/BAQDAgWgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
+DgQWBBSZJjFCP4IjST+FfsC54OKupBDWYTAfBgNVHSMEGDAWgBSoSmpjBH3duubR
+ObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9v
+Y3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9j
+ZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMCEGA1UdEQQaMBiCFmZha2VtaW5p
+by5kYXRham9pbnQuaW8wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB
+AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEE
+BgorBgEEAdZ5AgQCBIH1BIHyAPAAdwCyHgXMi6LNiiBOh2b5K7mKJSBna9r6cOey
+SVMt74uQXgAAAW3wVdvZAAAEAwBIMEYCIQDeOafRS+nnooUWcFQlH82sK2lTrR3N
+uJqKJLIeoJdJVwIhAI+tVJJ103wbH6bC/ZwuRDlB/Omya0QwwO4m4Af4u/SEAHUA
+8JWkWfIA0YJAEC0vk4iOrUv+HUfjmeHQNKawqKqOsnMAAAFt8FXd3gAABAMARjBE
+AiAD8IITk6e1Ms01r2SUBUwaIwAA5z6NqYK8YBudhHRU6gIgBAzTx3OLwKo7aOjY
+8rf03Mcttz72VDI1dIDPt9vXxEcwDQYJKoZIhvcNAQELBQADggEBAFeAxIE70OgD
+1hx34hdJzfSOPUm3bjReUdfif6LTNYhEK1KjEKDwNK7r978t3wcOuxuJAwBdClzE
+dE/7EfuZilXWjVJ2La4J0DdQcrjt+O4bvFghNTWsOoYl5X0LzgKZLbl/9hvK8cE3
+/d3Pjf0zHflT0pJYjLP89ntwKJdFsAjFQc1+kX85SehYIj9c7t/W5/9MDhtebtvj
+Os1inUb4l15jbGTO3po8tPmmHLAvfTM6d/KIGueLHAn63EzCg1tmnQUjhhM1Zyzl
+Djdshrw0nr6BFOJvw/h/DYo6MqtLuTlrVjfdULjkqH5wq2wh7gqnGcQbqcI8Eixd
+SQbaP7xJreA=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----

tests/nginx/privkey.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDYwRR1YoZ1pJgZ
+O+oU6zla47UiTnMO2KwYaS3VAPa1ks9nmQBInH7nA3i3wIzCiX+CeKCsiaKsjA5x
+lQmtmeM4FrL5U1ZBUyhroowRSluVyni9g3uJO/NG29BiWU+NBcwtsApbVUXRp4v9
+BQ2KgRZSKhK74XLXu1/6NRl3sjzye6MkfTo1rkzmm+pnFvBDkPEdI8/R7mBTQFXT
+SXzrqo+5ZNBY3sYWpGVrLOi+LRvFJR6kNs1z1cxOYGXQRMBFNMyu4xZAYDaowR+H
+VQ0OsQYw90PeuakMyB5qeIPe1zelfqP+/HO6L9MTZdLKBNm5YkJYrVm2YD5BcVCD
+JeUkAactDKW/AX2FL983D0WepM4mPm1MuRqpYVSEne3eeA4/Gm8TVpmqQyuW10HJ
+bCsgZR9gX/gokz54uguHu7SZHvLuadoWzxMADFSvbOoM52rFgCsKeZecNDi9H54y
+AHlhjIj7Fs9zVRkELil5U2Fnolw8gOyfV/2ghqor8Y4950fcuy9DldcKeCmpjjGo
+emff/RELp4tgib+XAX/3bVmfgW4aTW1RoQ+duThfPovzumPXxffXNrRlstX7IaR/
+Asz0bhSJC91vmemedgyExcUSuyqX2qzJrgdx5TCBpP+J47b5oHdjS9uWeg5BX7Jp
+ofiR/klP5OADP/F2a68aWgox7Z+CRQIDAQABAoICAQCUADqE8HJZL7r/N+7cu8Sc
+7/CFbUWY9I+F14OI9rB+SLE/zrPn4JuyB6fM6Df0uUgMgWtMhGpEIRnXqmlCVVpV
+uQIZxjKWRj7KR+IWCEzC2c5ZsMaQbRPu5TbDgLIV28iPxa08sdwLjLjEWkfls8DW
+9411JjpxXarqQImUNmrxM0SxLKSrdMljiUCjhYEm0XghaouDj53MGpi/vWUD0aFz
+eIfetrZRTY1GghKlkE1u7qqefCELIAfx2FaMv/T9DFFadQqDiG6qCbwKfyN8TZmp
+o5x/Hwx0Aszp7EI2zYNciD1YZW5ryi35B8THVkqID7S3sh4Yrlyz+Lh95EkyrcJE
+eavIuVLqEemApmXQTd04k8OI7o6ilY4WPUlfp2SNW0lLCTG24ynvQZVMUszNU2kN
+iRJVMhuL15H3CcmYrjYPSTW69DpmJH9YXfIRjeTm1uhCfxRNlSxVTcxBryBfXpzR
+XXK0vnZ6c9gnbGfESVUpoywiNNg2aqWkhVy+fYsFtfKZW3OvkXBeruXfQ+uyHAQn
+DPVcIqfolqqQ/iShMtqXC0TY3zhFsBUOJJANakSU4iYHWvcOgNiaPqQ4zFkv8ya5
+gUxEPmRXY9CWw3fyYNOIeNJtlAbHofh0ozjVS51usBriPoa+DTzKAZgTiPNB4b/l
+sdxMjZWp5Myyc75Pz4a7XQKCAQEA72+OcYlZwnX1EedlVf9MtSHxGxqEd3IOs95f
+Z1E6JRIf0JYAivApQVBQGwJx9lnbxuNLxv7sH/fjAeZ+2cTRHnTMmOXTSGB8MyNm
+c9cBCnshbwiPzuxZBldqY4vIKSxEMakBSjcg5R80+SazjN4ah+WQ3cY0jE3wWWDc
+GxaUss6Dm40ObTJTszkoGjOEsz27d8Op80gjQL271Q19X/XEZz+gL4GqDzqgTKKC
+/lAE5BNAmAlezwciAfRFWghT0WmumRhbRd91ubTqLbEZ9iBSi2K0K0QWSLGAjhym
+J88N14WTOHsOBYmGdnHw+IvN4g+WEdlH+kOP2tsBbL3WtFA+zwKCAQEA57/UcI9j
+yijAp4w3DkHaOQ89YGPZ5sNP4VsOlxE2uvYinrrGGHOGGKv48o2okVKwvqIxevUJ
+PvZyXfWzBbn9prd33SRD9UmLMs44v+m2ZiqCq90SEt+luKStnBqf7szBoyMx6VEy
+qNfEmpTb+XmzAp9mNLqyCSGMQfacqENRTmp3wg8cl+1OXYQiPzluRwDrRt9llMda
+aBLzEXu0nV9QOBzFLJnUJt85YMHHOEmUy84wRN8/2ME7bEC8XWKcesjz0HASKvMW
+oOTY2mmOR0BwdDZFRuAxUCsw6sguk58jqaGiQWampk63+tqxHsbbr4UoZD46BGL3
+hnb6ftkhbXUSqwKCAQAHd7c9m0cNZZhrIohqkjfWPmTCr6UKBKiou3rGQiZKGbKc
+UtFZg/wFaXfWH9FmGY9dOKGYZ0L+DEEsQgAa0qSjComHC0P3seqtvaDoZABIT2bP
+i7jQf1aXeAp9aFKp1hOaaOb9ZZLFEqAYVTisYBD7xBEsmY3yAkxIvVigD6g7m21H
+YLLefP9XS6UQjCLLZFWAer3GNK3EyyYckvsiDww9HCLm2GhxaSauvTLQs7YzVtZg
+54npcxOAdBnloPTcRyuG4teV6k5FqHrVSfzBTGjGqCFuaAU55y9XP1V/UFniKuxY
+ip35Vjy3XP5jAhk9v7ayf9Ba4diOvt3ggls77HTJAoIBAGuFPsTyYfP7MFcL4MdG
+mj566Zj8+q3r0/XUT1Kbc+8OH0XRlfLmNkLgFuJCAwFZghMQITDQ2vdRVAJv6h0w
+C5T77iq1lqoI8wIhV4cCodOIyZN/P9Ft3e9qx/lzCNy8NuK/g3qiZ4SahubJRb3b
+TshauAqiy9Mcs3wvNMOEaAafsuxgIn4CZadRlKoMtTNQI9h/8Rsz2qgKkqd743JY
+NFm0T26/+AQI8RAJF6rvyI8+HHr3sSGZlT5GUp5pD/yPmz8LoAI5QjhntIyxCIfa
+R9JDE6UsgvSU9V8YfTOUU/FxwlvhilQCla1XJXIIBQjMGM9ZZ4V9fSXvsYyEpNOp
+y30CggEAXXV+cfN34HLs9S/aDtAXm/EhzOmyu0mNG9lhHPkDd+8BjB81TyBc1xqm
+K9k4nk2MUeU/c76+faApBgUHdXz4uSTOS5bpWFZSIQE5mZIyu8PmJbVUvVb78fVa
+NecgVDyHBPf1PnkqNiEZCc+Xr6zETQAaXQ+up1ZtKMoD3HLOG0vTveUhWVuXUWJP
+J3bNJ5+mJJFqzmmBJBtwVUSnCx0R6huazS72MwGalD37k8r8hisSkNEUK+71shTu
+jaWJfTxTUxpbVIthSRKvNTaItViI2L1lj3QK3DV73Im14V95lFf0Mcwofh8yZYCh
+SpXBFze8WyIAus/apQ1sZX/fKnkNNg==
+-----END PRIVATE KEY-----

tests/test_s3.py

@@ -24,3 +24,21 @@ def test_connection():
             http_client=http_client)
 
         buckets = minio_client.list_buckets()
+
+    @staticmethod
+    def test_connection_secure():
+
+        # Initialize httpClient with relevant timeout.
+        http_client = urllib3.PoolManager(
+            timeout=30, cert_reqs='CERT_REQUIRED', ca_certs=certifi.where(),
+            retries=urllib3.Retry(total=3, backoff_factor=0.2, status_forcelist=[500, 502, 503, 504]))
+
+        # Initialize minioClient with an endpoint and access/secret keys.
+        minio_client = Minio(
+            S3_CONN_INFO['endpoint'].split(':')[0] + ':443',
+            access_key=S3_CONN_INFO['access_key'],
+            secret_key=S3_CONN_INFO['secret_key'],
+            secure=True,
+            http_client=http_client)
+
+        buckets = minio_client.list_buckets()