task(many): Investigate adding auth to redis connection

Because:
- We want a poc that auth can be added to redis

This Commit:
- Configures all configs to support a redis password
- Sets the standard env for redis auth to REDIS_PASSWORD
- Creates a default redis password of 'fxa123' for local dev
- Starts redis container with --requirepass fxa123

.circleci/config.yml

@@ -101,10 +101,12 @@ executors:
       - image: jdlk7/firestore-emulator
       - image: memcached
       - image: redis
+        command: --requirepass fxa123
     environment:
       NODE_ENV: development
       FIRESTORE_EMULATOR_HOST: localhost:9090
       CUSTOMS_SERVER_URL: none
+      REDIS_PASSWORD: fxa123
 
   # For anything that needs a full stack to run and needs browsers available for
   # ui test automation. This image requires a restored workspace state.
@@ -117,6 +119,7 @@ executors:
     docker:
       - image: mozilla/fxa-circleci:ci-functional-test-runner
       - image: redis
+        command: --requirepass fxa123
       - image: memcached
       - image: pafortin/goaws
       - image: cimg/mysql:8.0.28
@@ -142,6 +145,7 @@ executors:
       REACT_CONVERSION_POST_VERIFY_OTHER_ROUTES: true
       REACT_CONVERSION_POST_VERIFY_CAD_VIA_QR_ROUTES: true
       CUSTOMS_SERVER_URL: none
+      REDIS_PASSWORD: fxa123
 
   # Contains a pre-installed fxa stack and browsers for doing ui test
   # automation. Perfect for running smoke tests against remote targets.

_scripts/redis.sh

@@ -1,3 +1,3 @@
 #!/bin/bash -ex
 
-docker run --rm --name redis-server --net fxa -p 6379:6379 redis
+docker run --rm --name redis-server --net fxa -p 6379:6379 redis --requirepass fxa123

packages/123done/server.js

@@ -11,7 +11,9 @@ const version = require('./version');
 const logger = morgan('short');
 
 // create a connection to the redis datastore
-let db = new Redis();
+let db = new Redis({
+  password: process.env.REDIS_PASSWORD || 'fxa123',
+});
 
 db.on('error', function () {
   // eslint-disable-line handle-callback-err

packages/fxa-admin-server/src/database/database.service.ts

@@ -103,8 +103,16 @@ export class DatabaseService implements OnModuleDestroy {
     this.connectedServicesDb = new ConnectedServicesDb(
       mySqlOAuthShared,
       new ConnectedServicesCache(
-        new RedisShared(redisConfig.accessTokens, logger, metrics),
-        new RedisShared(redisConfig.refreshTokens, logger, metrics),
+        new RedisShared(
+          { password: redisConfig.password, ...redisConfig.accessTokens },
+          logger,
+          metrics
+        ),
+        new RedisShared(
+          { password: redisConfig.password, ...redisConfig.refreshTokens },
+          logger,
+          metrics
+        ),
         new RedisShared(
           { ...redisConfig, ...redisConfig.sessionTokens },
           logger,

packages/fxa-auth-server/lib/oauth/db/redis.js

@@ -32,13 +32,15 @@ class OAuthRedis extends ConnectedServicesCache {
   constructor() {
     super(
       redis({
+        password: config.get('redis.password'),
         ...config.get('redis.accessTokens'),
 
         // TOOD: Once validated, rely values present in redis.accessTokens instead.
         enabled: true,
         maxttl: config.get('oauthServer.expiration.accessToken'),
       }),
       redis({
+        password: config.get('redis.password'),
         ...config.get('redis.refreshTokens'),
       }),
       undefined,

packages/fxa-auth-server/test/local/payments/stripe.js

@@ -145,6 +145,7 @@ const mockConfig = {
 const mockRedisConfig = {
   host: process.env.REDIS_HOST || 'localhost',
   port: process.env.REDIS_PORT || 6379,
+  password: process.env.REDIS_PASSWORD || 'fxa123',
   maxPending: 1000,
   retryCount: 5,
   initialBackoff: '100 milliseconds',

packages/fxa-auth-server/test/local/redis.js

@@ -17,6 +17,7 @@ const redis = require('../../lib/redis')(
   {
     ...config.redis.accessTokens,
     ...config.redis.sessionTokens,
+    password: config.redis.password,
     prefix,
     recordLimit,
     maxttl,

packages/fxa-auth-server/test/remote/db_tests.js

@@ -77,6 +77,7 @@ describe('#integration - remote db', function () {
     redis = require('ioredis').createClient({
       host: config.redis.host,
       port: config.redis.port,
+      password: config.redis.password,
       prefix: config.redis.sessionTokens.prefix,
       enable_offline_queue: false,
     });

packages/fxa-content-server/server/lib/configuration.js

@@ -171,6 +171,13 @@ const conf = (module.exports = convict({
         env: 'FEATURE_FLAGS_REDIS_HOST',
         format: String,
       },
+      password: {
+        default: 'fxa123',
+        doc: 'Redis password',
+        env: 'REDIS_PASSWORD',
+        sensitive: true,
+        format: String,
+      },
       initialBackoff: {
         default: '100 milliseconds',
         doc: 'Initial backoff for feature-flagging Redis connection retries, increases exponentially with each attempt',

packages/fxa-profile-server/lib/config.js

@@ -287,6 +287,13 @@ const conf = convict({
         format: 'port',
         doc: 'port for redis server',
       },
+      password: {
+        default: 'fxa123',
+        env: 'REDIS_PASSWORD',
+        format: String,
+        sensitive: true,
+        doc: 'Redis password',
+      },
     },
     useRedis: {
       default: true,

packages/fxa-profile-server/lib/server/web.js

@@ -55,6 +55,7 @@ exports.create = async function createServer() {
     cacheProvider.options.host = config.serverCache.redis.host;
     cacheProvider.options.port = config.serverCache.redis.port;
     cacheProvider.options.partition = config.serverCache.redis.keyPrefix;
+    cacheProvider.options.password = config.serverCache.redis.password;
   }
   var isProd = config.env === 'production';
   var server = new Hapi.Server({

packages/fxa-shared/db/config.ts

@@ -76,6 +76,13 @@ export function makeRedisConfig() {
       format: String,
       doc: 'IP address or host name for Redis server',
     },
+    password: {
+      default: 'fxa123',
+      env: 'REDIS_PASSWORD',
+      format: String,
+      sensitive: true,
+      doc: `Password for connecting to redis`,
+    },
     port: {
       default: 6379,
       env: 'REDIS_PORT',

packages/fxa-shared/scripts/feature-flags.js

@@ -10,6 +10,7 @@ const Ajv = require('ajv');
 const ajv = new Ajv();
 const Redis = require('ioredis');
 const redis = new Redis({
+  password: process.env.REDIS_PASSWORD || 'fxa123',
   host: process.env.REDIS_HOST || 'localhost',
   port: process.env.REDIS_PORT || 6379,
   keyPrefix: 'featureFlags:',

packages/fxa-shared/test/feature-flags/integration.js

@@ -15,6 +15,7 @@ describe('#integration - featureFlags integration:', () => {
       interval: 10000,
       host: process.env.REDIS_HOST || 'localhost',
       port: process.env.REDIS_PORT || 6379,
+      password: process.env.REDIS_PASSWORD || 'fxa123',
     };
     log = { info() {}, warn() {}, error() {} };
     featureFlags = initialise(config, log, {});

packages/fxa-shared/test/scripts/feature-flags.js

@@ -37,6 +37,7 @@ describe('#integration - scripts/feature-flags:', function () {
 
   before(async () => {
     redis = new Redis({
+      password: process.env.REDIS_PASSWORD || 'fxa123',
       host: process.env.REDIS_HOST || 'localhost',
       port: process.env.REDIS_PORT || 6379,
       keyPrefix: 'featureFlags:',