From b2db75d3e806a3c2901b223a33c77b500938a3d7 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Wed, 20 Feb 2019 10:50:03 -0600
Subject: [PATCH] Elasticsearch: Update locations for apache virtual host

This begins to break out the various location paths for the Elasticsearch apache-proxy virtual host. These include:
- Deny all access to the update document api
- Deny all access to the update by query api
- Deny all access to the delete by query api
- Prohibit the DELETE method on all document api endpoints
This helps ensure that documents can't be updated or deleted once indexed into Elasticsearch
Change-Id: Iaa97a9f7699a47d13c25b9e2e4249c37c29e4559
---
 elasticsearch/values.yaml | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 15978c0c5..928502baf 100644
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -244,6 +244,7 @@ conf:
 Listen 80
+ LoadModule allowmethods_module modules/mod_allowmethods.so
 LoadModule mpm_event_module modules/mod_mpm_event.so
 LoadModule authn_file_module modules/mod_authn_file.so
 LoadModule authn_core_module modules/mod_authn_core.so
@@ -324,8 +325,6 @@ conf:
 ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
 ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
-
-
 AuthName "Elasticsearch"
 AuthType Basic
 AuthBasicProvider file ldap
@@ -334,7 +333,35 @@ conf:
 AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
 AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
 Require valid-user
-
+
+ # Restrict access to the Elasticsearch Update API endpoint to prevent modification of indexed documents
+
+ Require all denied
+ # Restrict access to the Elasticsearch Update By Query API Endpoint to prevent modification of indexed documents
+
+ Require all denied
+ # Restrict access to the Elasticsearch Delete By Query API Endpoint to prevent deletion of indexed documents
+
+ Require all denied
+
+ # Prohibit DELETE methods on the document API endpoint
+
+ AllowMethods GET POST OPTIONS
+ ProxyPass http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+ ProxyPassReverse http://localhost:{{ tuple "elasticsearch" "internal" "client" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}/
+ AuthName "Elasticsearch"
+ AuthType Basic
+ AuthBasicProvider file ldap
+ AuthUserFile /usr/local/apache2/conf/.htpasswd
+ AuthLDAPBindDN {{ .Values.endpoints.ldap.auth.admin.bind }}
+ AuthLDAPBindPassword {{ .Values.endpoints.ldap.auth.admin.password }}
+ AuthLDAPURL {{ tuple "ldap" "default" "ldap" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" | quote }}
+ Require valid-user
+
 log4j2: |
 status = error
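Review bot: The document-API section added at the end of the hunk re-declares `Require valid-user` after the three `Require all denied` sections, and with Apache's default `AuthMerging Off` the `Require` configuration of the last matching `<Location>`/`<LocationMatch>` section replaces that of earlier ones, so if its match pattern (the section directives do not survive in this rendering, so I cannot verify it) also covers `/_update`, `/_update_by_query` or `/_delete_by_query` paths, the denies are silently overridden; placing the deny sections after the document-API section, or scoping its pattern to exclude those suffixes, avoids that. `AllowMethods GET POST OPTIONS` also still admits POST, and the Elasticsearch index API overwrites an existing document on `POST <index>/<type>/<id>` while `_bulk` carries update and delete actions in the request body that path-based rules cannot see, so the commit message's claim that documents cannot be updated or deleted once indexed is stronger than what this configuration enforces. I would soften the comment accordingly, e.g. `# Prohibit DELETE (and PUT) on the document API; POST to an existing id and _bulk update/delete actions are not blocked here`. The enclosing httpd configuration block starts and ends outside the hunk.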