Production Architecture of the ReStructure Platform - consected/restructure GitHub Wiki

Production Architecture of the ReStructure Platform

Introduction

This document provides an overview of the architecture of ReStructure as it is typically deployed in a production environment.

ReStructure allows the configuration of multiple web apps, supporting distinct business needs. All the web apps have the same shared codebase, and are differentiated by the specific application configurations that they support, data they share, and the users that access them.

Communications and Storage

AWS Architecture

Application Server Environment

The application is implemented using Ruby on Rails with the following environment:

  • Ruby 2.7 (current patch)
  • Rails 5.2
  • Puma (or optionally Passenger Standalone) application server
  • NGINX reverse proxy
  • Memcached for local in memory data caching
  • Delayed Job background processing, mirroring the Rails environment
  • AWS Elastic Beanstalk running on an EC2 instance with Amazon Linux 2

Rails Architecture

Front-End Application

The front-end is a reactive JavaScript application that pulls data from the application server. All of its code is hosted by the application server rather than a CDN. This is also true for third-party libraries, ensuring that external changes cannot unknowingly introduce security issues or cookie / session tracking.

User and Admin Authentication

Profiles for end-users and administrators are managed separately. A user that requires administrative access to the app must explicitly log in to an admin-specific login page using a separate admin profile. User and admin sessions are managed separately.

Both user and admin profile logins require the entry of a username, password and one-time token, generated using a smartphone authenticator app that supports TOTP, the Time-Based One-Time Password Algorithm (RFC 6238). Only administrators can create or reset two-factor authentication (2FA) secrets.

Users cannot reset forgotten passwords; they can only change a known password while logged in. They must contact an administrator to reset a forgotten password.

Admins can create new user profiles and reset user passwords. In both cases, the new user password is displayed in the app once only, and must be delivered to the end-user through a secure mechanism such as HMS Secure File Transfer (Accellion).

Admin profiles cannot be created within the app environment. Only users with operating system sysadmin privileges can add new administrators or reset their forgotten passwords, by running a specific script.

User and admin accounts are stored in the RDS database in the tables users and admins respectively. Passwords are securely hashed using bcrypt and cannot be created outside of the app. Two-factor authentication secrets are encrypted with AES-256-GCM for storage.
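As an added illustration, not ReStructure's own code (the project relies on Devise extensions for this), the following standard-library Ruby sketch shows the two mechanisms this section names: RFC 6238 TOTP verification with a one-step clock-drift window, and AES-256-GCM protection of the stored 2FA secret with the account row's identity bound in as authenticated data. Function names, the `users:<id>` binding string and the drift window are assumptions for the example.

```ruby
require 'openssl'

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamic truncation,
# six digits. `secret` is the raw key (Base32-encoded in the enrolment QR code).
def totp_code(secret, unix_time, step: 30, digits: 6)
  counter = [unix_time / step].pack('Q>')                # 8-byte big-endian
  hmac = OpenSSL::HMAC.digest('SHA1', secret, counter)
  offset = hmac.getbyte(19) & 0x0f
  code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
  code.to_s.rjust(digits, '0')
end

# Constant-time comparison: response time must not reveal matching digits.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept the current step and one either side for phone/server clock skew.
# Callers should additionally refuse to accept the same code twice.
def totp_valid?(secret, submitted, unix_time, step: 30, drift: 1)
  (-drift..drift).any? do |d|
    secure_equal?(totp_code(secret, unix_time + d * step, step: step), submitted)
  end
end

# AES-256-GCM for the stored secret: fresh 12-byte IV per encryption, 16-byte
# tag kept with the ciphertext, and `aad` (e.g. the account id) bound in as
# additional authenticated data so a ciphertext copied to another row fails.
def encrypt_secret(key, secret, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(secret) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Plaintext secret, or nil when the tag check fails (tampering, wrong key or
# wrong row binding).
def decrypt_secret(key, blob, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = aad
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end
```

The 32-byte GCM key would live in the app's secret store, never in the database beside the ciphertext it protects.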

Details of user and password management are found in the document User Management for AWS and Zeus Applications.

App API

The app provides a JSON API, allowing batch / command line access to app functionality. API users are defined and granted access controls in the same manner as regular users. Authentication uses a shared secret, managed by a gem called simple_token_authentication.

Virus Scanning

Virus scanning is provided by Sophos Antivirus for Linux version 9. Details of the product are found at: https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

Scanning is configured to scan files when they are stored to or requested from the file system. The virus definitions database is updated automatically every hour, directly from Sophos servers.

Exception Logging

Web / app server log files are disabled, except for fatal conditions that cause the application server to terminate, mitigating the leakage of sensitive information into logs.

Instead, any app exceptions that are reported to the end user are also stored to a table in the RDS database, which provides secured storage and backups.

Action Logging

Action logging is implemented for user and administrative actions, with actions stored to the appropriate app database tables in the secure RDS instance. These tables record the action performed and, for data changes, a history of all values at every commit, captured through database triggers.

Any table that receives user or admin updates has a corresponding history table. On insert or update to the primary table <record_types>, a database trigger inserts a row into the corresponding <record_type>_history table. All records are time-stamped in both tables, and the id of the user whose action led to the update is recorded. Using database triggers ensures that updates performed outside of the app are also recorded.

Every user action performed on the app that leads to a server request is recorded:

  • User authentication attempt

    User login, logout, password change, 2FA secret change and failed login attempts are recorded, with the source IP address, to the user_history table.

  • Admin authentication attempt

    Admin login, logout, password change, 2FA secret change and failed login attempts are recorded, with the source IP address, to the admin_history table.

  • Search records

    The action requested, and the ids of the records returned, are recorded to the user_action_logs table.

  • Show a record

    The action requested, and the id of the record shown, are recorded to the user_action_logs table.

  • Edit / Create a record

    The action requested, and the id of the record affected, are recorded to the user_action_logs table. The specific <record_type>_history table is automatically updated through database triggers.

No user or admin actions lead to records being deleted from the database. Where the effect of deletion is required, a disabled flag is set on the record; this is stored as an update in the database, and the server hides the record from regular viewing.

Storage Encryption

All EC2 volumes are set to be encrypted by default, so no instances can be created with unencrypted storage. This is set in the EC2 console under Account Attributes | Settings.

Temp storage is used during the upload and download of files via the web UI. The entire local storage volume for the machine is encrypted, ensuring all local files, temp files and cached EFS/NFS files are encrypted at rest.

Appendices

Related Documents

GitHub repository managing ReStructure project

https://github.com/consected/restructure

Rails References

Securing Rails Applications

Official guide to Ruby on Rails

https://guides.rubyonrails.org/security.html

Devise Gem

Widely used component for managing user authentication

https://github.com/plataformatec/devise

Devise-two-factor

Extension to Devise to support two-factor authentication

https://github.com/tinfoil/devise-two-factor

Simple_token_authentication

Extension to Devise to support API tokens

https://github.com/philayres/simple_token_authentication

Amazon and App Specific Terms

VPC (Virtual Private Cloud)

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

EC2 (Elastic Compute Cloud; in this case a single virtual server instance)

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers.

Elastic Beanstalk

With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk provides pre-built application server environments with tools for deployment and configuration.

Security Group

A security group acts as a virtual firewall that controls the traffic for one or more EC2 instances. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. When AWS decides whether to allow traffic to reach an instance, it evaluates all the rules from all the security groups that are associated with the instance.

EFS (Elastic File System)

Provides a simple, scalable, elastic file system through a standard NFS 4.x connection. It is built to scale on demand, growing and shrinking automatically as you add and remove files. Amazon EFS is a fully managed service that provides encryption in transit and encryption at rest.

RDS (Relational Database Service)

Makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups.

Simple Email Service

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed for notification and transactional emails.

Simple Notification Service (SNS)

Amazon Simple Notification Service (SNS) is a pub/sub messaging service. It provides push messaging via SMS.

S3

Amazon Simple Storage Service (Amazon S3) provides an object storage service, with encryption of objects at rest. S3 is the default storage for database snapshots, application configurations and log backups.

CloudWatch

Amazon CloudWatch is a monitoring and management service, used to monitor servers within the AWS VPC and to access logs generated by S3 and SNS.

Root Volume

The root volume for the EC2 instance provides the entire local storage for the machine. This is an AWS Elastic Block Storage (EBS) device, encrypted on creation when a specially configured Amazon Machine Image (AMI) is used for creation of the Elastic Beanstalk EC2 instance.

Puma

The application server running the Ruby on Rails application. Puma is automatically installed and managed by Amazon in the Elastic Beanstalk environment.

NOTE: previously, Phusion Passenger Standalone was used as the app server; in environments that require it, it may still be used instead of Puma.

NGINX

NGINX acts as the web server, proxying all app requests to Puma and serving static assets directly from certain configured directories on the filesystem. NGINX is automatically installed and managed by Amazon in the Elastic Beanstalk environment.