Merge pull request #257 from GSA/jf/db-ssl

SSL for local dev DB

.env_example

@@ -1,36 +1,74 @@
 # JWT secret key: For local testing, the value doesn't matter. In production,
-# this needs to be populated with a randomly generated key (see README.md).
-# This will be used to sign the JWT.
+# this needs to be populated with a randomly generated key. This will be used
+# to sign the JWT.
+#
+# Deployment TL;DR: Set this in the app's environment secrets.
+
 JWT_SECRET="something_hard_to_guess"
 
+
+# Log level: Customize the logging level. By default, it's INFO. This can be
+# set to any of the Python logging module's levels.
+#
+# Deployment TL;DR: Don't set this manually anywhere.
+
+# LOG_LEVEL="INFO"
+
+
 # SMTP server to use for sending emails to users. For development, you can
 # create an Ethereal account to test emails (https://ethereal.email/). In
 # production, refer to the README.md file for instructions.
+#
+# Deployment TL;DR: Set these in the app's environment variables.
+
 SMTP_SERVER="smtp-relay.gmail.com"
 SMTP_PORT=587
 
-# SMTP authentication: Not needed if using a trusted SMTP relay
+
+# SMTP authentication: Not needed if using a trusted SMTP relay. For local
+# development, you can set these to the username/password of the test email
+# server (e.g., Ethereal Email).
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 # SMTP_PASSWORD="EXAMPLE"
 # SMTP_USER="[email protected]"
 
-# These already have default values in config.py, but you can override them
-# here if needed.
+# Email settings: These already have default values in config.py, but you can
+# override them here if needed.
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 # EMAIL_FROM="[email protected]"
 # EMAIL_FROM_NAME="GSA SmartPay"
 # EMAIL_SUBJECT="GSA SmartPay Training"
 
+
 # Datastores: For local testing, these defaults should be fine. In production,
 # these will be automatically populated from the cloud.gov VCAP_SERVICES data.
+#
+# Deployment TL;DR: Don't set these manually anywhere.
+
 REDIS_HOST="localhost"
 REDIS_PORT=6379
 REDIS_PASSWORD=""
 DB_URI="postgres://postgres:postgres@localhost:5432/postgres"
 
-# Base URL: The app needs to know what base URL to append to links. The default
-# is fine for local development. In production, this needs to be set to the
-# live website's URL.
+
+# Base URL: The app needs to know what base URL to append to links. In
+# production, this needs to be set to the live website's URL.
+#
+# Deployment TL;DR: Set this in the app's environment variables.
+
 BASE_URL="https://training.smartpay.gsa.gov"
 
-# These are configured via config.py, but you can override them here if needed.
+
+# OAuth server information. In production, AUTH_CLIENT_ID will be populated by
+# The VCAP_SERVICES data. AUTH_AUTHORITY_URL needs to be set appropriately in
+# each environment.
+#
+# Deployment TL;DR: Don't set AUTH_CLIENT_ID manually anywhere. Set
+# AUTH_AUTHORITY_URL in the app's environment variables.
+
 AUTH_CLIENT_ID="test_client_id"
 AUTH_AUTHORITY_URL="http://localhost:8080/uaa"

README.md

@@ -31,11 +31,9 @@ npm run build:frontend
 
 ### Service dependencies
 
-This app depends on Redis to support the temporary tokens used for verification emails. It also uses PostgreSQL as a main data store. For administrator logins, the app requires an OAuth server. To start up local services:
+This app depends on a few services. For local development, these services have been neatly packaged into a Docker Compose stack. First, optionally edit `dev/uaa/uaa.yml` to create your own test user accounts (see the `scim.users` section of that file). Then to run the services:
 
 ```sh
-docker-compose up
-# Or to run them in the background:
 docker-compose up -d
 ```
 

dev/db/Dockerfile

@@ -0,0 +1,6 @@
+# For best results, match version in use by cloud.gov RDS
+FROM postgres:12
+
+ADD generate-cert.sh /tmp/generate-cert.sh
+
+RUN /tmp/generate-cert.sh

dev/db/generate-cert.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Generating SSL certificate..."
+
+set -euo pipefail
+
+openssl req \
+  -new -x509 -days 3650 -nodes \
+  -subj /CN=localhost \
+  -out /var/lib/postgresql/server.crt \
+  -keyout /var/lib/postgresql/server.key
+
+chown postgres:postgres /var/lib/postgresql/server.{crt,key}
+chmod 600 /var/lib/postgresql/server.{crt,key}

docker-compose.yaml

@@ -1,43 +1,35 @@
 version: '3.8'
+
 services:
+
   redis:
     image: redis:6.2-alpine
     ports:
       - "6379:6379"
+
   db:
-    image: postgres:12  # For best results, match version in use by cloud.gov RDS
+    build:
+      context: ./dev/db
+    command: >
+      -c ssl=on
+      -c ssl_cert_file=/var/lib/postgresql/server.crt
+      -c ssl_key_file=/var/lib/postgresql/server.key
     ports:
       - "5432:5432"
     environment:
       - POSTGRES_PASSWORD=postgres
+
   adminer:
     image: adminer
     ports:
       - "8432:8080"
     depends_on:
       - db
+
   uaa:
     build:
-      context: .
-      dockerfile: Dockerfile.uaadev
+      context: ./dev/uaa
     ports:
       - "8080:8080"
     volumes:
-      - ./uaadev.yml:/tmp/uaa/uaa/src/main/resources/uaa.yml:ro
-  # api:
-  #   build:
-  #     context: .
-  #   ports:
-  #     - "8000:8000"
-  #   volumes:
-  #     - ./:/usr/src/app
-  #   depends_on:
-  #     - redis
-  #     - db
-  # web:
-  #   build:
-  #     context: ./training-front-end
-  #   ports:
-  #     - "3000:3000"
-  #   volumes:
-  #     - ./training-front-end:/usr/src/app
+      - ./dev/uaa/uaa.yml:/tmp/uaa/uaa/src/main/resources/uaa.yml:ro