diff --git a/Dockerfile b/Dockerfile index 4e53a23e3..f50c06895 100644 --- a/Dockerfile +++ b/Dockerfile @@ -68,3 +68,79 @@ USER app WORKDIR /app CMD /go/bin/autograph +# +# With SoftHSM set up for testing +# FIXME +FROM base as autograph-app-softhsm + +RUN apt-get update && \ + apt-get -y upgrade && \ + apt-get -y install jq yq softhsm2 python3 python3-ruamel.yaml && \ + apt-get clean + +# copy the config +ADD autograph.softhsm.yaml /app/ + +# give app access to dev db root cert +ADD db-root.crt /opt/db-root.crt +RUN chgrp -vR app /opt +RUN chmod -vR 0444 /opt/db-root.crt + +# Setup SoftHSM +RUN mkdir -p /var/lib/softhsm/tokens && \ + softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000 + +# load dev keys +ADD webextensions-rsa.pem /app/src/autograph/tools/softhsm/ +ADD extensions-ecdsa-pk8.pem /app/src/autograph/tools/softhsm/ + +# Import a key pair from the given path. The file must be in PKCS#8-format. Use with --slot or --token or --serial, --file-pin, --label, --id, --no-public-key, and --pxin. +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label webextrsa4096 --id deadbeef --import /app/src/autograph/tools/softhsm/webextensions-rsa.pem +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384 --id 12345678 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-pk8.pem +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384-2 --id 11111111 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-2-pk8.pem + +# genkeys +RUN cd /app/src/autograph/tools/softhsm/ && go run genkeys.go + +# make a pki in softhsm +# then update the config +# then write the generated config and new root hash to /tmp +# we expect /tmp was mounted for exports to the monitor-hsm service +RUN cd /app/src/autograph/tools/genpki/ && \ + go run genpki.go > /app/genpki.out && \ + cd /app/src/autograph/tools/configurator && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ + -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ + -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ + -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ + cp /app/autograph.softhsm.yaml /tmp/ && \ + /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \ + cat /tmp/normandy_dev_root_hash.txt + +CMD /go/bin/autograph -c /app/autograph.softhsm.yaml + +# +# Lambda emulator +# FIXME +FROM base as autograph-lambda-emulator + +USER root + +RUN curl -Lo /usr/local/bin/aws-lambda-rie \ + https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \ + && \ + chmod +x /usr/local/bin/aws-lambda-rie + +COPY lambda-selftest-entrypoint.sh /usr/local/bin/lambda-selftest-entrypoint.sh + +USER app +ENTRYPOINT ["/usr/local/bin/aws-lambda-rie"] +CMD ["/go/bin/autograph-monitor"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 237b99332..ad1279522 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -37,7 +37,8 @@ services: container_name: autograph-app-hsm image: autograph-app-hsm build: - context: tools/softhsm/ + context: . + target: autograph-app-softhsm environment: - AUTOGRAPH_DB_DSN=host=db user=myautographdbuser dbname=autograph password=myautographdbpassword sslmode=verify-full sslrootcert=/opt/db-root.crt links: @@ -94,8 +95,8 @@ services: container_name: autograph-monitor-hsm-lambda-emulator image: autograph-monitor-lambda-emulator build: - context: tools/autograph-monitor/ - dockerfile: Dockerfile.lambda-emulator + context: . + target: autograph-lambda-emulator environment: - AUTOGRAPH_URL=http://autograph-app-hsm:8001/ - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs diff --git a/tools/autograph-monitor/Dockerfile.lambda-emulator b/tools/autograph-monitor/Dockerfile.lambda-emulator deleted file mode 100644 index 2bc095d3d..000000000 --- a/tools/autograph-monitor/Dockerfile.lambda-emulator +++ /dev/null @@ -1,14 +0,0 @@ -FROM autograph-app - -USER root - -RUN curl -Lo /usr/local/bin/aws-lambda-rie \ - https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \ - && \ - chmod +x /usr/local/bin/aws-lambda-rie - -COPY lambda-selftest-entrypoint.sh /usr/local/bin/lambda-selftest-entrypoint.sh - -USER app -ENTRYPOINT ["/usr/local/bin/aws-lambda-rie"] -CMD ["/go/bin/autograph-monitor"] diff --git a/tools/softhsm/Dockerfile b/tools/softhsm/Dockerfile deleted file mode 100644 index 9175ce596..000000000 --- a/tools/softhsm/Dockerfile +++ /dev/null @@ -1,56 +0,0 @@ -FROM autograph-app - -USER root -RUN apt-get update && \ - apt-get -y upgrade && \ - apt-get -y install jq yq softhsm2 python3 python3-ruamel.yaml && \ - apt-get clean - -# copy the config -ADD autograph.softhsm.yaml /app/ - -# give app access to dev db root cert -ADD db-root.crt /opt/db-root.crt -RUN chgrp -vR app /opt -RUN chmod -vR 0444 /opt/db-root.crt - -# Setup SoftHSM -RUN mkdir -p /var/lib/softhsm/tokens && \ - softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000 - -# load dev keys -ADD webextensions-rsa.pem /app/src/autograph/tools/softhsm/ -ADD extensions-ecdsa-pk8.pem /app/src/autograph/tools/softhsm/ - -# Import a key pair from the given path. The file must be in PKCS#8-format. Use with --slot or --token or --serial, --file-pin, --label, --id, --no-public-key, and --pxin. -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label webextrsa4096 --id deadbeef --import /app/src/autograph/tools/softhsm/webextensions-rsa.pem -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384 --id 12345678 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-pk8.pem -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384-2 --id 11111111 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-2-pk8.pem - -# genkeys -RUN cd /app/src/autograph/tools/softhsm/ && go run genkeys.go - -# make a pki in softhsm -# then update the config -# then write the generated config and new root hash to /tmp -# we expect /tmp was mounted for exports to the monitor-hsm service -RUN cd /app/src/autograph/tools/genpki/ && \ - go run genpki.go > /app/genpki.out && \ - cd /app/src/autograph/tools/configurator && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ - cp /app/autograph.softhsm.yaml /tmp/ && \ - /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \ - cat /tmp/normandy_dev_root_hash.txt - -CMD /go/bin/autograph -c /app/autograph.softhsm.yaml