From f26b9ee1a80e8be7b83c8b3a0d4deb1cd29cf1b3 Mon Sep 17 00:00:00 2001 From: Jeff Hodges Date: Mon, 29 Jul 2024 18:15:53 -0700 Subject: [PATCH] consolidate Dockerfiles into the main one The Dockerfiles for the SoftHSM and AWS lambda emulator support were, in certain contexts, fetching from the remote `autograph-app` dockerhub repository. We'd like to ensure that we're building those tools with the latest code in our local repo. Now that docker supports multi-stage Dockerfiles, we can consolidate those files into our main one. --- Dockerfile | 76 +++++++++++++++++++ docker-compose.yml | 7 +- .../Dockerfile.lambda-emulator | 14 ---- tools/softhsm/Dockerfile | 56 -------------- 4 files changed, 80 insertions(+), 73 deletions(-) delete mode 100644 tools/autograph-monitor/Dockerfile.lambda-emulator delete mode 100644 tools/softhsm/Dockerfile diff --git a/Dockerfile b/Dockerfile index 4e53a23e3..f50c06895 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -68,3 +68,79 @@ USER app WORKDIR /app CMD /go/bin/autograph +# +# With SoftHSM set up for testing +# FIXME +FROM base as autograph-app-softhsm + +RUN apt-get update && \ + apt-get -y upgrade && \ + apt-get -y install jq yq softhsm2 python3 python3-ruamel.yaml && \ + apt-get clean + +# copy the config +ADD autograph.softhsm.yaml /app/ + +# give app access to dev db root cert +ADD db-root.crt /opt/db-root.crt +RUN chgrp -vR app /opt +RUN chmod -vR 0444 /opt/db-root.crt + +# Setup SoftHSM +RUN mkdir -p /var/lib/softhsm/tokens && \ + softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000 + +# load dev keys +ADD webextensions-rsa.pem /app/src/autograph/tools/softhsm/ +ADD extensions-ecdsa-pk8.pem /app/src/autograph/tools/softhsm/ + +# Import a key pair from the given path. The file must be in PKCS#8-format. Use with --slot or --token or --serial, --file-pin, --label, --id, --no-public-key, and --pxin. +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label webextrsa4096 --id deadbeef --import /app/src/autograph/tools/softhsm/webextensions-rsa.pem +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384 --id 12345678 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-pk8.pem +RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384-2 --id 11111111 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-2-pk8.pem + +# genkeys +RUN cd /app/src/autograph/tools/softhsm/ && go run genkeys.go + +# make a pki in softhsm +# then update the config +# then write the generated config and new root hash to /tmp +# we expect /tmp was mounted for exports to the monitor-hsm service +RUN cd /app/src/autograph/tools/genpki/ && \ + go run genpki.go > /app/genpki.out && \ + cd /app/src/autograph/tools/configurator && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ + -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py 
-c /app/autograph.softhsm.yaml -i -s normandy \ + -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ + -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ + python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ + -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ + cp /app/autograph.softhsm.yaml /tmp/ && \ + /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \ + cat /tmp/normandy_dev_root_hash.txt + +CMD /go/bin/autograph -c /app/autograph.softhsm.yaml + +# +# Lambda emulator +# FIXME +FROM base as autograph-lambda-emulator + +USER root + +RUN curl -Lo /usr/local/bin/aws-lambda-rie \ + https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \ + && \ + chmod +x /usr/local/bin/aws-lambda-rie + +COPY lambda-selftest-entrypoint.sh /usr/local/bin/lambda-selftest-entrypoint.sh + +USER app +ENTRYPOINT ["/usr/local/bin/aws-lambda-rie"] +CMD ["/go/bin/autograph-monitor"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 237b99332..ad1279522 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
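Review bot: The `ADD autograph.softhsm.yaml /app/`, `ADD db-root.crt /opt/db-root.crt`, the two `ADD *.pem` lines and `COPY lambda-selftest-entrypoint.sh` keep their source paths relative to the old `tools/softhsm/` and `tools/autograph-monitor/` build contexts, but the docker-compose change in this same commit builds both targets with `context: .`, so these steps will fail to resolve unless copies of the files also exist at the repository root. Prefix the sources with `tools/softhsm/` and `tools/autograph-monitor/` (plain `COPY` suffices for local files), or, since the RUN steps already rely on the source tree at `/app/src/autograph/tools/softhsm/` inside the image, take the keys from there. The `curl -Lo … releases/latest/download/aws-lambda-rie` step runs as root, fetches an unpinned "latest" binary, omits `-f` so an HTTP error page would be written and made executable while the build still succeeds, and verifies no checksum before that file becomes the stage's `ENTRYPOINT`; pin a release tag and check a digest as sketched below. The `autograph-app-softhsm` stage never sets `USER`, whereas `autograph-lambda-emulator` switches `USER root` … `USER app`, so whether the softhsm image ends up running autograph as root depends on the `base` stage, which is outside this hunk and worth confirming. The `# FIXME` added on both stage headers should say what remains to fix, e.g. `# FIXME: paths below still assume the old tools/softhsm build context`.
```dockerfile
# … unchanged: stage header, apt-get install …
ADD tools/softhsm/autograph.softhsm.yaml /app/
ADD tools/softhsm/db-root.crt /opt/db-root.crt
# … unchanged: chgrp/chmod, SoftHSM token init …
ADD tools/softhsm/webextensions-rsa.pem /app/src/autograph/tools/softhsm/
ADD tools/softhsm/extensions-ecdsa-pk8.pem /app/src/autograph/tools/softhsm/
# … unchanged: key imports, genkeys, genpki/configurator, CMD …
# … unchanged: lambda emulator stage header, USER root …
ARG AWS_LAMBDA_RIE_VERSION=<release-tag-placeholder>
ARG AWS_LAMBDA_RIE_SHA256=<sha256-placeholder>
RUN curl -fsSLo /usr/local/bin/aws-lambda-rie \
      "https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/download/${AWS_LAMBDA_RIE_VERSION}/aws-lambda-rie" \
    && echo "${AWS_LAMBDA_RIE_SHA256}  /usr/local/bin/aws-lambda-rie" | sha256sum -c - \
    && chmod +x /usr/local/bin/aws-lambda-rie
COPY tools/autograph-monitor/lambda-selftest-entrypoint.sh /usr/local/bin/lambda-selftest-entrypoint.sh
# … unchanged: USER app, ENTRYPOINT, CMD …
```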
@@ -37,7 +37,8 @@ services: container_name: autograph-app-hsm image: autograph-app-hsm build: - context: tools/softhsm/ + context: . + target: autograph-app-softhsm environment: - AUTOGRAPH_DB_DSN=host=db user=myautographdbuser dbname=autograph password=myautographdbpassword sslmode=verify-full sslrootcert=/opt/db-root.crt links: @@ -94,8 +95,8 @@ services: container_name: autograph-monitor-hsm-lambda-emulator image: autograph-monitor-lambda-emulator build: - context: tools/autograph-monitor/ - dockerfile: Dockerfile.lambda-emulator + context: . + target: autograph-lambda-emulator environment: - AUTOGRAPH_URL=http://autograph-app-hsm:8001/ - AUTOGRAPH_KEY=19zd4w3xirb5syjgdx8atq6g91m03bdsmzjifs2oddivswlu9qs diff --git a/tools/autograph-monitor/Dockerfile.lambda-emulator b/tools/autograph-monitor/Dockerfile.lambda-emulator deleted file mode 100644 index 2bc095d3d..000000000 --- a/tools/autograph-monitor/Dockerfile.lambda-emulator +++ /dev/null @@ -1,14 +0,0 @@ -FROM autograph-app - -USER root - -RUN curl -Lo /usr/local/bin/aws-lambda-rie \ - https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \ - && \ - chmod +x /usr/local/bin/aws-lambda-rie - -COPY lambda-selftest-entrypoint.sh /usr/local/bin/lambda-selftest-entrypoint.sh - -USER app -ENTRYPOINT ["/usr/local/bin/aws-lambda-rie"] -CMD ["/go/bin/autograph-monitor"] diff --git a/tools/softhsm/Dockerfile b/tools/softhsm/Dockerfile deleted file mode 100644 index 9175ce596..000000000 --- a/tools/softhsm/Dockerfile +++ /dev/null 
@@ -1,56 +0,0 @@ -FROM autograph-app - -USER root -RUN apt-get update && \ - apt-get -y upgrade && \ - apt-get -y install jq yq softhsm2 python3 python3-ruamel.yaml && \ - apt-get clean - -# copy the config -ADD autograph.softhsm.yaml /app/ - -# give app access to dev db root cert -ADD db-root.crt /opt/db-root.crt -RUN chgrp -vR app /opt -RUN chmod -vR 0444 /opt/db-root.crt - -# Setup SoftHSM -RUN mkdir -p /var/lib/softhsm/tokens && \ - softhsm2-util --init-token --slot 0 --label test --pin 0000 --so-pin 0000 - -# load dev keys -ADD webextensions-rsa.pem /app/src/autograph/tools/softhsm/ -ADD extensions-ecdsa-pk8.pem /app/src/autograph/tools/softhsm/ - -# Import a key pair from the given path. The file must be in PKCS#8-format. Use with --slot or --token or --serial, --file-pin, --label, --id, --no-public-key, and --pxin. -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label webextrsa4096 --id deadbeef --import /app/src/autograph/tools/softhsm/webextensions-rsa.pem -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384 --id 12345678 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-pk8.pem -RUN softhsm2-util --token test --pin 0000 --so-pin 0000 --label ext-ecdsa-p384-2 --id 11111111 --import /app/src/autograph/tools/softhsm/extensions-ecdsa-2-pk8.pem - -# genkeys -RUN cd /app/src/autograph/tools/softhsm/ && go run genkeys.go - -# make a pki in softhsm -# then update the config -# then write the generated config and new root hash to /tmp -# we expect /tmp was mounted for exports to the monitor-hsm service -RUN cd /app/src/autograph/tools/genpki/ && \ - go run genpki.go > /app/genpki.out && \ - cd /app/src/autograph/tools/configurator && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p issuercert -v "$(grep 'inter cert path' 
/app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s normandy \ - -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p issuerprivkey -v "$(grep 'inter key name' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p issuercert -v "$(grep 'inter cert path' /app/genpki.out | awk '{print $4}')" && \ - python3 configurator.py -c /app/autograph.softhsm.yaml -i -s kinto \ - -p cacert -v "$(grep 'root cert path' /app/genpki.out | awk '{print $4}')" && \ - cp /app/autograph.softhsm.yaml /tmp/ && \ - /bin/bash /app/src/autograph/tools/softhsm/hash_signer_cacert.sh /app/autograph.softhsm.yaml normandy > /tmp/normandy_dev_root_hash.txt && \ - cat /tmp/normandy_dev_root_hash.txt - -CMD /go/bin/autograph -c /app/autograph.softhsm.yaml