Add certfixer container to dev env

dev_utils/certfixer/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.16
+
+RUN apk add openssl
+
+RUN mkdir -p /certfixer
+
+ADD ./make_certs.sh /certfixer/make_certs.sh
+ADD ./ssl.cnf /certfixer/ssl.cnf
+
+WORKDIR /certfixer
+
+CMD ["/bin/sh", "make_certs.sh"]

dev_utils/certfixer/make_certs.sh

@@ -0,0 +1,84 @@
+#!/bin/sh
+
+set -e
+
+out_dir="/cert_gen"
+
+# install openssl if it's missing
+if [ ! "$(command -v openssl)" ];
+then
+    apk add openssl
+fi
+
+script_dir="$(dirname "$0")"
+mkdir -p "$out_dir"
+
+# list all certificates we want, so that we can check if they already exist
+s3_certs="/s3_certs/CAs/public.crt /s3_certs/public.crt /s3_certs/private.key"
+mq_certs="/mq_certs/ca.crt /mq_certs/mq.crt /mq_certs/mq.key"
+pub_cert="/pubcert/public.crt"
+proxy_certs="/proxy_certs/ca.crt /proxy_certs/client.crt /proxy_certs/client.key /proxy_certs/proxy.crt /proxy_certs/proxy.key"
+targets="$s3_certs $mq_certs $pub_cert $proxy_certs"
+
+echo ""
+echo "Checking certificates"
+recreate="false"
+# check if certificates exist
+for target in $targets
+do
+    if [ ! -f "$target" ]
+    then
+        recreate="true"
+        break
+    fi
+done
+
+# only recreate certificates if any certificate is missing
+if [ "$recreate" = "false" ]
+then
+    echo "certificates already exists"
+    exit 0
+fi
+
+# create CA certificate
+openssl req -config "$script_dir/ssl.cnf" -new -sha256 -nodes -extensions v3_ca -out "$out_dir/ca.csr" -keyout "$out_dir/ca-key.pem"
+openssl req -config "$script_dir/ssl.cnf" -key "$out_dir/ca-key.pem" -x509 -new -days 7300 -sha256 -nodes -extensions v3_ca -out "$out_dir/ca.crt"
+
+# Create certificate for MQ
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/mq.key" -out "$out_dir/mq.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/mq.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/mq.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create certificate for Proxy
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/proxy.key" -out "$out_dir/proxy.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/proxy.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/proxy.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create certificate for minio
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/s3.key" -out "$out_dir/s3.csr" -extensions server_cert
+openssl x509 -req -in "$out_dir/s3.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/s3.crt" -extensions server_cert -extfile "$script_dir/ssl.cnf"
+
+# Create client certificate
+openssl req -config "$script_dir/ssl.cnf" -new -nodes -newkey rsa:4096 -keyout "$out_dir/client.key" -out "$out_dir/client.csr" -extensions client_cert -subj "/CN=admin"
+openssl x509 -req -in "$out_dir/client.csr" -days 1200 -CA "$out_dir/ca.crt" -CAkey "$out_dir/ca-key.pem" -set_serial 01 -out "$out_dir/client.crt" -extensions client_cert -extfile "$script_dir/ssl.cnf"
+
+# fix permissions
+chmod 644 "$out_dir"/*
+chown -R nobody.nobody "$out_dir"/*
+chmod 600 "$out_dir"/*-key.pem
+
+# move certificates to volumes
+mkdir -p /s3_certs/CAs
+cp -p "$out_dir/ca.crt" /s3_certs/CAs/public.crt
+cp -p "$out_dir/s3.crt" /s3_certs/public.crt
+cp -p "$out_dir/s3.key" /s3_certs/private.key
+
+cp -p "$out_dir/ca.crt" /mq_certs/ca.crt
+cp -p "$out_dir/mq.crt" /mq_certs/mq.crt
+cp -p "$out_dir/mq.key" /mq_certs/mq.key
+
+cp -p "$out_dir/ca.crt" /pubcert/public.crt
+
+cp -p "$out_dir/ca.crt" /proxy_certs/ca.crt
+cp -p "$out_dir/client.crt" /proxy_certs/client.crt
+cp -p "$out_dir/client.key" /proxy_certs/client.key
+cp -p "$out_dir/proxy.crt" /proxy_certs/proxy.crt
+cp -p "$out_dir/proxy.key" /proxy_certs/proxy.key

dev_utils/docker-compose.yml

@@ -1,66 +1,84 @@
-version: "3.7"
 services:
-  s3_backend:
-    command: server /data
+  certfixer:
+    build:
+      context: ./certfixer
+    volumes:
+      - pubcert:/pubcert
+      - s3_certs:/s3_certs
+      - mq_certs:/mq_certs
+      - proxy_certs:/proxy_certs
+
+  s3:
+    image: minio/minio:RELEASE.2022-09-25T15-44-53Z
+    command: server /data  --console-address ":9001"
     container_name: s3
     environment:
-      - MINIO_ACCESS_KEY=ElixirID
-      - MINIO_SECRET_KEY=987654321
+      - MINIO_ROOT_USER=ElixirID
+      - MINIO_ROOT_PASSWORD=987654321
+      - MINIO_SERVER_URL=https://127.0.0.1:9000
     healthcheck:
       test: ["CMD", "curl", "-fkq", "https://localhost:9000/minio/health/live"]
       interval: 5s
       timeout: 20s
       retries: 3
-    image: minio/minio:RELEASE.2021-02-14T04-01-33Z
+    depends_on:
+      certfixer:
+        condition: service_completed_successfully
     ports:
-      - "9000:9000"
+      - "9000:9001"
     volumes:
-      - ./certs/ca.crt:/root/.minio/certs/CAs/public.crt
-      - ./certs/s3.crt:/root/.minio/certs/public.crt
-      - ./certs/s3.key:/root/.minio/certs/private.key
+      - s3_certs:/root/.minio/certs
       - data:/data
+
   createbucket:
+    image: minio/mc:RELEASE.2022-10-01T07-56-14Z
     container_name: buckets
-    image: minio/mc
     depends_on:
-      - s3_backend
+      s3:
+        condition: service_healthy
     entrypoint: >
       /bin/sh -c "
       /usr/bin/mc config host add s3 https://s3:9000 ElixirID 987654321;
-      /usr/bin/mc rm -r --force s3/test;
-      /usr/bin/mc mb s3/test;
+      /usr/bin/mc mb -p s3/test;
       exit 0;
       "
     volumes:
-      - ./certs/ca.crt:/etc/ssl/certs/public.crt
+      - pubcert:/etc/ssl/certs
+
   mq_server:
+    image: rabbitmq:3.11.2-management-alpine
     container_name: mq
-    image: rabbitmq:3.7.8-management-alpine
+    depends_on:
+      certfixer:
+        condition: service_completed_successfully
     ports:
       - "15672:15672"
       - "5672:5672"
       - "5671:5671"
     volumes:
       - ./defs.json:/etc/rabbitmq/defs.json
       - ./rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf
-      - ./certs/ca.crt:/etc/rabbitmq/ssl/ca.crt
-      - ./certs/mq.crt:/etc/rabbitmq/ssl/mq.crt
-      - ./certs/mq.key:/etc/rabbitmq/ssl/mq.key
+      - mq_certs:/etc/rabbitmq/ssl
     healthcheck:
       test: [ "CMD", "nc", "-z", "localhost", "5672" ]
       interval: 30s
       timeout: 20s
       retries: 3
+
   s3_proxy:
     build:
       context: ../
-      args: 
-        GOLANG_VERSION: $GOLANG_VERSION
+      args:
+        GOLANG_VERSION: ${GOLANG_VERSION:-1.19}
     image: neicnordic/sda-inbox-s3proxy
     container_name: proxy
     depends_on:
-      - mq_server
-      - s3_backend
+      mq_server:
+        condition: service_healthy
+      s3:
+        condition: service_healthy
+      certfixer:
+        condition: service_completed_successfully
     restart: always
     environment:
       - LOG_LEVEL=info
@@ -90,18 +108,18 @@ services:
       - SERVER_JWTPUBEYURL=https://login.elixir-czech.org/oidc/jwk
       - LOG_FORMAT=json
     volumes:
-      - ./certs/ca.crt:/certs/ca.crt
-      - ./certs/client.crt:/certs/client.crt
-      - ./certs/client.key:/certs/client.key
-      - ./certs/proxy.crt:/certs/proxy.crt
-      - ./certs/proxy.key:/certs/proxy.key
+      - proxy_certs:/certs
       - ./users.csv:/users.csv
       - ./keys:/keys
     ports:
       - "8000:8000"
       - "8001:8001"
 
 volumes:
+  pubcert:
+  s3_certs:
+  mq_certs:
+  proxy_certs:
   data:
     # These settings only work on linux (including WSL2), and can be used to
     # test when the disk is full.

dev_utils/users.csv

@@ -1,3 +1,3 @@
-elixirid,987654321
+ElixirID,987654321
 anotherid,testpass
-username,testpass
+username,testpass

userauth_test.go

@@ -24,7 +24,7 @@ func TestUserFileAuthenticator_ReadFile(t *testing.T) {
 
 	assert := assert.New(t)
 
-	r, err := a.secretFromID("elixirid")
+	r, err := a.secretFromID("ElixirID")
 	if assert.Nil(err) {
 		assert.Equal(r, "987654321")
 	}