Add cats to the docker-compose setup

application.Dockerfile

@@ -42,9 +42,9 @@ STOPSIGNAL SIGWINCH
 COPY docker/apache-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
+COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
 
 COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
 COPY docker/cacert.conf /etc/apache2/conf-available/

cats.Dockerfile

@@ -0,0 +1,42 @@
+FROM debian:jessie
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    gettext \
+    libapache2-mod-php5 \
+    locales-all \
+    nullmailer \
+    php5-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGWINCH
+
+COPY docker/apache-cats-foreground /usr/local/bin/
+COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
+COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
+COPY testca/certs/cats.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/cats.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
+
+COPY docker/apache-cats-virtualhost.conf /etc/apache2/sites-available/cats.cacert.localhost.conf
+
+VOLUME /var/www/cats
+
+RUN a2ensite cats.cacert.localhost ; \
+    a2dissite 000-default ; \
+    a2enmod headers ; \
+    a2enmod rewrite ; \
+    a2enmod ssl ; \
+    cd /usr/local/share/ca-certificates ; \
+    curl -O http://www.cacert.org/certs/root_X0F.crt ; \
+    curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+    update-ca-certificates
+
+EXPOSE 443
+
+CMD ["/usr/local/bin/apache-cats-foreground"]

docker-compose.yml

@@ -7,6 +7,8 @@ services:
       dockerfile: mariadb.Dockerfile
     env_file:
       - ./.env
+    environment:
+      MYSQL_CATS_DATABASE: cats
     volumes:
       - db:/var/lib/mysql
     ports:
@@ -66,7 +68,23 @@ services:
       - db
       - mail
     volumes:
-      - ./cacert-mgr:/var/www
+      - ./cacert-mgr:/var/www/mgr
+  cats:
+    build:
+      context: .
+      dockerfile: cats.Dockerfile
+    env_file:
+      - ./.env
+    environment:
+      CATS_NORMAL_HOSTNAME: "cats.cacert.localhost:7443"
+      CATS_SECURE_HOSTNAME: "cats.cacert.localhost:7443"
+      MYSQL_CATS_DATABASE: cats
+    ports:
+      - "7443:443"
+    depends_on:
+      - db
+    volumes:
+      - ./cacert-cats:/var/www/cats
 
 volumes:
   db: { }

docker/apache-cats-foreground

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eux
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/apache2.pid
+
+sed "s/@CATS_NORMAL_HOSTNAME@/${CATS_NORMAL_HOSTNAME}/g;
+     s/@CATS_SECURE_HOSTNAME@/${CATS_SECURE_HOSTNAME}/g;
+     s/@CATS_DB_HOSTNAME@/db/g;
+     s/@CATS_DB_USER@/${MYSQL_CATS_USER}/g;
+     s/@CATS_DB_PASSWORD@/${MYSQL_CATS_PASSWORD}/g;
+     s/@CATS_DATABASE@/${MYSQL_CATS_DATABASE}/g" \
+  /var/www/cats/includes/db_connect.inc.template > /var/www/cats/includes/db_connect.inc
+
+apache2ctl start "$@"
+
+exec tail -F --follow=name --retry /var/log/apache2/error.log

docker/apache-cats-virtualhost.conf

@@ -0,0 +1,25 @@
+<VirtualHost *:443>
+  ServerName cats.cacert.localhost
+  ServerAlias www.cats.cacert.localhost
+  DocumentRoot /var/www/cats
+
+  SSLEngine on
+  SSLStrictSNIVHostCheck on
+  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+  SSLHonorCipherOrder on
+  SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+  SSLCertificateFile /etc/apache2/ssl/certs/cats.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/cats.cacert.localhost.key.pem
+
+  SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+  SSLVerifyClient optional
+  SSLVerifyDepth 2
+  SSLOptions +StdEnvVars
+
+  <Directory /var/www/cats>
+    Options Indexes FollowSymlinks MultiViews
+    AllowOverride Options FileInfo
+  </Directory>
+
+  Header always set Strict-Transport-Security "max-age=31536000"
+</VirtualHost>

docker/apache-mgr-foreground

@@ -5,11 +5,14 @@ set -eux
 rm -f /run/apache2/apache2.pid
 
 sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
-  /usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini
+  /usr/local/etc/mgr-application.ini > /var/www/mgr/manager/application/configs/application.ini
 
 mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
 REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
-VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
+VALUES (
+  1, 2,'${CLIENT_CERT_EMAIL}',
+  'emailAddress=${CLIENT_CERT_EMAIL},CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'
+);
 
 UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
 UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';

docker/apache-mgr-virtualhost.conf

@@ -1,23 +1,23 @@
 <VirtualHost *:443>
   ServerName mgr.cacert.localhost
   ServerAlias www.mgr.cacert.localhost
-  DocumentRoot /var/www/manager/public
+  DocumentRoot /var/www/mgr/manager/public
 
   SSLEngine on
   SSLStrictSNIVHostCheck on
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem
-  SSLCertificateChainFile /etc/ssl/certs/combined.crt
+  SSLCertificateFile /etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/mgr.cacert.localhost.key.pem
 
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+  SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt
   SSLVerifyClient optional
   SSLVerifyDepth 2
   SSLOptions +StdEnvVars
 
-  <Directory /var/www/manager/public>
+  <Directory /var/www/mgr/manager/public>
     Options Indexes FollowSymlinks MultiViews
     AllowOverride Options FileInfo
   </Directory>

docker/apache-virtualhost.conf

@@ -24,9 +24,8 @@
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
 
   Header always set Strict-Transport-Security "max-age=31536000"
 
@@ -50,11 +49,12 @@
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem
+  SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
+
   SSLVerifyClient require
   SSLVerifyDepth 2
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt
   #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
   #SSLOCSPEnable on
   #SSLOCSPDefaultResponder http://ocsp.cacert.localhost/

docker/initdb.sh

@@ -4,6 +4,7 @@ set -eux
 
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
 CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
+CREATE database $MYSQL_CATS_DATABASE CHARSET latin1 COLLATE latin1_swedish_ci;
 CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
 EOF
 
@@ -13,6 +14,11 @@ done
 
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr </mgr_dbadm/ca_mgr.mysql
 
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/create_db.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update1.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update2.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/sample_test.sql
+
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert <<-'EOF'
 INSERT INTO languages (locale, en_co, en_lang, country, lang)
 VALUES  ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'),
@@ -122,7 +128,9 @@ GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
 
 CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
-GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%';
+
+CREATE USER $MYSQL_CATS_USER@'%' IDENTIFIED BY '$MYSQL_CATS_PASSWORD';
+GRANT SELECT, INSERT, UPDATE, DELETE ON $MYSQL_CATS_DATABASE.* TO $MYSQL_CATS_USER@'%';
 EOF

mariadb.Dockerfile

@@ -2,4 +2,5 @@ FROM mariadb:focal
 
 COPY docker/initdb.sh /docker-entrypoint-initdb.d/initdb.sh
 COPY cacert-software/scripts/db_migrations/*.sh /db_migrations/
-COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
+COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
+COPY cacert-cats/database/*.sql /cats_db/

mgr.Dockerfile

@@ -21,10 +21,10 @@ STOPSIGNAL SIGWINCH
 COPY docker/apache-mgr-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/mgr.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
-COPY testca/class3/ca.crt.pem /etc/ssl/certs/clientca.crt
+COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/mgr.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
 
 COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf
 COPY docker/mgr-application.ini /usr/local/etc/

setup_test_ca.sh

@@ -58,7 +58,7 @@ RANDFILE               = \$dir/private/.rand
 
 policy                 = policy_any
 unique_subject         = no
-email_in_dn            = no
+email_in_dn            = yes
 copy_extensions        = copy
 
 default_md             = sha256
@@ -219,7 +219,7 @@ fi
 
 if [ ! -f certs/testclient.p12 ]; then
   openssl req -new -keyout certs/testclient.key.pem -nodes \
-    -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}" \
+    -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \
     -addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"
   openssl ca -config ca.cnf \
     -name class3_ca \