From 0c56512174157d9f567e5c155f06f3951de7265d Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jan@dittberner.info>
Date: Tue, 22 Dec 2020 15:51:13 +0100
Subject: [PATCH] Add cats to the docker-compose setup

---
 application.Dockerfile              |  6 ++---
 cats.Dockerfile                     | 42 +++++++++++++++++++++++++++++
 docker-compose.yml                  | 20 +++++++++++++-
 docker/apache-cats-foreground       | 17 ++++++++++++
 docker/apache-cats-virtualhost.conf | 25 +++++++++++++++++
 docker/apache-mgr-foreground        |  7 +++--
 docker/apache-mgr-virtualhost.conf  | 12 ++++-----
 docker/apache-virtualhost.conf      | 12 ++++-----
 docker/initdb.sh                    | 10 ++++++-
 mariadb.Dockerfile                  |  3 ++-
 mgr.Dockerfile                      |  8 +++---
 setup_test_ca.sh                    |  4 +--
 12 files changed, 140 insertions(+), 26 deletions(-)
 create mode 100644 cats.Dockerfile
 create mode 100755 docker/apache-cats-foreground
 create mode 100644 docker/apache-cats-virtualhost.conf

diff --git a/application.Dockerfile b/application.Dockerfile
index 89583f3..58eadb3 100644
--- a/application.Dockerfile
+++ b/application.Dockerfile
@@ -42,9 +42,9 @@ STOPSIGNAL SIGWINCH
 COPY docker/apache-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
+COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
 
 COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
 COPY docker/cacert.conf /etc/apache2/conf-available/
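Review bot: The combined chain lands in `/etc/ssl/apache2/certs/combined.crt` on the last `+COPY` line, while the certificate and key on the two lines above go to `/etc/apache2/ssl/certs/` and `/etc/apache2/ssl/private/`, and cats.Dockerfile and mgr.Dockerfile in this diff use `/etc/apache2/ssl/certs/combined.crt`. The second hunk of docker/apache-virtualhost.conf references the same transposed path, so the build is internally consistent, but the layout differs from the other two images for no visible reason and will bite anyone copying a vhost snippet between them. I would normalise both to `COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt` here and `SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt` in the vhost.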
diff --git a/cats.Dockerfile b/cats.Dockerfile
new file mode 100644
index 0000000..870ce48
--- /dev/null
+++ b/cats.Dockerfile
@@ -0,0 +1,42 @@
+FROM debian:jessie
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    gettext \
+    libapache2-mod-php5 \
+    locales-all \
+    nullmailer \
+    php5-mysql \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGWINCH
+
+COPY docker/apache-cats-foreground /usr/local/bin/
+COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
+COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
+COPY testca/certs/cats.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/cats.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
+
+COPY docker/apache-cats-virtualhost.conf /etc/apache2/sites-available/cats.cacert.localhost.conf
+
+VOLUME /var/www/cats
+
+RUN a2ensite cats.cacert.localhost ; \
+    a2dissite 000-default ; \
+    a2enmod headers ; \
+    a2enmod rewrite ; \
+    a2enmod ssl ; \
+    cd /usr/local/share/ca-certificates ; \
+    curl -O http://www.cacert.org/certs/root_X0F.crt ; \
+    curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+    update-ca-certificates
+
+EXPOSE 443
+
+CMD ["/usr/local/bin/apache-cats-foreground"]
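Review bot: The `RUN` starting at `a2ensite cats.cacert.localhost` separates its commands with `;`, so a failed `a2enmod` or a failed `curl -O` does not fail the build, and the two `curl -O http://www.cacert.org/certs/...` downloads are fetched over plain HTTP with no integrity check before `update-ca-certificates` installs them as trust anchors for the whole image. Chain with `&&`, write to an explicit `-o` target instead of `cd`-ing, and pin each file to a known digest (if HTTPS is not usable against that host, the digest check is what carries the trust; the hashes below are placeholders to be filled in). Separately, `debian:jessie` and `php5` are end-of-life, which deserves a comment next to `FROM` explaining why that base is required, and the stage never switches to a non-root `USER`.
```dockerfile
# … unchanged: FROM, apt-get install, COPY lines, VOLUME …
RUN a2ensite cats.cacert.localhost \
    && a2dissite 000-default \
    && a2enmod headers rewrite ssl \
    && curl -fsS -o /usr/local/share/ca-certificates/root_X0F.crt http://www.cacert.org/certs/root_X0F.crt \
    && curl -fsS -o /usr/local/share/ca-certificates/class3_X0E.crt http://www.cacert.org/certs/class3_X0E.crt \
    && echo "<SHA256_OF_root_X0F.crt>  /usr/local/share/ca-certificates/root_X0F.crt" | sha256sum -c - \
    && echo "<SHA256_OF_class3_X0E.crt>  /usr/local/share/ca-certificates/class3_X0E.crt" | sha256sum -c - \
    && update-ca-certificates
# … unchanged: EXPOSE, CMD …
```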
diff --git a/docker-compose.yml b/docker-compose.yml
index 5487f09..97c5c3e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
       dockerfile: mariadb.Dockerfile
     env_file:
       - ./.env
+    environment:
+      MYSQL_CATS_DATABASE: cats
     volumes:
       - db:/var/lib/mysql
     ports:
@@ -66,7 +68,23 @@ services:
       - db
       - mail
     volumes:
-      - ./cacert-mgr:/var/www
+      - ./cacert-mgr:/var/www/mgr
+  cats:
+    build:
+      context: .
+      dockerfile: cats.Dockerfile
+    env_file:
+      - ./.env
+    environment:
+      CATS_NORMAL_HOSTNAME: "cats.cacert.localhost:7443"
+      CATS_SECURE_HOSTNAME: "cats.cacert.localhost:7443"
+      MYSQL_CATS_DATABASE: cats
+    ports:
+      - "7443:443"
+    depends_on:
+      - db
+    volumes:
+      - ./cacert-cats:/var/www/cats
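Review bot: The new `cats` service and the `db` service both rely on `MYSQL_CATS_USER` and `MYSQL_CATS_PASSWORD` being present in `./.env` (docker/initdb.sh and docker/apache-cats-foreground in this diff read them), but nothing in the hunk declares or documents them, and `MYSQL_CATS_DATABASE: cats` is repeated in both services' `environment:` blocks. A comment above `cats:`, `# requires MYSQL_CATS_USER / MYSQL_CATS_PASSWORD in .env (see docker/initdb.sh)`, or moving `MYSQL_CATS_DATABASE` into `.env` next to them, keeps the three settings in one place. `CATS_NORMAL_HOSTNAME` and `CATS_SECURE_HOSTNAME` are set to the same value; if the secure name is meant to become a separate client-cert vhost later, a short comment saying why they coincide for now would help.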
 
 volumes:
   db: { }
diff --git a/docker/apache-cats-foreground b/docker/apache-cats-foreground
new file mode 100755
index 0000000..b75131f
--- /dev/null
+++ b/docker/apache-cats-foreground
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eux
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/apache2.pid
+
+sed "s/@CATS_NORMAL_HOSTNAME@/${CATS_NORMAL_HOSTNAME}/g;
+     s/@CATS_SECURE_HOSTNAME@/${CATS_SECURE_HOSTNAME}/g;
+     s/@CATS_DB_HOSTNAME@/db/g;
+     s/@CATS_DB_USER@/${MYSQL_CATS_USER}/g;
+     s/@CATS_DB_PASSWORD@/${MYSQL_CATS_PASSWORD}/g;
+     s/@CATS_DATABASE@/${MYSQL_CATS_DATABASE}/g" \
+  /var/www/cats/includes/db_connect.inc.template > /var/www/cats/includes/db_connect.inc
+
+apache2ctl start "$@"
+
+exec tail -F --follow=name --retry /var/log/apache2/error.log
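Review bot: With `set -eux` on the second line, the expanded `sed` command, including `${MYSQL_CATS_PASSWORD}`, is traced to stderr and therefore into the container's `docker logs`; drop the `x`, or wrap the substitution in `set +x; …; set -x`. The same `sed` treats the substituted values as part of its expression, so a password containing `/` or `&` corrupts or alters the generated file; escape first, e.g. `esc() { printf '%s' "$1" | sed 's/[&/\]/\\&/g'; }` and `s/@CATS_DB_PASSWORD@/$(esc "${MYSQL_CATS_PASSWORD}")/g`. The generated `/var/www/cats/includes/db_connect.inc` is written into the bind-mounted `./cacert-cats` checkout (docker-compose.yml in this diff), so that path should be excluded from version control there.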
diff --git a/docker/apache-cats-virtualhost.conf b/docker/apache-cats-virtualhost.conf
new file mode 100644
index 0000000..2ff69e9
--- /dev/null
+++ b/docker/apache-cats-virtualhost.conf
@@ -0,0 +1,25 @@
+<VirtualHost *:443>
+  ServerName cats.cacert.localhost
+  ServerAlias www.cats.cacert.localhost
+  DocumentRoot /var/www/cats
+
+  SSLEngine on
+  SSLStrictSNIVHostCheck on
+  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+  SSLHonorCipherOrder on
+  SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+  SSLCertificateFile /etc/apache2/ssl/certs/cats.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/cats.cacert.localhost.key.pem
+
+  SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+  SSLVerifyClient optional
+  SSLVerifyDepth 2
+  SSLOptions +StdEnvVars
+
+  <Directory /var/www/cats>
+    Options Indexes FollowSymlinks MultiViews
+    AllowOverride Options FileInfo
+  </Directory>
+
+  Header always set Strict-Transport-Security "max-age=31536000"
+</VirtualHost>
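Review bot: `DocumentRoot /var/www/cats` is also where docker/apache-cats-foreground writes `includes/db_connect.inc` containing the database credentials, and `Options Indexes` on that directory makes `includes/` listable; whether a `.inc` file is executed as PHP or served as text depends on the PHP handler configuration, which this diff does not show, so deny it explicitly rather than rely on it. Add a `<Directory /var/www/cats/includes>` block with `Require all denied` (or a `<FilesMatch "\.inc$">` with the same), and drop `Indexes` unless directory listings are wanted. Unlike the mgr vhost in this diff, no `SSLCADNRequestFile` is set even though cats.Dockerfile copies `clientca.crt`; if the same client-cert prompt is intended, add `SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt`, otherwise that `COPY` is dead.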
diff --git a/docker/apache-mgr-foreground b/docker/apache-mgr-foreground
index 90f9c64..439e586 100755
--- a/docker/apache-mgr-foreground
+++ b/docker/apache-mgr-foreground
@@ -5,11 +5,14 @@ set -eux
 rm -f /run/apache2/apache2.pid
 
 sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
-  /usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini
+  /usr/local/etc/mgr-application.ini > /var/www/mgr/manager/application/configs/application.ini
 
 mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
 REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
-VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
+VALUES (
+  1, 2,'${CLIENT_CERT_EMAIL}',
+  'emailAddress=${CLIENT_CERT_EMAIL},CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'
+);
 
 UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
 UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';
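Review bot: The DN string on the new `VALUES (` lines hard-codes a particular attribute order (`emailAddress=…,CN=…` for the subject, reversed issuer after `//`), which only works if it equals what mod_ssl exports for the test client certificate, and nothing in the script says so. A comment above the heredoc, `# presumably must equal SSL_CLIENT_S_DN + '//' + SSL_CLIENT_I_DN as mod_ssl renders the cert from setup_test_ca.sh (-subj order matters) — confirm`, would tell the next person why the email now precedes the CN. `${CLIENT_CERT_EMAIL}` and `${CLIENT_CERT_USERNAME}` are also interpolated into single-quoted SQL unescaped, so a value containing `'` breaks the statement; acceptable for a test fixture if documented as such.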
diff --git a/docker/apache-mgr-virtualhost.conf b/docker/apache-mgr-virtualhost.conf
index 30417b7..8294671 100644
--- a/docker/apache-mgr-virtualhost.conf
+++ b/docker/apache-mgr-virtualhost.conf
@@ -1,23 +1,23 @@
 <VirtualHost *:443>
   ServerName mgr.cacert.localhost
   ServerAlias www.mgr.cacert.localhost
-  DocumentRoot /var/www/manager/public
+  DocumentRoot /var/www/mgr/manager/public
 
   SSLEngine on
   SSLStrictSNIVHostCheck on
   SSLProtocol all -SSLv2 -SSLv3 -TLSv1
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem
-  SSLCertificateChainFile /etc/ssl/certs/combined.crt
+  SSLCertificateFile /etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/mgr.cacert.localhost.key.pem
 
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+  SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt
   SSLVerifyClient optional
   SSLVerifyDepth 2
   SSLOptions +StdEnvVars
 
-  <Directory /var/www/manager/public>
+  <Directory /var/www/mgr/manager/public>
     Options Indexes FollowSymlinks MultiViews
     AllowOverride Options FileInfo
   </Directory>
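Review bot: Removing `SSLCertificateChainFile /etc/ssl/certs/combined.crt` without adding the intermediate to `SSLCertificateFile` leaves the server with no explicit chain to send; mod_ssl may assemble one from `SSLCACertificateFile`, but that depends on the Apache/OpenSSL version in the mgr image and on whether `mgr.cacert.localhost.crt.pem` already contains the class3 certificate, neither of which is visible here. Verify after the change with `openssl s_client -connect <host:port> -showcerts` that the intermediate is still presented, or append `testca/class3/ca.crt.pem` to the server certificate file in mgr.Dockerfile. The new `SSLCADNRequestFile` line is a good change: it restricts the advertised acceptable-CA list to `clientca.crt` (the class3 CA per mgr.Dockerfile) instead of the whole combined bundle.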
diff --git a/docker/apache-virtualhost.conf b/docker/apache-virtualhost.conf
index 8d61b51..dbcf0f5 100644
--- a/docker/apache-virtualhost.conf
+++ b/docker/apache-virtualhost.conf
@@ -24,9 +24,8 @@
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
 
   Header always set Strict-Transport-Security "max-age=31536000"
 
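Review bot: `SSLCACertificateFile` is removed from this vhost (the third `-` line) and not re-added, while the second hunk of this file keeps it for the `secure.` vhost; if this vhost has `SSLVerifyClient optional` outside the hunk, client certificates presented to it can no longer be verified. The hunk shows neither the `<VirtualHost>` header nor any `SSLVerifyClient` line, so confirm the removal is intentional, and if so a one-line comment such as `# no client-certificate verification on this vhost; see secure.test.cacert.localhost below` would keep it from being reinstated by the next path clean-up.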
@@ -50,11 +49,12 @@
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
-  SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem
-  SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem
+  SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
+  SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
+
   SSLVerifyClient require
   SSLVerifyDepth 2
-  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt
   #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
   #SSLOCSPEnable on
   #SSLOCSPDefaultResponder http://ocsp.cacert.localhost/
diff --git a/docker/initdb.sh b/docker/initdb.sh
index 9273d82..bca293f 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -4,6 +4,7 @@ set -eux
 
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
 CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
+CREATE database $MYSQL_CATS_DATABASE CHARSET latin1 COLLATE latin1_swedish_ci;
 CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
 EOF
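Review bot: `$MYSQL_CATS_DATABASE` is interpolated unquoted as an SQL identifier on the new `CREATE database` line (and again in the `GRANT` of this file's last hunk) inside an unquoted heredoc, so a value with a hyphen or other non-identifier character is a syntax error, and it cannot simply be wrapped in backticks there because the shell would treat them as command substitution. Either validate it up front, `case "$MYSQL_CATS_DATABASE" in *[!A-Za-z0-9_]*) echo 'MYSQL_CATS_DATABASE must be a plain identifier' >&2; exit 1;; esac`, or write it as `\`$MYSQL_CATS_DATABASE\`` with escaped backticks. The same caveat applies to `'$MYSQL_CATS_PASSWORD'` in the new `CREATE USER`, which breaks on an embedded `'`.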
 
@@ -13,6 +14,11 @@ done
 
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr </mgr_dbadm/ca_mgr.mysql
 
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/create_db.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update1.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update2.sql
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/sample_test.sql
+
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert <<-'EOF'
 INSERT INTO languages (locale, en_co, en_lang, country, lang)
 VALUES  ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'),
@@ -122,7 +128,9 @@ GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
 
 CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
-GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
 GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%';
+
+CREATE USER $MYSQL_CATS_USER@'%' IDENTIFIED BY '$MYSQL_CATS_PASSWORD';
+GRANT SELECT, INSERT, UPDATE, DELETE ON $MYSQL_CATS_DATABASE.* TO $MYSQL_CATS_USER@'%';
 EOF
diff --git a/mariadb.Dockerfile b/mariadb.Dockerfile
index 695c5ab..dc41fe5 100644
--- a/mariadb.Dockerfile
+++ b/mariadb.Dockerfile
@@ -2,4 +2,5 @@ FROM mariadb:focal
 
 COPY docker/initdb.sh /docker-entrypoint-initdb.d/initdb.sh
 COPY cacert-software/scripts/db_migrations/*.sh /db_migrations/
-COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
\ No newline at end of file
+COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
+COPY cacert-cats/database/*.sql /cats_db/
\ No newline at end of file
diff --git a/mgr.Dockerfile b/mgr.Dockerfile
index 97bf26b..16d9ba8 100644
--- a/mgr.Dockerfile
+++ b/mgr.Dockerfile
@@ -21,10 +21,10 @@ STOPSIGNAL SIGWINCH
 COPY docker/apache-mgr-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/mgr.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
-COPY testca/class3/ca.crt.pem /etc/ssl/certs/clientca.crt
+COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/mgr.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
 
 COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf
 COPY docker/mgr-application.ini /usr/local/etc/
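Review bot: `COPY testca/certs/mgr.cacert.localhost.key.pem /etc/apache2/ssl/private/` keeps whatever mode the key has in the build context, so the private key's permissions inside the image depend on the checkout rather than on the Dockerfile; the key `COPY` lines in application.Dockerfile and cats.Dockerfile in this diff share this. Since Apache normally reads the key as root at startup, `COPY --chmod=0600 …` (BuildKit) or a `RUN chmod 0600 /etc/apache2/ssl/private/*.key.pem` in the same image keeps it unreadable to the `www-data` worker and to anything else running in the container. The hunk is otherwise a path move and needs no further change.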
diff --git a/setup_test_ca.sh b/setup_test_ca.sh
index 40ea03d..5968215 100755
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@@ -58,7 +58,7 @@ RANDFILE               = \$dir/private/.rand
 
 policy                 = policy_any
 unique_subject         = no
-email_in_dn            = no
+email_in_dn            = yes
 copy_extensions        = copy
 
 default_md             = sha256
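Review bot: `email_in_dn = yes` changes the subject of newly issued certificates, but the second hunk of this file only regenerates the client certificate when `certs/testclient.p12` is absent, so a checkout that already ran the script keeps a certificate without `emailAddress` in its DN, and the `system_user` DN written by docker/apache-mgr-foreground in this diff will not match it. Say so in the commit message or in a comment beside that `if`, e.g. `# delete certs/testclient.* and re-run after changing the subject; the mgr fixture DN depends on it`. The two hunks of this file need to land together, since the new `-subj` without this setting would have the email stripped by `openssl ca`.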
@@ -219,7 +219,7 @@ fi
 
 if [ ! -f certs/testclient.p12 ]; then
   openssl req -new -keyout certs/testclient.key.pem -nodes \
-    -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}" \
+    -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \
     -addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"
   openssl ca -config ca.cnf \
     -name class3_ca \