PASSBOLT-1372 SSL, GPG Server Key, Admin account, Cipher Seed, Security Salt

.gitignore

@@ -1,27 +1,12 @@
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 
-# User-specific stuff:
+# IDE and editor specific files
-.idea/workspace.xml
+/nbproject
-.idea/tasks.xml
+.idea
-.idea/dictionaries
-.idea/vcs.xml
-.idea/jsLibraryMappings.xml
 
-# Sensitive or high-churn files:
+# mpeltonen/sbt-idea plugin
-.idea/dataSources.ids
+.idea_modules/
-.idea/dataSources.xml
-.idea/dataSources.local.xml
-.idea/sqlDataSources.xml
-.idea/dynamic.xml
-.idea/uiDesigner.xml
-
-# Gradle:
-.idea/gradle.xml
-.idea/libraries
-
-# Mongo Explorer plugin:
-.idea/mongoSettings.xml
 
 ## File-based project format:
 *.iws
@@ -31,9 +16,6 @@
 # IntelliJ
 /out/
 
-# mpeltonen/sbt-idea plugin
-.idea_modules/
-
 # JIRA plugin
 atlassian-ide-plugin.xml
 
@@ -43,3 +25,5 @@ crashlytics.properties
 crashlytics-build.properties
 fabric.properties
 
+# Generated docker files
+conf/*.key

Dockerfile

@@ -44,6 +44,11 @@ RUN ln -s /usr/bin/nodejs /usr/bin/node \
     # install grunt
     && npm install -g grunt-cli
 
+# Apache2 SSL
+RUN mkdir /etc/apache2/ssl \
+	&& openssl req -x509 -nodes -days 365 -new -newkey rsa:2048 -subj "/C=US/ST=Denial/L=Goa/O=Dis/CN=www.passbolt.com" -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt \
+	&& chmod 600 /etc/apache2/ssl/* \
+	&& a2enmod ssl
 
 # Install and configure gnupg
 RUN pecl install gnupg \
@@ -68,13 +73,17 @@ RUN rm -f /etc/apache2/sites-enabled/* \
     && a2ensite 000-default.conf
 
 # Configure php
-RUN echo "memory_limit=1024M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \
+RUN echo "memory_limit=256M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \
-    && echo "memory_limit=1024M" > /etc/php5/cli/conf.d/20-memory-limit.ini
+    && echo "memory_limit=256M" > /etc/php5/cli/conf.d/20-memory-limit.ini
 
 # Install composer
 RUN curl -sS https://getcomposer.org/installer | php \
     && mv composer.phar /usr/local/bin/composer
 
+# Generate the gpg server key
+ADD /conf/gpg_server_key_public.key /home/www-data/gpg_server_key_public.key
+ADD /conf/gpg_server_key_private.key /home/www-data/gpg_server_key_private.key
+
 # Special hack for macosx, to let www-data able to write on mounted volumes.
 # See docker bug: https://github.com/boot2docker/boot2docker/issues/581.
 RUN usermod -u 1000 www-data \

README.md

@@ -1,6 +1,6 @@
 # PASSBOLT DEBIAN DOCKER CONTAINER
 
-ERRATUM : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION.
+ATTENTION : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION.
 
 How to use it
 -------------
@@ -20,15 +20,37 @@ It contains the following options :
 - MYSQL_USERNAME : valid username for the database.
 - MYSQL_PASSWORD : valid password for the database.
 - MYSQL_DATABASE : name of the database to be used.
+- ADMIN_USERNAME : email of the admin user.
+- ADMIN_FIRST_NAME : first name of the admin user.
+- ADMIN_LAST_NAME : last name of the admin user.
 
 Enter the values corresponding to your settings. The most important setting is PASSBOLT_DIR. You can keep the default values for the rest.
 
-3) Finally, you can build and run the container :
+3) Generate the gpg server key.
+```
+	cd /path/to/docker/files
+	./bin/generate_gpg_server_key.sh
+```
+
+4) (optional) Configure the smtp server.
+
+In the PASSBOLT_DIR, edit the file app/Config/email.php.
+
+If you don't configure a smtp server, emails notifications won't be sent. User won't be able to finalize their registration.
+
+5) Finally, you can build and run the container.
 ```
 	cd /path/to/docker/files
 	docker build -t passbolt_debian .
 	./launch-container.sh
 ```
+If a smtp server has been configured you will receive a registration email at the email you defined in the conf.sh file.
+
+If no smtp server has been configured, you can still finalize the registration process. Take a look at the end of the docker logs,
+you will find the admin user registration link.
+```
+docker logs passbolt | awk '/The user has been registered with success/{print $0}'
+```
 
 Behavior
 --------
@@ -38,5 +60,3 @@ A few consideration :
 - There should be a valid username, password and database on the mysql server.
 - If the database exists but without passbolt installed, then passbolt will be installed normally.
 - If the database exists and already has a passbolt installed, then no db installation will be done and the existing data will be kept.
-
-

bin/generate_gpg_server_key.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+DIRNAME=`dirname $0`/..
+gpg --batch --armor --gen-key $DIRNAME/conf/gpg_server_key_settings.conf
+mv $DIRNAME/gpg_server_key_public.key $DIRNAME/conf
+mv $DIRNAME/gpg_server_key_private.key $DIRNAME/conf

conf/conf.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Passbolt directory.
-PASSBOLT_DIR=/path/to/passbolt/dir
+PASSBOLT_DIR=~/projects/passbolt_for_docker_debian
 
 # MySQL configuration.
 MYSQL_HOST=localhost
@@ -11,3 +11,7 @@ MYSQL_USERNAME=passbolt
 MYSQL_PASSWORD=password123
 MYSQL_DATABASE=passbolt
 
+# Admin settings.
+ADMIN_USERNAME=admin@passbolt.com
+ADMIN_FIRST_NAME=Admin
+ADMIN_LAST_NAME=Admin

conf/gpg_server_key_settings.conf

@@ -0,0 +1,12 @@
+Key-Type: RSA
+Key-Length: 2048
+Subkey-Type: RSA
+Subkey-Length: 2048
+Name-Real: Passbolt Docker Server Key
+Name-Comment: Passbolt Docker Server Key
+Name-Email: info@passbolt.com
+Expire-Date: 0
+%pubring gpg_server_key_public.key
+%secring gpg_server_key_private.key
+%commit
+%echo Your gpg passbolt server key has been generated

entry-point.sh

@@ -1,11 +1,14 @@
 #!/bin/bash
+
+########################################################
+## Configure Mysql
+########################################################
+
 IS_MYSQL_LOCAL=1
-if [[ $MYSQL_HOST != "localhost" ]];
+if [ $MYSQL_HOST != "localhost" ]; then
-then
     IS_MYSQL_LOCAL=0
 fi
 
-
 # If Mysql is local (no persistence), we reset everything and create the database.
 if [ $IS_MYSQL_LOCAL == 1 ]; then
     echo "using local mysql"
@@ -40,17 +43,42 @@ else
     echo "ok"
 fi
 
+########################################################
+## Restart services
+########################################################
+
 # Restart the apache2 service
 service apache2 restart
 
 # Start the memcached service
 service memcached restart
 
+########################################################
+## Prepare the source code
+########################################################
+
 # Default configuration files
 cp -a /var/www/passbolt/app/Config/app.php.default /var/www/passbolt/app/Config/app.php
 cp -a /var/www/passbolt/app/Config/core.php.default /var/www/passbolt/app/Config/core.php
 cp -a /var/www/passbolt/app/webroot/js/app/config/config.json.default /var/www/passbolt/app/webroot/js/app/config/config.json
 
+# gpg
+GPG_SERVER_KEY_FINGERPRINT=`gpg -n --with-fingerprint /home/www-data/gpg_server_key_public.key | awk -v FS="=" '/Key fingerprint =/{print $2}' | sed 's/[ ]*//g'`
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.fingerprint $GPG_SERVER_KEY_FINGERPRINT
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.public /home/www-data/gpg_server_key_public.key
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.private /home/www-data/gpg_server_key_private.key
+chown www-data:www-data /home/www-data/gpg_server_key_public.key
+chown www-data:www-data /home/www-data/gpg_server_key_private.key
+
+# overwrite the core configuration
+/var/www/passbolt/app/Console/cake passbolt core_config gen-cipher-seed
+/var/www/passbolt/app/Console/cake passbolt core_config gen-security-salt
+/var/www/passbolt/app/Console/cake passbolt core_config write App.fullBaseUrl https://192.168.99.100
+
+# overwrite the database configuration
+# @TODO based on the cake task DbConfigTask implement a task to manipulate the dabase configuration
+#/var/www/passbolt/app/Console/cake passbolt db_config ${MYSQL_HOST} ${MYSQL_USERNAME} ${MYSQL_PASSWORD} ${MYSQL_DATABASE}
+
 DATABASE_CONF=/var/www/passbolt/app/Config/database.php
 # Set configuration in file
 cat > $DATABASE_CONF << EOL
@@ -80,11 +108,10 @@ else
     echo "passbolt is not installed in this database. Proceeding.."
 fi
 
-
 # Install passbolt
-if [[ $IS_PASSBOLT_INSTALLED == "0"]]; then
+if [ $IS_PASSBOLT_INSTALLED == "0" ]; then
     echo "Installing"
-    su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install" www-data
+    su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install --admin-username ${ADMIN_USERNAME} --admin-first-name=${ADMIN_FIRST_NAME} --admin-last-name=${ADMIN_LAST_NAME}" www-data
     echo "We are all set. Have fun with Passbolt !"
     echo "Reminder : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION!!!!"
 fi

launch-container.sh

@@ -3,11 +3,15 @@
 SRC=$(cd $(dirname "$0"); pwd)
 source "${SRC}/conf/conf.sh"
 
-docker run -p 8081:8081 -p 80:80 -d -it --hostname=passbolt.docker --name passbolt \
+docker run -p 8081:8081 -p 80:80 -p 443:443 -d -it --hostname=passbolt.docker --name passbolt \
     -v $PASSBOLT_DIR:/var/www/passbolt \
+    -e APP_URL=https://192.168.99.100 \
     -e MYSQL_HOST=$MYSQL_HOST \
     -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \
     -e MYSQL_USERNAME=$MYSQL_USERNAME \
     -e MYSQL_PASSWORD=$MYSQL_PASSWORD \
     -e MYSQL_DATABASE=$MYSQL_DATABASE \
+    -e ADMIN_USERNAME=$ADMIN_USERNAME \
+    -e ADMIN_FIRST_NAME=$ADMIN_FIRST_NAME \
+    -e ADMIN_LAST_NAME=$ADMIN_LAST_NAME \
     passbolt_debian

server-conf/apache/passbolt.conf

@@ -12,3 +12,20 @@ Listen 8081
         allow from all
     </Directory>
 </VirtualHost>
+
+<VirtualHost *:443>
+    DocumentRoot /var/www/passbolt
+    RewriteEngine On
+    SSLEngine On
+    SSLCertificateFile /etc/apache2/ssl/apache.crt
+    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
+    SSLVerifyClient None
+
+    # Other directives here
+    <Directory /var/www/passbolt>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Order allow,deny
+        allow from all
+    </Directory>
+</VirtualHost>