PASSBOLT-1372 SSL, GPG Server Key, Admin account, Cipher Seed, Security Salt

This commit is contained in:
Cedric Alfonsi 2016-03-17 01:45:40 +01:00
parent 2299f6db99
commit 5a0f24812f
9 changed files with 128 additions and 45 deletions

.gitignore vendored

@ -1,27 +1,12 @@
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
# User-specific stuff: # IDE and editor specific files
.idea/workspace.xml /nbproject
.idea/tasks.xml .idea
.idea/dictionaries
.idea/vcs.xml
.idea/jsLibraryMappings.xml
# Sensitive or high-churn files: # mpeltonen/sbt-idea plugin
.idea/dataSources.ids .idea_modules/
.idea/dataSources.xml
.idea/dataSources.local.xml
.idea/sqlDataSources.xml
.idea/dynamic.xml
.idea/uiDesigner.xml
# Gradle:
.idea/gradle.xml
.idea/libraries
# Mongo Explorer plugin:
.idea/mongoSettings.xml
## File-based project format: ## File-based project format:
*.iws *.iws
@ -31,9 +16,6 @@
# IntelliJ # IntelliJ
/out/ /out/
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin # JIRA plugin
atlassian-ide-plugin.xml atlassian-ide-plugin.xml
@ -43,3 +25,5 @@ crashlytics.properties
crashlytics-build.properties crashlytics-build.properties
fabric.properties fabric.properties
# Generated docker files
conf/*.key


@ -44,6 +44,11 @@ RUN ln -s /usr/bin/nodejs /usr/bin/node \
# install grunt # install grunt
&& npm install -g grunt-cli && npm install -g grunt-cli
# Apache2 SSL
RUN mkdir /etc/apache2/ssl \
&& openssl req -x509 -nodes -days 365 -new -newkey rsa:2048 -subj "/C=US/ST=Denial/L=Goa/O=Dis/CN=www.passbolt.com" -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt \
&& chmod 600 /etc/apache2/ssl/* \
&& a2enmod ssl
# Install and configure gnupg # Install and configure gnupg
RUN pecl install gnupg \ RUN pecl install gnupg \
@ -68,13 +73,17 @@ RUN rm -f /etc/apache2/sites-enabled/* \
&& a2ensite 000-default.conf && a2ensite 000-default.conf
# Configure php # Configure php
RUN echo "memory_limit=1024M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \ RUN echo "memory_limit=256M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \
&& echo "memory_limit=1024M" > /etc/php5/cli/conf.d/20-memory-limit.ini && echo "memory_limit=256M" > /etc/php5/cli/conf.d/20-memory-limit.ini
# Install composer # Install composer
RUN curl -sS https://getcomposer.org/installer | php \ RUN curl -sS https://getcomposer.org/installer | php \
&& mv composer.phar /usr/local/bin/composer && mv composer.phar /usr/local/bin/composer
# Generate the gpg server key
ADD /conf/gpg_server_key_public.key /home/www-data/gpg_server_key_public.key
ADD /conf/gpg_server_key_private.key /home/www-data/gpg_server_key_private.key
# Special hack for macosx, to let www-data able to write on mounted volumes. # Special hack for macosx, to let www-data able to write on mounted volumes.
# See docker bug: https://github.com/boot2docker/boot2docker/issues/581. # See docker bug: https://github.com/boot2docker/boot2docker/issues/581.
RUN usermod -u 1000 www-data \ RUN usermod -u 1000 www-data \
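Review bot: The second hunk copies the server's private GPG key into the image with `ADD /conf/gpg_server_key_private.key /home/www-data/gpg_server_key_private.key`, so the key becomes part of the image layers and is obtained by anyone who can pull or export the image, and it keeps ADD's default file mode with no chmod, unlike the Apache key a few lines up which gets `chmod 600`. Even for a demo image this deserves a comment such as `# Demo only: the server private key is baked into the image; for anything else mount the key at run time instead` and a `RUN chmod 600 /home/www-data/gpg_server_key_private.key` right after the ADD. The same hunk lowers the PHP memory_limit from 1024M to 256M for both apache2 and cli without saying why; a one-line comment would help. This section's file header is not shown; it reads as the Dockerfile.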


@ -1,6 +1,6 @@
# PASSBOLT DEBIAN DOCKER CONTAINER # PASSBOLT DEBIAN DOCKER CONTAINER
ERRATUM : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION. ATTENTION : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION.
How to use it How to use it
------------- -------------
@ -20,15 +20,37 @@ It contains the following options :
- MYSQL_USERNAME : valid username for the database. - MYSQL_USERNAME : valid username for the database.
- MYSQL_PASSWORD : valid password for the database. - MYSQL_PASSWORD : valid password for the database.
- MYSQL_DATABASE : name of the database to be used. - MYSQL_DATABASE : name of the database to be used.
- ADMIN_USERNAME : email of the admin user.
- ADMIN_FIRST_NAME : first name of the admin user.
- ADMIN_LAST_NAME : last name of the admin user.
Enter the values corresponding to your settings. The most important setting is PASSBOLT_DIR. You can keep the default values for the rest. Enter the values corresponding to your settings. The most important setting is PASSBOLT_DIR. You can keep the default values for the rest.
3) Finally, you can build and run the container : 3) Generate the gpg server key.
```
cd /path/to/docker/files
./bin/generate_gpg_server_key.sh
```
4) (optional) Configure the smtp server.
In the PASSBOLT_DIR, edit the file app/Config/email.php.
If you don't configure a smtp server, emails notifications won't be sent. User won't be able to finalize their registration.
5) Finally, you can build and run the container.
``` ```
cd /path/to/docker/files cd /path/to/docker/files
docker build -t passbolt_debian . docker build -t passbolt_debian .
./launch-container.sh ./launch-container.sh
``` ```
If a smtp server has been configured you will receive a registration email at the email you defined in the conf.sh file.
If no smtp server has been configured, you can still finalize the registration process. Take a look at the end of the docker logs,
you will find the admin user registration link.
```
docker logs passbolt | awk '/The user has been registered with success/{print $0}'
```
Behavior Behavior
-------- --------
@ -38,5 +60,3 @@ A few consideration :
- There should be a valid username, password and database on the mysql server. - There should be a valid username, password and database on the mysql server.
- If the database exists but without passbolt installed, then passbolt will be installed normally. - If the database exists but without passbolt installed, then passbolt will be installed normally.
- If the database exists and already has a passbolt installed, then no db installation will be done and the existing data will be kept. - If the database exists and already has a passbolt installed, then no db installation will be done and the existing data will be kept.

bin/generate_gpg_server_key.sh Executable file

@ -0,0 +1,6 @@
#!/bin/sh
DIRNAME=`dirname $0`/..
gpg --batch --armor --gen-key $DIRNAME/conf/gpg_server_key_settings.conf
mv $DIRNAME/gpg_server_key_public.key $DIRNAME/conf
mv $DIRNAME/gpg_server_key_private.key $DIRNAME/conf
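Review bot: The two `mv` lines assume the key files landed in `$DIRNAME`, but `%pubring`/`%secring` in the settings file are relative names that gpg resolves against its own working directory, so the script only works when it is started from the project root as the README shows, and from anywhere else the `mv` fails after a key has already been written wherever the caller happened to be. Changing into `$DIRNAME` before calling gpg and quoting the expansions (`dirname $0` breaks on paths with spaces) fixes both; `set -e` also stops the `mv` lines from running when key generation failed. Note that on GnuPG 2.1 and later `%secring` is ignored and the secret key goes to the keyring home instead, so the private-key `mv` would fail there; if that matters the README should state the supported gpg version.
```sh
#!/bin/sh
set -e
DIRNAME="$(cd "$(dirname "$0")/.." && pwd)"
# gpg writes the %pubring/%secring targets relative to its cwd
cd "$DIRNAME"
gpg --batch --armor --gen-key conf/gpg_server_key_settings.conf
mv gpg_server_key_public.key gpg_server_key_private.key conf/
```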


@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# Passbolt directory. # Passbolt directory.
PASSBOLT_DIR=/path/to/passbolt/dir PASSBOLT_DIR=~/projects/passbolt_for_docker_debian
# MySQL configuration. # MySQL configuration.
MYSQL_HOST=localhost MYSQL_HOST=localhost
@ -11,3 +11,7 @@ MYSQL_USERNAME=passbolt
MYSQL_PASSWORD=password123 MYSQL_PASSWORD=password123
MYSQL_DATABASE=passbolt MYSQL_DATABASE=passbolt
# Admin settings.
ADMIN_USERNAME=admin@passbolt.com
ADMIN_FIRST_NAME=Admin
ADMIN_LAST_NAME=Admin
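Review bot: The first hunk replaces the `/path/to/passbolt/dir` placeholder with `~/projects/passbolt_for_docker_debian`, which reads as the author's own checkout; a committed sample config that the README tells users to edit should keep the placeholder, so suggest restoring `PASSBOLT_DIR=/path/to/passbolt/dir`. Since launch-container.sh now passes an `APP_URL` into the container, it would belong here next to the admin settings (`APP_URL=https://192.168.99.100` as the documented default) rather than being hard-coded in the launcher. This section's file header is not shown; it reads as conf/conf.sh, the file launch-container.sh sources.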


@ -0,0 +1,12 @@
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Passbolt Docker Server Key
Name-Comment: Passbolt Docker Server Key
Name-Email: info@passbolt.com
Expire-Date: 0
%pubring gpg_server_key_public.key
%secring gpg_server_key_private.key
%commit
%echo Your gpg passbolt server key has been generated
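Review bot: `Expire-Date: 0` creates a server key that never expires, and with no `Passphrase:` line the generated secret key is, depending on the gpg version, either written unprotected or generation stops to prompt for one; both are fine for a demo but should be stated in the file, e.g. `# Demo key: no expiry and no passphrase; the container has no way to supply one at start-up`. The `%pubring`/`%secring` names are relative to the directory gpg is run from, so a comment `# written relative to the cwd; run via bin/generate_gpg_server_key.sh` would save the next reader a surprise. `Name-Email: info@passbolt.com` is also baked in; a comment that this is the identity shown to users of the demo would make the intent clear.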


@ -1,11 +1,14 @@
#!/bin/bash #!/bin/bash
########################################################
## Configure Mysql
########################################################
IS_MYSQL_LOCAL=1 IS_MYSQL_LOCAL=1
if [[ $MYSQL_HOST != "localhost" ]]; if [ $MYSQL_HOST != "localhost" ]; then
then
IS_MYSQL_LOCAL=0 IS_MYSQL_LOCAL=0
fi fi
# If Mysql is local (no persistence), we reset everything and create the database. # If Mysql is local (no persistence), we reset everything and create the database.
if [ $IS_MYSQL_LOCAL == 1 ]; then if [ $IS_MYSQL_LOCAL == 1 ]; then
echo "using local mysql" echo "using local mysql"
@ -40,17 +43,42 @@ else
echo "ok" echo "ok"
fi fi
########################################################
## Restart services
########################################################
# Restart the apache2 service # Restart the apache2 service
service apache2 restart service apache2 restart
# Start the memcached service # Start the memcached service
service memcached restart service memcached restart
########################################################
## Prepare the source code
########################################################
# Default configuration files # Default configuration files
cp -a /var/www/passbolt/app/Config/app.php.default /var/www/passbolt/app/Config/app.php cp -a /var/www/passbolt/app/Config/app.php.default /var/www/passbolt/app/Config/app.php
cp -a /var/www/passbolt/app/Config/core.php.default /var/www/passbolt/app/Config/core.php cp -a /var/www/passbolt/app/Config/core.php.default /var/www/passbolt/app/Config/core.php
cp -a /var/www/passbolt/app/webroot/js/app/config/config.json.default /var/www/passbolt/app/webroot/js/app/config/config.json cp -a /var/www/passbolt/app/webroot/js/app/config/config.json.default /var/www/passbolt/app/webroot/js/app/config/config.json
# gpg
GPG_SERVER_KEY_FINGERPRINT=`gpg -n --with-fingerprint /home/www-data/gpg_server_key_public.key | awk -v FS="=" '/Key fingerprint =/{print $2}' | sed 's/[ ]*//g'`
/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.fingerprint $GPG_SERVER_KEY_FINGERPRINT
/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.public /home/www-data/gpg_server_key_public.key
/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.private /home/www-data/gpg_server_key_private.key
chown www-data:www-data /home/www-data/gpg_server_key_public.key
chown www-data:www-data /home/www-data/gpg_server_key_private.key
# overwrite the core configuration
/var/www/passbolt/app/Console/cake passbolt core_config gen-cipher-seed
/var/www/passbolt/app/Console/cake passbolt core_config gen-security-salt
/var/www/passbolt/app/Console/cake passbolt core_config write App.fullBaseUrl https://192.168.99.100
# overwrite the database configuration
# @TODO based on the cake task DbConfigTask implement a task to manipulate the dabase configuration
#/var/www/passbolt/app/Console/cake passbolt db_config ${MYSQL_HOST} ${MYSQL_USERNAME} ${MYSQL_PASSWORD} ${MYSQL_DATABASE}
DATABASE_CONF=/var/www/passbolt/app/Config/database.php DATABASE_CONF=/var/www/passbolt/app/Config/database.php
# Set configuration in file # Set configuration in file
cat > $DATABASE_CONF << EOL cat > $DATABASE_CONF << EOL
@ -80,11 +108,10 @@ else
echo "passbolt is not installed in this database. Proceeding.." echo "passbolt is not installed in this database. Proceeding.."
fi fi
# Install passbolt # Install passbolt
if [[ $IS_PASSBOLT_INSTALLED == "0"]]; then if [ $IS_PASSBOLT_INSTALLED == "0" ]; then
echo "Installing" echo "Installing"
su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install" www-data su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install --admin-username ${ADMIN_USERNAME} --admin-first-name=${ADMIN_FIRST_NAME} --admin-last-name=${ADMIN_LAST_NAME}" www-data
echo "We are all set. Have fun with Passbolt !" echo "We are all set. Have fun with Passbolt !"
echo "Reminder : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION!!!!" echo "Reminder : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION!!!!"
fi fi
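Review bot: In the second hunk the fingerprint pipeline result is passed to `app_config write GPG.serverKey.fingerprint` unquoted and unchecked, so if gpg is missing, the public key is unreadable, or the output format differs, an empty fingerprint is silently written into the app config; the private key is also chown'd to www-data but never restricted to mode 600. The same hunk hard-codes `App.fullBaseUrl https://192.168.99.100` although the launcher now exports `APP_URL` into the container, so that variable currently has no visible effect. In the last hunk the `su -s /bin/bash -c "... --admin-username ${ADMIN_USERNAME} ..."` line interpolates the ADMIN_* values into a command string that bash re-parses as www-data, so a value containing quotes or `$(...)` would be executed; passing them as positional parameters to the `-c` script (`su -s /bin/bash -c 'exec "$@"' www-data -- cake /var/www/passbolt/app/Console/cake install --admin-username "$ADMIN_USERNAME" ...`) avoids that, and note that `--admin-username` uses a space while the other two options use `=`. This section's file header is not shown; it reads as the container's init script.
```sh
# gpg
GPG_SERVER_KEY_FINGERPRINT=$(gpg -n --with-fingerprint /home/www-data/gpg_server_key_public.key \
  | awk -v FS="=" '/Key fingerprint =/{print $2}' | sed 's/[ ]*//g')
if [ -z "$GPG_SERVER_KEY_FINGERPRINT" ]; then
  echo "could not read the gpg server key fingerprint" >&2
  exit 1
fi
/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.fingerprint "$GPG_SERVER_KEY_FINGERPRINT"
# … unchanged: app_config write of GPG.serverKey.public / GPG.serverKey.private …
chown www-data:www-data /home/www-data/gpg_server_key_public.key /home/www-data/gpg_server_key_private.key
chmod 600 /home/www-data/gpg_server_key_private.key
# overwrite the core configuration
# … unchanged: gen-cipher-seed, gen-security-salt …
/var/www/passbolt/app/Console/cake passbolt core_config write App.fullBaseUrl "${APP_URL:-https://192.168.99.100}"
```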


@ -3,11 +3,15 @@
SRC=$(cd $(dirname "$0"); pwd) SRC=$(cd $(dirname "$0"); pwd)
source "${SRC}/conf/conf.sh" source "${SRC}/conf/conf.sh"
docker run -p 8081:8081 -p 80:80 -d -it --hostname=passbolt.docker --name passbolt \ docker run -p 8081:8081 -p 80:80 -p 443:443 -d -it --hostname=passbolt.docker --name passbolt \
-v $PASSBOLT_DIR:/var/www/passbolt \ -v $PASSBOLT_DIR:/var/www/passbolt \
-e APP_URL=https://192.168.99.100 \
-e MYSQL_HOST=$MYSQL_HOST \ -e MYSQL_HOST=$MYSQL_HOST \
-e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \ -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \
-e MYSQL_USERNAME=$MYSQL_USERNAME \ -e MYSQL_USERNAME=$MYSQL_USERNAME \
-e MYSQL_PASSWORD=$MYSQL_PASSWORD \ -e MYSQL_PASSWORD=$MYSQL_PASSWORD \
-e MYSQL_DATABASE=$MYSQL_DATABASE \ -e MYSQL_DATABASE=$MYSQL_DATABASE \
-e ADMIN_USERNAME=$ADMIN_USERNAME \
-e ADMIN_FIRST_NAME=$ADMIN_FIRST_NAME \
-e ADMIN_LAST_NAME=$ADMIN_LAST_NAME \
passbolt_debian passbolt_debian
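Review bot: `-e APP_URL=https://192.168.99.100 \` hard-codes a docker-machine address in the launcher while every other value in this command comes from conf.sh, and as far as the visible init-script lines show nothing inside the container reads APP_URL yet, so the setting has no effect. Suggest `-e APP_URL=$APP_URL \` with `APP_URL` defined in conf.sh alongside the new ADMIN_* entries, and a comment in conf.sh that it must match the address users will reach the container on. Exposing `-p 443:443` is consistent with the new SSL vhost; `-p 80:80` stays mapped although no port-80 vhost is visible in this commit, so either the mapping or a redirect vhost seems to be missing.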


@ -1,14 +1,31 @@
Listen 8081 Listen 8081
<VirtualHost *:8081> <VirtualHost *:8081>
DocumentRoot /var/www/passbolt DocumentRoot /var/www/passbolt
RewriteEngine On RewriteEngine On
# Other directives here # Other directives here
<Directory /var/www/passbolt> <Directory /var/www/passbolt>
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride All AllowOverride All
Order allow,deny Order allow,deny
allow from all allow from all
</Directory>
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/passbolt
RewriteEngine On
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLVerifyClient None
# Other directives here
<Directory /var/www/passbolt>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory> </Directory>
</VirtualHost> </VirtualHost>
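Review bot: The new `<VirtualHost *:443>` copies the 8081 block verbatim, including `Options Indexes FollowSymLinks` on the document root, so any directory under /var/www/passbolt without an index file or a stricter .htaccess is listable over HTTPS; `Options FollowSymLinks` is enough for the application and a one-line comment explaining the self-signed certificate (`# self-signed demo certificate generated at image build time`) would help readers who hit the browser warning. `SSLVerifyClient None` is the mod_ssl default and can be dropped, and `RewriteEngine On` has no rules in either vhost. Since the two vhosts now share an identical `<Directory>` block, hoisting it outside both `<VirtualHost>` sections would keep them from drifting apart.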