PASSBOLT-1372 SSL, GPG Server Key, Admin account, Cipher Seed, Security Salt

2016-03-17 01:45:40 +01:00 · 2016-03-17 01:45:40 +01:00 · 5a0f24812f
parent 2299f6db99
commit 5a0f24812f
9 changed files with 128 additions and 45 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,27 +1,12 @@
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839

-# User-specific stuff:
-.idea/workspace.xml
-.idea/tasks.xml
-.idea/dictionaries
-.idea/vcs.xml
-.idea/jsLibraryMappings.xml
+# IDE and editor specific files
+/nbproject
+.idea

-# Sensitive or high-churn files:
-.idea/dataSources.ids
-.idea/dataSources.xml
-.idea/dataSources.local.xml
-.idea/sqlDataSources.xml
-.idea/dynamic.xml
-.idea/uiDesigner.xml
-
-# Gradle:
-.idea/gradle.xml
-.idea/libraries
-
-# Mongo Explorer plugin:
-.idea/mongoSettings.xml
+# mpeltonen/sbt-idea plugin
+.idea_modules/

 ## File-based project format:
 *.iws
@ -31,9 +16,6 @@
 # IntelliJ
 /out/

-# mpeltonen/sbt-idea plugin
-.idea_modules/
-
 # JIRA plugin
 atlassian-ide-plugin.xml

@ -43,3 +25,5 @@ crashlytics.properties
 crashlytics-build.properties
 fabric.properties

+# Generated docker files
+conf/*.key
--- a/13
+++ b/13
@ -44,6 +44,11 @@ RUN ln -s /usr/bin/nodejs /usr/bin/node \
    # install grunt
    && npm install -g grunt-cli

+# Apache2 SSL
+RUN mkdir /etc/apache2/ssl \
+	&& openssl req -x509 -nodes -days 365 -new -newkey rsa:2048 -subj "/C=US/ST=Denial/L=Goa/O=Dis/CN=www.passbolt.com" -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt \
+	&& chmod 600 /etc/apache2/ssl/* \
+	&& a2enmod ssl

 # Install and configure gnupg
 RUN pecl install gnupg \
@ -68,13 +73,17 @@ RUN rm -f /etc/apache2/sites-enabled/* \
    && a2ensite 000-default.conf

 # Configure php
-RUN echo "memory_limit=1024M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \
-    && echo "memory_limit=1024M" > /etc/php5/cli/conf.d/20-memory-limit.ini
+RUN echo "memory_limit=256M" > /etc/php5/apache2/conf.d/20-memory-limit.ini \
+    && echo "memory_limit=256M" > /etc/php5/cli/conf.d/20-memory-limit.ini

 # Install composer
 RUN curl -sS https://getcomposer.org/installer | php \
    && mv composer.phar /usr/local/bin/composer

+# Generate the gpg server key
+ADD /conf/gpg_server_key_public.key /home/www-data/gpg_server_key_public.key
+ADD /conf/gpg_server_key_private.key /home/www-data/gpg_server_key_private.key
+
 # Special hack for macosx, to let www-data able to write on mounted volumes.
 # See docker bug: https://github.com/boot2docker/boot2docker/issues/581.
 RUN usermod -u 1000 www-data \
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # PASSBOLT DEBIAN DOCKER CONTAINER

-ERRATUM : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION.
+ATTENTION : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION.

 How to use it
 -------------
@ -20,15 +20,37 @@ It contains the following options :
 - MYSQL_USERNAME : valid username for the database.
 - MYSQL_PASSWORD : valid password for the database.
 - MYSQL_DATABASE : name of the database to be used.
+- ADMIN_USERNAME : email of the admin user.
+- ADMIN_FIRST_NAME : first name of the admin user.
+- ADMIN_LAST_NAME : last name of the admin user.

 Enter the values corresponding to your settings. The most important setting is PASSBOLT_DIR. You can keep the default values for the rest.

-3) Finally, you can build and run the container :
+3) Generate the gpg server key.
+```
+	cd /path/to/docker/files
+	./bin/generate_gpg_server_key.sh
+```
+
+4) (optional) Configure the smtp server.
+
+In the PASSBOLT_DIR, edit the file app/Config/email.php.
+
+If you don't configure a smtp server, emails notifications won't be sent. User won't be able to finalize their registration.
+
+5) Finally, you can build and run the container.
 ```
 	cd /path/to/docker/files
 	docker build -t passbolt_debian .
 	./launch-container.sh
 ```
+If a smtp server has been configured you will receive a registration email at the email you defined in the conf.sh file.
+
+If no smtp server has been configured, you can still finalize the registration process. Take a look at the end of the docker logs,
+you will find the admin user registration link.
+```
+docker logs passbolt | awk '/The user has been registered with success/{print $0}'
+```

 Behavior
 --------
@ -38,5 +60,3 @@ A few consideration :
 - There should be a valid username, password and database on the mysql server.
 - If the database exists but without passbolt installed, then passbolt will be installed normally.
 - If the database exists and already has a passbolt installed, then no db installation will be done and the existing data will be kept.
-
-
--- a/bin/generate_gpg_server_key.sh
+++ b/bin/generate_gpg_server_key.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+
+DIRNAME=`dirname $0`/..
+gpg --batch --armor --gen-key $DIRNAME/conf/gpg_server_key_settings.conf
+mv $DIRNAME/gpg_server_key_public.key $DIRNAME/conf
+mv $DIRNAME/gpg_server_key_private.key $DIRNAME/conf
--- a/conf/conf.sh
+++ b/conf/conf.sh
@ -1,7 +1,7 @@
 #!/bin/sh

 # Passbolt directory.
-PASSBOLT_DIR=/path/to/passbolt/dir
+PASSBOLT_DIR=~/projects/passbolt_for_docker_debian

 # MySQL configuration.
 MYSQL_HOST=localhost
@ -11,3 +11,7 @@ MYSQL_USERNAME=passbolt
 MYSQL_PASSWORD=password123
 MYSQL_DATABASE=passbolt

+# Admin settings.
+ADMIN_USERNAME=admin@passbolt.com
+ADMIN_FIRST_NAME=Admin
+ADMIN_LAST_NAME=Admin
--- a/conf/gpg_server_key_settings.conf
+++ b/conf/gpg_server_key_settings.conf
@ -0,0 +1,12 @@
+Key-Type: RSA
+Key-Length: 2048
+Subkey-Type: RSA
+Subkey-Length: 2048
+Name-Real: Passbolt Docker Server Key
+Name-Comment: Passbolt Docker Server Key
+Name-Email: info@passbolt.com
+Expire-Date: 0
+%pubring gpg_server_key_public.key
+%secring gpg_server_key_private.key
+%commit
+%echo Your gpg passbolt server key has been generated
--- a/entry-point.sh
+++ b/entry-point.sh
@ -1,11 +1,14 @@
 #!/bin/bash
+
+########################################################
+## Configure Mysql
+########################################################
+
 IS_MYSQL_LOCAL=1
-if [[ $MYSQL_HOST != "localhost" ]];
-then
+if [ $MYSQL_HOST != "localhost" ]; then
    IS_MYSQL_LOCAL=0
 fi

-
 # If Mysql is local (no persistence), we reset everything and create the database.
 if [ $IS_MYSQL_LOCAL == 1 ]; then
    echo "using local mysql"
@ -40,17 +43,42 @@ else
    echo "ok"
 fi

+########################################################
+## Restart services
+########################################################
+
 # Restart the apache2 service
 service apache2 restart

 # Start the memcached service
 service memcached restart

+########################################################
+## Prepare the source code
+########################################################
+
 # Default configuration files
 cp -a /var/www/passbolt/app/Config/app.php.default /var/www/passbolt/app/Config/app.php
 cp -a /var/www/passbolt/app/Config/core.php.default /var/www/passbolt/app/Config/core.php
 cp -a /var/www/passbolt/app/webroot/js/app/config/config.json.default /var/www/passbolt/app/webroot/js/app/config/config.json

+# gpg
+GPG_SERVER_KEY_FINGERPRINT=`gpg -n --with-fingerprint /home/www-data/gpg_server_key_public.key | awk -v FS="=" '/Key fingerprint =/{print $2}' | sed 's/[ ]*//g'`
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.fingerprint $GPG_SERVER_KEY_FINGERPRINT
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.public /home/www-data/gpg_server_key_public.key
+/var/www/passbolt/app/Console/cake passbolt app_config write GPG.serverKey.private /home/www-data/gpg_server_key_private.key
+chown www-data:www-data /home/www-data/gpg_server_key_public.key
+chown www-data:www-data /home/www-data/gpg_server_key_private.key
+
+# overwrite the core configuration
+/var/www/passbolt/app/Console/cake passbolt core_config gen-cipher-seed
+/var/www/passbolt/app/Console/cake passbolt core_config gen-security-salt
+/var/www/passbolt/app/Console/cake passbolt core_config write App.fullBaseUrl https://192.168.99.100
+
+# overwrite the database configuration
+# @TODO based on the cake task DbConfigTask implement a task to manipulate the dabase configuration
+#/var/www/passbolt/app/Console/cake passbolt db_config ${MYSQL_HOST} ${MYSQL_USERNAME} ${MYSQL_PASSWORD} ${MYSQL_DATABASE}
+
 DATABASE_CONF=/var/www/passbolt/app/Config/database.php
 # Set configuration in file
 cat > $DATABASE_CONF << EOL
@ -80,11 +108,10 @@ else
    echo "passbolt is not installed in this database. Proceeding.."
 fi

-
 # Install passbolt
-if [[ $IS_PASSBOLT_INSTALLED == "0"]]; then
+if [ $IS_PASSBOLT_INSTALLED == "0" ]; then
    echo "Installing"
-    su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install" www-data
+    su -s /bin/bash -c "/var/www/passbolt/app/Console/cake install --admin-username ${ADMIN_USERNAME} --admin-first-name=${ADMIN_FIRST_NAME} --admin-last-name=${ADMIN_LAST_NAME}" www-data
    echo "We are all set. Have fun with Passbolt !"
    echo "Reminder : THIS IS A DEMO CONTAINER. DO NOT USE IT IN PRODUCTION!!!!"
 fi
--- a/launch-container.sh
+++ b/launch-container.sh
@ -3,11 +3,15 @@
 SRC=$(cd $(dirname "$0"); pwd)
 source "${SRC}/conf/conf.sh"

-docker run -p 8081:8081 -p 80:80 -d -it --hostname=passbolt.docker --name passbolt \
+docker run -p 8081:8081 -p 80:80 -p 443:443 -d -it --hostname=passbolt.docker --name passbolt \
    -v $PASSBOLT_DIR:/var/www/passbolt \
+    -e APP_URL=https://192.168.99.100 \
    -e MYSQL_HOST=$MYSQL_HOST \
    -e MYSQL_ROOT_PASSWORD=$MYSQL_ROOT_PASSWORD \
    -e MYSQL_USERNAME=$MYSQL_USERNAME \
    -e MYSQL_PASSWORD=$MYSQL_PASSWORD \
    -e MYSQL_DATABASE=$MYSQL_DATABASE \
+    -e ADMIN_USERNAME=$ADMIN_USERNAME \
+    -e ADMIN_FIRST_NAME=$ADMIN_FIRST_NAME \
+    -e ADMIN_LAST_NAME=$ADMIN_LAST_NAME \
    passbolt_debian
--- a/server-conf/apache/passbolt.conf
+++ b/server-conf/apache/passbolt.conf
@ -1,14 +1,31 @@
 Listen 8081

 <VirtualHost *:8081>
-	DocumentRoot /var/www/passbolt
-	RewriteEngine On
+    DocumentRoot /var/www/passbolt
+    RewriteEngine On

-	# Other directives here
+    # Other directives here
    <Directory /var/www/passbolt>
-            Options Indexes FollowSymLinks
-            AllowOverride All
-            Order allow,deny
-            allow from all
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Order allow,deny
+        allow from all
+    </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+    DocumentRoot /var/www/passbolt
+    RewriteEngine On
+    SSLEngine On
+    SSLCertificateFile /etc/apache2/ssl/apache.crt
+    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
+    SSLVerifyClient None
+
+    # Other directives here
+    <Directory /var/www/passbolt>
+        Options Indexes FollowSymLinks
+        AllowOverride All
+        Order allow,deny
+        allow from all
    </Directory>
 </VirtualHost>