From 43ff8793cb0a36eb5a3f5d112ffa3e6fedd2dfb7 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Thu, 26 Apr 2018 09:56:31 +0200 Subject: [PATCH 01/13] Forces mysql 8.x to use mysql_native_password auth. Fixes #103 --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index cfca8e3..1f7f8ab 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,6 +2,7 @@ version: '3.4' services: db: image: mysql:latest + entrypoint: ['/entrypoint.sh', '--default-authentication-plugin=mysql_native_password'] env_file: - env/mysql.env volumes: From d9c68fe79f0b0c94f7d2b899d3f1bb51ae89759e Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Thu, 26 Apr 2018 12:17:11 +0200 Subject: [PATCH 02/13] switch to mariadb --- docker-compose-dev.yml | 2 +- docker-compose-pro.yml | 2 +- docker-compose.yml | 5 ++--- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index 8aa644c..289f723 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -1,7 +1,7 @@ version: '3.4' services: db: - image: mysql:latest + image: mariadb:latest env_file: - env/mysql.env volumes: diff --git a/docker-compose-pro.yml b/docker-compose-pro.yml index 0fc8571..d81f2d3 100644 --- a/docker-compose-pro.yml +++ b/docker-compose-pro.yml @@ -1,7 +1,7 @@ version: '3.4' services: db: - image: mysql:latest + image: mariadb:latest env_file: - env/mysql.env volumes: diff --git a/docker-compose.yml b/docker-compose.yml index 1f7f8ab..6d6964e 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,8 +1,7 @@ version: '3.4' services: db: - image: mysql:latest - entrypoint: ['/entrypoint.sh', '--default-authentication-plugin=mysql_native_password'] + image: mariadb:latest env_file: - env/mysql.env volumes: @@ -11,7 +10,7 @@ services: - 3306 passbolt: - image: passbolt/passbolt:2.0.3-debian + image: passbolt/passbolt:2.0.4-debian tty: true depends_on: - db 
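Review bot: Overriding `entrypoint` for the db service hard-codes `/entrypoint.sh`, an implementation detail of the image, and replaces whatever that script's default invocation does before mysqld starts. The same flag reaches the server with the image's own entrypoint left intact by appending it as arguments instead: `command: --default-authentication-plugin=mysql_native_password`. The underlying cause is the unpinned `mysql:latest` tag, which is what let the 8.x authentication default change arrive on a routine pull; pinning a major tag would have turned this into a deliberate upgrade. Since `mysql_native_password` is the older scheme kept for client compatibility, the line also deserves a why-comment such as `# mysql 8 defaults to caching_sha2_password, which the client cannot use yet; see #103`. The next patch in this series drops the line again in favour of mariadb, so this note is mainly about the approach.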
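Review bot: `image: mariadb:latest` in docker-compose.yml, docker-compose-dev.yml and docker-compose-pro.yml repeats the unpinned-tag problem the previous patch was working around for mysql: the next MariaDB major release changes every deployment at its next pull, with nothing in this repository to bisect against. Pin at least the major version (`image: mariadb:<MAJOR>` — placeholder, use the version the image was validated with) and bump it deliberately, the way the passbolt image in the same hunk already is (`passbolt/passbolt:2.0.4-debian`). Keeping the `env/mysql.env` file name is fine because the mariadb image honours the `MYSQL_*` variables (the spec in a later patch starts mariadb with `MYSQL_ROOT_PASSWORD`), but a one-line comment on the `env_file` entry saying so would save the next reader a check.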
From 01b34b38640f3abbc1fa9fcf719d5572019f53df Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Thu, 26 Apr 2018 12:17:43 +0200 Subject: [PATCH 03/13] version bump --- Dockerfile | 2 +- docker-compose-pro.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 873acfd..e1f19c4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM php:7-fpm LABEL maintainer="diego@passbolt.com" -ARG PASSBOLT_VERSION="2.0.3" +ARG PASSBOLT_VERSION="2.0.4" ARG PASSBOLT_URL="https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz" ARG PHP_EXTENSIONS="gd \ diff --git a/docker-compose-pro.yml b/docker-compose-pro.yml index d81f2d3..284d8e9 100644 --- a/docker-compose-pro.yml +++ b/docker-compose-pro.yml @@ -10,7 +10,7 @@ services: - 3306 passbolt: - image: passbolt/passbolt:2.0.3-pro-debian + image: passbolt/passbolt:2.0.4-pro-debian tty: true depends_on: - db From 8020bc42ce2edef370be0058b1498bb95997f1ad Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Thu, 26 Apr 2018 12:41:02 +0200 Subject: [PATCH 04/13] switch tests to use mariadb --- spec/docker_runtime/runtime_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index 0ce9062..f9e7b2f 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -16,7 +16,7 @@ describe 'passbolt_api service' do "mysqladmin ping --silent" ] }, - 'Image' => 'mysql') + 'Image' => 'mariadb') @mysql.start while @mysql.json['State']['Health']['Status'] != 'healthy' From 9d0b9a820e565d49b9ddf07df696046e99ffb379 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Mon, 7 May 2018 16:52:32 +0200 Subject: [PATCH 05/13] nginx configuration fixed --- conf/passbolt.conf | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/conf/passbolt.conf b/conf/passbolt.conf index 33ddfb0..249346f 100644 
--- a/conf/passbolt.conf +++ b/conf/passbolt.conf @@ -10,28 +10,29 @@ server { keepalive_timeout 5 5; send_timeout 10; - root /var/www/passbolt; + root /var/www/passbolt/webroot; + index index.php; location / { try_files $uri $uri/ /index.php?$args; - index index.php; } location ~ \.php$ { - fastcgi_index index.php; - fastcgi_pass 127.0.0.1:9000; - fastcgi_split_path_info ^(.+\.php)(.+)$; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SERVER_NAME $http_host; - fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; + try_files $uri =404; + include fastcgi_params; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_intercept_errors on; + fastcgi_split_path_info ^(.+\.php)(.+)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SERVER_NAME $http_host; + fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|ejs|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ { access_log off; log_not_found off; try_files $uri /webroot/$uri /index.php?$args; - #try_files $uri /app/webroot/$uri /index.php?$args; } } 
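Review bot: `fastcgi_intercept_errors on` is new in the `location ~ \.php$` block and changes who renders error responses: whenever an `error_page` directive matches in this server block, nginx discards the FastCGI body and serves its own page, so JSON error responses from the API would become HTML for those statuses. Whether any `error_page` is defined is not visible in this hunk (the `server {` block opens before it); if none is, the directive is a no-op and can go, otherwise it needs a comment naming the statuses that are intentionally rewritten. The static-asset `try_files $uri /webroot/$uri /index.php?$args;` was written for the old `root /var/www/passbolt`; with `root` now pointing at `webroot`, the middle candidate resolves under `webroot/webroot/` and can only miss, so `try_files $uri /index.php?$args;` is the consistent form. The added `try_files $uri =404;` is the important line of this hunk and deserves a why-comment, e.g. `# never hand a non-existent .php path to php-fpm (PATH_INFO / cgi.fix_pathinfo)`. The second hunk of this patch (the TLS server block) repeats the same block and has the same three points.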
@@ -56,24 +57,26 @@ server { ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH"; ssl_session_tickets off; - root /var/www/passbolt; + root /var/www/passbolt/webroot; + index index.php; location / { try_files $uri $uri/ /index.php?$args; - index index.php; } location ~ \.php$ { - fastcgi_index index.php; - fastcgi_pass 127.0.0.1:9000; - fastcgi_split_path_info ^(.+\.php)(.+)$; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SERVER_NAME $http_host; - fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; + try_files $uri =404; + include fastcgi_params; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + fastcgi_intercept_errors on; + fastcgi_split_path_info ^(.+\.php)(.+)$; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SERVER_NAME $http_host; + fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } - location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ { + location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|ejs|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ { access_log off; log_not_found off; try_files $uri /webroot/$uri /index.php?$args; From 80051a53b3e5fdf2e7d37b9f419ef9eb5771f40f Mon Sep 17 00:00:00 2001 
From: Diego Lendoiro Date: Mon, 7 May 2018 16:53:04 +0200 Subject: [PATCH 06/13] checks on private directories --- spec/docker_image/image_spec.rb | 4 +++ spec/docker_runtime/runtime_spec.rb | 40 +++++++++++++++++++++++++++-- 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb index 7964b14..175a2f1 100644 --- a/spec/docker_image/image_spec.rb +++ b/spec/docker_image/image_spec.rb @@ -89,6 +89,10 @@ describe 'Dockerfile' do it 'has the correct permissions' do expect(file(site_conf)).to be_owned_by 'root' end + + it 'points to the correct root folder' do + expect(file(site_conf).content).to match 'root /var/www/passbolt/webroot' + end end describe 'ports exposed' do diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index f9e7b2f..6ca046b 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -30,6 +30,7 @@ describe 'passbolt_api service' do 'DATASOURCES_DEFAULT_PASSWORD=P4ssb0lt', 'DATASOURCES_DEFAULT_USERNAME=passbolt', 'DATASOURCES_DEFAULT_DATABASE=passbolt', + 'PASSBOLT_SSL_FORCE=true' ], 'Image' => @image.id) @container.start 
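Review bot: `match 'root /var/www/passbolt/webroot'` in the new image_spec example is a substring regex, so a commented-out `#root /var/www/passbolt/webroot`, a longer path such as `webroot_old`, or a second conflicting `root` directive would all satisfy it. Anchoring it to the directive as nginx reads it is a one-line change: `expect(file(site_conf).content).to match(%r{^\s*root /var/www/passbolt/webroot;})`. The enclosing `describe` that defines `site_conf` starts before this hunk.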
@@ -44,8 +45,12 @@ describe 'passbolt_api service' do @container.kill end - let(:http_path) { "/healthcheck/status.json" } - let(:healthcheck) { 'curl -s -o /dev/null -w "%{http_code}" http://localhost/healthcheck/status.json' } + let(:healthcheck) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/healthcheck/status.json' } + let(:serverkey) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/config/gpg/serverkey.asc' } + let(:serverkey_private) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/config/gpg/serverkey_private.asc' } + let(:tmp) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/tmp/cache/database/empty' } + let(:logs) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/logs/error.log' } + let(:conf_app) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/conf/app.php' } describe 'php service' do it 'is running supervised' do @@ -82,4 +87,35 @@ describe 'passbolt_api service' do expect(command(healthcheck).stdout).to eq '200' end end + + describe 'passbolt serverkey unaccessible' do + it 'returns 404' do + expect(command(serverkey).stdout).to eq '404' + end + end + + describe 'passbolt serverkey private unaccessible' do + it 'returns 404' do + expect(command(serverkey_private).stdout).to eq '404' + end + end + + describe 'passbolt tmp folder is unaccessible' do + it 'returns 404' do + expect(command(tmp).stdout).to eq '404' + end + end + + describe 'passbolt conf files can not be retrieved' do + it 'returns 404' do + expect(command(conf_app).stdout).to eq '404' + end + end + + describe 'passbolt error log folder is unaccessible' do + it 'returns 404' do + expect(command(logs).stdout).to eq '404' + end + end + end From dc05ce251ad0d8748d27eeb5a42937d7c0e1c4eb Mon Sep 17 00:00:00 2001 
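Review bot: `conf_app` requests `/conf/app.php`, but every other private path in this hunk lives under `/config/` (`/config/gpg/serverkey.asc`, `/config/gpg/serverkey_private.asc`), so the 404 this example expects would come back even if the configuration directory were fully exposed; it should be `/config/app.php` to test what its description claims. The six `let`s share the same curl prefix and differ only in the path, which invites one curl template plus a per-`describe` `let(:uri)`. The `https://localhost` target assumes `command` runs inside the passbolt container or on a host that publishes 443, which is not visible here, so a comment on the `healthcheck` line stating where these commands execute would help. The enclosing `describe 'passbolt_api service'` starts before this hunk.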
From: Diego Lendoiro Date: Tue, 8 May 2018 09:51:35 +0200 Subject: [PATCH 07/13] updated gems --- Gemfile.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 49219f5..51c93ed 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -3,12 +3,12 @@ GEM specs: coderay (1.1.2) diff-lcs (1.3) - docker-api (1.34.0) + docker-api (1.34.2) excon (>= 0.47.0) multi_json - excon (0.60.0) + excon (0.62.0) method_source (0.9.0) - multi_json (1.12.2) + multi_json (1.13.1) net-scp (1.2.1) net-ssh (>= 2.6.5) net-ssh (4.2.0) @@ -16,7 +16,7 @@ GEM pry (0.11.3) coderay (~> 1.1.0) method_source (~> 0.9.0) - rake (12.3.0) + rake (12.3.1) rspec (3.7.0) rspec-core (~> 3.7.0) rspec-expectations (~> 3.7.0) @@ -32,14 +32,14 @@ GEM rspec-mocks (3.7.0) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.7.0) - rspec-support (3.7.0) + rspec-support (3.7.1) serverspec (2.41.3) multi_json rspec (~> 3.0) rspec-its specinfra (~> 2.72) sfl (2.3) - specinfra (2.73.0) + specinfra (2.73.3) net-scp net-ssh (>= 2.7, < 5.0) net-telnet From cd4fca51093b7348d6747c8b086405255ff09f6a Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 09:51:49 +0200 Subject: [PATCH 08/13] DRY tests --- spec/docker_runtime/runtime_spec.rb | 43 +++++++++++++++-------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index 6ca046b..afae3fa 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -3,6 +3,7 @@ require 'spec_helper' describe 'passbolt_api service' do before(:all) do + @mysql_image = Docker::Image.create('fromImage' => 'mariadb:latest') @mysql = Docker::Container.create( 'Env' => [ 'MYSQL_ROOT_PASSWORD=test', @@ -16,7 +17,7 @@ describe 'passbolt_api service' do "mysqladmin ping --silent" ] }, - 'Image' => 'mariadb') + 'Image' => @mysql_image.id) @mysql.start while @mysql.json['State']['Health']['Status'] != 'healthy' 
@@ -45,12 +46,10 @@ describe 'passbolt_api service' do @container.kill end - let(:healthcheck) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/healthcheck/status.json' } - let(:serverkey) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/config/gpg/serverkey.asc' } - let(:serverkey_private) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/config/gpg/serverkey_private.asc' } - let(:tmp) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/tmp/cache/database/empty' } - let(:logs) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/logs/error.log' } - let(:conf_app) { 'curl -sk -o /dev/null -w "%{http_code}" -H "Host: passbolt.local" https://localhost/conf/app.php' } + let(:passbolt_host) { @container.json['NetworkSettings']['IPAddress'] } + let(:uri) { "/healthcheck/status.json" } + let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/#{uri}" } + let(:conf_app) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/conf/app.php" } describe 'php service' do it 'is running supervised' do 
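Review bot: `uri` defaults to `/healthcheck/status.json` and every override in the next hunk also starts with `/`, while the template interpolates it as `https://#{passbolt_host}/#{uri}`, so each request goes out with a doubled slash (`//config/...`). That only works because nginx's default `merge_slashes` collapses it, and a 404 assertion is exactly where a difference in path normalisation could mask the result, so drop the separator from the template: `let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}#{uri}" }`. `conf_app` is kept as its own `let`, but after this patch's last hunk nothing in the visible diff references it, so it looks like a leftover. The enclosing `describe` block opens before this hunk.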
@@ -84,37 +83,41 @@ describe 'passbolt_api service' do describe 'passbolt status' do it 'returns 200' do - expect(command(healthcheck).stdout).to eq '200' + expect(command(curl).stdout).to eq '200' end end describe 'passbolt serverkey unaccessible' do - it 'returns 404' do - expect(command(serverkey).stdout).to eq '404' + let(:uri) { '/config/gpg/serverkey.asc' } + it "returns 404" do + expect(command(curl).stdout).to eq '404' end end describe 'passbolt serverkey private unaccessible' do + let(:uri) { '/config/gpg/serverkey_private.asc' } it 'returns 404' do - expect(command(serverkey_private).stdout).to eq '404' + expect(command(curl).stdout).to eq '404' end end - describe 'passbolt tmp folder is unaccessible' do + describe 'passbolt conf unaccessible' do + let(:uri) { '/config/app.php' } it 'returns 404' do - expect(command(tmp).stdout).to eq '404' + expect(command(curl).stdout).to eq '404' + end + end + describe 'passbolt tmp folder is unaccessible' do + let(:uri) { '/tmp/cache/database/empty' } + it 'returns 404' do + expect(command(curl).stdout).to eq '404' end end describe 'passbolt conf files can not be retrieved' do + let(:uri) { '/config/gpg/serverkey_private.asc' } it 'returns 404' do - expect(command(conf_app).stdout).to eq '404' - end - end - - describe 'passbolt error log folder is unaccessible' do - it 'returns 404' do - expect(command(logs).stdout).to eq '404' + expect(command(curl).stdout).to eq '404' end end From c467f25fe300ca266f4027f0e7248430553ccb33 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 11:21:05 +0200 Subject: [PATCH 09/13] version bump --- Dockerfile | 2 +- docker-compose.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e1f19c4..66dba1e 100644 --- a/Dockerfile +++ b/Dockerfile 
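Review bot: `describe 'passbolt conf files can not be retrieved'` sets `uri` to `/config/gpg/serverkey_private.asc`, which is exactly what the 'serverkey private' example two blocks up already requests, so this example duplicates that one instead of covering a conf file; either point it at a second config path or remove it, together with the unused `conf_app` let. The error-log example was dropped in the rewrite rather than converted, so `/logs/error.log` is no longer asserted unreachable; if that was intentional it belongs in the commit message, otherwise add a `describe` with `let(:uri) { '/logs/error.log' }`. A style nit in the same hunk: `it "returns 404" do` uses double quotes where every sibling uses single quotes. The enclosing `describe 'passbolt_api service'` closes after this hunk.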
@@ -2,7 +2,7 @@ FROM php:7-fpm LABEL maintainer="diego@passbolt.com" -ARG PASSBOLT_VERSION="2.0.4" +ARG PASSBOLT_VERSION="2.0.5" ARG PASSBOLT_URL="https://github.com/passbolt/passbolt_api/archive/v${PASSBOLT_VERSION}.tar.gz" ARG PHP_EXTENSIONS="gd \ diff --git a/docker-compose.yml b/docker-compose.yml index 6d6964e..ef8c0c2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,7 +10,7 @@ services: - 3306 passbolt: - image: passbolt/passbolt:2.0.4-debian + image: passbolt/passbolt:2.0.5-debian tty: true depends_on: - db From cd952bd72dfd74cf5ca8fa214811333a7abcc555 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 12:45:32 +0200 Subject: [PATCH 10/13] removed duplicates --- spec/docker_runtime/runtime_spec.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb index afae3fa..280c429 100644 --- a/spec/docker_runtime/runtime_spec.rb +++ b/spec/docker_runtime/runtime_spec.rb @@ -114,11 +114,4 @@ describe 'passbolt_api service' do end end - describe 'passbolt conf files can not be retrieved' do - let(:uri) { '/config/gpg/serverkey_private.asc' } - it 'returns 404' do - expect(command(curl).stdout).to eq '404' - end - end - end From d80fe5f7b68dcafd2e79f118f122cb3b7d45231b Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 12:55:53 +0200 Subject: [PATCH 11/13] removed static files location --- conf/passbolt.conf | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/conf/passbolt.conf b/conf/passbolt.conf index 249346f..e20c7a6 100644 --- a/conf/passbolt.conf +++ b/conf/passbolt.conf @@ -29,12 +29,6 @@ server { fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } - location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|ejs|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ { - access_log off; - log_not_found off; - try_files $uri /webroot/$uri /index.php?$args; - } - } server { 
@@ -75,10 +69,4 @@ server { fastcgi_param SERVER_NAME $http_host; fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M"; } - - location ~* \.(jpe?g|woff|woff2|ttf|gif|png|bmp|ico|css|js|ejs|json|pdf|zip|htm|html|docx?|xlsx?|pptx?|txt|wav|swf|svg|avi|mp\d)$ { - access_log off; - log_not_found off; - try_files $uri /webroot/$uri /index.php?$args; - } } From 76e5d34783f30780dddae332b39702961b0d3377 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 17:43:11 +0200 Subject: [PATCH 12/13] updated changelog --- CHANGELOG.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d717fd..d4b6ade 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,13 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). -## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v2.0.4...HEAD) +## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v2.0.5...HEAD) + +## [2.0.5](https://github.com/passbolt/passbolt_docker/compare/v2.0.4...v2.0.5) - 2018-05-08 + +### Fixed + +- Nginx configuration file root directive for passbolt ## [2.0.4](https://github.com/passbolt/passbolt_docker/compare/v2.0.2...v2.0.4) - 2018-04-26 From 44bc84190e08845407520c046cd1a070dc0adc31 Mon Sep 17 00:00:00 2001 From: Diego Lendoiro Date: Tue, 8 May 2018 17:47:19 +0200 Subject: [PATCH 13/13] version bump --- docker-compose-pro.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose-pro.yml b/docker-compose-pro.yml index 284d8e9..7c8298b 100644 --- a/docker-compose-pro.yml +++ b/docker-compose-pro.yml @@ -10,7 +10,7 @@ services: - 3306 passbolt: - image: passbolt/passbolt:2.0.4-pro-debian + image: passbolt/passbolt:2.0.5-pro-debian tty: true depends_on: - db