diff --git a/Makefile b/Makefile
index c4257ab..3e5c238 100644
--- a/Makefile
+++ b/Makefile
@@ -395,6 +395,10 @@ test-startup-meet-demo: ## Test if the Meet demo setup starts up
 	docker-compose -f examples/meet/docker-compose.yml -f examples/meet/tests/test-container.yml stop 2>/dev/null
 	docker ps --filter name=kopano_test* -aq | xargs docker rm -f
 
+.PHONY: test-startup-individual
+test-startup-individual:
+	docker run -it --rm -e DEBUG=true -v /etc/machine-id:/etc/machine-id -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id kopano/kopano_konnect
+
 # TODO this needs goss added to travis and dcgoss pulled from my own git repo
 .PHONY: test-goss
 test-goss: ## Test configuration of containers with goss
diff --git a/core/Dockerfile b/core/Dockerfile
index ce4afd4..3ca4da3 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -49,16 +49,19 @@ RUN \
 # install
 apt-get update && \
 set -x && \
- apt-get install --no-install-recommends -y \
+ apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
 kopano-server-packages \
- kopano-grapi kopano-kapid \
 ${ADDITIONAL_KOPANO_PACKAGES} \
 && \
 coreversion=$(dpkg-query --showformat='${Version}' --show kopano-server) && \
+ if dpkg --compare-versions "$coreversion" "gt" "8.7.0"; then \
+ apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
+ kopano-grapi kopano-kapid; \
+ fi && \
 if dpkg --compare-versions "$coreversion" "gt" "8.7.84"; then \
- apt-get install --no-install-recommends -y \
+ apt-get -o Debug::pkgProblemResolver=true install --no-install-recommends -y \
 python3-grapi.backend.ldap; \
- fi; \
+ fi && \
 set +x && \
 rm -rf /var/cache/apt /var/lib/apt/lists && \
 touch /etc/kopano/admin.cfg && \
diff --git a/docker-compose.yml b/docker-compose.yml
index 34c847e..cf847d9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
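Review bot: The two host bind mounts on the `docker run` line of `test-startup-individual` are mounted read-write although the container only needs to read them (wrapper.sh merely waits on `file:///etc/machine-id` and `file:///var/lib/dbus/machine-id`); mount them read-only so the container cannot modify host identity files: `-v /etc/machine-id:/etc/machine-id:ro -v /var/lib/dbus/machine-id:/var/lib/dbus/machine-id:ro`. The `-it` flags make the target fail under a non-interactive runner such as CI ("the input device is not a TTY"), so drop `-t` or gate it on `[ -t 0 ]`. Unlike its siblings the new target carries no `## ...` description, which presumably is what a help rule consumes; `test-startup-individual: ## Start the konnect container on its own with DEBUG output` would keep it consistent.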
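Review bot: `-o Debug::pkgProblemResolver=true` is now repeated on all three `apt-get install` calls in this RUN step; it is a debugging aid that dumps resolver internals into every build log, so either drop it before merging or hoist it into one place (a shell variable set at the top of the step, or a build ARG defaulting to empty) so it can be switched off without editing three lines. The switch from `fi; \` to `fi && \` is a real fix, since previously a failed conditional install did not abort the chain. The new `"gt" "8.7.0"` gate presumably is meant to match 8.7.0 only through its Debian revision (8.7.0-1 compares greater than 8.7.0); if the bare 8.7.0 release should also get grapi/kapid, `"ge"` states that intent explicitly. The RUN instruction continues outside the hunk.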
@@ -436,6 +436,7 @@ services:
 - identifier_registration_conf=/kopano/ssl/konnectd-identifier-registration.yaml
 - identifier_scopes_conf=/etc/kopano/konnectd-identifier-scopes.yaml
 - signing_private_key=/kopano/ssl/konnectd-tokens-signing-key.pem
+ - validation_keys_path=/kopano/ssl/konnectkeys
 env_file:
 - kopano_konnect.env
 networks:
diff --git a/konnect/Dockerfile b/konnect/Dockerfile
index 0f1582a..e6099b4 100644
--- a/konnect/Dockerfile
+++ b/konnect/Dockerfile
@@ -41,4 +41,6 @@ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSI
 COPY --chown=nobody:nogroup konnectd-identifier-registration.yaml konnectd-identifier-scopes.yaml /etc/kopano/
 COPY wrapper.sh /usr/local/bin
 
+USER nobody
+
 ENTRYPOINT ["wrapper.sh"]
diff --git a/konnect/commander.yaml b/konnect/commander.yaml
index a13a41e..410cd81 100644
--- a/konnect/commander.yaml
+++ b/konnect/commander.yaml
@@ -35,6 +35,28 @@ tests:
 config:
 env:
 identifier_registration_conf: /etc/kopano/konnectd-identifier-registration.yaml
+ no write permissions for certificates:
+ command: /commander/test-helper.sh && wrapper.sh
+ exit-code: 1
+ stderr:
+ contains:
+ - "can't create /root/sign.key: Permission denied"
+ - 'Timeout after 1s waiting on dependencies to become available: [file:///root/sign.key]'
+ config:
+ env:
+ signing_private_key: /root/sign.key
+ DOCKERIZE_TIMEOUT: 1s
+ certificate creation in container:
+ command: /commander/test-helper.sh && wrapper.sh
+ stderr:
+ contains:
+ - "setup: creating new RSA private key at"
+ not-contains:
+ - "Timeout after 360s waiting on dependencies to become available:"
+ config:
+ env:
+ signing_private_key: /tmp/sign.key
+ encryption_secret_key: /tmp/secret.key
 config:
 env:
 PATH: ${PATH}
diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh
index c8c0ce2..d43028c 100755
--- a/konnect/wrapper.sh
+++ b/konnect/wrapper.sh
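Review bot: `USER nobody` drops privileges before `ENTRYPOINT`, but nothing in this Dockerfile makes the key locations writable for that user: only the two YAML files are copied with `--chown=nobody:nogroup`, while wrapper.sh's defaults (`/etc/kopano/konnectd-signing-private-key.pem`, `/etc/kopano/konnectkeys`, `/etc/kopano/konnectd-encryption-secret.key`) live in a directory this image never chowns, so a container started with the defaults and no writable mount will presumably sit in `dockerize -wait` until `DOCKERIZE_TIMEOUT` expires instead of generating its keys. Either prepare a writable key directory here (e.g. `RUN mkdir -p /etc/kopano/konnectkeys && chown nobody:nogroup /etc/kopano/konnectkeys`, with the wrapper defaults pointing into it) or state the contract next to the new line: `# runs unprivileged: signing_private_key, encryption_secret_key and validation_keys_path must be creatable by nobody or provided externally`. A dedicated service account would also be preferable to the shared `nobody` user, which other processes in the image may use as well.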
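Review bot: The `no write permissions for certificates` case asserts the exact shell diagnostic `can't create /root/sign.key: Permission denied`, which is the BusyBox `ash` wording; bash or dash phrase it differently (`bash: /root/sign.key: Permission denied`), so the test silently couples to the image's `/bin/sh` and will break on a base-image change rather than on a regression. It also only passes when the container runs unprivileged (root can write `/root`), which the new `USER nobody` in konnect/Dockerfile guarantees but this file does not say; `# requires an unprivileged container, otherwise /root is writable and the case passes vacuously` next to the case name would make the dependency explicit. The `certificate creation in container` case pins no `exit-code`, so it relies on commander's default expectation; stating the code explicitly would make clear what `/commander/test-helper.sh && wrapper.sh` is expected to return, which I cannot tell from the diff.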
@@ -3,28 +3,76 @@
 set -eu
 [ "$DEBUG" ] && set -x
 
+DOCKERIZE_TIMEOUT=${DOCKERIZE_TIMEOUT:-360s}
+
 # allow helper commands given by "docker-compose run"
 if [ $# -gt 0 ]; then
 exec "$@"
 exit
 fi
 
-if [ "${allow_client_guests:-}" = "yes" ]; then
- # TODO try to create the file if it does not yet exist, how to combine with the below dockerize check?
- # TODO this should be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
+signing_private_key=${signing_private_key:-"/etc/kopano/konnectd-signing-private-key.pem"}
+validation_keys_path=${validation_keys_path:-"/etc/kopano/konnectkeys"}
+
+if ! true >> "$signing_private_key"; then
+ # file can not be created in this container, wait for external creation
 dockerize \
- -wait file://"${ecparam:?}" \
- -wait file://"${eckey:?}" \
- -timeout 360s
+ -wait file://"$signing_private_key" \
+ -timeout "$DOCKERIZE_TIMEOUT"
+fi
+
+if [ -f "${signing_private_key}" ] && [ ! -s "${signing_private_key}" ]; then
+ mkdir -p "${validation_keys_path}"
+ rnd=$(RANDFILE=/tmp/.rnd openssl rand -hex 2)
+ key="${validation_keys_path}/konnect-$(date +%Y%m%d)-${rnd}.pem"
+ >&2 echo "setup: creating new RSA private key at ${key} ..."
+ RANDFILE=/tmp/.rnd openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537
+ if [ -f "${key}" ]; then
+ rm "$signing_private_key"
+ ln -sn "${key}" "${signing_private_key}"
+ fi
+fi
+
+encryption_secret_key=${encryption_secret_key:-"/etc/kopano/konnectd-encryption-secret.key"}
+if ! true >> "$encryption_secret_key"; then
+ # file can not be created in this container, wait for external creation
+ dockerize \
+ -wait file://"$encryption_secret_key" \
+ -timeout "$DOCKERIZE_TIMEOUT"
+fi
+
+if [ -f "${encryption_secret_key}" ] && [ ! -s "${encryption_secret_key}" ]; then
+ >&2 echo "setup: creating new secret key at ${encryption_secret_key} ..."
+ RANDFILE=/tmp/.rnd openssl rand -out "${encryption_secret_key}" 32
+fi
+
+if [ "${allow_client_guests:-}" = "yes" ]; then
+ # TODO this could be simplified so that ecparam and eckey are only required if there is no jwk-meet.json yet
+
+ ecparam=${ecparam:-/etc/kopano/ecparam.pem}
+ if ! true >> "$ecparam"; then
+ # ecparam can not be created in this container, wait for external creation
+ dockerize \
+ -wait file://"$ecparam" \
+ -timeout "$DOCKERIZE_TIMEOUT"
+ fi
+
+ eckey=${eckey:-/etc/kopano/meet-kwmserver.pem}
+ if ! true >> "$eckey"; then
+ # eckey can not be created in this container, wait for external creation
+ dockerize \
+ -wait file://"$eckey" \
+ -timeout "$DOCKERIZE_TIMEOUT"
+ fi
 
 # Key generation for Meet guest mode
 if [ ! -s "$ecparam" ]; then
- echo "Creating ec param key for Meet..."
+ echo "Creating ec param key for Meet guest mode ..."
 openssl ecparam -name prime256v1 -genkey -noout -out "$ecparam" >/dev/null 2>&1
 fi
 if [ ! -s "$eckey" ]; then
- echo "Creating ec private key for Meet..."
+ echo "Creating ec private key for Meet guest mode..."
 openssl ec -in "$ecparam" -out "$eckey" >/dev/null 2>&1
 fi
 
@@ -92,14 +140,12 @@ fi
 
 # services need to be aware of the machine-id
 dockerize \
- -wait file://"${signing_private_key:?}" \
- -wait file://"${encryption_secret_key:?}" \
 -wait file:///etc/machine-id \
 -wait file:///var/lib/dbus/machine-id \
- -timeout 360s
+ -timeout "$DOCKERIZE_TIMEOUT"
 exec konnectd serve \
- --signing-private-key="${signing_private_key:?}" \
- --encryption-secret="${encryption_secret_key:?}" \
+ --signing-private-key="$signing_private_key" \
+ --encryption-secret="$encryption_secret_key" \
 --identifier-registration-conf "${identifier_registration_conf:?}" \
 --identifier-scopes-conf "${identifier_scopes_conf:?}" \
 "$@" "$KONNECT_BACKEND"
diff --git a/ssl/start.sh b/ssl/start.sh
index ecc6207..d9dd0a3 100755
--- a/ssl/start.sh
+++ b/ssl/start.sh
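Review bot: The generated secrets are written with whatever umask the container inherits: `true >> "$signing_private_key"` creates the placeholder, `openssl genpkey -out "${key}"` writes the RSA key and `openssl rand -out "${encryption_secret_key}" 32` the encryption secret, and none of them restricts the file mode, so with the common 022 umask the private key and the secret end up group- and world-readable and `mkdir -p "${validation_keys_path}"` likewise creates a world-listable directory. Adding `umask 077` once, directly after the `DOCKERIZE_TIMEOUT` default, keeps every key, secret and the key directory private to the user that runs the service; if another container must read a generated key through a shared volume, widen that one file deliberately rather than all of them (ssl/start.sh already does an explicit `chmod go+r` for the key it shares). Two smaller points in the signing-key branch: `rm "$signing_private_key"` followed by `ln -sn` can be collapsed into `ln -sfn "${key}" "${signing_private_key}"`, and `openssl rand -hex 2` gives only a 16-bit suffix, so two keys created on the same day can collide — `-hex 8` costs nothing. The `allow_client_guests` block closes outside the hunk.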
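Review bot: `validation_keys_path` is filled with dated `konnect-YYYYMMDD-xxxx.pem` keys by the setup code earlier in this file, but the `konnectd serve` invocation here never passes that directory to konnectd, so after a rotation only the key currently behind the `signing_private_key` symlink is presumably used and earlier keys in the directory are never loaded for validation. If rotation is the intent, add `--validation-keys-path="$validation_keys_path" \` next to `--signing-private-key`; if it is not, a comment at the `validation_keys_path` default explaining that it only determines where new keys are placed would prevent the next reader from assuming otherwise. Dropping the two `-wait` lines from the final dockerize call is consistent with the earlier blocks, which already wait for both files. The earlier setup blocks are outside this hunk.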
@@ -42,9 +42,9 @@ if [ ! -f $enckey ]; then
 mv $enckey.tmp $enckey
 fi
 
-# Konnect - create token signing key if not already present
+# Konnect - create token signing key if not already present
 signkey="/kopano/ssl/konnectd-tokens-signing-key.pem"
-if [ ! -f $signkey ]; then
+if [ ! -L $signkey ] && [ ! -f $signkey ]; then
 echo "Creating Konnect token signing key..."
 openssl genpkey -algorithm RSA -out $signkey.tmp -pkeyopt rsa_keygen_bits:4096 >/dev/null 2>&1
 chmod go+r $signkey.tmp
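Review bot: The new `[ ! -L $signkey ] && [ ! -f $signkey ]` guard only changes behaviour for a dangling symlink (`-f` already follows a valid link), and nothing on the line says why one is expected here; a comment would save the next reader a trip to konnect/wrapper.sh: `# konnect may replace this file with a symlink into its validation_keys_path; a link that dangles from this container's view still means a key exists, so do not overwrite it`. Since `$signkey` now appears in two tests on that line, quote it (`"$signkey"`) as wrapper.sh does, even though the current literal contains no whitespace. The surrounding `if` block ends outside the hunk.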