DRAFT: Add OCSP support #58

Closed
wants to merge 49 commits into from
49 commits
ed4abf5
add submodules for TAK server and integration API
rambo Oct 14, 2023
cadc44e
create db and user for tak (and solve some FIXMEs while adding some m…
rambo Oct 14, 2023
cd6617c
start by making sure we can build and start the multi-container takse…
rambo Oct 14, 2023
29f9f14
Create takserver containers, the db init must be run as superuser due…
rambo Oct 14, 2023
f9f38c3
update submodule pointers
rambo Oct 14, 2023
b60814c
Upgrade TAK to 4.10, add the retention service
rambo Oct 14, 2023
fa1256d
use new rm specific firstrun script
rambo Oct 14, 2023
2e6c00e
Add the tak-rm integration container to the compositions
rambo Oct 14, 2023
522dd05
api and submodules point to fresh mains
rambo Oct 20, 2023
3997ebf
add ENV variables for domain and port
rambo Oct 21, 2023
dcaf0db
fakewerk->miniwerk remove mkcert
rambo Oct 21, 2023
89d9fd5
make takinit not require pg superuser privileges
rambo Oct 21, 2023
ef19594
Fix privileges issue for services that do not use schemas correctly o…
rambo Oct 22, 2023
d1a299b
Remove no-longer-needed workaround
rambo Oct 22, 2023
ac9df72
preview the new ui
rambo Oct 23, 2023
34d5855
serve rmui from production build files
rambo Oct 26, 2023
3933a45
update takserver submodule pointer
rambo Nov 3, 2023
7ef77e9
remove old env variables for takserver
rambo Nov 3, 2023
a28be98
add tak to main composition
rambo Nov 3, 2023
15b6053
update submodule pointers
rambo Nov 3, 2023
fd8e6da
need postgis for tak
rambo Nov 3, 2023
d581947
tak certificate store pw's
Nov 3, 2023
0a92592
notes about ports, do not expose taks non-tls debug port in production
rambo Nov 3, 2023
b6ecb85
add tak env variables to production composition
rambo Nov 3, 2023
f86ba23
takintegration needs to access tak data
rambo Nov 4, 2023
3159054
update submodule pointers
rambo Nov 4, 2023
8dc178b
set restart policies on containers that should stay running
rambo Nov 4, 2023
afd0475
more updates to submodules
rambo Nov 4, 2023
022895d
it seems tak chokes on ECDSA keys in certs :facepalm:
rambo Nov 4, 2023
88901e5
update
rambo Nov 4, 2023
92ef31b
fix the takserver reading only root ca from chain and thus not accept…
rambo Nov 4, 2023
080718e
Use libpvarki helper for pkcs12 bundling
rambo Nov 5, 2023
d2be2fa
give le_certs to takmsg and takapi in case they are needed
rambo Nov 5, 2023
f64a128
condition and target update
Nov 11, 2023
bdac025
update submodule pointers
rambo Nov 5, 2023
4401a0f
submodule pointers updated
rambo Nov 11, 2023
7a75006
add integration test for listing 5+ pools
rambo Nov 11, 2023
f961f4d
fix rmui
rambo Nov 11, 2023
036d8a4
allow products to have certs signed and revoked
rambo Nov 12, 2023
749e4d9
add integration test for user deletion
rambo Nov 12, 2023
e726878
kwinit devel_shell seems to block a bunch of services from starting
rambo Nov 12, 2023
fb16f27
make the local composition logs more human readable
rambo Nov 12, 2023
b94fe23
user delete/revoke fixes
rambo Nov 12, 2023
2fef143
fixes/workarounds to tests
rambo Nov 12, 2023
95fd380
rmdev for some reason has started waiting indefinitely for some condi…
rambo Nov 12, 2023
c37c2a1
enable proxying of vite dev server in dev composition
rambo Nov 12, 2023
b50d047
takrmapi needs LE chain to add to the ca pkcs12
rambo Nov 14, 2023
314a26d
Start adding support for the new ocsp helper
rambo Nov 14, 2023
c398740
trying to figure out actually working config for either OCSP or CRL
rambo Nov 15, 2023
1 change: 1 addition & 0 deletions .github/workflows/build.yml
Expand Up @@ -126,6 +126,7 @@ jobs:
dcloc down -v || true

rmdev:
if: false
runs-on: ubuntu-latest
permissions:
contents: write
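Review bot: the `if: false` under `rmdev:` switches the whole job off unconditionally and carries no explanation, so nothing marks it as temporary or says what has to be fixed before it can come back. Add a comment on that line with the reason and a tracking issue, or gate the job on a repository variable or a `workflow_dispatch` input so it can still be run on demand while the hang is investigated.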
6 changes: 6 additions & 0 deletions .gitmodules
Expand Up @@ -22,3 +22,9 @@
[submodule "ui"]
path = ui
url = git@github.com:pvarki/rasenmaeher-ui.git
[submodule "takserver"]
path = takserver
url = git@github.com:pvarki/docker-atak-server.git
[submodule "takintegration"]
path = takintegration
url = git@github.com:pvarki/python-tak-rmapi.git
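Review bot: both new submodule entries use SSH-form URLs (`git@github.com:pvarki/...`), which match the existing `ui` entry but make `git submodule update --init` fail for anyone without a GitHub SSH key loaded, including CI runners that only hold a token. Consider the `https://github.com/pvarki/...` form that README.rst lists for the same repositories, or document the `url.<base>.insteadOf` rewrite that contributors are expected to configure.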
4 changes: 3 additions & 1 deletion README.rst
Expand Up @@ -35,8 +35,10 @@ Directories that are submodules
- keycloak https://github.com/pvarki/docker-keycloak
- kw_product_init https://github.com/pvarki/golang-kraftwerk-init-helper-cli
- openldap https://github.com/pvarki/docker-openldap
- miniwerk https://github.com/pvarki/ https://github.com/pvarki/python-rasenmaeher-miniwerk
- miniwerk https://github.com/pvarki/python-rasenmaeher-miniwerk
- ui https://github.com/pvarki/rasenmaeher-ui
- takserver https://github.com/pvarki/docker-atak-server
- takintegration https://github.com/pvarki/python-tak-rmapi


Running in local development mode
53 changes: 51 additions & 2 deletions docker-compose-dev.yml
Expand Up @@ -12,7 +12,7 @@ services:
volumes:
- "./api:/app"

rmui:
rmuidev:
image: pvarki/rmui:devel_shell
build:
context: ./ui
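Review bot: renaming the service key from `rmui` to `rmuidev` in this override file changes what Compose merges, because override files match services by name. The usage comment on the `kwinit:` service further down shows this file layered on `docker-compose-local.yml`; if that file still defines `rmui`, this block no longer overrides it and both containers are started. Add a short comment saying the rename is intentional and which service serves the production build, especially since the `image: pvarki/rmui:devel_shell` tag is unchanged and the two are easy to confuse.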
Expand All @@ -21,12 +21,33 @@ services:
command: ["-c", "npm install && npm run dev -- --port 8002 --host 0.0.0.0"]
volumes:
- "./ui:/app"
environment:
SERVER_DOMAIN: ${SERVER_DOMAIN:-localmaeher.pvarki.fi}
API_PORT: ${NGINX_HTTPS_PORT:-4439}
networks:
- intranet
ports: # REMINDER Do not expose these in production
- "${NGINX_UI_UPSTREAM_PORT:-8002}:${NGINX_UI_UPSTREAM_PORT:-8002}"
healthcheck:
test: 'true' # FIXME
interval: 5s
timeout: 5s
retries: 3
start_period: 5s

rmnginx: # apparently we have to specify these here or it tries to start too early
rmnginx: # need to load different templates for uidev
image: nginx
environment:
NGINX_UI_UPSTREAM: "rmuidev"
NGINX_UI_UPSTREAM_PORT: ${NGINX_UI_UPSTREAM_PORT:-8002}
NGINX_ENVSUBST_TEMPLATE_DIR: /templates_uidev
volumes:
- ./nginx/templates_rasenmaeher_uidev:/templates_uidev
depends_on:
rmapi:
condition: service_healthy
rmuidev:
condition: service_healthy

kwinit_prod: # For building the go executable needed by rmfpapi
image: pvarki/kw_product_init:latest
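Review bot: the `rmuidev` healthcheck is `test: 'true' # FIXME`, so the container reports healthy as soon as it starts and the new `rmuidev: condition: service_healthy` entry under `rmnginx` gates on nothing. The command runs `npm install` before `npm run dev`, so nginx can come up well before anything listens on port 8002; replace the test with a real probe of the dev server port, using a tool that exists in the image. Separately, the `ports:` mapping publishes the dev server on every host interface; prefixing the host side with `127.0.0.1:` keeps it local, which fits the REMINDER comment on that line.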
Expand Down Expand Up @@ -55,6 +76,29 @@ services:
rmfpapi:
condition: service_healthy


takrmapi:
image: pvarki/takrmapi:devel_shell
build:
context: ./takintegration
dockerfile: Dockerfile
target: integ_devel_shell
command: ["-c", "source /root/.profile && /container-init.sh && poetry install && uvicorn --host 0.0.0.0 --port 8003 --log-level debug --factory takrmapi.app:get_app --reload"]
environment:
LOG_LEVEL: 10
volumes:
- "./takintegration:/app"
depends_on:
rmnginx:
condition: service_healthy

taknginx: # apparently we have to specify these here or it tries to start too early
image: nginx
depends_on:
takrmapi:
condition: service_healthy


kwinit: # docker-compose -p rmdev -f docker-compose-local.yml -f docker-compose-dev.yml exec kwinit zsh
image: pvarki/kw_product_init:devel_shell
build:
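Review bot: `taknginx` waits on `takrmapi` with `condition: service_healthy`, but the `takrmapi` block added here defines no `healthcheck`, unlike `rmuidev` above. Unless the image or the base composition supplies one, the dependent service will fail to start because the dependency has no healthcheck configured; say in a comment where the healthcheck comes from, or add one here against port 8003. The command also runs with `--log-level debug` and `LOG_LEVEL: 10`, which is fine for a devel shell but worth a comment so neither setting is copied into the production composition.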
Expand All @@ -69,3 +113,8 @@ services:
depends_on:
rmapi:
condition: service_healthy
profiles: ["kwinit_dev"]


networks:
intranet:
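Review bot: adding `profiles: ["kwinit_dev"]` means `kwinit` is no longer started by a plain `up`, yet the usage comment on the `kwinit:` service line still shows `exec kwinit zsh` with no profile. Update that comment to include `--profile kwinit_dev` (or `COMPOSE_PROFILES=kwinit_dev`) so the documented command keeps working. On the new top-level `networks: intranet:` block: `rmuidev` lists only `intranet` under its `networks:`, so `rmnginx` has to be on that network as well to resolve the `rmuidev` upstream, and it is worth confirming that the base composition attaches it.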