pvarki · rambo · Mar 28, 2024 · Nov 14, 2023 · Nov 15, 2023 · Nov 26, 2023
diff --git a/.dockerignore b/.dockerignore
@@ -25,6 +25,7 @@ coverage*
 *.exe
 build/
 
-# docker build files (so just changing them does not invalidate *all* caches)
+# docker build files and git state (so just changing them does not invalidate *all* caches)
 .dockerignore
 Dockerfile
+.git
diff --git a/api b/api
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
@@ -0,0 +1,7 @@
+FROM caddy:builder AS builder
+RUN xcaddy build \
+      --with github.com/gr33nbl00d/caddy-revocation-validator \
+    && true
+
+FROM caddy:latest as production
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/caddy/templates_rasenmaeher/Caddyfile b/caddy/templates_rasenmaeher/Caddyfile
@@ -0,0 +1,93 @@
+{
+}
+
+# Regular HTTPS Server Block (non-mTLS)
+${NGINX_HOST} {
+    # Redirect HTTP to HTTPS
+    redir https://${host}${uri} permanent
+
+    # HTTPS configuration
+    tls /le_certs/${NGINX_CERT_NAME}/fullchain.pem /le_certs/${NGINX_CERT_NAME}/privkey.pem
+
+    # Proxy locations
+    route /ca/crl {
+        reverse_proxy ${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api/v1/utils/crl
+    }
+
+    route /ca/ocsp {
+        reverse_proxy ${NGINX_OCSP_UPSTREAM}:${CFSSL_OCSP_BIND_PORT}
+    }
+
+    route /api/* {
+        reverse_proxy ${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api
+    }
+
+    # Static file serving
+    file_server {
+        root /rmui_files
+        index index.html
+    }
+}
+
+# mTLS Server Block
+mtls.${NGINX_HOST} {
+    # Redirect HTTP to HTTPS
+    redir https://${host}${uri} permanent
+
+    # HTTPS configuration
+    tls /le_certs/${NGINX_CERT_NAME}/fullchain.pem /le_certs/${NGINX_CERT_NAME}/privkey.pem
+
+    "client_authentication": {
+        "trusted_ca_certs_pem_files": [
+          "/ca_public/ca_chain.pem"
+        ],
+        "mode": "require_and_verify",
+        "verifiers": [ {
+            "verifier": "revocation",
+            "mode": "crl_only",
+            "crl_config": {
+              "work_dir": "./crlworkdir",
+              "storage_type": "memory",
+              "update_interval": "1m",
+              "signature_validation_mode": "verify",
+              "crl_files" : ["/ca_public/crl.pem"],
+              crl_urls: ["http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api/v1/utils/crl"]
+              "cdp_config": {
+                "crl_fetch_mode": "fetch_actively",
+                "crl_cdp_strict": true
+              }
+            }
+          }
+        ]
+    }
+
+    # Proxy locations
+    route /ca/* {
+        redir https://${NGINX_HOST}:${NGINX_HTTPS_PORT}{uri}
+    }
+
+    route /api/* {
+        handle {
+            @mtls_fail expression {ssl_client_verify} != "SUCCESS"
+            redir @mtls_fail https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail
+        }
+
+        reverse_proxy ${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api
+        #header_upstream X-ClientCert-DN {>X-ClientCert-DN}
+        #header_upstream X-ClientCert-Serial {>X-ClientCert-Serial}
+    }
+
+    # Static file serving with mTLS check
+    route {
+        handle {
+            @mtls_fail expression {ssl_client_verify} != "SUCCESS"
+            redir @mtls_fail https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail
+        }
+
+        file_server {
+            root /rmui_files
+            index index.html
+            try_files {path} {path}/ /index.html
+        }
+    }
+}
diff --git a/cfssl b/cfssl
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -1,6 +1,14 @@
 # This extends the _local file, run with:
 #   `docker-compose -p rmdev -f docker-compose-local.yml -f docker-compose-dev.yml up -d`
 version: '3.7'
+
+x-nginxbuilds: &nginxbuildinfo
+  image: pvarki/nginx:1.25
+  build:
+    context: ./nginx
+    dockerfile: Dockerfile
+
+
 services:
   rmapi:
     image: pvarki/rmapi:devel_shell${DOCKER_TAG_EXTRA:-}
@@ -9,6 +17,12 @@ services:
       dockerfile: Dockerfile
       target: devel_shell
     command: ["-c", "source /root/.profile  && poetry install && uvicorn --host 0.0.0.0 --port 8000 --log-level debug --factory rasenmaeher_api.web.application:get_app --reload"]
+    healthcheck:
+      test: '/bin/bash -c "source /root/.profile && rasenmaeher_api healthcheck" || exit 1'
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
     volumes:
       - "./api:/app"
 
@@ -36,7 +50,7 @@ services:
       start_period: 5s
 
   rmnginx:  # need to load different templates for uidev
-    image: nginx:stable
+    <<: *nginxbuildinfo
     environment:
       NGINX_UI_UPSTREAM: "rmuidev"
       NGINX_UI_UPSTREAM_PORT: ${NGINX_UI_UPSTREAM_PORT:-8002}
@@ -71,7 +85,7 @@ services:
         condition: service_healthy
 
   fpnginx:  # apparently we have to specify these here or it tries to start too early
-    image: nginx:stable
+    <<: *nginxbuildinfo
     depends_on:
       rmfpapi:
         condition: service_healthy
@@ -84,16 +98,20 @@ services:
       dockerfile: Dockerfile
       target: integ_devel_shell
     command: ["-c", "source /root/.profile && /container-init.sh && poetry install && uvicorn --host 0.0.0.0 --port 8003 --log-level debug --factory takrmapi.app:get_app --reload"]
-    environment:
-      LOG_LEVEL: 10
     volumes:
       - "./takintegration:/app"
+    healthcheck:
+      test: '/bin/bash -c "source /root/.profile && takrmapi healthcheck" || exit 1'
+      interval: 5s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
     depends_on:
       rmnginx:
         condition: service_healthy
 
   taknginx:  # apparently we have to specify these here or it tries to start too early
-    image: nginx:stable
+    <<: *nginxbuildinfo
     depends_on:
       takrmapi:
         condition: service_healthy
+1 −1		.bumpversion.cfg
+2 −2		.github/workflows/build.yml
+17 −6		poetry.lock
+2 −2		pyproject.toml
+1 −1		src/rasenmaeher_api/__init__.py
+9 −6		src/rasenmaeher_api/cfssl/anoncsr.py
+19 −4		src/rasenmaeher_api/cfssl/base.py
+54 −12		src/rasenmaeher_api/cfssl/private.py
+12 −4		src/rasenmaeher_api/cfssl/public.py
+36 −0		src/rasenmaeher_api/console.py
+17 −21		src/rasenmaeher_api/db/people.py
+23 −10		src/rasenmaeher_api/prodcutapihelpers.py
+4 −1		src/rasenmaeher_api/rmsettings.py
+10 −4		src/rasenmaeher_api/web/api/enrollment/views.py
+2 −0		src/rasenmaeher_api/web/application.py
+22 −3		tests/conftest.py
+32 −5		tests/docker-compose.yml
+1 −1		tests/test_console.py
+16 −3		tests/test_db.py
+9 −0		tests/test_enrollment.py
+1 −1		tests/test_rasenmaeher_api.py
+16 −0		.bumpversion.cfg
+45 −1		.github/workflows/build.yml
+142 −0		.gitignore
+62 −25		.pre-commit-config.yaml
+78 −1		Dockerfile
+95 −0		docker-compose.yml
+4 −2		files/cfssl-start.sh
+1 −0		files/container-env.sh
+1 −1		files/ocsp-start.sh
+11 −0		files/ocsprest-entrypoint.sh
+1 −1		files/opt/cfssl/template/root_ca_cfssl.json.tpl
+2,426 −0		poetry.lock
+93 −0		pyproject.toml
+2 −0		src/ocsprest/__init__.py
+62 −0		src/ocsprest/config.py
+1 −0		src/ocsprest/console/__init__.py
+143 −0		src/ocsprest/console/fakessl.py
+90 −0		src/ocsprest/console/ocsprest.py
+144 −0		src/ocsprest/helpers.py
+192 −0		src/ocsprest/routes.py
+0 −0		tests/__init__.py
+33 −0		tests/conftest.py
+19 −0		tests/test_ocsprest.py