From 70f9f3277add9839c32054e0a8c992350b8c7ce7 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Mon, 27 Jul 2015 16:40:37 -0700
Subject: [PATCH] viper config for notary signer
Signed-off-by: David Lawrence (github: endophage)
---
 cmd/notary-signer/config.json | 18 ++++++++
 cmd/notary-signer/main.go | 80 ++++++++++++++++++++++++++---------
 docker-compose.yml | 2 +-
 notary-signer-Dockerfile | 10 +++-
 4 files changed, 85 insertions(+), 25 deletions(-)
 create mode 100644 cmd/notary-signer/config.json
diff --git a/cmd/notary-signer/config.json b/cmd/notary-signer/config.json
new file mode 100644
index 0000000000..21c9c0fbbd
--- /dev/null
+++ b/cmd/notary-signer/config.json
@@ -0,0 +1,18 @@
+{
+ "server": {
+ "http_addr": ":4444",
+ "grpc_addr": ":7899",
+ "cert_file": "./fixtures/notary-signer.crt",
+ "key_file": "./fixtures/notary-signer.key"
+ },
+ "crypto": {
+ "pkcslib": "/usr/local/lib/softhsm/libsofthsm2.so"
+ },
+ "logging": {
+ "level": 5
+ },
+ "storage": {
+ "backend": "mysql",
+ "db_url": "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo"
+ }
+}
diff --git a/cmd/notary-signer/main.go b/cmd/notary-signer/main.go
index 85c2d03106..47f8a56789 100644
--- a/cmd/notary-signer/main.go
+++ b/cmd/notary-signer/main.go
@@ -11,6 +11,7 @@ import (
 "net"
 "net/http"
 "os"
+ "path/filepath"
 "strings"
 "google.golang.org/grpc"
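Review bot: The `crypto` section names the library path `pkcslib`, but the second main.go hunk reads it as `viper.GetString("crypto.pkcs11lib")`, so with this file the lookup returns "" and the `if pkcs11Lib != ""` branch is never entered — the signer starts without the RSA hardware service even though the Dockerfile installs SoftHSM. One of the two spellings has to change; `"pkcs11lib": "/usr/local/lib/softhsm/libsofthsm2.so"` here is the smaller fix and matches the key the code already uses. Separately, `db_url` commits a connection string with embedded credentials; they are demo values, but since `viper.BindEnv` is already wired up for `PIN` and `DEFAULT_ALIAS`, binding `storage.db_url` the same way would let this file carry only a placeholder.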
@@ -25,36 +26,41 @@ import (
 _ "github.com/go-sql-driver/mysql"
 "github.com/miekg/pkcs11"
+ "github.com/Sirupsen/logrus"
 pb "github.com/docker/notary/proto"
+ "github.com/spf13/viper"
 )
 const (
- _Addr = ":4444"
- _RpcAddr = ":7899"
 _DebugAddr = "localhost:8080"
 _DBType = "mysql"
 _EnvPrefix = "NOTARY_SIGNER"
- _DefaultAliasEnv = _EnvPrefix + "_DEFAULT_ALIAS"
+ _DefaultAliasEnv = "DEFAULT_ALIAS"
+ _PINCode = "PIN"
 )
 var debug bool
-var certFile, keyFile, pkcs11Lib, pin, dbURL string
+var configFile string
 func init() {
- flag.StringVar(&certFile, "cert", "", "Intermediate certificates")
- flag.StringVar(&keyFile, "key", "", "Private key file")
- flag.StringVar(&dbURL, "dburl", "", "URL of the database")
- flag.StringVar(&pkcs11Lib, "pkcs11", "", "enables HSM mode and uses the provided pkcs11 library path")
- flag.StringVar(&pin, "pin", "", "the PIN to use for the HSM")
+ // set default log level to Error
+ viper.SetDefault("logging", map[string]interface{}{"level": 2})
+
+ viper.SetEnvPrefix(_EnvPrefix)
+ viper.BindEnv(_DefaultAliasEnv)
+ viper.BindEnv(_PINCode)
+
+ // Setup flags
+ flag.StringVar(&configFile, "config", "", "Path to configuration file")
 flag.BoolVar(&debug, "debug", false, "show the version and exit")
 }
 func passphraseRetriever(keyName, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error) {
- envVar := _EnvPrefix + "_" + strings.ToUpper(alias)
- passphrase = os.Getenv(envVar)
+ viper.BindEnv(alias)
+ passphrase = viper.GetString(strings.ToUpper(alias))
 if passphrase == "" {
- return "", false, errors.New("expected env variable to not be empty: " + envVar)
+ return "", false, errors.New("expected env variable to not be empty: " + alias)
 }
 return passphrase, false, nil
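Review bot: The error built in `passphraseRetriever` now names only `alias`, whereas the removed line reported the full `envVar`; an operator reading "expected env variable to not be empty: timestamp_1" cannot tell that the variable to set is prefixed and upper-cased. Restore the old shape with `errors.New("expected env variable to not be empty: " + _EnvPrefix + "_" + strings.ToUpper(alias))`. Also, `viper.BindEnv(alias)` now runs inside the retriever on every call and mutates the package-global viper instance; if the key store invokes this from concurrent gRPC handlers that is an unsynchronized write to shared state, so binding the alias once (for example right after `defaultAlias` is read in `main`) would be safer. The `BindEnv` error returns here and in `init` are discarded without comment, which errcheck will flag.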
@@ -68,6 +74,24 @@ func main() {
 go debugServer(_DebugAddr)
 }
+ filename := filepath.Base(configFile)
+ ext := filepath.Ext(configFile)
+ configPath := filepath.Dir(configFile)
+
+ viper.SetConfigType(strings.TrimPrefix(ext, "."))
+ viper.SetConfigName(strings.TrimSuffix(filename, ext))
+ viper.AddConfigPath(configPath)
+ err := viper.ReadInConfig()
+ if err != nil {
+ logrus.Error("Viper Error: ", err.Error())
+ logrus.Error("Could not read config at ", configFile)
+ os.Exit(1)
+ }
+
+ logrus.SetLevel(logrus.Level(viper.GetInt("logging.level")))
+
+ certFile := viper.GetString("server.cert_file")
+ keyFile := viper.GetString("server.key_file")
 if certFile == "" || keyFile == "" {
 usage()
 log.Fatalf("Certificate and key are mandatory")
@@ -90,24 +114,34 @@ func main() {
 cryptoServices := make(signer.CryptoServiceIndex)
+ pin := viper.GetString(_PINCode)
+ pkcs11Lib := viper.GetString("crypto.pkcs11lib")
 if pkcs11Lib != "" {
 if pin == "" {
 log.Fatalf("Using PIN is mandatory with pkcs11")
 }
- ctx, session := SetupHSMEnv(pkcs11Lib)
+ ctx, session := SetupHSMEnv(pkcs11Lib, pin)
 defer cleanup(ctx, session)
 cryptoServices[data.RSAKey] = api.NewRSAHardwareCryptoService(ctx, session)
 }
- dbSQL, err := sql.Open(_DBType, dbURL)
+ dbType := strings.ToLower(viper.GetString("storage.backend"))
+ dbURL := viper.GetString("storage.db_url")
+ if dbType != _DBType || dbURL == "" {
+ usage()
+ log.Fatalf("Currently only a MySQL database backend is supported.")
+ }
+ dbSQL, err := sql.Open(dbType, dbURL)
 if err != nil {
 log.Fatalf("failed to open the database: %s, %v", dbURL, err)
 }
- keyStore, err := trustmanager.NewKeyDBStore(passphraseRetriever, _DefaultAliasEnv, _DBType, dbSQL)
+ defaultAlias := viper.GetString(_DefaultAliasEnv)
+ logrus.Debug("Default Alias: ", defaultAlias)
+ keyStore, err := trustmanager.NewKeyDBStore(passphraseRetriever, defaultAlias, dbType, dbSQL)
 if err != nil {
 log.Fatalf("failed to create a new keydbstore: %v", err)
 }
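Review bot: Nothing checks that `-config` was actually supplied before the path is taken apart in the first hunk: with an empty `configFile`, `filepath.Base("")` is `.`, `filepath.Ext("")` is empty and `filepath.Dir("")` is `.`, so viper is asked for a config named `.` of type "" and the process exits with "Could not read config at " followed by nothing. Add `if configFile == "" { usage(); log.Fatalf("A configuration file is required (-config)") }` ahead of `filename := filepath.Base(configFile)`. The same hunk exits via `logrus.Error` + `os.Exit(1)` while every other failure in `main` uses `log.Fatalf`; pick one style. `logrus.SetLevel(logrus.Level(viper.GetInt("logging.level")))` also accepts any integer unchecked, so a typo such as 50 is likely to enable every level silently instead of being reported; `main` begins and ends outside these hunks.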
@@ -124,7 +158,8 @@ func main() {
 pb.RegisterKeyManagementServer(grpcServer, kms)
 pb.RegisterSignerServer(grpcServer, ss)
- lis, err := net.Listen("tcp", _RpcAddr)
+ rpcAddr := viper.GetString("server.grpc_addr")
+ lis, err := net.Listen("tcp", rpcAddr)
 if err != nil {
 log.Fatalf("failed to listen %v", err)
 }
@@ -134,16 +169,20 @@ func main() {
 }
 go grpcServer.Serve(creds.NewListener(lis))
+ httpAddr := viper.GetString("server.http_addr")
+ if httpAddr == "" {
+ log.Fatalf("Server address is required")
+ }
 //HTTP server setup
 server := http.Server{
- Addr: _Addr,
+ Addr: httpAddr,
 Handler: api.Handlers(cryptoServices),
 TLSConfig: tlsConfig,
 }
 if debug {
- log.Println("[Notary-signer RPC Server] : Listening on", _RpcAddr)
- log.Println("[Notary-signer Server] : Listening on", _Addr)
+ log.Println("[Notary-signer RPC Server] : Listening on", rpcAddr)
+ log.Println("[Notary-signer Server] : Listening on", httpAddr)
 }
 err = server.ListenAndServeTLS(certFile, keyFile)
@@ -168,7 +207,7 @@ func debugServer(addr string) {
 }
 // SetupHSMEnv is a method that depends on the existences
-func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle) {
+func SetupHSMEnv(libraryPath, pin string) (*pkcs11.Ctx, pkcs11.SessionHandle) {
 p := pkcs11.New(libraryPath)
 if p == nil {
@@ -195,7 +234,6 @@ func SetupHSMEnv(libraryPath string) (*pkcs11.Ctx, pkcs11.SessionHandle) {
 log.Fatalf("Failed to Start Session with HSM %s", err)
 }
- // (diogo): Configure PIN from config file
 if err = p.Login(session, pkcs11.CKU_USER, pin); err != nil {
 log.Fatalf("User PIN %s\n", err.Error())
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index 3d5f288bc2..be90b9c533 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ notaryserver:
 - notarysigner
 ports:
 - "8080"
- - "4443"
+ - "4443:4443"
 environment:
 SERVICE_NAME: notary
 notarysigner:
diff --git a/notary-signer-Dockerfile b/notary-signer-Dockerfile
index dcc4c04618..afca89e486 100644
--- a/notary-signer-Dockerfile
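Review bot: `rpcAddr` is read from `server.grpc_addr` and handed straight to `net.Listen` with no empty check, unlike `httpAddr` in the following hunk; `net.Listen("tcp", "")` succeeds and binds an ephemeral port on all interfaces, so a missing key brings the key-management and signing RPC up on an unpredictable port instead of failing. Mirror the HTTP check with `if rpcAddr == "" { log.Fatalf("gRPC server address is required") }` before the `net.Listen` call. `main` begins and ends outside this hunk.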
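Review bot: `SetupHSMEnv` gains a `pin` parameter but keeps the truncated doc comment `// SetupHSMEnv is a method that depends on the existences`, which describes neither argument nor the fact that the function does not return errors. Replace it with `// SetupHSMEnv loads the PKCS#11 module at libraryPath, opens a session and logs in as CKU_USER with pin; failures are reported with log.Fatalf instead of an error return.` The session-open and login failures are visible in the last main.go hunk, but most of the body lies outside the diff, so the comment should be checked against the remaining error paths before landing.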
+++ b/notary-signer-Dockerfile
@@ -2,9 +2,11 @@ FROM diogomonica/golang-softhsm2
 MAINTAINER Diogo Monica "diogo@docker.com"
 # CHANGE-ME: Default values for SoftHSM2 PIN and SOPIN, used to initialize the first token
-ENV PIN="1234"
+ENV NOTARY_SIGNER_PIN="1234"
 ENV SOPIN="1234"
 ENV LIBDIR="/usr/local/lib/softhsm/"
+ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
+ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
 # Install openSC and dependencies
 RUN apt-get update && \
@@ -17,7 +19,7 @@ RUN apt-get update && \
 && rm -rf /var/lib/apt/lists/*
 # Initialize the SoftHSM2 token on slod 0, using PIN and SOPIN varaibles
-RUN softhsm2-util --init-token --slot 0 --label "test_token" --pin $PIN --so-pin $SOPIN
+RUN softhsm2-util --init-token --slot 0 --label "test_token" --pin $NOTARY_SIGNER_PIN --so-pin $SOPIN
 # Copy the local repo to the expected go path
 COPY . /go/src/github.com/docker/notary
@@ -29,4 +31,6 @@ RUN go install github.com/docker/notary/cmd/notary-signer
 EXPOSE 4443
-ENTRYPOINT notary-signer -dburl "dockercondemo:dockercondemo@tcp(notarymysql:3306)/dockercondemo" -cert /go/src/github.com/docker/notary/fixtures/notary-signer.crt -key /go/src/github.com/docker/notary/fixtures/notary-signer.key -debug -pkcs11 $LIBDIR/libsofthsm2.so -pin 1234
+WORKDIR /go/src/github.com/docker/notary
+
+ENTRYPOINT notary-signer -config=cmd/notary-signer/config.json -debug
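Review bot: The `# CHANGE-ME` comment above the first hunk still speaks only of "PIN and SOPIN", but the hunk adds `NOTARY_SIGNER_TIMESTAMP_1="testpassword"`, which is exactly the value `passphraseRetriever` in main.go returns for the default alias `timestamp_1`, and nothing marks it as a placeholder. Extend the comment to `# CHANGE-ME: Default values for the SoftHSM2 PIN/SOPIN (used to initialize the first token) and for the default key alias and its passphrase; all are baked into the image as ENV and visible via docker inspect, so override them at run time.` Any deployment notes should then treat `NOTARY_SIGNER_DEFAULT_ALIAS` and `NOTARY_SIGNER_TIMESTAMP_1` the same way as the PIN.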