Add password for server and signer

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-05-10 16:40:46 -07:00 · 2016-05-10 16:40:46 -07:00 · 8245905aae
parent db8fa5d3ae
commit 8245905aae
11 changed files with 80 additions and 36 deletions
--- a/cmd/notary-server/config.go
+++ b/cmd/notary-server/config.go
@ -97,12 +97,12 @@ func getStore(configuration *viper.Viper, hRegister healthRegister) (
 		if doBootstrap {
 			sess, err = rethinkdb.AdminConnection(tlsOpts, storeConfig.Source)
 		} else {
-			sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, notary.NotaryServerUser)
+			sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, storeConfig.Username, storeConfig.Password)
 		}
 		if err != nil {
 			return nil, fmt.Errorf("Error starting %s driver: %s", backend, err.Error())
 		}
-		s := storage.NewRethinkDBStorage(storeConfig.DBName, sess)
+		s := storage.NewRethinkDBStorage(storeConfig.DBName, storeConfig.Username, storeConfig.Password, sess)
 		store = *storage.NewTUFMetaStorage(s)
 		hRegister("DB operational", s.CheckHealth, time.Minute)
 	default:
--- a/cmd/notary-signer/config.go
+++ b/cmd/notary-signer/config.go
@ -130,12 +130,12 @@ func setUpCryptoservices(configuration *viper.Viper, allowedBackends []string) (
 		if doBootstrap {
 			sess, err = rethinkdb.AdminConnection(tlsOpts, storeConfig.Source)
 		} else {
-			sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, notary.NotarySignerUser)
+			sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, storeConfig.Username, storeConfig.Password)
 		}
 		if err != nil {
 			return nil, fmt.Errorf("Error starting %s driver: %s", backend, err.Error())
 		}
-		s := keydbstore.NewRethinkDBKeyStore(storeConfig.DBName, passphraseRetriever, defaultAlias, sess)
+		s := keydbstore.NewRethinkDBKeyStore(storeConfig.DBName, storeConfig.Username, storeConfig.Password, passphraseRetriever, defaultAlias, sess)
 		health.RegisterPeriodicFunc("DB operational", s.CheckHealth, time.Minute)
 		keyStore = s
 	case notary.MySQLBackend, notary.SQLiteBackend:
--- a/cmd/notary-signer/main_test.go
+++ b/cmd/notary-signer/main_test.go
@ -123,7 +123,9 @@ func TestSetupCryptoServicesRethinkDBStoreNoDefaultAlias(t *testing.T) {
 				"tls_ca_file": "/tls/ca.pem",
 				"client_cert_file": "/tls/cert.pem",
 				"client_key_file": "/tls/key.pem",
-				"database": "rethinkdbtest"
+				"database": "rethinkdbtest",
+				"username": "signer",
+				"password": "password"
 				}
 			}`,
 			notary.RethinkDBBackend)),
@ -142,7 +144,9 @@ func TestSetupCryptoServicesRethinkDBStoreConnectionFails(t *testing.T) {
 				"tls_ca_file": "../../fixtures/rethinkdb/ca.pem",
 				"client_cert_file": "../../fixtures/rethinkdb/cert.pem",
 				"client_key_file": "../../fixtures/rethinkdb/key.pem",
-				"database": "rethinkdbtest"
+				"database": "rethinkdbtest",
+				"username": "signer",
+				"password": "password"
 				},
 				"default_alias": "timestamp"
 			}`,
--- a/const.go
+++ b/const.go
@ -56,10 +56,6 @@ const (
 	MemoryBackend    = "memory"
 	SQLiteBackend    = "sqlite3"
 	RethinkDBBackend = "rethinkdb"
-
-	// Users for the notaryserver and notarysigner databases, respectively
-	NotaryServerUser = "server"
-	NotarySignerUser = "signer"
 )

 // NotaryDefaultExpiries is the construct used to configure the default expiry times of
--- a/fixtures/server-config.rethink.json
+++ b/fixtures/server-config.rethink.json
@ -22,6 +22,8 @@
 		"database": "notaryserver",
 		"tls_ca_file": "./rethinkdb/ca.pem",
 		"client_key_file": "./rethinkdb/key.pem",
-		"client_cert_file": "./rethinkdb/cert.pem"
+		"client_cert_file": "./rethinkdb/cert.pem",
+		"username": "server",
+		"password": "serverpass"
 	}
 }
--- a/fixtures/signer-config.rethink.json
+++ b/fixtures/signer-config.rethink.json
@ -15,6 +15,8 @@
 		"database": "notarysigner",
 		"tls_ca_file": "./rethinkdb/ca.pem",
 		"client_key_file": "./rethinkdb/key.pem",
-		"client_cert_file": "./rethinkdb/cert.pem"
+		"client_cert_file": "./rethinkdb/cert.pem",
+		"username": "signer",
+		"password": "signerpass"
 	}
 }
--- a/server/storage/rethinkdb.go
+++ b/server/storage/rethinkdb.go
@ -7,7 +7,6 @@ import (
 	"sort"
 	"time"

-	"github.com/docker/notary"
 	"github.com/docker/notary/storage/rethinkdb"
 	"github.com/docker/notary/tuf/data"
 	"gopkg.in/dancannon/gorethink.v2"
@ -46,15 +45,19 @@ func (r RDBKey) TableName() string {

 // RethinkDB implements a MetaStore against the Rethink Database
 type RethinkDB struct {
-	dbName string
-	sess   *gorethink.Session
+	dbName   string
+	sess     *gorethink.Session
+	user     string
+	password string
 }

 // NewRethinkDBStorage initializes a RethinkDB object
-func NewRethinkDBStorage(dbName string, sess *gorethink.Session) RethinkDB {
+func NewRethinkDBStorage(dbName, user, password string, sess *gorethink.Session) RethinkDB {
 	return RethinkDB{
-		dbName: dbName,
-		sess:   sess,
+		dbName:   dbName,
+		sess:     sess,
+		user:     user,
+		password: password,
 	}
 }

@ -271,7 +274,7 @@ func (rdb RethinkDB) Bootstrap() error {
 	}); err != nil {
 		return err
 	}
-	return rethinkdb.CreateAndGrantDBUser(rdb.sess, rdb.dbName, notary.NotaryServerUser, "")
+	return rethinkdb.CreateAndGrantDBUser(rdb.sess, rdb.dbName, rdb.user, rdb.password)
 }

 // CheckHealth is currently a noop
--- a/signer/keydbstore/rethink_keydbstore.go
+++ b/signer/keydbstore/rethink_keydbstore.go
@ -6,7 +6,6 @@ import (
 	"sync"
 	"time"

-	"github.com/docker/notary"
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/storage/rethinkdb"
 	"github.com/docker/notary/trustmanager"
@ -24,6 +23,8 @@ type RethinkDBKeyStore struct {
 	defaultPassAlias string
 	retriever        passphrase.Retriever
 	cachedKeys       map[string]data.PrivateKey
+	user             string
+	password         string
 }

 // RDBPrivateKey represents a PrivateKey in the rethink database
@ -49,7 +50,7 @@ func (g RDBPrivateKey) TableName() string {
 }

 // NewRethinkDBKeyStore returns a new RethinkDBKeyStore backed by a RethinkDB database
-func NewRethinkDBKeyStore(dbName string, passphraseRetriever passphrase.Retriever, defaultPassAlias string, rethinkSession *gorethink.Session) *RethinkDBKeyStore {
+func NewRethinkDBKeyStore(dbName, username, password string, passphraseRetriever passphrase.Retriever, defaultPassAlias string, rethinkSession *gorethink.Session) *RethinkDBKeyStore {
 	cachedKeys := make(map[string]data.PrivateKey)

 	return &RethinkDBKeyStore{
@ -59,6 +60,8 @@ func NewRethinkDBKeyStore(dbName string, passphraseRetriever passphrase.Retrieve
 		dbName:           dbName,
 		retriever:        passphraseRetriever,
 		cachedKeys:       cachedKeys,
+		user:             username,
+		password:         password,
 	}
 }

@ -244,7 +247,7 @@ func (rdb RethinkDBKeyStore) Bootstrap() error {
 	}); err != nil {
 		return err
 	}
-	return rethinkdb.CreateAndGrantDBUser(rdb.sess, rdb.dbName, notary.NotarySignerUser, "")
+	return rethinkdb.CreateAndGrantDBUser(rdb.sess, rdb.dbName, rdb.user, rdb.password)
 }

 // CheckHealth verifies that DB exists and is query-able
--- a/storage/rethinkdb/rethinkdb.go
+++ b/storage/rethinkdb/rethinkdb.go
@ -36,7 +36,7 @@ func AdminConnection(tlsOpts tlsconfig.Options, host string) (*gorethink.Session

 // UserConnection sets up a user RethinkDB connection to the host (`host:port` format)
 // using the CA .pem file provided at path `caFile`, using the provided username.
-func UserConnection(tlsOpts tlsconfig.Options, host, username string) (*gorethink.Session, error) {
+func UserConnection(tlsOpts tlsconfig.Options, host, username, password string) (*gorethink.Session, error) {
 	logrus.Debugf("attempting to connect user %s to host %s", username, host)
 	t, err := tlsconfig.Client(tlsOpts)
 	if err != nil {
@ -47,6 +47,7 @@ func UserConnection(tlsOpts tlsconfig.Options, host, username string) (*gorethin
 			Address:   host,
 			TLSConfig: t,
 			Username:  username,
+			Password:  password,
 		},
 	)
 }
--- a/utils/configuration.go
+++ b/utils/configuration.go
@ -26,10 +26,12 @@ type Storage struct {
 // RethinkDBStorage is configuration about a RethinkDB backend service
 type RethinkDBStorage struct {
 	Storage
-	CA     string
-	Cert   string
-	DBName string
-	Key    string
+	CA       string
+	Cert     string
+	DBName   string
+	Key      string
+	Username string
+	Password string
 }

 // GetPathRelativeToConfig gets a configuration key which is a path, and if
@ -118,10 +120,12 @@ func ParseRethinkDBStorage(configuration *viper.Viper) (*RethinkDBStorage, error
 			Backend: configuration.GetString("storage.backend"),
 			Source:  configuration.GetString("storage.db_url"),
 		},
-		CA:     GetPathRelativeToConfig(configuration, "storage.tls_ca_file"),
-		Cert:   GetPathRelativeToConfig(configuration, "storage.client_cert_file"),
-		Key:    GetPathRelativeToConfig(configuration, "storage.client_key_file"),
-		DBName: configuration.GetString("storage.database"),
+		CA:       GetPathRelativeToConfig(configuration, "storage.tls_ca_file"),
+		Cert:     GetPathRelativeToConfig(configuration, "storage.client_cert_file"),
+		Key:      GetPathRelativeToConfig(configuration, "storage.client_key_file"),
+		DBName:   configuration.GetString("storage.database"),
+		Username: configuration.GetString("storage.username"),
+		Password: configuration.GetString("storage.password"),
 	}

 	switch {
@ -150,6 +154,11 @@ func ParseRethinkDBStorage(configuration *viper.Viper) (*RethinkDBStorage, error
 			"%s requires a specific database to connect to",
 			store.Backend,
 		)
+	case store.Username == "":
+		return nil, fmt.Errorf(
+			"%s requires a username to connect to the db",
+			store.Backend,
+		)
 	}

 	return &store, nil
--- a/utils/configuration_test.go
+++ b/utils/configuration_test.go
@ -217,7 +217,8 @@ func TestParseRethinkStorageDBStoreInvalidBackend(t *testing.T) {
 			"tls_ca_file": "/tls/ca.pem",
 			"client_cert_file": "/tls/cert.pem",
 			"client_key_file": "/tls/key.pem",
-			"database": "rethinkdbtest"
+			"database": "rethinkdbtest",
+			"username": "user"
 		}
 	}`)

@ -234,7 +235,9 @@ func TestParseRethinkStorageDBStoreEmptyDBUrl(t *testing.T) {
 			"tls_ca_file": "/tls/ca.pem",
 			"client_cert_file": "/tls/cert.pem",
 			"client_key_file": "/tls/key.pem",
-			"database": "rethinkdbtest"
+			"database": "rethinkdbtest",
+			"username": "user",
+			"password": "password"
 		}
 	}`)

@ -251,7 +254,8 @@ func TestParseRethinkStorageDBStoreEmptyDBName(t *testing.T) {
 			"db_url": "username:password@tcp(hostname:1234)/dbname",
 			"tls_ca_file": "/tls/ca.pem",
 			"client_cert_file": "/tls/cert.pem",
-			"client_key_file": "/tls/key.pem"
+			"client_key_file": "/tls/key.pem",
+			"username": "user"
 		}
 	}`)

@ -268,7 +272,8 @@ func TestParseRethinkStorageDBStoreEmptyCA(t *testing.T) {
 			"db_url": "username:password@tcp(hostname:1234)/dbname",
 			"database": "rethinkdbtest",
 			"client_cert_file": "/tls/cert.pem",
-			"client_key_file": "/tls/key.pem"
+			"client_key_file": "/tls/key.pem",
+			"username": "user"
 		}
 	}`)

@ -284,7 +289,8 @@ func TestParseRethinkStorageDBStoreEmptyCertAndKey(t *testing.T) {
 			"backend": "rethinkdb",
 			"db_url": "username:password@tcp(hostname:1234)/dbname",
 			"database": "rethinkdbtest",
-			"tls_ca_file": "/tls/ca.pem"
+			"tls_ca_file": "/tls/ca.pem",
+			"username": "user"
 		}
 	}`)

@ -293,6 +299,24 @@ func TestParseRethinkStorageDBStoreEmptyCertAndKey(t *testing.T) {
 	require.Contains(t, err.Error(), "cowardly refusal to connect to rethinkdb without a client cert")
 }

+// ParseRethinkDBStorage will require a username to connect to the database after bootstrapping
+func TestParseRethinkStorageDBStoreEmptyUsername(t *testing.T) {
+	config := configure(`{
+		"storage": {
+			"backend": "rethinkdb",
+			"db_url": "username:password@tcp(hostname:1234)/dbname",
+			"database": "rethinkdbtest",
+			"client_cert_file": "/tls/cert.pem",
+			"client_key_file": "/tls/key.pem",
+			"tls_ca_file": "/tls/ca.pem"
+		}
+	}`)
+
+	_, err := ParseRethinkDBStorage(config)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "requires a username to connect to the db")
+}
+
 func TestParseSQLStorageWithEnvironmentVariables(t *testing.T) {
 	config := configure(`{
 		"storage": {