Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
First commit of template for basic auth
  • Loading branch information
@skoranda
skoranda committed Feb 13, 2017
1 parent 4e41000 commit 43a4971
Showing 4 changed files with 366 additions and 0 deletions.
44 changes: 44 additions & 0 deletions comanage-registry-basic-auth/000-comanage.conf
View file
@@ -0,0 +1,44 @@
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
</VirtualHost>

<VirtualHost *:443>

DocumentRoot /var/www/html

RedirectMatch ^/$ /registry/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

LogLevel warn

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on

SSLCertificateFile /etc/apache2/cert.pem
SSLCertificateKeyFile /etc/apache2/privkey.pem
SSLCertificateChainFile /etc/apache2/chain.pem

<Directory /var/www/html/registry>
Options Indexes FollowSymLinks
DirectoryIndex index.php
AllowOverride All
Require all granted
</Directory>

<Directory /var/www/html/registry/auth/login>
AuthType Basic
AuthName "COmanage Registry Login"
AuthBasicProvider file
AuthUserFile "/etc/apache2/passwords"
Require valid-user
</Directory>

</VirtualHost>
104 changes: 104 additions & 0 deletions comanage-registry-basic-auth/Dockerfile.template
View file
@@ -0,0 +1,104 @@
# Copyright (C) 2017 Spherical Cow Group
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Official PHP image with Apache HTTPD includes
# --with-openssl
# --with-mbstring
# but xls, pdo, pdo_mysql, pdo_pgsql, mysqli, pgsql,
# and ldap extensions must be built.
FROM php:7.0-apache

ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%%
ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz

LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION
LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL

ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry

RUN apt-get update && apt-get install -y \
libldap-2.4-2 \
libldap2-dev \
libmysqlclient18 \
libmysqlclient-dev \
libpq-dev \
libxml2 \
libxslt1-dev \
libxslt1.1 \
ssl-cert \
wget \
zlib1g \
&& docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \
&& docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \
&& docker-php-ext-install xsl pdo pdo_mysql pdo_pgsql mysqli pgsql ldap \
&& docker-php-source delete \
&& apt-get purge -y \
libldap2-dev \
libmysqlclient-dev \
libpq-dev \
&& apt-get clean

COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf

WORKDIR "$COMANAGE_REGISTRY_DIR"

RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
&& wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \
&& tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \
&& rm -f comanage.tar.gz \
&& rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \
&& cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \
&& chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \
&& cd /var/www/html \
&& ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \
&& cd "$COMANAGE_REGISTRY_DIR" \
&& rm -rf local \
&& mkdir -p /local \
&& ln -s /local local \
&& a2enmod headers \
&& a2enmod ssl \
&& a2enmod rewrite \
&& a2dissite 000-default.conf \
&& a2ensite 000-comanage.conf \
&& a2disconf other-vhosts-access-log \
&& cd /etc/apache2 \
&& ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
&& ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
&& ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
&& sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"

COPY docker-comanage-entrypoint /usr/local/bin/

# expose COmanage Registry local directory
VOLUME ["/local"]

ENTRYPOINT ["docker-comanage-entrypoint"]

WORKDIR /var/www/html

EXPOSE 80 443

# Default values for first administrator bootstrapped
# into the platform, most likely overridden at build time
# using build arguments.
ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME
ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME
ARG COMANAGE_REGISTRY_ADMIN_USERNAME
ARG COMANAGE_REGISTRY_ENABLE_POOLING

ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry}
ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin}
ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}

CMD ["apache2-foreground"]
138 changes: 138 additions & 0 deletions comanage-registry-basic-auth/README.md
View file
@@ -0,0 +1,138 @@
# COmanage Registry Basic Auth

Intended to build a COmanage Registry image
using the official PHP 7 with Apache image as the foundation
and providing Apache HTTP Server Basic Auth as the authentication
mechanism.

Basic Auth is only suitable for COmanage Registry deployments
not operating in a federated identity context, or for an introduction
to COmanage Registry.

See other templates in this repository for examples on how to build images
that support federated identity deployments.

## Build

```
export COMANAGE_REGISTRY_VERSION=develop
sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile
docker build -t comanage-registry-basic-auth:${COMANAGE_REGISTRY_VERSION} .
```

You can (and should) use build arguments to bootstrap the first
platform administrator. The administrator username is the value
COmanage Registry expects to read from $REMOTE\_USER after
the administrator authenticates using whichever authentication
method is provided:

```
export COMANAGE_REGISTRY_VERSION=develop
export COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=Karel
export COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Novak
export COMANAGE_REGISTRY_ADMIN_USERNAME=karel.novak@my.org
sed -e s/%%COMANAGE_REGISTRY_VERSION%%/${COMANAGE_REGISTRY_VERSION}/g Dockerfile.template > Dockerfile
docker build \
--build-arg COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME} \
--build-arg COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME} \
--build-arg COMANAGE_REGISTRY_ADMIN_USERNAME=${COMANAGE_REGISTRY_ADMIN_USERNAME} \
-t comanage-registry:${COMANAGE_REGISTRY_VERSION} .
```
## Run

### Database

COmanage Registry requires a relational database. See the
[PostgreSQL example for COmanage Registry](../comanage-registry-postgres/README.md).

### Network

Create a user-defined network bridge with

```
docker network create --driver=bridge \
--subnet=192.168.0.0/16 \
--gateway=192.168.0.100 \
comanage-registry-internal-network
```

### Configuration

Create a directory to hold persistent COmanage Registry configuration and
other state such as local plugins and other customizations. In that directory
create a `Config` directory and in it place a `database.php` and `email.php`
configuration file:

```
mkdir -p /opt/comanage-registry/Config
cat >> /opt/comanage-registry/Config/database.php <<"EOF"
<?php
class DATABASE_CONFIG {
public $default = array(
'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => 'comanage-registry-database',
'login' => 'registry_user',
'password' => 'password',
'database' => 'registry',
'prefix' => 'cm_',
);
}
EOF
cat >> /opt/comanage-registry/Config/database.php <<"EOF"
<?php
class EmailConfig {
public $default = array(
'transport' => 'Smtp',
'host' => 'tls://smtp.gmail.com',
'port' => 465,
'username' => 'account@gmail.com',
'password' => 'password'
);
}
EOF
```

### Container

```
docker run -d --name comanage-registry \
-v /opt/comanage-registry:/local \
-v /opt/passwords:/etc/apache2/passwords \
--network comanage-registry-internal-network \
-p 80:80 -p 443:443 \
comanage-registry:${COMANAGE_REGISTRY_VERSION}
```

### Authentication

Mount or COPY in a password file created with `htpasswd`.

```
COPY passwords /etc/apache2/passwords
```

### Logging

Both Apache HTTP Server and COmanage Registry log to the stdout and
stderr of the container.

### HTTPS Configuration

Mount or COPY in an X.509 certificate file, associated private key file,
and certificate signing chain file.

```
COPY cert.pem /etc/apache2/cert.pem
COPY privkey.pem /etc/apache2/privkey.pem
COPY chain.pem /etc/apache2/chain.pem
```
80 changes: 80 additions & 0 deletions comanage-registry-basic-auth/docker-comanage-entrypoint
View file
@@ -0,0 +1,80 @@
#!/bin/bash

# Copyright (C) 2017 Spherical Cow Group
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the specific language governing
# permissions and limitations under the License.

# Database initialization or schema management using adodb
# is idempotent so we always run it at startup.
pushd "$COMANAGE_REGISTRY_DIR/app" > /dev/null 2>&1
./Console/cake database > /dev/null 2>&1
popd > /dev/null 2>&1

# We only want to run the setup script once since it creates
# state in the database. Until COmanage Registry has a better
# mechanism for telling us if setup has already been run
# we create an ephemeral CakePHP script to tell us.
SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php"

cat >> $SETUP_ALREADY_SCRIPT <<"EOF"
<?php
class SetupAlreadyShell extends AppShell {
var $uses = array('Co');
function main() {
$args = array();
$args['conditions']['Co.name'] = 'COmanage';
$args['contain'] = false;
$co = $this->Co->find('first', $args);
if(!empty($co)) {
$this->error('Setup already');
}
}
}
EOF

pushd /srv/comanage-registry/app > /dev/null 2>&1
./Console/cake setupAlready > /dev/null 2>&1
setup_already=$?

rm -f "$SETUP_ALREADY_SCRIPT"

if [ $setup_already -eq 0 ]; then
rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > /dev/null 2>&1
rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > /dev/null 2>&1
./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \
--admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \
--admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \
--enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > /dev/null 2>&1
fi

popd > /dev/null 2>&1

# Running CakePHP console commands generates cache files so
# set the ownership of those files appropriately.
chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"

# Make sure the directory structure we need is available
# in the data volume for $COMANAGE_REGISTRY_DIR/local
mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config"
mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin"
mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public"
mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img"

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi

exec "$@"

0 comments on commit 43a4971

Please sign in to comment.