diff --git a/Dockerfile b/Dockerfile index 44c121b8b..69aa682be 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,6 +20,6 @@ RUN useradd -ms /bin/bash notary \ ENV NOTARYDIR /go/src/github.com/docker/notary COPY . ${NOTARYDIR} -RUN chmod -R a+rw /go +RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/* WORKDIR ${NOTARYDIR} diff --git a/buildscripts/dbtests.sh b/buildscripts/dbtests.sh index 228c241b8..928d56021 100755 --- a/buildscripts/dbtests.sh +++ b/buildscripts/dbtests.sh @@ -15,8 +15,8 @@ case ${db} in ;; postgresql*) db="postgresql" - dbContainerOpts="--name postgresql_tests postgresql" - DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=disable" + dbContainerOpts="--name postgresql_tests postgresql -l" + DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem" ;; *) echo "Usage: $0 (mysql|rethink)" diff --git a/development.postgresql.yml b/development.postgresql.yml index 17dfd0297..3f4848020 100644 --- a/development.postgresql.yml +++ b/development.postgresql.yml @@ -14,7 +14,7 @@ services: command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json" environment: MIGRATIONS_PATH: migrations/server/postgresql - DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable + DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem depends_on: - postgresql - signer @@ -31,7 +31,7 @@ services: command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json" environment: MIGRATIONS_PATH: migrations/signer/postgresql - DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable + DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem depends_on: - postgresql postgresql: @@ -40,6 +40,7 @@ services: - mdb volumes: - ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d + command: -l client: build: context: . diff --git a/docker-compose.postgresql.yml b/docker-compose.postgresql.yml index 8a518255c..65cc85a56 100644 --- a/docker-compose.postgresql.yml +++ b/docker-compose.postgresql.yml @@ -14,7 +14,7 @@ services: command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json" environment: MIGRATIONS_PATH: migrations/server/postgresql - DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable + DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem depends_on: - postgresql - signer @@ -31,7 +31,7 @@ services: command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json" environment: MIGRATIONS_PATH: migrations/signer/postgresql - DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable + DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem depends_on: - postgresql postgresql: @@ -43,6 +43,7 @@ services: - notary_data:/var/lib/postgresql ports: - 5432:5432 + command: -l volumes: notary_data: external: false diff --git a/fixtures/database/ca.pem b/fixtures/database/ca.pem new file mode 100644 index 000000000..c58ac149d --- /dev/null +++ b/fixtures/database/ca.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw +MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw +FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP +8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp +haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365 +ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5 +atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K +EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5 +MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV +p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV +VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4 +fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy +L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu +te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m +VYGGXEToG4TacQ/psn8= +-----END CERTIFICATE----- diff --git a/fixtures/database/notary-server-key.pem b/fixtures/database/notary-server-key.pem new file mode 100644 index 000000000..191d15a5c --- /dev/null +++ b/fixtures/database/notary-server-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznRYoWEqB8VQQ3VnFSv1b2PU1UwTdREfsFu/O/yxdBpCEbSY +s1Qc6ynHZuMOyscS46kiB3PSX1/CxMmPPSGcO1Z3VIbf8YUBtaMxTsO7nA5H22EO +/M8SI+psrDhv+OtmrjzDtWVC9KgDV/F5+/8vynyh4J7HMilUjzbMHXYCZvW7aG7z +rrItMNjhGmJeRXFlBIuSLxdbKGcuFv2xz3QPqF151mNcPaQosj1k7LtvB5Dkfhra +33nMEsBp8QZfAag6xfuhEREeV6qOlG2DQL8nKuti1hLYUDFy3G7k1iswG/HadUBo +MGrn+n8SywTmAW3HDvcfxOXzl5brmLURNUY+dQIDAQABAoIBAAu+cow7iriGcNpl +g0ehCIUdmK3JdhHit3rAvVAcP7vrAncfXtBUqJB3/+/KWr0ONfTdWiIyZHUobVvk +W1GO5+Q4NvGH+pUyi7ZZYiSo3bMy3MON8dxPqyh/3U6upy/xtBWVP0zCRdzE8eu+ +wMGk8oMCM/MjFRG1aCn9Y/8JB3nzxl2d8QCxeLjbIHJ/NWj7gf0xGVmKK7YVXd7W +FHFFLTAxLRgfjZcxZB/u/L/T0pEwuyzbk2iGc9YkkgiBVUEqtIce6a7HHnKL7oBJ +9sWxqc10rs9EP/2W7qfNolNkFVNnfJmY4x8ZpfAjW7/Osin22qCp5+kWyT2I/Qg6 ++TwNQgECgYEA5ie0FdwsJbh0qNuWpXyMYJ2m27ag1zhpnsGs8iT9yWorZwp8BNm0 +1NchF/hE1Gkwvo+47U3ZvEmx7tLEA7Ekl7KZZro5+0jumSKd/vUrEpThqeJglz68 +T6/xZBGPIa3KZdXszs1pGjBNVEs1WuXgMPiFSypFT3ODnXgbFovX/nkCgYEA5aNR +fCF2ACs3oeKHDwVCwMh3fbSmf4ZwpzdhARV5rSc8Je9K7oyoO5fgGWWXZqKLP138 +1ARQGwGcwImzrYvY8g7AqXe/J+Mr9Jr6+vrLDPShmeqyTiBdOTwgg/5muDdv+GS3 +zqzXtPI1Upuo8/1EwYUacYOk4EX7ga7iZMEoEN0CgYEAvkOgSloDXQOJ3XX6qb+2 +xMBPil8FxCXsmsN9V4hhDTrpunseX1wic7mMsCYbsIVtOHvT4sly8Ibzw30Vcf/l +QkrxKc1V1XhLVukZOAYxn2DY1PpB44aHYlEO+yzQ6ISlR158L9H7yxyXMNIjv4s9 +tP4eIy9EsRPLgEgkDJV67/ECgYAwHbxhKhGzj1qkzPZHq26FPnvrFwMcDWtlXjEx +LPLF2Ua9HBqzST2m3vfR2nuSwdQzftoPAqhWQEw7+55uarMWZQjxeWnQTcVUB3U3 +SX1qRYfm3EpoHFfsOjEF9zRGvTb08QWihIzeGTIbEQqhtRvHAMC9sDvH0mIUljRR +sDdY8QKBgQDcT3yamYnGy6GzxWfpZYwoWqJFMtXjacD2rV32jwHifCa1RNu/Su6S +UJcN9v/1GYfvLWzjDMv6hKFt/Q1e3mACgohL9vfZtgiZx5SCVi0AXdOpXLBWlLvl +KM4XVhbuVTko/DsuGPVyXAHFHRFOjr+00Bw8y80DQIjNv4fgocr58Q== +-----END RSA PRIVATE KEY----- diff --git a/fixtures/database/notary-server.pem b/fixtures/database/notary-server.pem new file mode 100644 index 000000000..59472f0ab --- /dev/null +++ b/fixtures/database/notary-server.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIUXF5OjDTCDfBwQkJSdzPtt7HTljUwDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw +MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw +FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOdFihYSoHxVBDdWcVK/VvY9TVTBN1ER+w +W787/LF0GkIRtJizVBzrKcdm4w7KxxLjqSIHc9JfX8LEyY89IZw7VndUht/xhQG1 +ozFOw7ucDkfbYQ78zxIj6mysOG/462auPMO1ZUL0qANX8Xn7/y/KfKHgnscyKVSP +NswddgJm9btobvOusi0w2OEaYl5FcWUEi5IvF1soZy4W/bHPdA+oXXnWY1w9pCiy +PWTsu28HkOR+GtrfecwSwGnxBl8BqDrF+6ERER5Xqo6UbYNAvycq62LWEthQMXLc +buTWKzAb8dp1QGgwauf6fxLLBOYBbccO9x/E5fOXluuYtRE1Rj51AgMBAAGjgYMw +gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFAs/6pFKZmzdHb27KyFFd0G9G/39MB8GA1UdIwQYMBaA +FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF +AAOCAQEAhCYtK8m7gPrijUgmYFyUqwiYFSLIhTEE+9nGZ/3Q5IeLneTVcQMAogUY +cZCNPrj8QBQmEXupacHBH1UO58L0OsXf+jJ3Gx5W9YiNyEzhZxoi08u2y/JzQ+3K +OVfSYpsHPVH82f9pz9TVmBhcVBrxUY1cO4vTxBm5P9irVo1M8KHRB3qLjHSSr7mP +pvFRYTrnG8cEMRwJT+Akfc9jFDXzCxPptHGme5lZAXH0OcyAEaGLrBlmrZKOuGa8 +ssJWcp5OoTdUiL0j6LfRZSghbVkNsSTXPVcBU38YsowpOm8AOpqu+mF0hl/cq8/h +vE8cxe19y4FmiPD5JaUtndkwXxM8bQ== +-----END CERTIFICATE----- diff --git a/fixtures/database/notary-signer-key.pem b/fixtures/database/notary-signer-key.pem new file mode 100644 index 000000000..552bc26b4 --- /dev/null +++ b/fixtures/database/notary-signer-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA0UiaAApHxQUjBAY+02+ioQKbPivrFmCrsNEC4VPHmAuHfgbh +IwSf+zZq4+xL2j7If354Mb7RpgUT+Y0jFfaIBBLWXVXG+/91EVTwFTj33iCmRyNB +AbD0BkiAYqV5PkqlUhkCIglLell/MiOM+8CEUARKA3L82bkILG86fdHhYK0cRzf1 +CPQrgtWg1GtWZlDEilnG083a8PjUyc1ejuSjoa606nszS/UctKAkGkvhl+KQyEep +EFffm1Xmb66wv/S+p3Ba4YhU5xqT7b6TSTcIuXpzOOkkNwnyU79BIBaP1BSAE8Rx +EXBts9Lo6E8b9QhEJyzPxmQXM5qE1y2yYoOoLwIDAQABAoIBAHGEi+PRr7QyYRfh +u1o8h14GZ+aFM/LjZL134bQPGYhjWI8HdD7mV1CP59LRbSNoQqDFHLT+6ADBaGBI +KevT2Vs8TII78L7nhbxs8fzQ9cHKu+aCPNSKAxMVaG4Zi3Y6TwoE/p8vo30t5kxv +9BzqA9rTOMI+MOB3+PMBMhzlJvakc0fOy3w2ZTZoTWYe0Fnv8NcslKqYoTLBEkC1 +drwBU9G4BlkeRg6E6zadJJCyy6r8PmUp0ipfC87nVZDPrHxQmjemMrBCVUDE5e+V +9R0CtxXGfOuyXUQUS3ZQMQerILfhx+O49VV/H08SctDpOPeKNFi8wK5uffutDykL +C0XyTyECgYEA09xVLRKRdyAC7s4KV4b4JTRBtrlI/5CxyrlfxlZZGUbAtf6prpOP +YPNCetHEOW9dF5kSLDVNujaOrdvu30f2BkQcf1f0MavLh9lU+zwrqnRhGn+IOOat +Jhf0zF8H7NccEI1w93XQG/M9+3Lczs60ioiyX+IL7EJRaGaDguUOAOsCgYEA/OLR +0cOAGvzWpKuUmS5yGIewGk6P8uLlnBkv7Lo607PTlIDMmTl8KTFyqrXajulK5o0W +JsgTlCr/0lfaOV9boW1+PkvA3NYCzoR/c+gdvvCSDbnfmgFkx8dUh05oXW2zGdgv +3PFK2IUzHgBvjR9kB7hWl5BaCYMFzLCKd7qLxM0CgYAxZGnbMzwEqMrmP9T7aPUL +P26emf3hzysUFzmz9Mea8/rTs0Z989r2gGAcYDE+Lq9mZAJvmhG/+x4yfFbpaU57 +UX/PVIMS3Xl693kvhWystas50UfB9E2j1uv0hadEWTYqyb7vgmD9Uy09JR9De79t +mMb1Qa8D6sYt79BzQNGN9wKBgEzjUdQrUsnh0gkjOf0RCBO5Pavh8xZwMkuxxMZ/ +IN+5Lz1Zo9t6hOupYynQPPFysRlEEFYeQwWrxThZCbqj6aI9PkMGmU8LqrLLykyd +aF3jmySdPQUAI3oyetrg1g6CChBzkKnmm1EVvqMCkugfgTRvsbRHaXi2446GprMc +ft6JAoGAYPumwvVhH2hQ+/CxvcESE1Udl9uavnwwtrw52wKBOTqwZYnVojEVn8e3 +rQpiBHU89K2dsEmvomrU2HHnPBmXYV3frh7GD/VIP4NvFQmXNs+1LNPP+3A56PtT +/UqE7KPUPJ0WqkyJ/wC2r9QFylA4swxJEiZH0s8SvbY/Ce1IEDE= +-----END RSA PRIVATE KEY----- diff --git a/fixtures/database/notary-signer.pem b/fixtures/database/notary-signer.pem new file mode 100644 index 000000000..62f66503f --- /dev/null +++ b/fixtures/database/notary-signer.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDojCCAoqgAwIBAgIUeYAM7aBfKP6UBYbE83msSo04RsowDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw +MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw +FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzaWduZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRSJoACkfFBSMEBj7Tb6KhAps+K+sWYKuw +0QLhU8eYC4d+BuEjBJ/7Nmrj7EvaPsh/fngxvtGmBRP5jSMV9ogEEtZdVcb7/3UR +VPAVOPfeIKZHI0EBsPQGSIBipXk+SqVSGQIiCUt6WX8yI4z7wIRQBEoDcvzZuQgs +bzp90eFgrRxHN/UI9CuC1aDUa1ZmUMSKWcbTzdrw+NTJzV6O5KOhrrTqezNL9Ry0 +oCQaS+GX4pDIR6kQV9+bVeZvrrC/9L6ncFrhiFTnGpPtvpNJNwi5enM46SQ3CfJT +v0EgFo/UFIATxHERcG2z0ujoTxv1CEQnLM/GZBczmoTXLbJig6gvAgMBAAGjgYMw +gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFKKGeJZLHFg3QgqFOFE7UjmSYCjNMB8GA1UdIwQYMBaA +FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF +AAOCAQEAREI6iRUC0Pjn41QLI0Xtjv/2GeM1jKY0i6LcT+779QAU5iqPvmxhtO1N +BM5ycQwyLD3T55t50ANDDm91klFlXF8IgSvq3efCVSWPtEkVznfQVMOu4dwVblhT +GPg1BWbRsbjqdSVfU2cjoQNlflqRaw0XMJ738TrciaLxRHkvYsd0XCOjNTUfUuzi +G16zdjBYn43XXW+4FnB2FzqzoM+PicCfEl8Gvi20QlgqtM5kaflhik2gQy6zXc1i +hCiiRiE1Qv60VjsGvLFG+TN6HeWQlE260v5drzjmMen9i8hYc42glRDolUSg6hQs +DLjTitTiXond4yxJ80LQH6CTtPybvg== +-----END CERTIFICATE----- diff --git a/fixtures/server-config.postgres.json b/fixtures/server-config.postgres.json index b9979ee21..ad8f8a8df 100644 --- a/fixtures/server-config.postgres.json +++ b/fixtures/server-config.postgres.json @@ -18,6 +18,6 @@ }, "storage": { "backend": "postgres", - "db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=disable" + "db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem" } } diff --git a/fixtures/signer-config.postgres.json b/fixtures/signer-config.postgres.json index 6bf0c948f..63d76ba48 100644 --- a/fixtures/signer-config.postgres.json +++ b/fixtures/signer-config.postgres.json @@ -10,6 +10,6 @@ }, "storage": { "backend": "postgres", - "db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=disable" + "db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem" } } diff --git a/notarysql/postgresql-initdb.d/pg_hba.conf b/notarysql/postgresql-initdb.d/pg_hba.conf new file mode 100644 index 000000000..1d0aad330 --- /dev/null +++ b/notarysql/postgresql-initdb.d/pg_hba.conf @@ -0,0 +1,2 @@ +# http://stackoverflow.com/q/18497299 +hostssl all all 0.0.0.0/0 cert clientcert=1 diff --git a/notarysql/postgresql-initdb.d/root.crt b/notarysql/postgresql-initdb.d/root.crt new file mode 100644 index 000000000..c58ac149d --- /dev/null +++ b/notarysql/postgresql-initdb.d/root.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw +MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw +FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP +8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp +haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365 +ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5 +atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K +EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5 +MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV +p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV +VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4 +fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy +L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu +te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m +VYGGXEToG4TacQ/psn8= +-----END CERTIFICATE----- diff --git a/notarysql/postgresql-initdb.d/server.crt b/notarysql/postgresql-initdb.d/server.crt new file mode 100644 index 000000000..f86581245 --- /dev/null +++ b/notarysql/postgresql-initdb.d/server.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUBFaJGFhoc5kBplg2RjIG0EJCNAUwDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh +bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzkw +MFoXDTE4MDUxMjIyMzkwMFowRTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw +FAYDVQQHEw1TYW4gRnJhbmNpc2NvMREwDwYDVQQDEwhkYXRhYmFzZTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoEIo/VnyDNDkwHPBB+Lvc0ibOvTQN8 +HNpMhPDkAr10pI4dpgizGevvw3OP26h1aVdZA9mMQB9NfX207R8Vlvq4R8PeY59k +iWXb4rEN3WmyY6L042SiABgUB0sSP9OIS+pRXlUyT8dyv4GeWfV3onL5WFvf1AzX +3uWard9hLCNE0EzXVSyxxxtLNTJB8qXniKFWuFyHaFalaaesmhedbK3H5k+VU2Um +fygYUYoHABTEKe0miMsTgzXQSHheKzowyt7BiI2FpcmHUMg8C+CWIvzrbWWC+0rr +Pka7YBFCscJyfMyKN2YblFQhqIbyf6QenyFe3cuOP2OMdR4Ukw66KYsCAwEAAaOB +lDCBkTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T +AQH/BAIwADAdBgNVHQ4EFgQU7bNuwTAm8Ez3cb8+fYQHymgV2t8wHwYDVR0jBBgw +FoAU30PAjq5cOwlLzi4fxSE3J/v9EPcwHAYDVR0RBBUwE4IKcG9zdGdyZXNxbIIF +bXlzcWwwDQYJKoZIhvcNAQELBQADggEBACSdcADswQRitOr+EUUTrb6xluXtMMjQ +h2ZDkZ8FXNMiem149o22FGtmKVKhaNnG0hgejHrzJKJp6TFS56HAz55PkO8NxP1C +opk2whrvq/5Nspz+91WLWqMel8CbaHxVlLjMZbgLCkEOiZJ27Va1AWVZd+cW4ACQ +vb7/clQumZQi49jSthJuzY//aFsuT0/CtkuGwXg38bqNI6hGvU9crDQermuGnd8t +uMabgyWfQeUohKn1HZ0mo+rnMR/Y8pJXZvcoLwyxfo9hRXk1PHMGdwAOI5VlxxOy +89sRyeXdFkzipGg1Ywd3TR528+q1lUYkYmRReEqKS/HquGHQtnvT1Nw= +-----END CERTIFICATE----- diff --git a/notarysql/postgresql-initdb.d/server.key b/notarysql/postgresql-initdb.d/server.key new file mode 100644 index 000000000..df673f226 --- /dev/null +++ b/notarysql/postgresql-initdb.d/server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAygQij9WfIM0OTAc8EH4u9zSJs69NA3wc2kyE8OQCvXSkjh2m +CLMZ6+/Dc4/bqHVpV1kD2YxAH019fbTtHxWW+rhHw95jn2SJZdvisQ3dabJjovTj +ZKIAGBQHSxI/04hL6lFeVTJPx3K/gZ5Z9XeicvlYW9/UDNfe5Zqt32EsI0TQTNdV +LLHHG0s1MkHypeeIoVa4XIdoVqVpp6yaF51srcfmT5VTZSZ/KBhRigcAFMQp7SaI +yxODNdBIeF4rOjDK3sGIjYWlyYdQyDwL4JYi/OttZYL7Sus+RrtgEUKxwnJ8zIo3 +ZhuUVCGohvJ/pB6fIV7dy44/Y4x1HhSTDropiwIDAQABAoIBAQCXXKHIw3aHTRz5 +OjJ26RSnhGXoi+BYTBYSOmMhWrXy3gKtuOk+e3NgpDT90Tvz7IURPVD1H3CsA5OT +LIy+TZ7iHFEpIOfj9aA9AZPItWrAVzjwUCxQqlEHuXn9dZ79D5JR7sWPcDL2bbOv +msYsdYbyPoFF1V88gEIyJsNAK762bPN7pIMasHdtQGninx7IXoI2pZKnarMfxADy +TS5z95qKmegFcOfPtjF+QbFLqScb8uuDWkHGhpNyWN9dhVtSkzPnuT/Y87x9SRNI +Si3dVG1rPJ2FN6mQGhqs6Wp5VjXyu43O0zk/Dt5NO4nEqIXnfjkZ0NhsKy51gUmy +4YnkU+CBAoGBANYBFd842c2NThlNATRSaoWEcf2p2QL2Ss1B2lgYwxw0jm5wZWJt +muH1RILY5erign2yEtPDOubBQS9OePvyJsaaPepRyyMAUdv9vvAqxW3ev3DLQhy0 +8BQFsabGu/7WBQLIuiR0N682sANNJREGY5XZiWogaNCt7AEKkCygeVFHAoGBAPGo +zhAbcnKvUFHZXG4Kw8axlNpT75JISxeRilmt6KtiWHwhHzBxQgkyj3413wD7vADd +NIu8eqJUzBDJ8ZFAn3ZSdZCgDtCbTTn59wdRXzUT8WJGj7ProQVZH5+Vw0MEhtT3 +YOxlNefN+1OlJTZ6V1o8BTyhXi66DJAqUHMUQqedAoGAPKUaGaP2tPVySGE2Eim4 +3hVmaEgVo21ATWJ4Cbcas4eBRXK8iGQfHCFxRNNKdIG0EQLBqxkMPBBP9KP8TQmW +S3myShDbzBNvHzSNQ2obgMM65S/0kEYGMuZaLbTr2Y+049EWTvZQQWrx/j2CX4y7 +898tvdFpYpmm47Smnr7rIkkCgYB1uRwZMKXCRLFGDjM+0DOrOZsf+L++bUVXh+jz +4wpzYwdkAOamvKXEwUKx4yBt5DQj357Xa8v6BIEctKPfdLG5/FWVTMOqz90BH0o9 +4GAXBU4T5/fdWC4q4s3K+jQTE8NzP8eRoYRvFiMXDl5geZzQMmkCrkGpVa0FFff2 +96m46QKBgGzCuE2ZSaCduQYKVL6KcvASqkJ72eodKSzvB1aY2MD6d+RCWPebLqR2 +TuUpwx13/G6RUMO7i5cDeE9rMxinGPU7X0/h9m+Fr2+vO3a2FuBiL8ZZM5+CI2y2 +0av1S7h0quIScNifN3QM8jawE1IWXd6AQPbFx7nCrtmEP+rVl5Z9 +-----END RSA PRIVATE KEY----- diff --git a/notarysql/postgresql-initdb.d/tls-setup.sh b/notarysql/postgresql-initdb.d/tls-setup.sh new file mode 100644 index 000000000..321462224 --- /dev/null +++ b/notarysql/postgresql-initdb.d/tls-setup.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Setup the server so it knows where to find certs so that server can be +# started with TLS enabled. +set -e + +sed -i "s/#ssl = off/ssl = on/" "$PGDATA"/postgresql.conf +sed -i "s/#ssl_ca_file = ''/ssl_ca_file = 'root.crt'/" "$PGDATA"/postgresql.conf +cp /docker-entrypoint-initdb.d/pg_hba.conf "$PGDATA" +cp /docker-entrypoint-initdb.d/server.{crt,key} "$PGDATA" +cp /docker-entrypoint-initdb.d/root.crt "$PGDATA" +chown postgres:postgres "$PGDATA"/server.{crt,key} +chown postgres:postgres "$PGDATA"/root.crt +chmod 0600 "$PGDATA"/server.key diff --git a/server.Dockerfile b/server.Dockerfile index 87b96bda2..53f38bb96 100644 --- a/server.Dockerfile +++ b/server.Dockerfile @@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG} WORKDIR /go/src/${NOTARYPKG} +RUN chmod 0600 ./fixtures/database/* + ENV SERVICE_NAME=notary_server EXPOSE 4443 diff --git a/signer.Dockerfile b/signer.Dockerfile index d509c2f65..1760f5299 100644 --- a/signer.Dockerfile +++ b/signer.Dockerfile @@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG} WORKDIR /go/src/${NOTARYPKG} +RUN chmod 0600 ./fixtures/database/* + ENV SERVICE_NAME=notary_signer ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1" ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"