setup script aligned with docker-compose.yml and Dockerfile/entrypoint.sh

Dockerfile cleanup: removed trust-manager
TO-DO: WebID delegation

Author: namedgraph

.gitignore

@@ -7,4 +7,4 @@
 /node
 /node_modules
 /docker-compose.override.yml
-/public-keys
+/ssl

Dockerfile

@@ -10,16 +10,6 @@ RUN mkdir /jena && \
     curl -SL "$JENA_TAR_URL" | \
     tar -xzf - -C /jena
 
-# copy trust manager source code
-
-WORKDIR /usr/src/trust-manager
-
-COPY platform/trust-manager /usr/src/trust-manager
-
-# build trust manager
-
-RUN mvn clean install # builds target/trust-manager-1.0.0-SNAPSHOT.jar
-
 # copy platform source code and POM
 
 WORKDIR /usr/src/platform
@@ -52,10 +42,6 @@ COPY platform/server.xsl conf/server.xsl
 
 COPY platform/context.xsl conf/context.xsl
 
-# copy trust manager from the maven stage of the build
-
-COPY --from=maven /usr/src/trust-manager/target/trust-manager-1.0.0-SNAPSHOT.jar lib/ldh-trust-manager.jar
-
 ENV CACHE_MODEL_LOADS=true
 
 ENV STYLESHEET=static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl
@@ -74,25 +60,21 @@ ENV HOST=localhost
 
 ENV ABS_PATH=/
 
-# ENV HTTP_PROXY_PORT=80
-
 ENV HTTP_REDIRECT_PORT=443
 
 ENV HTTP_COMPRESSION=on
 
-ENV SECRETARY_REL_URI=admin/acl/agents/e413f97b-15ee-47ea-ba65-4479aa7f1f9e/#this
-
-ENV SECRETARY_KEY_PASSWORD=LinkedDataHub
+ENV SERVER_CERT=/var/linkeddatahub/ssl/server/server.crt
 
-ENV SECRETARY_CERT_ALIAS=ldh
+ENV SECRETARY_CERT="$CATALINA_HOME/webapps/ROOT/ssl/cert.pem"
 
-ENV SECRETARY_CERT_VALIDITY=36500
+ENV SECRETARY_CERT_ALIAS=secretary
 
-ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/certs/secretary.p12"
+ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/ssl/keystore.p12"
 
-ENV CLIENT_TRUSTSTORE="$CATALINA_HOME/webapps/ROOT/certs/secretary.truststore"
+ENV CLIENT_TRUSTSTORE="$CATALINA_HOME/webapps/ROOT/ssl/client.truststore"
 
-ENV OWNER_PUBLIC_KEY="/var/linkeddatahub/public-keys/owner.pem"
+ENV OWNER_PUBLIC_KEY=/var/linkeddatahub/ssl/owner/public.pem
 
 ENV LOAD_DATASETS=
 
@@ -166,8 +148,8 @@ ENV JENA_HOME=/jena
 
 ENV PATH="${PATH}:${JENA_HOME}/bin"
 
-# persist certificates in a volume
+# persist SSL-related files in a volume
 
-VOLUME /var/linkeddatahub/certs "$CATALINA_HOME/webapps/ROOT/certs"
+VOLUME /var/linkeddatahub/ssl "$CATALINA_HOME/webapps/ROOT/ssl"
 
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]

docker-compose.yml

@@ -50,8 +50,9 @@ services:
       # - GOOGLE_CLIENT_ID=
       # - GOOGLE_CLIENT_SECRET=
     volumes:
-      - ./certs:/usr/local/tomcat/webapps/ROOT/certs
-      - ./public-keys/owner.pem:/var/linkeddatahub/public-keys/owner.pem
+      - ./ssl/server:/var/linkeddatahub/ssl/server
+      - ./ssl/owner:/var/linkeddatahub/ssl/owner
+      - ./ssl/secretary:/usr/local/tomcat/webapps/ROOT/ssl
       - ./uploads:/var/www/linkeddatahub/uploads
       - ./config/dev.log4j.properties:/usr/local/tomcat/webapps/ROOT/WEB-INF/classes/log4j.properties:ro
       - ./config/system-varnish.trig:/var/linkeddatahub/datasets/system.trig:ro

http-tests/setup-test-user.sh

@@ -0,0 +1 @@
+./setup.sh https://localhost:4443/ /tmp/test-user.p12 changeit 'CN=Test Agent, OU=LinkedDataHub (localhost), O=AtomGraph, L=Copenhagen, ST=Denmark, C=DK' /tmp/test-user.pem 3650

http-tests/setup.sh

@@ -1,67 +1,119 @@
 #!/bin/bash
 
-if [ "$#" -ne 6 ]; then
-  echo "Usage:   $0" '$env_file $alias $owner_cert $owner_cert_pwd $owner_public_key $validity' >&2
-  echo "Example: $0 .env martynas martynas.localhost.p12 Password martynas.localhost.pem 3650" >&2
+if [ "$#" -ne 4 ]; then
+  echo "Usage:   $0" '$env_file $out_folder $owner_cert_pwd $validity' >&2
+  echo "Example: $0 .env ssl Password 3650" >&2
   exit 1
 fi
 
 env_file="$1"
+out_folder="$2"
 
-alias="$2"
-owner_cert="$3"
-owner_cert_pwd="$4"
-owner_public_key="$5"
-validity="$6"
+owner_alias="owner"
+owner_keystore="${out_folder}/owner/keystore.p12"
+owner_cert_pwd="$3"
+owner_public_key="${out_folder}/owner/public.pem"
+validity="$4"
 
-secretary_keystore="ssl/secretary/keystore.p12"
+secretary_alias="secretary"
+secretary_keystore="${out_folder}/secretary/keystore.p12"
 secretary_keystore_pwd="LinkedDataHub"
-secretary_cert="ssl/secretary/cert.pem"
+secretary_cert="${out_folder}/secretary/cert.pem"
 secretary_cert_pwd="LinkedDataHub"
-secretary_cert_validity=36500
-
-mkdir -p ssl/secretary
 
 declare -A env
 
 # read file line by line and populate the array. Field separator is "="
 while IFS='=' read -r k v; do
-    if [ ! -z $k ] ; then env["$k"]="$v"; fi
+    if [ -n "$k" ] ; then env["$k"]="$v"; fi
 done < "$env_file"
 
-for x in "${!env[@]}"; do printf "[%s]=%s\n" "$x" "${env[$x]}" ; done
+if [ -z "${env['PROTOCOL']}" ]; then
+    echo "Configuration is incomplete: PROTOCOL is missing"
+    exit 1
+fi
+if [ -z "${env['HTTPS_PORT']}" ]; then
+    echo "Configuration is incomplete: HTTPS_PORT is missing"
+    exit 1
+fi
+if [ -z "${env['HTTP_PORT']}" ]; then
+    echo "Configuration is incomplete: HTTP_PORT is missing"
+    exit 1
+fi
+if [ -z "${env['HOST']}" ]; then
+    echo "Configuration is incomplete: HOST is missing"
+    exit 1
+fi
+if [ -z "${env['ABS_PATH']}" ]; then
+    echo "Configuration is incomplete: ABS_PATH is missing"
+    exit 1
+fi
 
 if [ "${env['PROTOCOL']}" = "https" ]; then
     if [ "${env['HTTPS_PORT']}" = 443 ]; then
-        export base_uri="${env['PROTOCOL']}://${env['HOST']}${env['ABS_PATH']}"
+        base_uri="${env['PROTOCOL']}://${env['HOST']}${env['ABS_PATH']}"
     else
-        export base_uri="${env['PROTOCOL']}://${env['HOST']}:${env['HTTPS_PORT']}${env['ABS_PATH']}"
+        base_uri="${env['PROTOCOL']}://${env['HOST']}:${env['HTTPS_PORT']}${env['ABS_PATH']}"
     fi
 else
     if [ "${env['HTTP_PORT']}" = 80 ]; then
-        export base_uri="${env['PROTOCOL']}://${env['HOST']}${env['ABS_PATH']}"
+        base_uri="${env['PROTOCOL']}://${env['HOST']}${env['ABS_PATH']}"
     else
-        export base_uri="${env['PROTOCOL']}://${env['HOST']}:${env['HTTP_PORT']}${env['ABS_PATH']}"
+        base_uri="${env['PROTOCOL']}://${env['HOST']}:${env['HTTP_PORT']}${env['ABS_PATH']}"
     fi
 fi
 
-printf "\n ### Base URI: %s\n" "$base_uri"
+printf "### Base URI: %s\n" "$base_uri"
 
 # create owner certificate
 
+printf "\n### Owner's WebID URI: %s\n" "$owner_uri"
+
+if [ -z "${env['OWNER_GIVEN_NAME']}" ]; then
+    echo "Configuration is incomplete: OWNER_GIVEN_NAME is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_FAMILY_NAME']}" ]; then
+    echo "Configuration is incomplete: OWNER_FAMILY_NAME is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_ORG_UNIT']}" ]; then
+    echo "Configuration is incomplete: OWNER_ORG_UNIT is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_ORGANIZATION']}" ]; then
+    echo "Configuration is incomplete: OWNER_ORGANIZATION is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_LOCALITY']}" ]; then
+    echo "Configuration is incomplete: OWNER_LOCALITY is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_STATE_OR_PROVINCE']}" ]; then
+    echo "Configuration is incomplete: OWNER_STATE_OR_PROVINCE is missing"
+    exit 1
+fi
+if [ -z "${env['OWNER_COUNTRY_NAME']}" ]; then
+    echo "Configuration is incomplete: OWNER_COUNTRY_NAME is missing"
+    exit 1
+fi
+
 owner_uuid=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
 owner_uri="${base_uri}admin/acl/agents/${owner_uuid}/#this"
 
 printf "\n### Owner's WebID URI: %s\n" "$owner_uri"
 
 owner_cert_dname="CN=${env['OWNER_GIVEN_NAME']} ${env['OWNER_FAMILY_NAME']}, OU=${env['OWNER_ORG_UNIT']}, O=${env['OWNER_ORGANIZATION']}, L=${env['OWNER_LOCALITY']}, ST=${env['OWNER_STATE_OR_PROVINCE']}, C=${env['OWNER_COUNTRY_NAME']}"
+printf "\n### Owner WebID certificate's DName attributes: %s\n" "$owner_cert_dname"
+
+mkdir -p "$out_folder"/owner
 
 keytool \
-    -alias "$alias" \
     -genkeypair \
+    -alias "$owner_alias" \
     -keyalg RSA \
     -storetype PKCS12 \
-    -keystore "$owner_cert" \
+    -keystore "$owner_keystore" \
     -storepass "$owner_cert_pwd" \
     -keypass "$owner_cert_pwd" \
     -dname "$owner_cert_dname" \
@@ -70,30 +122,36 @@ keytool \
 
 # convert owner's certificate to PEM
 
-openssl pkcs12 -in "$owner_cert" -passin pass:"$owner_cert_pwd" -nokeys -out "$owner_public_key" # only export the public key!
+openssl \
+    pkcs12 \
+    -in "$owner_keystore" \
+    -passin pass:"$owner_cert_pwd" \
+    -nokeys \
+    -out "$owner_public_key"
 
 # create secratary's certificate
 
+mkdir -p "$out_folder"/secretary
+
 secretary_uuid=$(uuidgen | tr '[:upper:]' '[:lower:]') # lowercase
 secretary_uri="${base_uri}admin/acl/agents/${secretary_uuid}/#this"
 
 printf "\n### Secretary's WebID URI: %s\n" "$secretary_uri"
 
-secretary_dname="CN=LDH, OU=LDH, O=AtomGraph, L=Copenhagen, ST=Denmark, C=DK"
+secretary_cert_dname="CN=LDH, OU=LDH, O=AtomGraph, L=Copenhagen, ST=Denmark, C=DK"
+printf "\n### Secretary WebID certificate's DName attributes: %s\n" "$secretary_cert_dname"
 
 keytool \
     -genkeypair \
-    -alias "ldh-secretary" \
+    -alias "$secretary_alias" \
     -keyalg RSA \
     -storetype PKCS12 \
     -keystore "$secretary_keystore" \
     -storepass "$secretary_keystore_pwd" \
     -keypass "$secretary_cert_pwd" \
-    -dname "$secretary_dname" \
+    -dname "$secretary_cert_dname" \
     -ext "SAN=uri:${secretary_uri}" \
-    -validity "$secretary_cert_validity"
-
-printf "\n### Secretary WebID certificate's DName attributes: %s\n" "$secretary_dname"
+    -validity "$validity"
 
 # convert secretary's certificate to PEM
 
@@ -102,9 +160,4 @@ openssl \
     -in "$secretary_keystore" \
     -passin pass:"$secretary_keystore_pwd" \
     -out "$secretary_cert" \
-    -passout pass:"$secretary_cert_pwd"
-
-# ===
-# openssl pkcs12 -in "$owner_cert" -out ./http-tests/owner.p12.pem -passin pass:"$owner_cert_pwd" -passout pass:"$owner_cert_pwd" # re-generate the owner PEM cert - seems to differ with different openssl versions?
-
-# openssl pkcs12 -in ./certs/secretary.p12 -out ./http-tests/secretary.p12.pem -passin pass:"$secretary_cert_pwd" -passout pass:"$secretary_cert_pwd
+    -passout pass:"$secretary_cert_pwd"