Removed server.xsl

acl:delegates moved from owner's template to secretary's
Updated post_push hook to actually tag images with source commit hash
Client keystore mounting refactored -- gets copied from $CLIENT_KEYSTORE_MOUNT

Author: namedgraph

Dockerfile

@@ -34,10 +34,6 @@ ENV SOURCE_COMMIT=$SOURCE_COMMIT
 
 WORKDIR $CATALINA_HOME
 
-# add XSLT stylesheet that makes changes to server.xml
-
-COPY platform/server.xsl conf/server.xsl
-
 # add XSLT stylesheet that makes changes to ROOT.xml
 
 COPY platform/context.xsl conf/context.xsl
@@ -64,12 +60,16 @@ ENV HTTP_REDIRECT_PORT=443
 
 ENV HTTP_COMPRESSION=on
 
+ENV HTTPS=false
+
 ENV SERVER_CERT=/var/linkeddatahub/ssl/server/server.crt
 
-ENV SECRETARY_CERT="$CATALINA_HOME/webapps/ROOT/ssl/cert.pem"
+ENV SECRETARY_CERT=/var/linkeddatahub/ssl/secretary/cert.pem
 
 ENV SECRETARY_CERT_ALIAS=secretary
 
+ENV CLIENT_KEYSTORE_MOUNT=/var/linkeddatahub/ssl/secretary/keystore.p12
+
 ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/ssl/keystore.p12"
 
 ENV CLIENT_TRUSTSTORE="$CATALINA_HOME/webapps/ROOT/ssl/client.truststore"
@@ -148,8 +148,4 @@ ENV JENA_HOME=/jena
 
 ENV PATH="${PATH}:${JENA_HOME}/bin"
 
-# persist SSL-related files in a volume
-
-VOLUME /var/linkeddatahub/ssl "$CATALINA_HOME/webapps/ROOT/ssl"
-
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]

docker-compose.yml

@@ -52,7 +52,7 @@ services:
     volumes:
       - ./ssl/server:/var/linkeddatahub/ssl/server
       - ./ssl/owner:/var/linkeddatahub/ssl/owner
-      - ./ssl/secretary:/usr/local/tomcat/webapps/ROOT/ssl
+      - ./ssl/secretary:/var/linkeddatahub/ssl/secretary
       - ./uploads:/var/www/linkeddatahub/uploads
       - ./config/dev.log4j.properties:/usr/local/tomcat/webapps/ROOT/WEB-INF/classes/log4j.properties:ro
       - ./config/system-varnish.trig:/var/linkeddatahub/datasets/system.trig:ro

hooks/post_push

@@ -1,5 +1,5 @@
 #!/bin/bash
 
-echo "$IMAGE_NAME" "$DOCKER_REPO":"$SOURCE_COMMIT"
+docker tag "$IMAGE_NAME" "$DOCKER_REPO":"$SOURCE_COMMIT"
 
-docker tag "$IMAGE_NAME" "$DOCKER_REPO":"$SOURCE_COMMIT"
+docker push "$DOCKER_REPO":"$SOURCE_COMMIT"

platform/entrypoint.sh

@@ -48,38 +48,6 @@ if [ -n "$HTTPS" ] ; then
     HTTPS_PARAM="--stringparam https $HTTPS "
 fi
 
-if [ -n "$HTTPS_SCHEME" ] ; then
-    HTTPS_SCHEME_PARAM="--stringparam https.scheme $HTTPS_SCHEME "
-fi
-
-if [ -n "$HTTPS_PORT" ] ; then
-    HTTPS_PORT_PARAM="--stringparam https.port $HTTPS_PORT "
-fi
-
-if [ -n "$HTTPS_MAX_THREADS" ] ; then
-    HTTPS_MAX_THREADS_PARAM="--stringparam https.maxThreads $HTTPS_MAX_THREADS "
-fi
-
-if [ -n "$HTTPS_CLIENT_AUTH" ] ; then
-    HTTPS_CLIENT_AUTH_PARAM="--stringparam https.clientAuth $HTTPS_CLIENT_AUTH "
-fi
-
-if [ -n "$HTTPS_PROXY_NAME" ] ; then
-    HTTPS_PROXY_NAME_PARAM="--stringparam https.proxyName $HTTPS_PROXY_NAME "
-fi
-
-if [ -n "$HTTPS_PROXY_PORT" ] ; then
-    HTTPS_PROXY_PORT_PARAM="--stringparam https.proxyPort $HTTPS_PROXY_PORT "
-fi
-
-if [ -n "$HTTPS_COMPRESSION" ] ; then
-    HTTPS_COMPRESSION_PARAM="--stringparam https.compression $HTTPS_COMPRESSION "
-fi
-
-if [ -n "$KEY_ALIAS" ] ; then
-    KEY_ALIAS_PARAM="--stringparam https.keyAlias '$KEY_ALIAS' "
-fi
-
 transform="xsltproc \
   --output conf/server.xml \
   $HTTP_PARAM \
@@ -91,14 +59,6 @@ transform="xsltproc \
   $HTTP_CONNECTION_TIMEOUT_PARAM \
   $HTTP_COMPRESSION_PARAM \
   $HTTPS_PARAM \
-  $HTTPS_SCHEME_PARAM \
-  $HTTPS_PORT_PARAM \
-  $HTTPS_MAX_THREADS_PARAM \
-  $HTTPS_CLIENT_AUTH_PARAM \
-  $HTTPS_PROXY_NAME_PARAM \
-  $HTTPS_PROXY_PORT_PARAM \
-  $HTTPS_COMPRESSION_PARAM \
-  $KEY_ALIAS_PARAM \
   conf/letsencrypt-tomcat.xsl \
   conf/server.xml"
 
@@ -148,6 +108,11 @@ if [ -z "$CLIENT_KEYSTORE" ] ; then
     exit 1
 fi
 
+if [ -z "$CLIENT_KEYSTORE_MOUNT" ] ; then
+    echo '$CLIENT_KEYSTORE_MOUNT not set'
+    exit 1
+fi
+
 if [ -z "$SECRETARY_CERT_ALIAS" ] ; then
     echo '$SECRETARY_CERT_ALIAS not set'
     exit 1
@@ -396,7 +361,7 @@ if [ -z "$OWNER_URI" ] ; then
     exit 1
 fi
 
-printf "\n### Owner's WebID URI: %s\n" "$owner_uri"
+printf "\n### Owner's WebID URI: %s\n" "$OWNER_URI"
 
 # strip fragment from the URL, if any
 
@@ -431,6 +396,12 @@ rm -f root-owner.trig root-owner.nq split.root-owner.nq
 echo "<${root_admin_app}> <http://xmlns.com/foaf/0.1/maker> <${OWNER_URI}> ." >> "$based_context_dataset"
 echo "<${root_end_user_app}> <http://xmlns.com/foaf/0.1/maker> <${OWNER_URI}> ." >> "$based_context_dataset"
 
+# copy mounted client keystore to a location where the webapp can access it
+
+mkdir -p "$(dirname "$CLIENT_KEYSTORE")"
+
+cp -f "$CLIENT_KEYSTORE_MOUNT" "$(dirname "$CLIENT_KEYSTORE")"
+
 # if CLIENT_TRUSTSTORE does not exist:
 # 1. import the certificate into the CLIENT_TRUSTSTORE
 # 2. initialize an Agent/PublicKey with secretary's metadata and key modulus
@@ -444,7 +415,7 @@ if [ ! -f "$CLIENT_TRUSTSTORE" ]; then
         exit 1
     fi
 
-    printf "\n### Secretary's WebID URI: %s\n" "$owner_uri"
+    printf "\n### Secretary's WebID URI: %s\n" "$SECRETARY_URI"
 
     # strip fragment from the URL, if any
 
@@ -479,29 +450,31 @@ if [ ! -f "$CLIENT_TRUSTSTORE" ]; then
     # if server certificate is self-signed, import it into client truststore
 
     if [ "$SELF_SIGNED_CERT" = true ] ; then
-      printf "\n### Importing server certificate into the client truststore\n\n"
-
-      keytool -importcert \
-        -alias "$KEY_ALIAS" \
-        -file "$SERVER_CERT" \
-        -keystore "$CLIENT_TRUSTSTORE" \
-        -noprompt \
-        -storepass "$CLIENT_KEYSTORE_PASSWORD" \
-        -storetype PKCS12 \
-        -trustcacerts
+        printf "\n### Importing server certificate into the client truststore\n\n"
+
+        mkdir -p "$(dirname "$CLIENT_TRUSTSTORE")"
+
+        keytool -importcert \
+            -alias "$SECRETARY_CERT_ALIAS" \
+            -file "$SERVER_CERT" \
+            -keystore "$CLIENT_TRUSTSTORE" \
+            -noprompt \
+            -storepass "$CLIENT_KEYSTORE_PASSWORD" \
+            -storetype PKCS12 \
+            -trustcacerts
     fi
 
-    # import default CA certs from the JRE
-
+    printf "\n### Importing default CA certificates into the client truststore\n\n"
+ 
     export CACERTS="${JAVA_HOME}/lib/security/cacerts"
 
     keytool -importkeystore \
-      -destkeystore "$CLIENT_TRUSTSTORE" \
-      -deststorepass "$CLIENT_KEYSTORE_PASSWORD" \
-      -deststoretype PKCS12 \
-      -noprompt \
-      -srckeystore "$CACERTS" \
-      -srcstorepass changeit > /dev/null
+        -destkeystore "$CLIENT_TRUSTSTORE" \
+        -deststorepass "$CLIENT_KEYSTORE_PASSWORD" \
+        -deststoretype PKCS12 \
+        -noprompt \
+        -srckeystore "$CACERTS" \
+        -srcstorepass changeit
 fi
 
 if [ -z "$LOAD_DATASETS" ]; then

platform/root-owner.trig.template

@@ -1,7 +1,6 @@
 @prefix adm:    <ns#> .
 @prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
 @prefix xsd:	<http://www.w3.org/2001/XMLSchema#> .
-@prefix acl:    <http://www.w3.org/ns/auth/acl#> .
 @prefix cert:   <http://www.w3.org/ns/auth/cert#> .
 @prefix dh:	<https://www.w3.org/ns/ldt/document-hierarchy/domain#> .
 @prefix sioc:	<http://rdfs.org/sioc/ns#> .
@@ -21,8 +20,6 @@
     foaf:isPrimaryTopicOf <${OWNER_DOC_URI}> ;
     cert:key <acl/public-keys/${OWNER_KEY_UUID}/#this> .
 
-<acl/agents/e413f97b-15ee-47ea-ba65-4479aa7f1f9e/#this> acl:delegates <${OWNER_URI}> .
-
 # PUBLIC KEY
 
 <acl/public-keys/${OWNER_KEY_UUID}/> a adm:PublicKeyItem ;

platform/root-secretary.trig.template

@@ -1,6 +1,7 @@
 @prefix adm:    <ns#> .
 @prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
 @prefix xsd:	<http://www.w3.org/2001/XMLSchema#> .
+@prefix acl:    <http://www.w3.org/ns/auth/acl#> .
 @prefix cert:   <http://www.w3.org/ns/auth/cert#> .
 @prefix dh:	<https://www.w3.org/ns/ldt/document-hierarchy/domain#> .
 @prefix sioc:	<http://rdfs.org/sioc/ns#> .
@@ -35,4 +36,10 @@
 
 # secretary is a member of the writers group
 
-<acl/groups/writers/#this> foaf:member <${SECRETARY_URI}> .
+<acl/groups/writers/#this> foaf:member <${SECRETARY_URI}> .
+
+# DELEGATION
+
+# secretary delegates the owner agent
+
+<${SECRETARY_URI}> acl:delegates <${OWNER_URI}> .