Authentication (#239)

* Add databox labels to services

* Create certs with sha-256

* Add unsecure port to container manager

* Tidying

* Update Tests to Https

* Fix multiple IPs in travis tests

* Components

* Add additional details to certificates for #210

* Enable local app server over https (#215)

* Move to default ports for UI

* Create auth token

* Add der encoded root certificate for ios

* Fix missing certs error

databox-start

@@ -169,7 +169,7 @@ fi
 mkdir -p ./certs
 
 err "Creating Certificates"
-_exec node ./src/createCerts.js ${ips[@]}
+_exec node ./src/createCerts.js ${EXT_IP} ${ips[@]}
 
 if [ "$DEV" == "1" ]
 then

docker-compose.yaml

@@ -79,11 +79,11 @@ services:
 
 secrets:
   DATABOX_ROOT_CA:
-    file: ${DATABOX_PATH}/certs/containerManager.crt
+    file: ${DATABOX_PATH}/certs/rootCert.crt
   CM_KEY:
     file: ${DATABOX_PATH}/certs/arbiterToken-container-manager
   DATABOX_CM.pem:
-    file: ${DATABOX_PATH}/certs/containerManager.pem
+    file: ${DATABOX_PATH}/certs/rootCert.pem
   DATABOX_ARBITER.pem:
     file: ${DATABOX_PATH}/certs/arbiter.pem
   DATABOX_EXPORT_SERVICE_PEM.json:

package.json

@@ -32,7 +32,7 @@
     "dockerode": "^2.4.3",
     "jsonfile": "^3.0.0",
     "node-forge": "^0.7.1",
-    "request": "^2.81.0",
+    "qrcode": "^1.2.0",
     "selfsigned": "^1.8.0"
   },
   "devDependencies": {}

src/container-manager.js

@@ -1,16 +1,12 @@
 const Config = require('./config.json');
-const os = require('os');
 const crypto = require('crypto');
-const jsonfile = require('jsonfile');
 const fs = require('fs');
 
 const Docker = require('dockerode');
 const docker = new Docker();
 
-const ip = '127.0.0.1';
-
 //ARCH to append -arm to the end of a container name if running on arm
-var ARCH = '';
+const ARCH = '';
 
 const certPath = './certs/';
 
@@ -30,7 +26,7 @@ const generateArbiterToken = function (name) {
 
 			crypto.randomBytes(32, function (err, buffer) {
 				if (err) reject(err);
-				var token = buffer.toString('base64');
+				const token = buffer.toString('base64');
 				fs.writeFileSync(fullpath, token);
 				resolve(token);
 			});
@@ -42,9 +38,6 @@ exports.generateArbiterToken = generateArbiterToken;
 //Pull latest image from any repo defaults to dockerIO
 const pullDockerIOImage = function (imageName) {
 	return new Promise((resolve, reject) => {
-		const parts = imageName.split(':');
-		const name = parts[0];
-		const version = parts[1];
 		console.log('[Pulling Image] ' + imageName );
 		dockerImagePull(imageName, resolve,reject);
 	});
@@ -53,9 +46,6 @@ const pullDockerIOImage = function (imageName) {
 //Pull latest image from Config.registryUrl
 const pullImage = function (imageName) {
 	return new Promise((resolve, reject) => {
-		const parts = imageName.split(':');
-		const name = parts[0];
-		const version = parts[1];
 		console.log('[Pulling Image] ' + imageName );
 		dockerImagePull(Config.registryUrl + "/" + imageName, resolve,reject);
 	});

src/createCerts.js

@@ -2,7 +2,11 @@ process.setMaxListeners(200);
 
 const conman = require('./container-manager.js');
 const Config = require('./config.json');
+const QRCode = require('qrcode');
 const httpsHelper = require('./https-helper');
+const crypto = require('crypto');
+const fs = require('fs');
+
 
 httpsHelper.init()
 	.then(() => {
@@ -14,13 +18,41 @@ httpsHelper.init()
 			return httpsHelper.createClientCert(name);
 		}));
 
-		const ips = process.argv.slice(2);
+		const ips = process.argv.slice(3);
 		if (ips.indexOf('127.0.0.1') === -1) {
 			ips.push('127.0.0.1');
 		}
 		proms.push(httpsHelper.createClientCert('container-manager', ips));
 		proms.push(httpsHelper.createClientCert('app-server', ips));
 
+		let createToken = true;
+		try {
+			const content = fs.readFileSync('certs/container-mananager-auth.json');
+			const authToken = JSON.parse(content);
+			if (authToken.ip === process.argv[2]) {
+				createToken = false;
+			}
+		} catch(e) {
+			createToken = true;
+		}
+		if (createToken) {
+			const token = crypto.randomBytes(24).toString('base64');
+			const auth = {
+				ip: process.argv[2],
+				token: token
+			};
+			const auth_str = JSON.stringify(auth);
+
+			proms.push(QRCode.toFile('certs/qrcode.png', auth_str, {}));
+
+			proms.push(new Promise((resolve, reject) => {
+				fs.writeFile('certs/container-mananager-auth.json', auth_str, function (err) {
+					if (err) reject(err);
+					else resolve();
+				});
+			}));
+		}
+
 		return Promise.all(proms);
 	})
 	.then(() => {

src/https-helper.js

@@ -15,9 +15,10 @@ const config = {days: 365, keySize: 2048, algorithm: 'sha256'};
 let rootPems;
 
 const certPath = './certs/';
-const devCertPath = './certs/certs.json';
-const devPemCertPath = './certs/containerManager.pem';
-const devCAPath = './certs/containerManager.crt';
+const devCertPath = certPath + 'certs.json';
+const devPemCertPath = certPath + 'rootCert.pem';
+const devDerCertPath = certPath + 'rootCert.der';
+const devCAPath = certPath + 'rootCert.crt';
 
 //Generate the CM root cert at startup.
 const init = function () {
@@ -36,12 +37,28 @@ const init = function () {
 				if (err) {
 					reject(err);
 				}
+
 				rootPems = pems;
+
+				// Delete cert directory if root certs are re-created,
+				// since all other cert need to be recreated too
+				if(fs.existsSync(certPath)) {
+					fs.rmdirSync(certPath);
+				}
+				fs.mkdirSync(certPath);
+
 				//Cash the certs in dev mode. These are new certs so display the update instructions and exit.
-				jsonfile.writeFileSync(devCertPath, pems);
-				fs.writeFileSync(devPemCertPath, pems.private + pems.public + pems.cert);
+				jsonfile.writeFileSync(devCertPath, rootPems);
+
+				fs.writeFileSync(devPemCertPath, rootPems.private + rootPems.public + rootPems.cert);
 				fs.writeFileSync(devCAPath, rootPems.cert);
 
+				const cert = forge.pki.certificateFromPem(rootPems.cert);
+				const asn = forge.pki.certificateToAsn1(cert);
+				const der = forge.asn1.toDer(asn).getBytes();
+
+				fs.writeFileSync(devDerCertPath, der, 'binary');
+
 				resolve({rootCAcert: rootPems.cert});
 			});
 		});
@@ -154,4 +171,4 @@ const createClientCert = function (commonName, ips) {
 	});
 };
 
-module.exports = {init: init, createClientCert: createClientCert, getRootCert: getRootCert};
+module.exports = {init: init, createClientCert: createClientCert};