Add CircleCI test

.circleci/config.yml

@@ -0,0 +1,34 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: sicz/dockerspec:17.04.24
+    working_directory: ~/docker-simple-ca
+    environment:
+      - MAKEFLAGS=--no-print-directory
+    steps:
+      - run:
+          name: Set up Environment
+          command: |
+            curl -sSL https://github.com/SICZ/Mk/archive/master.tar.gz | tar -xzf -
+            mv Mk-master ~/Mk
+      - checkout
+      - setup_remote_docker
+      - run:
+          name: Remote Docker engine version
+          command: |
+            docker version
+      - run:
+          name: Build Docker image
+          command: |
+            make rebuild
+      - run:
+          name: Run Docker container
+          command: |
+            make secrets
+            make run
+            make logs
+      - run:
+          name: Run tests
+          command: |
+            env DOCKER_CONTAINER_ID=$(cat .container_id) rspec --format doc

.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

Dockerfile

@@ -1,20 +1,15 @@
 FROM sicz/lighttpd:3.5
 
-ENV \
-  org.label-schema.schema-version="1.0" \
-  org.label-schema.name="sicz/simple-ca" \
-  org.label-schema.description="A simple automated Certificate Authority." \
-  org.label-schema.build-date="2017-04-18T20:36:03Z" \
-  org.label-schema.url="https://github.com/sicz/docker-simple-ca" \
-  org.label-schema.vcs-url="https://github.com/sicz/docker-simple-ca"
-
-ENV \
-  LIGHTTPD_PORT=9443 \
-  SIMPLE_CA_DIR=/var/lib/simple-ca
+ENV org.label-schema.schema-version="1.0"
+ENV org.label-schema.name="sicz/simple-ca"
+ENV org.label-schema.description="A simple automated Certificate Authority."
+ENV org.label-schema.build-date="2017-04-18T20:36:03Z"
+ENV org.label-schema.url="https://github.com/sicz/docker-simple-ca"
+ENV org.label-schema.vcs-url="https://github.com/sicz/docker-simple-ca"
 
 COPY config /etc
 COPY docker-entrypoint.d /docker-entrypoint.d
-COPY www ${LIGHTTPD_DIR}
-RUN set -x && chmod +x ${LIGHTTPD_DIR}/*.cgi
+COPY www /var/www
+RUN set -x && chmod +x /var/www/simple-ca.cgi
 
-EXPOSE ${LIGHTTPD_PORT}
+EXPOSE 443

Dockerfile.tpl

@@ -1,20 +1,15 @@
 FROM sicz/lighttpd:%%BASE_IMAGE_TAG%%
 
-ENV \
-  org.label-schema.schema-version="1.0" \
-  org.label-schema.name="%%DOCKER_PROJECT%%/%%DOCKER_NAME%%" \
-  org.label-schema.description="A simple automated Certificate Authority." \
-  org.label-schema.build-date="%%REFRESHED_AT%%" \
-  org.label-schema.url="https://github.com/sicz/docker-simple-ca" \
-  org.label-schema.vcs-url="https://github.com/%%DOCKER_PROJECT%%/docker-%%DOCKER_NAME%%"
-
-ENV \
-  LIGHTTPD_PORT=9443 \
-  SIMPLE_CA_DIR=/var/lib/simple-ca
+ENV org.label-schema.schema-version="1.0"
+ENV org.label-schema.name="%%DOCKER_PROJECT%%/%%DOCKER_NAME%%"
+ENV org.label-schema.description="A simple automated Certificate Authority."
+ENV org.label-schema.build-date="%%REFRESHED_AT%%"
+ENV org.label-schema.url="https://github.com/sicz/docker-simple-ca"
+ENV org.label-schema.vcs-url="https://github.com/%%DOCKER_PROJECT%%/docker-%%DOCKER_NAME%%"
 
 COPY config /etc
 COPY docker-entrypoint.d /docker-entrypoint.d
-COPY www ${LIGHTTPD_DIR}
-RUN set -x && chmod +x ${LIGHTTPD_DIR}/*.cgi
+COPY www /var/www
+RUN set -x && chmod +x /var/www/simple-ca.cgi
 
-EXPOSE ${LIGHTTPD_PORT}
+EXPOSE 443

Makefile

@@ -4,12 +4,14 @@ DOCKER_PROJECT		= sicz
 DOCKER_NAME		= simple-ca
 DOCKER_TAG		= $(ALPINE_VERSION)
 
-DOCKER_RUN_OPTS		= -v $(CURDIR)/secrets:/var/lib/simple-ca/secrets \
-			  -v /var/run/docker.sock:/var/run/docker.sock
+DOCKER_RUN_OPTS		+= -v $(CURDIR)/secrets:/var/lib/simple-ca/secrets \
+			   -v /var/run/docker.sock:/var/run/docker.sock
+DOCKER_SHELL_CMD	= /docker-entrypoint.sh bash
+DOCKER_TEST_OPTS	+= -v $(CURDIR)/secrets:/secrets
 
 
 .PHONY: all build rebuild deploy run up destroy rm down start stop restart
-.PHONY: status logs shell clean secrets
+.PHONY: status logs shell refresh test clean secrets
 
 all: destroy build secrets deploy logs-tail
 build: docker-build
@@ -23,6 +25,8 @@ status: docker-status
 logs: docker-logs
 logs-tail: docker-logs-tail
 shell: docker-shell
+refresh: docker-refresh
+test: docker-test
 
 clean: destroy
 	@SECRETS="$$(ls secrets/ca_* 2>/dev/null | tr '\n' ' ')"; \

README.md

@@ -1,5 +1,7 @@
 # docker-simple-ca
 
+[![CircleCI Status Badge](https://circleci.com/gh/sicz/docker-simple-ca.svg?style=shield&circle-token=06deeca25c070ce627cd547f0631afdc2c700f10)](https://circleci.com/gh/sicz/docker-simple-ca)
+
 **This project is not aimed at public consumption.
 It exists to serve as a single endpoint for SICZ containers.**
 

config/lighttpd/server.conf

@@ -14,7 +14,7 @@ server.modules        += (
 )
 
 # Setup server
-server.port           = env.LIGHTTPD_PORT
+server.port           = 443
 server.document-root  = htdocs_dir
 
 # Setup authentication and authorization
@@ -46,7 +46,6 @@ static-file.exclude-extensions = (".cgi")
 
 # Copy environment variables
 setenv.add-environment = (
-  "SIMPLE_CA_DIR"     => env.SIMPLE_CA_DIR,
   "CA_CRT"            => env.CA_CRT,
   "CA_KEY"            => env.CA_KEY,
   "CA_KEY_PWD_FILE"   => env.CA_KEY_PWD_FILE

config/ssl/openssl.cnf

@@ -8,7 +8,7 @@
 # than one openssl command.
 
 [ default ]
-dir                     = %%SIMPLE_CA_DIR%%     # Top dir
+dir                     = /var/lib/simple-ca   # Top dir
 
 # The next part of the configuration file is used by the openssl req command.
 

docker-entrypoint.d/30-environment-certs.sh

@@ -4,7 +4,7 @@ debug0 "Processing $(basename ${DOCKER_ENTRYPOINT:-$0})"
 
 ################################################################################
 # OpenSSL random file
-export RANDFILE=${SIMPLE_CA_DIR}/.rnd
+export RANDFILE=/var/lib/simple-ca/.rnd
 
 ################################################################################
 # Default CA user name and realm
@@ -15,7 +15,7 @@ export RANDFILE=${SIMPLE_CA_DIR}/.rnd
 if [ -e /run/secrets/ca_user.pwd ]; then
   : ${CA_USER_PWD_FILE:=/run/secrets/ca_user.pwd}
 else
-  : ${CA_USER_PWD_FILE:=${SIMPLE_CA_DIR}/secrets/ca_user.pwd}
+  : ${CA_USER_PWD_FILE:=/var/lib/simple-ca/secrets/ca_user.pwd}
 fi
 
 ################################################################################
@@ -26,27 +26,26 @@ fi
 if [ -e /run/secrets/ca_crt.pem ]; then
   : ${CA_CRT:=/run/secrets/ca_crt.pem}
 else
-  : ${CA_CRT:=${SIMPLE_CA_DIR}/secrets/ca_crt.pem}
+  : ${CA_CRT:=/var/lib/simple-ca/secrets/ca_crt.pem}
 fi
 
 # Default CA private key file location
 if [ -e /run/secrets/ca_key.pem ]; then
   : ${CA_KEY:=/run/secrets/ca_key.pem}
 else
-  : ${CA_KEY:=${SIMPLE_CA_DIR}/secrets/ca_key.pem}
+  : ${CA_KEY:=/var/lib/simple-ca/secrets/ca_key.pem}
 fi
 
 # Default CA private key passphrase file
 if [ -e /run/secrets/ca_key.pwd ]; then
   : ${CA_KEY_PWD_FILE:=/run/secrets/ca_key.pwd}
 else
-  : ${CA_KEY_PWD_FILE:=${SIMPLE_CA_DIR}/secrets/ca_key.pwd}
+  : ${CA_KEY_PWD_FILE:=/var/lib/simple-ca/secrets/ca_key.pwd}
 fi
 
 # Paths must be hardcoded in openssl.cnf because LibreSSL removed support
 # for ${ENV::VARIABLE} in openssl.cnf
 sed -i -E \
-  -e "s|%%SIMPLE_CA_DIR%%|${SIMPLE_CA_DIR}|" \
   -e "s|%%CA_CRT%%|${CA_CRT}|" \
   -e "s|%%CA_KEY%%|${CA_KEY}|" \
   /etc/ssl/openssl.cnf
@@ -74,22 +73,22 @@ export CA_CRT CA_KEY CA_KEY_PWD_FILE
 if [ -e /run/secrets/ca_server.pem ]; then
   : ${SERVER_CRT:=/run/secrets/ca_server.pem}
 else
-  : ${SERVER_CRT:=${SIMPLE_CA_DIR}/secrets/ca_server.pem}
+  : ${SERVER_CRT:=/var/lib/simple-ca/secrets/ca_server.pem}
 fi
 
 # Default server private key file location
 if [ -e /run/secrets/ca_server_key.pem ]; then
   : ${SERVER_KEY:=/run/secrets/ca_server_key.pem}
 else
-  : ${SERVER_KEY:=${SIMPLE_CA_DIR}/secrets/ca_server_key.pem}
+  : ${SERVER_KEY:=/var/lib/simple-ca/secrets/ca_server_key.pem}
 fi
 
 # NOTE: lighttpd does not support server private key passphrase
 # # Default server private key passphrase file location
 # if [ -e /run/secrets/ca_server_key.pwd ]; then
 #   : ${SERVER_KEY_PWD_FILE:=/run/secrets/ca_server_key.pwd}
 # else
-#   : ${SERVER_KEY_PWD_FILE:=${SIMPLE_CA_DIR}/secrets/ca_server_key.pwd}
+#   : ${SERVER_KEY_PWD_FILE:=/var/lib/simple-ca/secrets/ca_server_key.pwd}
 # fi
 #
 # # Server private key passphrase

docker-entrypoint.d/40-server-certs.sh

@@ -4,15 +4,15 @@ debug0 "Processing $(basename ${DOCKER_ENTRYPOINT:-$0})"
 
 ################################################################################
 # Initialize CA's directory
-if [ ! -e ${SIMPLE_CA_DIR}/serial ]; then
-  info "Initializing CA directory ${SIMPLE_CA_DIR}"
-  mkdir -p ${SIMPLE_CA_DIR}/newcerts ${SIMPLE_CA_DIR}/secrets
-  touch ${SIMPLE_CA_DIR}/index
+if [ ! -e /var/lib/simple-ca/serial ]; then
+  info "Initializing CA directory /var/lib/simple-ca"
+  mkdir -p /var/lib/simple-ca/newcerts /var/lib/simple-ca/secrets
+  touch /var/lib/simple-ca/index
   if [ -e ${SERVER_CRT} ]; then
     # SERVER_CRT has serial number 01, start from 02
-    echo -n "02" > ${SIMPLE_CA_DIR}/serial
+    echo -n "02" > /var/lib/simple-ca/serial
   else
-    echo -n "01" > ${SIMPLE_CA_DIR}/serial
+    echo -n "01" > /var/lib/simple-ca/serial
   fi
 fi
 
@@ -65,8 +65,8 @@ if [ ! -e "${SERVER_CRT}" ]; then
     -keyout "${SERVER_KEY}" |
   env \
     PATH_INFO="/sign" \
-    QUERY_STRING="dn=${SERVER_CRT_SUBJECT}&dns=${SERVER_CRT_NAMES}&ip=${SERVER_CRT_IP}&oid=${SERVER_CRT_OID}" \
-  ${LIGHTTPD_DIR}/simple-ca.cgi |
+    QUERY_STRING="dn=${SERVER_CRT_SUBJECT}&dns=${SERVER_CRT_NAMES}&ip=${SERVER_CRT_IP}&rid=${SERVER_CRT_RID}" \
+  /var/www/simple-ca.cgi |
   egrep -v "^(HTTP/.*|Content-Type:.*|)$" > ${SERVER_CRT}
   cat ${SERVER_KEY} >> ${SERVER_CRT}
   chmod o-rwx ${SERVER_CRT}
@@ -88,7 +88,5 @@ fi
 
 ################################################################################
 # Set permissions
-if [ -n "${DOCKER_USER}" ]; then
-  chown -R ${DOCKER_USER}:${DOCKER_USER} ${SIMPLE_CA_DIR} ${SERVER_USER_DB}
-fi
-chmod -R o-rwx ${SIMPLE_CA_DIR} ${SERVER_USER_DB}
+chown -R lighttpd:lighttpd /var/lib/simple-ca ${SERVER_USER_DB}
+chmod -R o-rwx /var/lib/simple-ca ${SERVER_USER_DB}

spec/docker/10_docker_image_spec.rb

@@ -0,0 +1,39 @@
+# encoding: UTF-8
+require "docker_helper"
+
+describe "Package" do
+  [
+    "bash",
+    "curl",
+    "jq",
+    "libressl",
+    "lighttpd",
+    "lighttpd-mod_auth",
+  ].each do |package|
+    context package do
+      it "is installed" do
+        expect(package(package)).to be_installed
+      end
+    end
+  end
+end
+
+describe "Docker entrypoint file" do
+  context "/docker-entrypoint.sh" do
+    it "has set permissions" do
+      expect(file("/docker-entrypoint.sh")).to exist
+      expect(file("/docker-entrypoint.sh")).to be_executable
+    end
+  end
+  [
+    "/docker-entrypoint.d/30-environment-certs.sh",
+    "/docker-entrypoint.d/40-server-certs.sh",
+  ].each do |file|
+    context file do
+      it "exists" do
+        expect(file(file)).to exist
+        expect(file(file)).to be_readable
+      end
+    end
+  end
+end

spec/docker/20_web_server_spec.rb

@@ -0,0 +1,71 @@
+# encoding: UTF-8
+require "docker_helper"
+
+describe "Web server" do
+
+  context "configuration file" do
+    [
+      "/etc/lighttpd/lighttpd.conf",
+      "/etc/lighttpd/logs.conf",
+      "/etc/lighttpd/server.conf",
+      "/etc/ssl/openssl.cnf",
+    ].each do |file|
+      context file do
+        it "exists" do
+          expect(file(file)).to exist
+          expect(file(file)).to be_readable.by_user("lighttpd")
+        end
+      end
+    end
+  end
+
+  context "user 'lighttpd'" do
+    it "has uid 1000" do
+      expect(user("lighttpd")).to exist
+      expect(user("lighttpd")).to have_uid(1000)
+    end
+    it "belongs to primary group 'lighttpd'" do
+      expect(user("lighttpd")).to belong_to_primary_group "lighttpd"
+    end
+  end
+
+  context "group 'lighttpd'" do
+    it "has gid 1000" do
+      expect(group("lighttpd")).to exist
+      expect(group("lighttpd")).to have_gid(1000)
+    end
+  end
+
+  context "server certificate" do
+    key = "/var/lib/simple-ca/secrets/ca_server.pem"
+    crt = "/var/lib/simple-ca/secrets/ca_server.pem"
+    it "has set permissions" do
+      expect(file(key)).to be_owned_by("lighttpd")
+      expect(file(key)).to be_grouped_into("lighttpd")
+      expect(file(key)).not_to be_readable.by("others")
+      # crt and key are the same file
+      # expect(file(crt)).to be_owned_by("lighttpd")
+      # expect(file(crt)).to be_grouped_into("lighttpd")
+      # expect(file(crt)).not_to be_readable.by("others")
+    end
+    it "is valid" do
+      expect(x509_private_key(key)).to be_valid
+      expect(x509_certificate(crt)).to be_certificate
+      expect(x509_certificate(crt)).to be_valid
+      expect(x509_certificate(crt).subject).to eq "/CN=sicz_simple_ca"
+      expect(x509_certificate(crt).issuer).to eq "/CN=Docker Simple CA"
+      expect(x509_certificate(crt).validity_in_days).to be > 3650
+      expect(x509_certificate(crt).subject_alt_names).to include "DNS:localhost"
+      expect(x509_certificate(crt).subject_alt_names).to include "IP Address:127.0.0.1"
+      expect(x509_private_key(key)).to have_matching_certificate(crt)
+    end
+  end
+
+  context "daemon" do
+    it "is listening on TCP port 443" do
+      expect(process("lighttpd")).to be_running
+      expect(port(80)).not_to be_listening.with("tcp")
+      expect(port(443)).to be_listening.with("tcp")
+    end
+  end
+end