Merge pull request #3228 from fhanik/pr/ldap-as-part-of-docker

Add a docker service using openldap/slapd
cloudfoundry · Jan 16, 2025 · 4977728 · 4977728
2 parents d979329 + 860ed17
commit 4977728
Show file tree

Hide file tree

Showing 17 changed files with 626 additions and 176 deletions.
diff --git a/.gitignore b/.gitignore
@@ -41,4 +41,9 @@ uaa/slate/node_modules/**/*
 uaa/slateCustomizations/source/versionfile
 
 ci/dockerfile/Dockerfile
-logs/**
+logs/**
+
+# generated certificates
+scripts/certificates/*.key
+scripts/certificates/*.crt
+scripts/certificates/tmp/**
diff --git a/build.gradle b/build.gradle
@@ -213,6 +213,10 @@ cargo {
         } else if (activeSpringProfiles.contains("debug") || Boolean.valueOf(System.getProperty("xdebug"))) {
             jvmArgs = String.format("%s -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005", jvmArgs)
         }
+        String tlsDebug = System.getProperty("javax.net.debug");
+        if (tlsDebug?.trim()) {
+            jvmArgs = String.format("%s -Djavax.net.debug=%s", jvmArgs, tlsDebug)
+        }
 
         if (Boolean.valueOf(System.getProperty("xcoveragerun"))) {
             copy {

diff --git a/scripts/certificates/generate.sh b/scripts/certificates/generate.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+set -e
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+TMP_DIR=${SCRIPT_DIR}/tmp
+
+pushd $SCRIPT_DIR
+
+  # Clean up old data
+  rm -f *.key
+  rm -f *.crt
+  rm -rf ${TMP_DIR}
+  mkdir -p ${TMP_DIR}
+
+  # Create a random passphrase for the private key
+  echo -e "${GREEN}Generating passphrase for private keys${NC}"
+  openssl rand -base64 48 > ${TMP_DIR}/privateKey.passphrase
+
+  # Generate CA private key
+  echo -e "${GREEN}Generating CA private key: ${RED}CA.key${NC}"
+  openssl genrsa -des3 -passout file:${TMP_DIR}/privateKey.passphrase -out CA.key 4096
+  # Remove Passphrase from Key
+  cp CA.key ${TMP_DIR}/CA-original.key
+  openssl rsa -in ${TMP_DIR}/CA-original.key -passin file:${TMP_DIR}/privateKey.passphrase -out CA.key
+  rm -f ${TMP_DIR}/CA-original.key
+
+  # Generate CA certificate in PEM format
+  echo -e "${GREEN}Generating CA certificate: ${RED}CA.crt${NC}"
+  openssl req -x509 -new -nodes -key CA.key -sha256 -days 3650 -out CA.crt \
+    -subj "/C=US/ST=WA/L=Vancouver/O=Tanzu/OU=AppSSP/CN=localhost"
+
+  # Generate server key and signing request
+  echo -e "${GREEN}Generating a server private key: ${RED}server.key${NC}"
+  openssl req -new -nodes -sha256 -out ${TMP_DIR}/server.csr -keyout server.key -newkey rsa:4096 \
+    -subj "/C=US/ST=WA/L=Vancouver/O=Tanzu/OU=AppSSP/CN=localhost"
+
+  # Generate signing config
+
+  cat > ${TMP_DIR}/CA.conf <<EOL
+[ ca ]
+default_ca = ca_default
+[ ca_default ]
+certs = $TMP_DIR
+new_certs_dir = $TMP_DIR/ca.db.certs
+database = $TMP_DIR/ca.db.index
+serial = $TMP_DIR/ca.db.serial
+RANDFILE = $TMP_DIR/ca.db.rand
+certificate = $TMP_DIR/CA.crt
+private_key = $TMP_DIR/CA.key
+default_days = 3650
+default_crl_days = 30
+default_md = sha256
+preserve = no
+policy = generic_policy
+[ generic_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+commonName = Common Name
+commonName_max = 64
+
+[v3_req]
+basicConstraints = critical,CA:TRUE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+EOL
+
+  # Create openssl certificate database
+  mkdir ${TMP_DIR}/ca.db.certs
+  touch ${TMP_DIR}/ca.db.index
+  echo "1234" > ${TMP_DIR}/ca.db.serial
+
+  # sign the server certificate
+  echo -e "${GREEN}Generating a signed server certificate: ${RED}server.crt${NC}"
+  openssl ca -batch -config ${TMP_DIR}/CA.conf -out server.crt -notext -days 3650 -in ${TMP_DIR}/server.csr -keyfile CA.key -extensions v3_req -cert CA.crt
+
+  # Delete the temporary data
+  rm -rf ${TMP_DIR}
+
+  chmod og+r server.key
+  chmod og+r server.crt
+  chmod og+r CA.key
+  chmod og+r CA.crt
+
+  echo -e "${GREEN}Certificates are ready: ${NC}"
+  echo -e "\t${GREEN}Server Certificate: ${RED}server.crt${NC}"
+  echo -e "\t${GREEN}Server Key        : ${RED}server.key${NC}"
+  echo -e "\t${GREEN}CA Certificate    : ${RED}CA.crt${NC}"
+  echo -e "\t${GREEN}CA Key            : ${RED}CA.key${NC}"
+popd
diff --git a/scripts/docker-compose.yml b/scripts/docker-compose.yml
@@ -1,7 +1,7 @@
 name: uaa
 
 services:
-  postgres:
+  postgresql:
     image: "postgres:15"
     ports:
       - 5432:5432
@@ -33,22 +33,19 @@ services:
       - TZ=${TZ}
     command:
       - --sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION,PAD_CHAR_TO_FULL_LENGTH
+
   openldap:
-    image: docker.io/bitnami/openldap:2.6
+    build:
+      context: .
+      dockerfile: ldap/Dockerfile
     ports:
-      - '389:1389'
-      - '636:1636'
-    # docs of these env vars: https://github.com/bitnami/containers/tree/2724f9cd02b3b4e7986a1e2a0b0b30af3737bbd2/bitnami/openldap#configuration
-    environment:
-      - LDAP_ROOT=dc=test,dc=com
-      - LDAP_ADMIN_USERNAME=admin
-      - LDAP_ADMIN_PASSWORD=password
-      - LDAP_USERS=user01,user02
-      - LDAP_PASSWORDS=password1,password2
-      - LDAP_GROUP=some-ldap-group
+      - '389:389'
+      - '636:636'
+    entrypoint: [ "/bin/bash", "-c" ]
+    command:
+      - "/uaa/ldap/ldap-start-and-populate.sh"
+    tty: true
     volumes:
-      - 'openldap_data:/bitnami/openldap'
+      - ./ldap:/uaa/ldap/
+      - ./certificates:/uaa/certificates/
 
-volumes:
-  openldap_data:
-    driver: local
diff --git a/scripts/integration-tests.sh b/scripts/integration-tests.sh
@@ -20,8 +20,8 @@ bootDB "${DB}"
 
 pushd $(dirname $DIR)
   /etc/init.d/slapd start
-  ldapadd -Y EXTERNAL -H ldapi:/// -f ./uaa/src/test/resources/ldap_db_init.ldif
-  ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f ./uaa/src/test/resources/ldap_init.ldif
+  ldapadd -Y EXTERNAL -H ldapi:/// -f ./scripts/ldap/ldap_slapd_schema.ldif
+  ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f ./scripts/ldap/ldap_slapd_data.ldif
   readonly assembleCode="./gradlew '-Dspring.profiles.active=${TESTENV}' \
             '-Djava.security.egd=file:/dev/./urandom' \
             assemble \

diff --git a/scripts/ldap/Dockerfile b/scripts/ldap/Dockerfile
@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+STOPSIGNAL SIGQUIT
+
+SHELL ["/bin/bash", "-xo", "pipefail", "-c"]
+
+# Generate locale C.UTF-8
+ENV LANG=C.UTF-8
+ENV TZ=UTC
+
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy update
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install slapd ldap-utils
+RUN DEBIAN_FRONTEND=noninteractive apt-get -qy install libssl-dev ca-certificates
+
+RUN mkdir -p /uaa/ldap/
+RUN mkdir -p /uaa/certificates/
+
+STOPSIGNAL SIGQUIT
diff --git a/scripts/ldap/docker-compose.yml b/scripts/ldap/docker-compose.yml
diff --git a/scripts/ldap/docker-confirm-ldapquery.sh b/scripts/ldap/docker-confirm-ldapquery.sh
@@ -6,10 +6,10 @@ set -e
 
 echo ==================================GET all userApplication attributes using anonymous bind=============================================
 
-ldapsearch -vvv -x -L -H ldap://localhost -b dc=test,dc=com
+LDAPTLS_REQCERT=never ldapsearch -vvv -x -L -H ldaps://localhost -b dc=test,dc=com
 
 echo =====================================Bind with Admin and Seach for user01==========================================
 
-ldapsearch -vvv -x -L -H ldap://localhost -b dc=test,dc=com -D "cn=admin,dc=test,dc=com" -w password "(cn=user01)"
+LDAPTLS_REQCERT=never ldapsearch -vvv -x -L -H ldaps://localhost -b dc=test,dc=com -D "cn=admin,dc=test,dc=com" -w password "(cn=user01)"
 
 echo -e "\n*********** SUCCESS"
diff --git a/scripts/ldap/install-ldap.sh b/scripts/ldap/install-ldap.sh
@@ -1,7 +1,11 @@
 #!/bin/bash
 
+## TODO - remove this script. The ../docker-compose.yml has a container with the same setup
+
 set -e
 
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
 cd `dirname $0`/../..
 
 sudo apt-get -qy purge slapd ldap-utils
@@ -49,5 +53,5 @@ olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem" > /etc/ssl/cert
 
 fi
 
-sudo ldapadd -Y EXTERNAL -H ldapi:/// -f uaa/src/test/resources/ldap_db_init.ldif
-sudo ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f uaa/src/test/resources/ldap_init.ldif
+sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ${SCRIPT_DIR}/ldap_slapd_schema.ldif
+sudo ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f ${SCRIPT_DIR}/ldap_slapd_data.ldif
diff --git a/scripts/ldap/ldap-start-and-populate.sh b/scripts/ldap/ldap-start-and-populate.sh
@@ -0,0 +1,104 @@
+#!/bin/bash
+
+# Used by ../docker-compose.yml
+set -e
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+
+LDAP_TLS_CHK=/tmp/ldap-tls-run-once
+LDAP_SCHEMA_CHK=/tmp/ldap-schema-run-once
+
+function restart_ldap() {
+  ### service slapd restart|stop doesn't kill the slapd daemon
+  pid=$(pgrep slapd || echo "0")
+  if [[ "$pid" -gt "0" ]]; then
+    echo "Sending QUIT signal to slapd"
+    kill -3 $pid
+    sleep 1
+    pid=$(pgrep slapd || echo "0")
+    if [[ "$pid" == "0" ]]; then
+      echo "slapd stop [OK]"
+    else
+      echo "slapd stop [ERROR]"
+      kill -9 $pid
+    fi
+  fi
+  service slapd start
+}
+
+function generate_certs_if_needed() {
+  if
+    [ ! -f /uaa/certificates/server.crt ] ||
+    [ ! -f /uaa/certificates/server.key ] ||
+    [ ! -f /uaa/certificates/CA.crt ] ||
+    [ ! -f /uaa/certificates/CA.key ]; then
+    /uaa/certificates/generate.sh
+  fi
+}
+
+function configure_slapd_tls() {
+  cp /uaa/certificates/CA.key /etc/ldap/sasl2/
+  cp /uaa/certificates/CA.crt /etc/ldap/sasl2/
+  cp /uaa/certificates/server.crt /etc/ldap/sasl2/
+  cp /uaa/certificates/server.key /etc/ldap/sasl2/
+  cp /etc/ssl/certs/ca-certificates.crt /etc/ldap/sasl2/
+  cat /etc/ldap/sasl2/CA.crt >> /etc/ldap/sasl2/ca-certificates.crt
+  chown -R openldap:openldap /etc/ldap/sasl2
+
+  echo "dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/sasl2/ca-certificates.crt
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/sasl2/server.crt
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/sasl2/server.key" > /etc/ldap/sasl2/uaa-certinfo.ldif
+  ## TODO start LDAP server here
+  restart_ldap
+  echo "Adding LDAP Certs"
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/sasl2/uaa-certinfo.ldif
+  echo "LDAP Certs added"
+  sed -i "s/^SLAPD_SERVICES.*/SLAPD_SERVICES=\"ldap\:\/\/\/ ldapi\:\/\/\/ ldaps\:\/\/\/\"/g" /etc/default/slapd
+  sed -i "s/^TLS/\#TLS/g" /etc/ldap/ldap.conf
+  echo "TLS_CACERT /etc/ldap/sasl2/ca-certificates.crt
+TLS_REQCERT allow
+" >> /etc/ldap/ldap.conf
+  restart_ldap
+}
+
+if [ ! -f ${LDAP_SCHEMA_CHK} ]; then
+  generate_certs_if_needed
+  configure_slapd_tls
+  touch ${LDAP_TLS_CHK}
+fi
+
+echo "LDAP server Status:"
+service slapd status || true
+
+if [ ! -f ${LDAP_SCHEMA_CHK} ]; then
+  echo "Starting LDAP server."
+  restart_ldap
+  echo "Creating LDAP schema."
+  ldapadd -Y EXTERNAL -H ldapi:/// -f $SCRIPT_DIR/ldap_slapd_schema.ldif
+  echo "Populating LDAP database entries."
+  ldapadd -x -D 'cn=admin,dc=test,dc=com' -w password -f $SCRIPT_DIR/ldap_slapd_data.ldif
+  touch ${LDAP_SCHEMA_CHK}
+else
+  echo "Starting LDAP server with existing data."
+  restart_ldap
+fi
+
+doExit() {
+  echo "Caught SIGTERM signal."
+  exit 0
+}
+
+trap doExit SIGINT SIGQUIT SIGTERM
+
+echo "LDAP server is READY"
+
+# Do not exit the container in docker compose
+while true; do
+    sleep 1
+done