Merge remote-tracking branch 'origin/dev-2.2' into dev-2.2

# Conflicts:
#	build
#	src/RESTAPI_handler.cpp
#	src/RESTAPI_handler.h
#	src/RESTAPI_system_command.cpp

Dockerfile

@@ -46,13 +46,17 @@ RUN addgroup -S "$UCENTRALSEC_USER" && \
     adduser -S -G "$UCENTRALSEC_USER" "$UCENTRALSEC_USER"
 
 RUN mkdir /ucentral
-RUN mkdir -p "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG"
-RUN apk add --update --no-cache librdkafka mariadb-connector-c libpq unixodbc su-exec
-
+RUN mkdir -p "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG" && \
+    chown "$UCENTRALSEC_USER": "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG"
+RUN apk add --update --no-cache librdkafka mariadb-connector-c libpq unixodbc su-exec gettext ca-certificates
 COPY --from=builder /ucentralsec/cmake-build/ucentralsec /ucentral/ucentralsec
 COPY --from=builder /cppkafka/cmake-build/src/lib/* /lib/
 COPY --from=builder /poco/cmake-build/lib/* /lib/
+
+COPY ucentralsec.properties.tmpl ${UCENTRALSEC_CONFIG}/
 COPY docker-entrypoint.sh /
+RUN wget https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentral-deploy/main/docker-compose/certs/restapi-ca.pem \
+    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
 
 EXPOSE 16001 17001 16101
 

docker-entrypoint.sh

@@ -1,6 +1,50 @@
 #!/bin/sh
 set -e
 
+if [ "$SELFSIGNED_CERTS" = 'true' ]; then
+    update-ca-certificates
+fi
+
+if [[ "$TEMPLATE_CONFIG" = 'true' && ! -f "$UCENTRALSEC_CONFIG"/ucentralsec.properties ]]; then
+  RESTAPI_HOST_ROOTCA=${RESTAPI_HOST_ROOTCA:-"\$UCENTRALSEC_ROOT/certs/restapi-ca.pem"} \
+  RESTAPI_HOST_PORT=${RESTAPI_HOST_PORT:-"16001"} \
+  RESTAPI_HOST_CERT=${RESTAPI_HOST_CERT:-"\$UCENTRALSEC_ROOT/certs/restapi-cert.pem"} \
+  RESTAPI_HOST_KEY=${RESTAPI_HOST_KEY:-"\$UCENTRALSEC_ROOT/certs/restapi-key.pem"} \
+  RESTAPI_HOST_KEY_PASSWORD=${RESTAPI_HOST_KEY_PASSWORD:-"mypassword"} \
+  RESTAPI_WWWASSETS=${RESTAPI_WWWASSETS:-"\$UCENTRALSEC_ROOT/wwwassets"} \
+  INTERNAL_RESTAPI_HOST_ROOTCA=${INTERNAL_RESTAPI_HOST_ROOTCA:-"\$UCENTRALSEC_ROOT/certs/restapi-ca.pem"} \
+  INTERNAL_RESTAPI_HOST_PORT=${INTERNAL_RESTAPI_HOST_PORT:-"17001"} \
+  INTERNAL_RESTAPI_HOST_CERT=${INTERNAL_RESTAPI_HOST_CERT:-"\$UCENTRALSEC_ROOT/certs/restapi-cert.pem"} \
+  INTERNAL_RESTAPI_HOST_KEY=${INTERNAL_RESTAPI_HOST_KEY:-"\$UCENTRALSEC_ROOT/certs/restapi-key.pem"} \
+  INTERNAL_RESTAPI_HOST_KEY_PASSWORD=${INTERNAL_RESTAPI_HOST_KEY_PASSWORD:-"mypassword"} \
+  AUTHENTICATION_DEFAULT_USERNAME=${AUTHENTICATION_DEFAULT_USERNAME:-"tip@ucentral.com"} \
+  AUTHENTICATION_DEFAULT_PASSWORD=${AUTHENTICATION_DEFAULT_PASSWORD:-"13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf"} \
+  SYSTEM_DATA=${SYSTEM_DATA:-"\$UCENTRALSEC_ROOT/data"} \
+  SYSTEM_URI_PRIVATE=${SYSTEM_URI_PRIVATE:-"https://localhost:17001"} \
+  SYSTEM_URI_PUBLIC=${SYSTEM_URI_PUBLIC:-"https://localhost:16001"} \
+  SYSTEM_URI_UI=${SYSTEM_URI_UI:-"http://localhost"} \
+  SERVICE_KEY=${SERVICE_KEY:-"\$UCENTRALSEC_ROOT/certs/restapi-key.pem"} \
+  SERVICE_KEY_PASSWORD=${SERVICE_KEY_PASSWORD:-"mypassword"} \
+  MAILER_HOSTNAME=${MAILER_HOSTNAME:-"smtp.gmail.com"} \
+  MAILER_USERNAME=${MAILER_USERNAME:-"************************"} \
+  MAILER_PASSWORD=${MAILER_PASSWORD:-"************************"} \
+  MAILER_PORT=${MAILER_PORT:-"587"} \
+  KAFKA_ENABLE=${KAFKA_ENABLE:-"true"} \
+  KAFKA_BROKERLIST=${KAFKA_BROKERLIST:-"localhost:9092"} \
+  STORAGE_TYPE=${STORAGE_TYPE:-"sqlite"} \
+  STORAGE_TYPE_POSTGRESQL_HOST=${STORAGE_TYPE_POSTGRESQL_HOST:-"localhost"} \
+  STORAGE_TYPE_POSTGRESQL_USERNAME=${STORAGE_TYPE_POSTGRESQL_USERNAME:-"ucentralsec"} \
+  STORAGE_TYPE_POSTGRESQL_PASSWORD=${STORAGE_TYPE_POSTGRESQL_PASSWORD:-"ucentralsec"} \
+  STORAGE_TYPE_POSTGRESQL_DATABASE=${STORAGE_TYPE_POSTGRESQL_DATABASE:-"ucentralsec"} \
+  STORAGE_TYPE_POSTGRESQL_PORT=${STORAGE_TYPE_POSTGRESQL_PORT:-"5432"} \
+  STORAGE_TYPE_MYSQL_HOST=${STORAGE_TYPE_MYSQL_HOST:-"localhost"} \
+  STORAGE_TYPE_MYSQL_USERNAME=${STORAGE_TYPE_MYSQL_USERNAME:-"ucentralsec"} \
+  STORAGE_TYPE_MYSQL_PASSWORD=${STORAGE_TYPE_MYSQL_PASSWORD:-"ucentralsec"} \
+  STORAGE_TYPE_MYSQL_DATABASE=${STORAGE_TYPE_MYSQL_DATABASE:-"ucentralsec"} \
+  STORAGE_TYPE_MYSQL_PORT=${STORAGE_TYPE_MYSQL_PORT:-"3306"} \
+  envsubst < $UCENTRALSEC_CONFIG/ucentralsec.properties.tmpl > $UCENTRALSEC_CONFIG/ucentralsec.properties
+fi
+
 if [ "$1" = '/ucentral/ucentralsec' -a "$(id -u)" = '0' ]; then
     if [ "$RUN_CHOWN" = 'true' ]; then
       chown -R "$UCENTRALSEC_USER": "$UCENTRALSEC_ROOT" "$UCENTRALSEC_CONFIG"

helm/Chart.yaml

@@ -1,5 +1,18 @@
-apiVersion: v1
+apiVersion: v2
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: ucentralsec
 version: 0.1.0
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 10.9.2
+  condition: postgresql.enabled
+- name: mysql
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.8.3
+  condition: mysql.enabled
+- name: mariadb
+  repository: https://charts.bitnami.com/bitnami
+  version: 9.4.2
+  condition: mariadb.enabled

helm/values.yaml

@@ -214,3 +214,64 @@ certs:
   # restapi-ca.pem: ""
   # restapi-cert.pem: ""
   # restapi-key.pem: ""
+
+# PostgreSQL (https://github.com/bitnami/charts/tree/master/bitnami/postgresql)
+postgresql:
+  enabled: false
+
+  image:
+    registry: docker.io
+    repository: bitnami/postgresql
+    tag: 11.13.0-debian-10-r0
+
+  postgresqlPostgresPassword: ""
+  postgresqlUsername: postgres
+  postgresqlPassword: ""
+  postgresqlDatabase: ""
+
+  persistence:
+    enabled: true
+    storageClass: ""
+    size: 8Gi
+
+# MySQL (https://github.com/bitnami/charts/tree/master/bitnami/mysql)
+mysql:
+  enabled: false
+
+  image:
+    registry: docker.io
+    repository: bitnami/mysql
+    tag: 8.0.26-debian-10-r10
+
+  auth:
+    rootPassword: ""
+    database: my_database
+    username: ""
+    password: ""
+
+  primary:
+    persistence:
+      enabled: true
+      storageClass: ""
+      size: 8Gi
+
+# MariaDB (https://github.com/bitnami/charts/tree/master/bitnami/mariadb)
+mariadb:
+  enabled: false
+
+  image:
+    registry: docker.io
+    repository: bitnami/mariadb
+    tag: 10.5.12-debian-10-r0
+
+  auth:
+    rootPassword: ""
+    database: my_database
+    username: ""
+    password: ""
+
+  primary:
+    persistence:
+      enabled: true
+      storageClass: ""
+      size: 8Gi

ucentralsec.properties.tmpl

@@ -0,0 +1,145 @@
+#
+# uCentral protocol server for devices. This is where you point
+# all your devices. You can replace the * for address by the specific
+# address of one of your interfaces
+#
+
+#
+# REST API access
+#
+ucentral.restapi.host.0.backlog = 100
+ucentral.restapi.host.0.security = relaxed
+ucentral.restapi.host.0.rootca = ${RESTAPI_HOST_ROOTCA}
+ucentral.restapi.host.0.address = *
+ucentral.restapi.host.0.port = ${RESTAPI_HOST_PORT}
+ucentral.restapi.host.0.cert = ${RESTAPI_HOST_CERT}
+ucentral.restapi.host.0.key = ${RESTAPI_HOST_KEY}
+ucentral.restapi.host.0.key.password = ${RESTAPI_HOST_KEY_PASSWORD}
+ucentral.restapi.wwwassets = ${RESTAPI_WWWASSETS}
+
+ucentral.internal.restapi.host.0.backlog = 100
+ucentral.internal.restapi.host.0.security = relaxed
+ucentral.internal.restapi.host.0.rootca = ${INTERNAL_RESTAPI_HOST_ROOTCA}
+ucentral.internal.restapi.host.0.address = *
+ucentral.internal.restapi.host.0.port = ${INTERNAL_RESTAPI_HOST_PORT}
+ucentral.internal.restapi.host.0.cert = ${INTERNAL_RESTAPI_HOST_CERT}
+ucentral.internal.restapi.host.0.key = ${INTERNAL_RESTAPI_HOST_KEY}
+ucentral.internal.restapi.host.0.key.password = ${INTERNAL_RESTAPI_HOST_KEY_PASSWORD}
+
+#
+# Generic section that all microservices must have
+#
+authentication.enabled = true
+authentication.default.username = ${AUTHENTICATION_DEFAULT_USERNAME}
+authentication.default.password = ${AUTHENTICATION_DEFAULT_PASSWORD}
+ucentral.system.data = ${SYSTEM_DATA}
+ucentral.system.uri.private = ${SYSTEM_URI_PRIVATE}
+ucentral.system.uri.public = ${SYSTEM_URI_PUBLIC}
+ucentral.system.uri.ui = ${SYSTEM_URI_UI}
+ucentral.system.commandchannel = /tmp/app.ucentralsec
+ucentral.service.key = ${SERVICE_KEY}
+ucentral.service.key.password = ${SERVICE_KEY_PASSWORD}
+
+#
+# Security Microservice Specific Section
+#
+mailer.hostname = ${MAILER_HOSTNAME}
+mailer.username = ${MAILER_USERNAME}
+mailer.password = ${MAILER_PASSWORD}
+mailer.loginmethod = login
+mailer.port = ${MAILER_PORT}
+mailer.templates = $UCENTRALSEC_ROOT/templates
+
+
+#############################
+# Generic information for all micro services
+#############################
+#
+# NLB Support
+#
+alb.enable = true
+alb.port = 16101
+
+#
+# Kafka
+#
+ucentral.kafka.group.id = security
+ucentral.kafka.client.id = security1
+ucentral.kafka.enable = ${KAFKA_ENABLE}
+ucentral.kafka.brokerlist = ${KAFKA_BROKERLIST}
+ucentral.kafka.auto.commit = false
+ucentral.kafka.queue.buffering.max.ms = 50
+
+ucentral.document.policy.access = /wwwassets/access_policy.html
+ucentral.document.policy.password = /wwwassets/password_policy.html
+ucentral.avatar.maxsize = 2000000
+#
+# This section select which form of persistence you need
+# Only one selected at a time. If you select multiple, this service will die if a horrible
+# death and might make your beer flat.
+#
+storage.type = ${STORAGE_TYPE}
+
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = ${STORAGE_TYPE_POSTGRESQL_HOST}
+storage.type.postgresql.username = ${STORAGE_TYPE_POSTGRESQL_USERNAME}
+storage.type.postgresql.password = ${STORAGE_TYPE_POSTGRESQL_PASSWORD}
+storage.type.postgresql.database = ${STORAGE_TYPE_POSTGRESQL_DATABASE}
+storage.type.postgresql.port = ${STORAGE_TYPE_POSTGRESQL_PORT}
+storage.type.postgresql.connectiontimeout = 60
+
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = ${STORAGE_TYPE_MYSQL_HOST}
+storage.type.mysql.username = ${STORAGE_TYPE_MYSQL_USERNAME}
+storage.type.mysql.password = ${STORAGE_TYPE_MYSQL_PASSWORD}
+storage.type.mysql.database = ${STORAGE_TYPE_MYSQL_DATABASE}
+storage.type.mysql.port = ${STORAGE_TYPE_MYSQL_PORT}
+storage.type.mysql.connectiontimeout = 60
+
+
+########################################################################
+########################################################################
+#
+# Logging: please leave as is for now.
+#
+########################################################################
+logging.formatters.f1.class = PatternFormatter
+logging.formatters.f1.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
+logging.formatters.f1.times = UTC
+logging.channels.c1.class = ConsoleChannel
+logging.channels.c1.formatter = f1
+
+# This is where the logs will be written. This path MUST exist
+logging.channels.c2.class = FileChannel
+logging.channels.c2.path = $UCENTRALSEC_ROOT/logs/log
+logging.channels.c2.formatter.class = PatternFormatter
+logging.channels.c2.formatter.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
+logging.channels.c2.rotation = 20 M
+logging.channels.c2.archive = timestamp
+logging.channels.c2.purgeCount = 20
+logging.channels.c3.class = ConsoleChannel
+logging.channels.c3.pattern = %s: [%p] %t
+
+# External Channel
+logging.loggers.root.channel = c1
+logging.loggers.root.level = debug
+
+# Inline Channel with PatternFormatter
+# logging.loggers.l1.name = logger1
+# logging.loggers.l1.channel.class = ConsoleChannel
+# logging.loggers.l1.channel.pattern = %s: [%p] %t
+# logging.loggers.l1.level = information
+# SplitterChannel
+# logging.channels.splitter.class = SplitterChannel
+# logging.channels.splitter.channels = l1,l2
+# logging.loggers.l2.name = logger2
+# logging.loggers.l2.channel = splitter
+
+
+