[ FAB-3982 ] TLS dynamic certs for fabric-ca tests

Adds the tls_pki.sh script will exploit the existing pki tool to create an
RSA certificate hierarchy for TLS:
   rootCA (20-yr) FabricTlsRootCa 4096-bit
     |
     intermediateCA (10-yr) FabricTlsSubCa 4096-bit
       |
       resourceAuthorityCA (5-yr) FabricTlsRa 4096-bit
         |                          |
         server (2-yr) 2048-bit     client (2-yr) 2048-bit
         FabricTlsServerEE          FabricTlsClientEE

RSA was selected as the lowest common denominator since mysql does not
support EC keys.

The auth chain will be bundled into a single file for
easier configuration: FabricTlsPkiBundle.pem

All of the existing references to certfiles/keyfile in the TLS
configuration (and command line options) have been updated to use those
which are now dynamically generated when the docker image is built.

The crypto artifacts are created in /etc/hyperledger/fabric-ca/,
along with the ldif files and setup scripts. The certificate and
key files will be copied to each server's respctive directory
(or in the case of LDAP, added to the config's DIT).

Lastly, the Dockerfile has been optimized, as the server setup
steps have been moved to individual files. This should speep up
the builds and reduce the size of the image.

Change-Id: I192508cc34c4f8245d58741b6b0ff1d42dbe7109
Signed-off-by: rennman <eabailey@us.ibm.com>

Makefile

@@ -130,16 +130,16 @@ build/image/fabric-ca/payload: \
 build/image/fabric-ca-fvt/payload: \
 	build/docker/bin/fabric-ca-client \
 	build/docker/bin/fabric-ca-server \
-	images/fabric-ca-fvt/base.ldif \
-	images/fabric-ca-fvt/add-users.ldif \
-	images/fabric-ca-fvt/start.sh
+	build/fabric-ca-fvt.tar.bz2
 build/image/%/payload:
 	@echo "Copying $^ to $@"
 	mkdir -p $@
 	cp $^ $@
 
 build/fabric-ca.tar.bz2: $(shell git ls-files images/fabric-ca/payload)
 
+build/fabric-ca-fvt.tar.bz2: $(shell find images/fabric-ca-fvt/payload/ -maxdepth 1)
+
 build/%.tar.bz2:
 	@echo "Building $@"
 	@tar -jc -C images/$*/payload $(notdir $^) > $@

images/fabric-ca-fvt/Dockerfile.in

@@ -5,94 +5,47 @@
 #
 FROM hyperledger/fabric-baseimage:_BASE_TAG_
 
-ENV DEBIAN_FRONTEND noninteractive
-ENV PATH "/usr/local/go/bin/:${PATH}"
-ENV GOPATH "/opt/gopath"
-ENV PGDATA "/usr/local/pgsql/data/"
-ENV PGUSER "postgres"
-ENV PGPASSWORD "postgres"
-ENV PGVER _PGVER_
-ENV HOSTADDR "127.0.0.1"
-ENV LDAPPORT "389"
-ENV LDAPUSER "admin"
-ENV LDAPPASWD "adminpw"
+ENV PATH="/usr/local/go/bin/:${PATH}" \
+    DEBIAN_FRONTEND="noninteractive" \
+    GOPATH="/opt/gopath" \
+    PGDATA="/usr/local/pgsql/data/" \
+    PGUSER="postgres" \
+    PGPASSWORD="postgres" \
+    PGVER=_PGVER_ \
+    HOSTADDR="127.0.0.1" \
+    LDAPPORT="389" \
+    LDAPUSER="admin" \
+    LDAPPASWD="adminpw" \
+    FABRIC_CA_DATA=/etc/hyperledger/fabric-ca \
+    TLS_BUNDLE=FabricTlsPkiBundle.pem \
+    TLS_SERVER_CERT=FabricTlsServerEEcert.pem \
+    TLS_SERVER_KEY=FabricTlsServerEEkey.pem \
+    MYSQLDATA=/var/lib/mysql
+
+# setup scripts for slapd, postgres, mysql, and openssl
+ADD payload/fabric-ca-fvt.tar.bz2 $FABRIC_CA_DATA
+RUN chmod +x $FABRIC_CA_DATA/*sh
+RUN cd $FABRIC_CA_DATA
+RUN $FABRIC_CA_DATA/tls_pki.sh
 
 # Avoid ERROR:
 #   invoke-rc.d: policy-rc.d denied execution of start.
 RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d
 
-# Update system
-RUN apt-get -y update && apt-get -y install --no-install-recommends locales
-RUN sed -i -e 's/^[[:blank:]]*#[[:blank:]]*en_US.UTF-8[[:blank:]]*UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
-RUN printf "LANG=en_US.UTF-8\nLANGUAGE=en_US.UTF-8\n" > /etc/default/locale
-RUN dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8
-
-# Install more test depedencies
-RUN echo "mysql-server mysql-server/root_password password mysql" | debconf-set-selections
-RUN echo "mysql-server mysql-server/root_password_again password mysql" | debconf-set-selections
-RUN apt-get -y install --no-install-recommends rsyslog bc vim lsof sqlite3 haproxy postgresql-$PGVER \
-                       postgresql-client-common postgresql-contrib-$PGVER isag jq git html2text \
-                       debconf-utils zsh htop python2.7-minimal libpython2.7-stdlib \
-                       mysql-client  mysql-common mysql-server
-RUN apt-get -y autoremove
-
-# Configure rsyslog
-  # Include the imudp modules (syslog messages via UDP) by uncommenting
-RUN sed -i 's/^[[:blank:]]*#\([[:blank:]]*.*imudp.*\)/\1/' /etc/rsyslog.conf
-RUN rm /etc/rsyslog.d/*haproxy*conf
-RUN printf "local2.*    /var/log/haproxy.log\n& ~\n" > /etc/rsyslog.d/haproxy.conf
-
-# Configure and start postgres
-RUN echo $PGUSER:$PGUSER | chpasswd
-RUN mkdir -p $PGDATA && chown postgres:postgres $PGDATA
-RUN su $PGUSER -c "/usr/lib/postgresql/$PGVER/bin/initdb -D $PGDATA"
-RUN su $PGUSER -c "/usr/lib/postgresql/$PGVER/bin/pg_ctl start -D $PGDATA" &&\
-                   sleep 10 &&\
-                   psql -U postgres -h localhost -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD';" &&\
-                   su postgres -c "/usr/lib/postgresql/$PGVER/bin/pg_ctl stop"
-RUN echo "host all  all    0.0.0.0/0  trust" >> ${PGDATA}/pg_hba.conf
-RUN echo "listen_addresses='*'" >> ${PGDATA}/postgresql.conf
-
-# Install slapd
-RUN ls /tmp
-COPY payload/*ldif /etc/ldap/
-RUN printf  "slapd slapd/internal/generated_adminpw password $LDAPPASWD\n\
-slapd slapd/password2 password $LDAPPASWD\n\
-slapd slapd/internal/adminpw password $LDAPPASWD\n\
-slapd slapd/password1 password $LDAPPASWD\n\
-slapd slapd/domain string example.com\n\
-slapd shared/organization string example.com" | debconf-set-selections &&\
-   sudo apt-get -y install --no-install-recommends slapd ldap-utils
-RUN sed -i \
-   "s@^[[:blank:]]*SLAPD_SERVICES=.*@SLAPD_SERVICES=\"ldap://$HOSTADDR:$LDAPPORT/ ldaps:/// ldapi:///\"@"\
-   /etc/default/slapd
-RUN /etc/init.d/slapd start && \
-    ldapadd -h localhost -p 389 -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/base.ldif && \
-    ldapadd -h localhost -p 389 -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/add-users.ldif && \
-    /etc/init.d/slapd stop
+RUN $FABRIC_CA_DATA/system_update.sh
+RUN $FABRIC_CA_DATA/postgres_setup.sh
+RUN $FABRIC_CA_DATA/slapd_setup.sh
+RUN $FABRIC_CA_DATA/mysql_setup.sh
 
 # Install fabric-ca dependencies
 RUN go get github.com/go-sql-driver/mysql
 RUN go get github.com/lib/pq
 
-# Use python2, not 3
-RUN ln -s /usr/bin/python2.7 /usr/local/bin/python && chmod 777 /usr/local/bin/python
-
-# Generate version-agnostic postgres command
-RUN ln -s /usr/lib/postgresql/$PGVER/bin/postgres /usr/local/bin/postgres && chmod 777 /usr/local/bin/postgres
-
 # Add docker-built execs for (potentially) alternative architecture
-COPY payload/fabric-ca-client /usr/local/bin
-RUN chmod +x /usr/local/bin/fabric-ca-client
-COPY payload/fabric-ca-server /usr/local/bin
-RUN chmod +x /usr/local/bin/fabric-ca-server
-
-# Add start script to initialize adjunct servers
-COPY payload/start.sh /start.sh
-
-# Clean up APT when done.
-RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+COPY payload/fabric-ca-client payload/fabric-ca-server /usr/local/bin/
+RUN chmod +x /usr/local/bin/fabric-ca-client /usr/local/bin/fabric-ca-server
 
 WORKDIR ${GOPATH}/src/github.com/hyperledger/fabric-ca
+RUN cp $FABRIC_CA_DATA/start.sh /
 ENTRYPOINT [ "/start.sh" ]
 CMD ["make", "fvt-tests"]

images/fabric-ca-fvt/payload/certinfo.ldif

@@ -0,0 +1,9 @@
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ssl/certs/FabricTlsPkiBundle.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/FabricTlsServerEEcert.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/FabricTlsServerEEkey.pem

images/fabric-ca-fvt/payload/mysql_setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+RC=0
+arch=$(uname -m)
+
+mkdir -p /var/run/mysqld
+chown mysql:mysql /var/run/mysqld
+
+# Mysql certificates
+cp $FABRIC_CA_DATA/$TLS_BUNDLE $MYSQLDATA/
+cp $FABRIC_CA_DATA/$TLS_SERVER_CERT $MYSQLDATA/
+openssl rsa -in $FABRIC_CA_DATA/$TLS_SERVER_KEY -out $MYSQLDATA/$TLS_SERVER_KEY || let RC+=1
+chown mysql.mysql $MYSQLDATA/*pem
+chmod 600 $MYSQLDATA/$TLS_SERVER_KEY
+test $arch = s390x && MYCNF=/etc/mysql/my.cnf || MYCNF=/etc/mysql/mysql.conf.d/mysqld.cnf
+sed -i "s/^[[:blank:]]*#*[[:blank:]]*ssl-ca=.*/ssl-ca=$TLS_BUNDLE/;
+        s/^[[:blank:]]*#*[[:blank:]]*ssl-cert=.*/ssl-cert=$TLS_SERVER_CERT/;
+        s/^[[:blank:]]*#*[[:blank:]]*ssl-key=.*/ssl-key=$TLS_SERVER_KEY/" $MYCNF || let RC+=1
+chown -R mysql.mysql $MYSQLDATA
+exit $RC

images/fabric-ca-fvt/payload/postgres_setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+RC=0
+
+# Configure and start postgres
+echo $PGUSER:$PGUSER | chpasswd
+mkdir -p $PGDATA && chown postgres:postgres $PGDATA
+su $PGUSER -c "/usr/lib/postgresql/$PGVER/bin/initdb -D $PGDATA"
+su $PGUSER -c "/usr/lib/postgresql/$PGVER/bin/pg_ctl start -D $PGDATA" &&\
+                   sleep 10 &&\
+                   psql -U postgres -h localhost -c "ALTER USER $PGUSER WITH PASSWORD '$PGPASSWORD';" &&\
+                   su postgres -c "/usr/lib/postgresql/$PGVER/bin/pg_ctl stop"
+let RC+=$?
+echo "host all  all    0.0.0.0/0  trust" >> ${PGDATA}/pg_hba.conf
+echo "listen_addresses='*'" >> ${PGDATA}/postgresql.conf
+# Enable TLS for postgres
+cp $FABRIC_CA_DATA/$TLS_BUNDLE $PGDATA || let RC+=1
+cp $FABRIC_CA_DATA/$TLS_SERVER_CERT $PGDATA || let RC+=1
+cp $FABRIC_CA_DATA/$TLS_SERVER_KEY  $PGDATA || let RC+=1
+# postgres insists on restricted access to keys
+chown $PGUSER.$PGUSER $PGDATA/*pem || let RC+=1
+chmod 600 $PGDATA/FabricTlsServer*.pem || let RC+=1
+sed -i "s/\(^[[:blank:]]*\)#*\([[:blank:]]*ssl[[:blank:]]*=[[:blank:]]*\).*/\1\2on/;\
+s/\(^[[:blank:]]*\)#*\([[:blank:]]*ssl_cert_file[[:blank:]]*=[[:blank:]]*\).*/\1\2'$TLS_SERVER_CERT'/;\
+s/\(^[[:blank:]]*\)#*\([[:blank:]]*ssl_key_file[[:blank:]]*=[[:blank:]]*\).*/\1\2'$TLS_SERVER_KEY'/;\
+s/\(^[[:blank:]]*\)#*\([[:blank:]]*ssl_ca_file[[:blank:]]*=[[:blank:]]*\).*/\1\2'$TLS_BUNDLE'/" $PGDATA/postgresql.conf || let RC+=1
+
+# Generate version-agnostic postgres command
+ln -s /usr/lib/postgresql/$PGVER/bin/postgres /usr/local/bin/postgres && chmod 777 /usr/local/bin/postgres || let RC+=1
+
+exit $RC

images/fabric-ca-fvt/payload/slapd_setup.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+RC=0
+
+# Install slapd
+printf  "slapd slapd/internal/generated_adminpw password $LDAPPASWD\n\
+slapd slapd/password2 password $LDAPPASWD\n\
+slapd slapd/internal/adminpw password $LDAPPASWD\n\
+slapd slapd/password1 password $LDAPPASWD\n\
+slapd slapd/domain string example.com\n\
+slapd shared/organization string example.com" | debconf-set-selections 
+apt-get -y update
+apt-get -y install --no-install-recommends slapd ldap-utils
+adduser openldap ssl-cert
+cp $FABRIC_CA_DATA/$TLS_BUNDLE /etc/ssl/certs/
+cp $FABRIC_CA_DATA/$TLS_SERVER_CERT /etc/ssl/certs/
+cp $FABRIC_CA_DATA/$TLS_SERVER_KEY /etc/ssl/private/$TLS_SERVER_KEY
+cp $FABRIC_CA_DATA/*ldif /etc/ldap/
+
+chgrp ssl-cert /etc/ssl/private/$TLS_SERVER_KEY
+chmod 644 /etc/ssl/certs/$TLS_BUNDLE
+chmod 644 /etc/ssl/certs/$TLS_SERVER_CERT
+chmod 640 /etc/ssl/private/$TLS_SERVER_KEY
+sed -i \
+   "s@^[[:blank:]]*SLAPD_SERVICES=.*@SLAPD_SERVICES=\"ldap://$HOSTADDR:$LDAPPORT/ ldaps:/// ldapi:///\"@"\
+   /etc/default/slapd
+
+/etc/init.d/slapd start || let RC+=1
+
+i=0;while ! nc -znvt $HOSTADDR $LDAPPORT; do
+    sleep .5
+    let i+
+    if test $((i/2)) -gt $timeout; then
+       let RC+=1
+       break
+    fi
+done
+
+ldapadd -h localhost -p $LDAPPORT -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/base.ldif || let RC+=1
+ldapadd -h localhost -p $LDAPPORT -D cn=$LDAPUSER,dc=example,dc=com -w $LDAPPASWD -f /etc/ldap/add-users.ldif || let RC+=1
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/certinfo.ldif || let RC+=1
+/etc/init.d/slapd stop
+
+exit $RC

images/fabric-ca-fvt/payload/start.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+#
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+POSTGRES_PORT=5432
+MYSQL_PORT=3306
+LDAP_PORT=389
+PORTS=($POSTGRES_PORT $MYSQL_PORT $LDAP_PORT)
+
+timeout=12
+su postgres -c 'postgres -D /usr/local/pgsql/data' &
+chown -R mysql.mysql $MYSQLDATA
+/usr/bin/mysqld_safe --sql-mode=STRICT_TRANS_TABLES &
+/etc/init.d/slapd start &
+
+for port in ${PORTS[*]}; do
+   i=0
+   while ! nc -zvnt -w 5 $HOSTADDR $port; do
+      sleep 1
+      test $i -gt $timeout && break
+      let i++;
+   done
+done
+
+exec "$@"

images/fabric-ca-fvt/payload/system_update.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+RC=0
+export DEBIAN_FRONTEND=noninteractive
+
+# Avoid sysvinit errors
+cat > /usr/sbin/policy-rc.d <<EOF
+#!/bin/bash
+exit 101
+EOF
+chmod +x /usr/sbin/policy-rc.d
+dpkg-divert --local --rename --add /sbin/initctl
+
+# Update system
+apt-get -y update && apt-get -y install --no-install-recommends locales
+sed -i -e 's/^[[:blank:]]*#[[:blank:]]*en_US.UTF-8[[:blank:]]*UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
+printf "LANG=en_US.UTF-8\nLANGUAGE=en_US.UTF-8\n" > /etc/default/locale
+dpkg-reconfigure locales && update-locale LANG=en_US.UTF-8 || let RC+=1
+
+# Install more test depedencies
+echo "mysql-server mysql-server/root_password password mysql" | debconf-set-selections
+echo "mysql-server mysql-server/root_password_again password mysql" | debconf-set-selections
+apt-get -y install --no-install-recommends rsyslog bc vim lsof sqlite3 haproxy postgresql-$PGVER \
+           postgresql-client-common postgresql-contrib-$PGVER isag jq git html2text \
+           debconf-utils zsh htop python2.7-minimal libpython2.7-stdlib \
+           mysql-client  mysql-common mysql-server || let RC+=1
+apt-get -y install ssl-cert || let RC+=1
+apt-get -y autoremove
+
+# Configure rsyslog
+sed -i 's/^[[:blank:]]*#\([[:blank:]]*.*imudp.*\)/\1/' /etc/rsyslog.conf
+rm /etc/rsyslog.d/*haproxy*conf
+printf "local2.*    /var/log/haproxy.log\n& ~\n" > /etc/rsyslog.d/haproxy.conf
+
+# Use python2, not 3
+ln -s /usr/bin/python2.7 /usr/local/bin/python && chmod 777 /usr/local/bin/python || let RC+=1
+
+# Clean up APT when done.
+apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+exit $RC