Skip to content

Commit

Permalink
mtls between server and postgres
Browse files Browse the repository at this point in the history
  • Loading branch information
@dheidemann
dheidemann committed Nov 9, 2024
1 parent 348a2fd commit bb9f2bb
Show file tree
Hide file tree
Showing 15 changed files with 150 additions and 32 deletions.
10 changes: 5 additions & 5 deletions .env
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@ POSTGRES_PASSWORD="password123"
POSTGRES_USER="postgres"
POSTGRES_DB="postgres"

SMTP_HOST=
SMTP_USER=
SMTP_PASSWORD=
SMTP_PORT=
FROM_ADDRESS=
SMTP_HOST=""
SMTP_USER=""
SMTP_PASSWORD=""
SMTP_PORT=""
FROM_ADDRESS=""
7 changes: 6 additions & 1 deletion .gitignore
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,9 @@
.vscode/

# jetbrains
.idea/
.idea/

# certs
*.crt
*.key
*.csr
11 changes: 10 additions & 1 deletion docker-compose.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,18 +8,27 @@ services:
restart: always
volumes:
- data:/var/lib/postgresql/data
- ./postgresql.conf:/etc/postgresql/config/postgresql.conf:ro
- ./tls/certs/root.crt:/etc/postgres/security/root.crt:ro
- ./tls/certs/server.crt:/etc/postgres/security/server.crt:ro
- ./tls/certs/server.key:/etc/postgres/security/server.key:ro
command: -c config_file=/etc/postgresql/config/postgresql.conf
env_file: .env.local

otel-collector:
image: otel/opentelemetry-collector-contrib
volumes:
- ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml
- ./otel-collector-config.yaml:/etc/otelcol-contrib/config.yaml:ro

server:
build:
context: ./server
dockerfile: Dockerfile
restart: always
volumes:
- ./tls/certs/client.crt:/client.crt:ro
- ./tls/certs/client.key:/client.key:ro
- ./tls/certs/root.crt:/root.crt:ro
env_file: .env.local
ports:
- 8080:8080
Expand Down
42 changes: 42 additions & 0 deletions gen_certs.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
#!/usr/bin/env bash

set -euo pipefail

(
cd ./tls/certs

# root certs
echo "Generating root certificates..."
openssl genrsa -out root.key 4096
openssl req -new -x509 -days 365 -subj "/CN=pepp" \
-key root.key -out root.crt -config ../config/root.conf

# server certs
echo "Generating server certificates..."
openssl genrsa -out server.key 4096
openssl req -new -key server.key -subj "/CN=postgres" \
-config ../config/server_client.conf -extensions req_ext -out server.csr
openssl x509 -req -in server.csr -days 365 \
-CA root.crt -CAkey root.key -CAcreateserial -out server.crt \
-extfile ../config/server_client.conf -extensions req_ext

echo "Setting correct server.key ownership."
sudo chmod 600 server.key
sudo chown 70:70 server.key

# client certs
echo "Generating client certificates..."
openssl genrsa -out client.key 4096
openssl req -new -key client.key -subj "/CN=client" \
-config ../config/server_client.conf -extensions req_ext -out client.csr
openssl x509 -req -in client.csr -days 365 \
-CA root.crt -CAkey root.key -CAcreateserial -out client.crt \
-extfile ../config/server_client.conf -extensions req_ext

echo "Successfully created all certificates!"
echo
)

echo "You can now start the application"
echo
echo " docker compose up -d && docker compose logs -f"
6 changes: 6 additions & 0 deletions postgresql.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
ssl = on
ssl_ca_file = '/etc/postgres/security/root.crt'
ssl_cert_file = '/etc/postgres/security/server.crt'
ssl_key_file = '/etc/postgres/security/server.key'
password_encryption = scram-sha-256
listen_addresses = '*'
43 changes: 35 additions & 8 deletions server/db/init.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,21 +7,19 @@ import (
"os"

"github.com/FachschaftMathPhysInfo/pepp/server/models"
_ "github.com/lib/pq"
log "github.com/sirupsen/logrus"
"github.com/uptrace/bun"
"github.com/uptrace/bun/dialect/pgdialect"
"github.com/uptrace/bun/driver/pgdriver"
"github.com/uptrace/bun/extra/bunotel"
"go.opentelemetry.io/otel/sdk/trace"
)

func Init(ctx context.Context, tracer *trace.TracerProvider) (*bun.DB, *sql.DB, error) {
db_user := os.Getenv("POSTGRES_USER")
db_pw := os.Getenv("POSTGRES_PASSWORD")
db_db := os.Getenv("POSTGRES_DB")
dsn := fmt.Sprintf("postgres://%s:%s@postgres:5432/%s?sslmode=disable",
db_user, db_pw, db_db)

sqldb := sql.OpenDB(pgdriver.NewConnector(pgdriver.WithDSN(dsn)))
sqldb, err := connectTCPSocket()
if err != nil {
return nil, nil, err
}

db := bun.NewDB(sqldb, pgdialect.New())

Expand Down Expand Up @@ -80,3 +78,32 @@ func createTables(ctx context.Context, db *bun.DB, tables []interface{}) error {

return nil
}

func connectTCPSocket() (*sql.DB, error) {
mustGetenv := func(k string) string {
v := os.Getenv(k)
if v == "" {
log.Fatalf("Fatal Error in init.go: %s environment variable not set.", k)
}
return v
}

var (
dbUser = mustGetenv("POSTGRES_USER")
dbPwd = mustGetenv("POSTGRES_PASSWORD")
dbName = mustGetenv("POSTGRES_DB")
)

dbURI := fmt.Sprintf("host=postgres user=%s password=%s database=%s sslmode=verify-full sslrootcert=root.crt sslcert=client.crt sslkey=client.key",
dbUser, dbPwd, dbName)

dbPool, err := sql.Open("postgres", dbURI)
if err != nil {
return nil, fmt.Errorf("sql.Open: %w", err)
}
if err = dbPool.Ping(); err != nil {
log.Fatalf("DB unreachable: %s", err)
}

return dbPool, nil
}
6 changes: 3 additions & 3 deletions server/db/seed.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@ package db
import (
"context"
"fmt"
"log"
"strconv"
"time"

"github.com/FachschaftMathPhysInfo/pepp/server/models"
log "github.com/sirupsen/logrus"
"github.com/uptrace/bun"
)

Expand Down Expand Up @@ -187,9 +187,9 @@ func insertData[T any](ctx context.Context, db *bun.DB, model T, data []T, descr
if _, err := db.NewInsert().Model(&data).Exec(ctx); err != nil {
return err
}
log.Printf("%s seeded successfully\n", description)
log.Infof("%s seeded successfully\n", description)
} else {
log.Printf("%s already exist, skipping seed\n", description)
log.Infof("%s already exist, skipping seed\n", description)
}
return nil
}
4 changes: 2 additions & 2 deletions server/go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,15 @@ require (
github.com/99designs/gqlgen v0.17.49
github.com/arran4/golang-ical v0.3.1
github.com/go-chi/chi/v5 v5.1.0
github.com/lib/pq v1.10.9
github.com/matcornic/hermes/v2 v2.1.0
github.com/ravilushqa/otelgqlgen v0.16.0
github.com/riandyrn/otelchi v0.9.0
github.com/robfig/cron/v3 v3.0.1
github.com/rs/cors v1.11.0
github.com/sirupsen/logrus v1.9.3
github.com/uptrace/bun v1.2.1
github.com/uptrace/bun/dialect/pgdialect v1.2.1
github.com/uptrace/bun/driver/pgdriver v1.2.1
github.com/uptrace/bun/extra/bunotel v1.2.1
github.com/vektah/gqlparser/v2 v2.5.16
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0
Expand Down Expand Up @@ -79,5 +80,4 @@ require (
google.golang.org/protobuf v1.34.2 // indirect
gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
mellium.im/sasl v0.3.1 // indirect
)
9 changes: 5 additions & 4 deletions server/go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
github.com/matcornic/hermes/v2 v2.1.0 h1:9TDYFBPFv6mcXanaDmRDEp/RTWj0dTTi+LpFnnnfNWc=
github.com/matcornic/hermes/v2 v2.1.0/go.mod h1:2+ziJeoyRfaLiATIL8VZ7f9hpzH4oDHqTmn0bhrsgVI=
github.com/mattn/go-runewidth v0.0.3/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
Expand Down Expand Up @@ -114,6 +116,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/sosodev/duration v1.3.1 h1:qtHBDMQ6lvMQsL15g4aopM4HEfOaYuhWBw3NPTtlqq4=
github.com/sosodev/duration v1.3.1/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg=
github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
Expand All @@ -131,8 +135,6 @@ github.com/uptrace/bun v1.2.1 h1:2ENAcfeCfaY5+2e7z5pXrzFKy3vS8VXvkCag6N2Yzfk=
github.com/uptrace/bun v1.2.1/go.mod h1:cNg+pWBUMmJ8rHnETgf65CEvn3aIKErrwOD6IA8e+Ec=
github.com/uptrace/bun/dialect/pgdialect v1.2.1 h1:ceP99r03u+s8ylaDE/RzgcajwGiC76Jz3nS2ZgyPQ4M=
github.com/uptrace/bun/dialect/pgdialect v1.2.1/go.mod h1:mv6B12cisvSc6bwKm9q9wcrr26awkZK8QXM+nso9n2U=
github.com/uptrace/bun/driver/pgdriver v1.2.1 h1:Cp6c1tKzbTIyL8o0cGT6cOhTsmQZdsUNhgcV51dsmLU=
github.com/uptrace/bun/driver/pgdriver v1.2.1/go.mod h1:jEd3WGx74hWLat3/IkesOoWNjrFNUDADK3nkyOFOOJM=
github.com/uptrace/bun/extra/bunotel v1.2.1 h1:5oTy3Jh7Q1bhCd5vnPszBmJgYouw+PuuZ8iSCm+uNCQ=
github.com/uptrace/bun/extra/bunotel v1.2.1/go.mod h1:SWW3HyjiXPYM36q0QSpdtTP8v21nWHnTCxu4lYkpO90=
github.com/uptrace/opentelemetry-go-extra/otelsql v0.2.4 h1:x3omFAG2XkvWFg1hvXRinY2ExAL1Aacl7W9ZlYjo6gc=
Expand Down Expand Up @@ -208,6 +210,7 @@ golang.org/x/sys v0.0.0-20190225065934-cc5685c2db12/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
Expand Down Expand Up @@ -262,5 +265,3 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
mellium.im/sasl v0.3.1 h1:wE0LW6g7U83vhvxjC1IY8DnXM+EU095yeo8XClvCdfo=
mellium.im/sasl v0.3.1/go.mod h1:xm59PUYpZHhgQ9ZqoJ5QaCqzWMi8IeS49dhp6plPCzw=
8 changes: 4 additions & 4 deletions server/server.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package main

import (
"context"
"log"
"net/http"
"net/http/httputil"
"net/url"
Expand All @@ -22,6 +21,7 @@ import (
"github.com/riandyrn/otelchi"
"github.com/robfig/cron/v3"
"github.com/rs/cors"
log "github.com/sirupsen/logrus"
)

const (
Expand Down Expand Up @@ -66,11 +66,11 @@ func main() {
hourlyTracer := maintenanceTracer.Tracer("hourly")

if err := maintenance.DeleteUnconfirmedPeople(ctx, &resolver, hourlyTracer); err != nil {
log.Println("Error deleting unconfirmed people:", err)
log.Error("Error deleting unconfirmed people:", err)
}

if err := maintenance.CleanSessionIds(ctx, &resolver, hourlyTracer); err != nil {
log.Println("Error cleaning session ids:", err)
log.Error("Error cleaning session ids:", err)
}
})
c.Start()
Expand Down Expand Up @@ -122,6 +122,6 @@ func main() {

router.Handle("/playground", playground.Handler("GraphQL playground", "/api"))

log.Printf("connect to http://localhost:%s/ for GraphQL playground", port)
log.Infof("connect to http://localhost:%s/ for GraphQL playground", port)
log.Fatal(http.ListenAndServe(":"+port, router))
}
8 changes: 4 additions & 4 deletions server/tracing/init.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ package tracing

import (
"context"
"fmt"
"time"

log "github.com/sirupsen/logrus"
"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc"
"go.opentelemetry.io/otel/sdk/resource"
Expand All @@ -28,7 +28,7 @@ func InitTracing(serviceName string) *sdktrace.TracerProvider {
ctx,
otlptracegrpc.WithGRPCConn(collectorConn))
if err != nil {
fmt.Println("failed to create exporter", err)
log.Error("failed to create exporter", err)
}

res, err := resource.New(
Expand All @@ -39,7 +39,7 @@ func InitTracing(serviceName string) *sdktrace.TracerProvider {
resource.WithHost(),
resource.WithOSType())
if err != nil {
fmt.Print("resource creation failed", err)
log.Error("resource creation failed", err)
}

tp := sdktrace.NewTracerProvider(
Expand All @@ -60,6 +60,6 @@ func mustConnGRPC(ctx context.Context, conn **grpc.ClientConn, addr string) {
grpc.WithStatsHandler(otelgrpc.NewClientHandler()))

if err != nil {
panic(fmt.Sprintf("grpc: failed to connect %s", addr))
log.Fatal("grpc: failed to connect %s", addr)
}
}
Empty file added tls/certs/.placeholder
View file
Empty file.
1 change: 1 addition & 0 deletions tls/certs/root.srl
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
5CBC3B5D5E557F0ABB2A981CD276AF89164931B3
12 changes: 12 additions & 0 deletions tls/config/root.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
organizationName = Fachschaft MathPhysInfo
commonName = pepp
commonName_max = 64

[ v3_ca ]
basicConstraints = CA:true
15 changes: 15 additions & 0 deletions tls/config/server_client.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
commonName = pepp
commonName_max = 64

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = postgres
IP.1 = 127.0.0.1

0 comments on commit bb9f2bb

Please sign in to comment.