diff --git a/.goreleaser.yml b/.goreleaser.yml
index 0466b61..9d6bd61 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -84,20 +84,39 @@ nfpms:
 formats:
 - apk
 - deb
- # contents:
- # - src: misc/packaging/common/config-agent.yml
- # dst: /etc/emissary/agent.yml
- # type: config
- # - src: misc/packaging/systemd/emissary-agent.systemd.service
- # dst: /usr/lib/systemd/system/emissary-agent.service
- # packager: deb
- # - src: misc/packaging/systemd/emissary-agent.systemd.service
- # dst: /usr/lib/systemd/system/emissary-agent.service
- # packager: rpm
- # - src: misc/packaging/openrc/emissary-agent.openrc.sh
- # dst: /etc/init.d/emissary-agent
- # file_info:
- # mode: 0755
- # packager: apk
- # scripts:
- # postinstall: "misc/packaging/common/postinstall-agent.sh"
\ No newline at end of file
+ contents:
+ # Deb
+ - src: misc/packaging/systemd/storage-server.systemd.service
+ dst: /usr/lib/systemd/system/storage-server.service
+ packager: deb
+ - src: misc/packaging/systemd/storage-server.env
+ dst: /etc/storage-server/environ
+ type: config|noreplace
+ file_info:
+ mode: 0640
+ packager: deb
+
+ # APK
+ - src: misc/packaging/openrc/storage-server.openrc.sh
+ dst: /etc/init.d/storage-server
+ file_info:
+ mode: 0755
+ packager: apk
+ - src: misc/packaging/openrc/storage-server.conf
+ type: config|noreplace
+ dst: /etc/conf.d/storage-server
+ file_info:
+ mode: 0640
+ packager: apk
+ - dst: /var/lib/storage-server
+ type: dir
+ file_info:
+ mode: 0700
+ packager: apk
+ - dst: /var/log/storage-server
+ type: dir
+ file_info:
+ mode: 0750
+ packager: apk
+ scripts:
+ postinstall: "misc/packaging/common/postinstall-storage-server.sh"
\ No newline at end of file
diff --git a/cmd/storage-server/command/auth/new_token.go b/cmd/storage-server/command/auth/new_token.go
index ecd3520..9601db7 100644
--- a/cmd/storage-server/command/auth/new_token.go
+++ b/cmd/storage-server/command/auth/new_token.go
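Review bot: The apk-only directory entries `/var/lib/storage-server` (0700) and `/var/log/storage-server` (0750) carry no `owner:`/`group:` under `file_info`, so nfpm creates them root-owned; that only works because the openrc script shipped in this commit sets no `command_user` and therefore runs the daemon as root. If a dedicated service account is ever introduced (the deb side already runs under `DynamicUser=yes`), these entries need `owner:`/`group:` set or the service will be unable to write its state and key. The deb `environ` file at 0640 root:root is fine for systemd's `EnvironmentFile=`, which is read by the manager before the service user applies, but it would not be readable by a non-root supervisor, so the two packagers should not be assumed interchangeable here.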
@@ -16,7 +16,8 @@ func NewToken() *cli.Command {
 Usage: "Generate new authentication token",
 Flags: []cli.Flag{
 &cli.StringFlag{
- Name: "tenant",
+ Name: "tenant",
+ Required: true,
 },
 flag.PrivateKey,
 flag.PrivateKeySigningAlgorithm,
@@ -28,6 +29,10 @@ func NewToken() *cli.Command {
 privateKeyDefaultSize := flag.GetPrivateKeyDefaultSize(ctx)
 tenant := ctx.String("tenant")
 
+ if tenant == "" {
+ return errors.New("you must provide a value for --tenant flag")
+ }
+
 privateKey, err := jwtutil.LoadOrGenerateKey(
 privateKeyFile,
 privateKeyDefaultSize,
diff --git a/cmd/storage-server/command/flag/flag.go b/cmd/storage-server/command/flag/flag.go
index 99ede47..60d42df 100644
--- a/cmd/storage-server/command/flag/flag.go
+++ b/cmd/storage-server/command/flag/flag.go
@@ -22,7 +22,7 @@ const SigningAlgorithmFlagName = "signing-algorithm"
 
 var PrivateKeySigningAlgorithm = &cli.StringFlag{
 Name: SigningAlgorithmFlagName,
- EnvVars: []string{"STORAGE_SERVER_PRIVATE_KEY_SIGNING_ALGORITHM"},
+ EnvVars: []string{"STORAGE_SERVER_SIGNING_ALGORITHM"},
 Value: jwa.RS256.String(),
 }
 
diff --git a/cmd/storage-server/command/run.go b/cmd/storage-server/command/run.go
index 17681d7..613fd50 100644
--- a/cmd/storage-server/command/run.go
+++ b/cmd/storage-server/command/run.go
@@ -37,6 +37,7 @@ func Run() *cli.Command {
 Flags: []cli.Flag{
 &cli.StringFlag{
 Name: "address",
+ EnvVars: []string{"STORAGE_SERVER_ADDRESS"},
 Aliases: []string{"addr"},
 Value: ":3001",
 },
diff --git a/misc/packaging/common/postinstall-storage-server.sh b/misc/packaging/common/postinstall-storage-server.sh
new file mode 100644
index 0000000..3cc101c
--- /dev/null
+++ b/misc/packaging/common/postinstall-storage-server.sh
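Review bot: The `if tenant == ""` guard in the second hunk is worth keeping next to `Required: true` (an explicit `--tenant ""` passes the required check), but it lets a whitespace-only value through and that value becomes the tenant claim of the issued token; read it as `tenant := strings.TrimSpace(ctx.String("tenant"))` before the check, adding the `strings` import if the file lacks it. `errors.New` also has to resolve to whichever `errors` package this file imports — the import block is outside the hunk, so I cannot confirm it is present. The Action body of NewToken continues past the end of the hunk.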
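Review bot: Dropping `STORAGE_SERVER_PRIVATE_KEY_SIGNING_ALGORITHM` in favour of `STORAGE_SERVER_SIGNING_ALGORITHM` is a silent behaviour change for any deployment that still exports the old name: the value is ignored and the flag falls back to `jwa.RS256.String()`, so tokens get signed with an algorithm the operator did not configure and may be rejected by verifiers. Unless no release has shipped the old name, keep it as a fallback, `EnvVars: []string{"STORAGE_SERVER_SIGNING_ALGORITHM", "STORAGE_SERVER_PRIVATE_KEY_SIGNING_ALGORITHM"},` (urfave/cli uses the first variable that is set), and note the rename in the changelog.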
@@ -0,0 +1,75 @@
+#!/bin/sh
+
+use_systemctl="True"
+systemd_version=0
+if ! command -V systemctl >/dev/null 2>&1; then
+ use_systemctl="False"
+else
+ systemd_version=$(systemctl --version | head -1 | cut -d ' ' -f 2)
+fi
+
+service_name=storage-server
+
+cleanup() {
+ if [ "${use_systemctl}" = "False" ]; then
+ rm -f /usr/lib/systemd/system/${service_name}.service
+ else
+ rm -f /etc/chkconfig/${service_name}
+ rm -f /etc/init.d/${service_name}
+ fi
+}
+
+cleanInstall() {
+ printf "\033[32m Post Install of an clean install\033[0m\n"
+ if [ "${use_systemctl}" = "False" ]; then
+ if command -V chkconfig >/dev/null 2>&1; then
+ chkconfig --add ${service_name}
+ fi
+
+ service ${service_name} restart || :
+ else
+ if [[ "${systemd_version}" -lt 231 ]]; then
+ printf "\033[31m systemd version %s is less then 231, fixing the service file \033[0m\n" "${systemd_version}"
+ sed -i "s/=+/=/g" /usr/lib/systemd/system/${service_name}.service
+ fi
+ printf "\033[32m Reload the service unit from disk\033[0m\n"
+ systemctl daemon-reload || :
+ printf "\033[32m Unmask the service\033[0m\n"
+ systemctl unmask ${service_name} || :
+ printf "\033[32m Set the preset flag for the service unit\033[0m\n"
+ systemctl preset ${service_name} || :
+ printf "\033[32m Set the enabled flag for the service unit\033[0m\n"
+ systemctl enable ${service_name} || :
+ systemctl restart ${service_name} || :
+ fi
+}
+
+upgrade() {
+ printf "\033[32m Post Install of an upgrade\033[0m\n"
+ systemctl daemon-reload || :
+ systemctl restart ${service_name} || :
+}
+
+# Step 2, check if this is a clean install or an upgrade
+action="$1"
+if [ "$1" = "configure" ] && [ -z "$2" ]; then
+ action="install"
+elif [ "$1" = "configure" ] && [ -n "$2" ]; then
+ action="upgrade"
+fi
+
+case "$action" in
+"1" | "install")
+ cleanInstall
+ ;;
+"2" | "upgrade")
+ printf "\033[32m Post Install of an upgrade\033[0m\n"
+ upgrade
+ ;;
+*)
+ printf "\033[32m Alpine\033[0m"
+ cleanInstall
+ ;;
+esac
+
+cleanup
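Review bot: `if [[ "${systemd_version}" -lt 231 ]]; then` is a bash construct in a `#!/bin/sh` script; on the deb target `/bin/sh` is dash, where `[[` is not a builtin, so the test fails with "not found" and the version fix-up branch can never run. Use the POSIX form, `if [ "${systemd_version}" -lt 231 ]; then`. The `"2" | "upgrade")` branch also prints the "Post Install of an upgrade" banner and then `upgrade` prints it a second time; drop one. On apk the script is invoked without arguments, so it takes the `*)` branch into `cleanInstall`, which only restarts the service and never runs `rc-update add ${service_name} default` — presumably the openrc service is therefore not enabled at boot, which is worth confirming on an Alpine install.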
diff --git a/misc/packaging/openrc/storage-server.conf b/misc/packaging/openrc/storage-server.conf
new file mode 100644
index 0000000..044e548
--- /dev/null
+++ b/misc/packaging/openrc/storage-server.conf
@@ -0,0 +1,9 @@
+export STORAGE_SERVER_ADDRESS=:3001
+export STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+export STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+export STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+export STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
+export STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
+export STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
+export STORAGE_SERVER_CACHE_TTL=1h
+export STORAGE_SERVER_CACHE_SIZE=32
\ No newline at end of file
diff --git a/misc/packaging/openrc/storage-server.openrc.sh b/misc/packaging/openrc/storage-server.openrc.sh
new file mode 100644
index 0000000..98a7473
--- /dev/null
+++ b/misc/packaging/openrc/storage-server.openrc.sh
@@ -0,0 +1,11 @@
+#!/sbin/openrc-run
+
+command="/usr/bin/storage-server"
+command_args=""
+supervisor=supervise-daemon
+output_log="/var/log/storage-server.log"
+error_log="$output_log"
+
+depend() {
+ need net
+}
\ No newline at end of file
diff --git a/misc/packaging/systemd/storage-server.env b/misc/packaging/systemd/storage-server.env
new file mode 100644
index 0000000..3810a3f
--- /dev/null
+++ b/misc/packaging/systemd/storage-server.env
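Review bot: The three DSN patterns here, and the identical ones in `misc/packaging/systemd/storage-server.env` in the next hunk, place `%TENANT%` and `%APPID%` directly as path components under `/var/lib/storage-server/data`; the code that expands those placeholders is not in this diff, so I cannot confirm it restricts tenant and app ids to a plain identifier charset before substitution, which it must do for a per-tenant database to stay inside that directory. A one-line comment above the patterns stating where the placeholders are validated (or a note in the config docs) would make the invariant visible to whoever edits these files later. `STORAGE_SERVER_PRIVATE_KEY` points into the same state directory; if `LoadOrGenerateKey` creates the key on first start, the directory must be writable by the account the service runs under.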
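Review bot: `output_log="/var/log/storage-server.log"` writes next to, not inside, the `/var/log/storage-server` directory the apk package creates (0750), so that directory is dead weight; either log to `/var/log/storage-server/storage-server.log` or drop the directory entry from `.goreleaser.yml`. The script also sets no `command_user`/`command_group`, so `supervise-daemon` runs the server as root, unlike the systemd unit in this commit which uses `DynamicUser=yes`; when a service account exists, add `command_user="storage-server:storage-server"` and chown the state and log directories to it. `command_args=""` assumes the binary serves with no subcommand, which should be checked against how `Run()` is registered.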
@@ -0,0 +1,9 @@
+STORAGE_SERVER_ADDRESS=:3001
+STORAGE_SERVER_BLOBSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/blobstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+STORAGE_SERVER_DOCUMENTSTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/%APPID%/documentstore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+STORAGE_SERVER_SHARESTORE_DSN_PATTERN="sqlite:///var/lib/storage-server/data/%TENANT%/sharestore.sqlite?_pragma=foreign_keys(1)&_pragma=busy_timeout=60000"
+STORAGE_SERVER_PRIVATE_KEY="/var/lib/storage-server/storage-server.key"
+STORAGE_SERVER_PRIVATE_KEY_DEFAULT_SIZE="2048"
+STORAGE_SERVER_SIGNING_ALGORITHM="RS256"
+STORAGE_SERVER_CACHE_TTL=1h
+STORAGE_SERVER_CACHE_SIZE=32
diff --git a/misc/packaging/systemd/storage-server.systemd.service b/misc/packaging/systemd/storage-server.systemd.service
new file mode 100644
index 0000000..a983fc2
--- /dev/null
+++ b/misc/packaging/systemd/storage-server.systemd.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=storage-server service
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+EnvironmentFile=/etc/storage-server/environ
+ExecStart=/usr/bin/storage-server
+EnvironmentFile=/etc/storage-server/environ
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+DynamicUser=yes
+StateDirectory=storage-server
+DevicePolicy=closed
+ProtectSystem=true
+ProtectHome=read-only
+ProtectKernelLogs=yes
+ProtectProc=invisible
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_WAKE_ALARM CAP_SYS_TTY_CONFIG
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/pkg/jwtutil/token.go b/pkg/jwtutil/token.go
index da86988..24cfd50 100644
--- a/pkg/jwtutil/token.go
+++ b/pkg/jwtutil/token.go
@@ -6,6 +6,7 @@ import (
 "github.com/lestrrat-go/jwx/v2/jwa"
 "github.com/lestrrat-go/jwx/v2/jwk"
 "github.com/lestrrat-go/jwx/v2/jwt"
+ "github.com/oklog/ulid/v2"
 "github.com/pkg/errors"
 )
 
@@ -16,6 +17,10 @@ func SignedToken(key jwk.Key, signingAlgorithm jwa.SignatureAlgorithm, claims ma
 return nil, errors.WithStack(err)
 }
 
+ if err := token.Set(jwt.JwtIDKey, ulid.Make().String()); err != nil {
+ return nil, errors.WithStack(err)
+ }
+
 for key, value := range claims {
 if err := token.Set(key, value); err != nil {
 return nil, errors.Wrapf(err, "could not set claim '%s' with value '%v'", key, value)
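Review bot: `EnvironmentFile=/etc/storage-server/environ` is listed twice in `[Service]` (once before and once after `ExecStart=`); harmless, but drop one so a later edit does not update only half of it. With `DynamicUser=yes` and `StateDirectory=storage-server` already in place, `ProtectSystem=true` (read-only `/usr` and `/boot`) can almost certainly be tightened to `ProtectSystem=strict`, which makes the whole tree read-only except the state directory — unless the binary writes somewhere else, which the env file does not suggest. The otherwise thorough hardening block is missing the usual companions `SystemCallFilter=@system-service` and `SystemCallArchitectures=native`; add them with a comment noting they were tested against the binary. `ExecStart=/usr/bin/storage-server` passes no subcommand, same as the openrc script, so it relies on `Run()` being the default action.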
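Review bot: The generated `jti` is set before the `for key, value := range claims` loop, so a caller-supplied `jti` key in `claims` silently overwrites it; if the generated id is meant to be authoritative (revocation lists, replay detection), set it after the loop or reject a `jti` entry in `claims` with an error. Separately, `ulid.Make()` draws from `ulid.DefaultEntropy()`, which in oklog/ulid v2 is, as far as I recall, a math/rand source seeded from the clock, so the random half of the id is predictable; that is fine for uniqueness, but if `jti` must be unguessable, generate it as `ulid.MustNew(ulid.Now(), ulid.Monotonic(rand.Reader, 0)).String()` with `crypto/rand` imported. A doc comment on SignedToken stating that it always sets `jti` (and whether callers may override it) would close the ambiguity. SignedToken's signature and body begin before this hunk.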