Skip to content

Commit

Permalink
Merge pull request #73 from cloud66/feature/secure_security_server
Browse files Browse the repository at this point in the history
securing the secret server
  • Loading branch information
Daniël van Gils authored Jun 22, 2017
2 parents 283f4b7 + b2345ba commit 77c38d5
Show file tree
Hide file tree
Showing 7 changed files with 36 additions and 6 deletions.
13 changes: 13 additions & 0 deletions api/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,19 @@ func (s *Server) StartServer(version string) error {
VERSION = version
secret_api := rest.NewApi()

if s.Builder.Conf.UseAuthenticatedSecretServer {
secret_api.Use(&rest.AuthBasicMiddleware{
Realm: "Habitus secret service",
Authenticator: func(userId string, password string) bool {
if userId == s.Builder.Conf.AuthenticatedSecretServerUser && password == s.Builder.Conf.AuthenticatedSecretServerPassword {
return true
}
return false
},
})
}


router, err := rest.MakeRouter(
// system
&rest.Route{"GET", "/v1/ping", s.ping},
Expand Down
3 changes: 3 additions & 0 deletions configuration/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ type Config struct {
DockerMemory string
DockerCPUSetCPUs string
DockerCPUShares int
UseAuthenticatedSecretServer bool
AuthenticatedSecretServerPassword string
AuthenticatedSecretServerUser string
}

func (i *TupleArray) String() string {
Expand Down
13 changes: 9 additions & 4 deletions examples/security_env/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
FROM alpine:3.5
ARG host
ARG port
RUN wget -qO- http://$host:$port/v1/secrets/env/my_env_secret | less
FROM ubuntu:16.04
RUN apt-get update
RUN apt-get install wget -y
RUN apt-get install less -y
ARG habitus_host
ARG habitus_port
ARG habitus_password
ARG habitus_user
RUN wget --http-user=$habitus_user --http-password=$habitus_password -qO- http://$habitus_host:$habitus_port/v1/secrets/env/my_env_secret | less
6 changes: 5 additions & 1 deletion examples/security_env/README.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,7 @@
Run this example using secrets

`habitus --build host=[ip of habitus endpoint] --host=unix:///var/run/docker.sock --binding=0.0.0.0 --secrets=true`
`habitus -f examples/security_env/build.yml -d examples/security_env --secrets=true --authentication-secret-server=true --binding=[your ip] --build habitus_host=[your ip] --build habitus_port=8080 --build habitus_password=admin --build habitus_user=habitus`

Make sure you set the EnvVar

`export HABITUS_HOME=my_secret`
2 changes: 1 addition & 1 deletion examples/security_env/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build:
builder:
name: builder
dockerfile: Dockerfile
no_cache: true
no_cache: false
secrets:
my_env_secret:
type: env
Expand Down
1 change: 1 addition & 0 deletions examples/security_env/sd
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
./habitus -f examples/security_env/build.yml -d examples/security_env --secrets=true --authentication-secret-server=false --binding=192.168.1.58 --build habitus_host=192.168.1.58 --build habitus_port=8080 --build habitus_password=admin --build habitus_user=habitus
4 changes: 4 additions & 0 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,10 @@ func main() {
flag.StringVar(&config.DockerCPUSetCPUs, "docker-cpuset-cpus", "", "CPU binding limits to apply to Docker build operations. More: https://docs.docker.com/engine/reference/commandline/build")
flag.IntVar(&config.DockerCPUShares, "docker-cpu-shares", 1024, "CPU share weighting to apply to Docker build operations. More: https://docs.docker.com/engine/reference/commandline/build")

flag.BoolVar(&config.UseAuthenticatedSecretServer, "authentication-secret-server", false, "Enable basic authentication for secret server")
flag.StringVar(&config.AuthenticatedSecretServerPassword, "password-secret-server", "admin", "The password for basic authentication.")
flag.StringVar(&config.AuthenticatedSecretServerUser, "user-secret-server", "habitus", "The user for basic authentication.")

config.Logger = *log
flag.Parse()

Expand Down

0 comments on commit 77c38d5

Please sign in to comment.