From dfe28b17794cd7ae933186e80e40c0d53abf1d78 Mon Sep 17 00:00:00 2001
From: kexkey
Date: Mon, 19 Nov 2018 21:39:54 -0500
Subject: [PATCH] Tweaks and versioning and nginx arm alpine

---
 api_auth_docker/Dockerfile | 4 +++-
 api_auth_docker/Dockerfile-debian | 22 +++++++++++++++++++++
 api_auth_docker/auth.sh | 32 ++++++++++++++++---------------
 api_auth_docker/entrypoint.sh | 2 +-
 api_auth_docker/tests.sh | 2 +-
 otsclient_docker/README.md | 8 ++------
 pycoin_docker/Dockerfile | 3 +--
 7 files changed, 47 insertions(+), 26 deletions(-)
 create mode 100644 api_auth_docker/Dockerfile-debian

diff --git a/api_auth_docker/Dockerfile b/api_auth_docker/Dockerfile
index c1db73b..1fcf538 100644
--- a/api_auth_docker/Dockerfile
+++ b/api_auth_docker/Dockerfile
@@ -1,4 +1,6 @@
-FROM nginx:alpine
+# Does not work on ARM / Raspberry Pi
+
+FROM cyphernode/nginx:1.14.1-alpine
 
 RUN apk add --update --no-cache \
 git \
diff --git a/api_auth_docker/Dockerfile-debian b/api_auth_docker/Dockerfile-debian
new file mode 100644
index 0000000..f9ec643
--- /dev/null
+++ b/api_auth_docker/Dockerfile-debian
@@ -0,0 +1,22 @@
+FROM nginx:1.14
+
+RUN apt-get update \
+ && apt-get install -y \
+ openssl \
+ spawn-fcgi \
+ fcgiwrap \
+ jq \
+ curl
+
+COPY auth.sh /etc/nginx/conf.d
+COPY default-ssl.conf /etc/nginx/conf.d/default.conf
+COPY entrypoint.sh entrypoint.sh
+COPY keys.properties /etc/nginx/conf.d
+COPY api.properties /etc/nginx/conf.d
+COPY trace.sh /etc/nginx/conf.d
+COPY tests.sh /etc/nginx/conf.d
+COPY ip-whitelist.conf /etc/nginx/conf.d
+
+RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh
+
+ENTRYPOINT ["./entrypoint.sh"]
diff --git a/api_auth_docker/auth.sh b/api_auth_docker/auth.sh
index 6915603..6900f71 100644
--- a/api_auth_docker/auth.sh
+++ b/api_auth_docker/auth.sh
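Review bot: In api_auth_docker/Dockerfile the new base `cyphernode/nginx:1.14.1-alpine` is referenced by tag only, so the content behind that name can change between builds; adding the digest, `FROM cyphernode/nginx:1.14.1-alpine@sha256:<digest-placeholder>`, makes the build reproducible and makes a replaced base visible. Nothing in this patch shows how that image is produced, so a comment naming the Dockerfile or repository it is built from would help anyone auditing it. The added `# Does not work on ARM / Raspberry Pi` does not say whether it describes this file or the previous `nginx:alpine` base, and should name what fails and which file to use instead. The tag-only reference also applies to `FROM nginx:1.14` in Dockerfile-debian and `FROM python:3.6-alpine3.8` in pycoin_docker/Dockerfile.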
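Review bot: `COPY keys.properties /etc/nginx/conf.d` in the new api_auth_docker/Dockerfile-debian writes the key file that auth.sh sources (`. ./keys.properties`) into an image layer, so anyone who can pull the image can read the keys, and rotating them requires a rebuild. If that file holds real keys at build time, drop the COPY and provide it at run time as a read-only bind mount or Docker secret at `/etc/nginx/conf.d/keys.properties`; the same question applies to `api.properties`. Separately, the apt layer keeps its package lists and pulls recommended packages: `apt-get install -y --no-install-recommends` with `&& rm -rf /var/lib/apt/lists/*` at the end of the same RUN avoids both. `tests.sh` is also copied into the runtime image and could be left out of a production build.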
@@ -39,14 +39,14 @@ verify_sign()
 if [ ${exp} -gt ${current} ]; then
 trace "[verify_sign] Not expired, let's validate signature"
 local id=$(echo ${payload} | jq ".id" | tr -d '"')
- trace "[verify_sign] id=${id}"
+ trace "[verify_sign] id=${id}"
 
- # Check for code injection
- # id will usually be an int, but can be alphanum... nothing else
- case $id in (*[![:alnum:]]*|"")
- trace "[verify_sign] Potential code injection, exiting"
- return 1
- esac
+ # Check for code injection
+ # id will usually be an int, but can be alphanum... nothing else
+ case $id in (*[![:alnum:]]*|"")
+ trace "[verify_sign] Potential code injection, exiting"
+ return 1
+ esac
 
 # It is so much faster to include the keys here instead of grep'ing the file for key.
 . ./keys.properties
@@ -88,15 +88,15 @@ verify_group()
 local id=${1}
 
 # REQUEST_URI should look like this: /watch/2blablabla
- local action=$(echo "${REQUEST_URI:1}" | cut -d '/' -f1)
+ local action=$(echo "${REQUEST_URI#\/}" | cut -d '/' -f1)
 trace "[verify_group] action=${action}"
 
 # Check for code injection
 # action can be alphanum... and _ and - but nothing else
 local actiontoinspect=$(echo "$action" | tr -d '_-')
 case $actiontoinspect in (*[![:alnum:]]*|"")
- trace "[verify_group] Potential code injection, exiting"
- return 1
+ trace "[verify_group] Potential code injection, exiting"
+ return 1
 esac
 
 # It is so much faster to include the keys here instead of grep'ing the file for key.
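Review bot: `echo "${REQUEST_URI#\/}"` in verify_group hands request-controlled text to `echo`, and under dash (the /bin/sh this commit starts supporting on Debian) the builtin `echo` interprets backslash escapes, so the value that reaches `cut` and the alphanumeric check may differ from the URI nginx actually routed. `printf` passes the bytes through unchanged: `local action=$(printf '%s\n' "${REQUEST_URI#/}" | cut -d '/' -f1)`. The backslash in `#\/` is not needed; `${REQUEST_URI#/}` strips the same single leading slash. verify_group starts before this hunk and continues after it.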
@@ -121,15 +121,17 @@ verify_group() # $HTTP_AUTHORIZATION = Bearer +# Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjAwMyIsImV4cCI6MTU0MjE0OTMyNH0=.b811067cf79c7009a0a38f110a6e3bf82cc4310aa6afae75b9d915b9febf13f7 # If this is not found in header, we leave trace "[auth.sh] HTTP_AUTHORIZATION=${HTTP_AUTHORIZATION}" -if [ "${HTTP_AUTHORIZATION:0:6}" = "Bearer" ]; then - token="${HTTP_AUTHORIZATION:6}" +# /bin/sh on debian points to dash, which does not support substring in the form ${var:offset:length} +if [ "-${HTTP_AUTHORIZATION%% *}" = "-Bearer" ]; then + token="${HTTP_AUTHORIZATION#Bearer }" if [ -n "$token" ]; then - trace "[auth.sh] Valid format for authorization header" - verify_sign "${token}" - [ "$?" -eq "0" ] && return + trace "[auth.sh] Valid format for authorization header" + verify_sign "${token}" + [ "$?" -eq "0" ] && return fi fi diff --git a/api_auth_docker/entrypoint.sh b/api_auth_docker/entrypoint.sh index be8f164..fb53a01 100644 --- a/api_auth_docker/entrypoint.sh +++ b/api_auth_docker/entrypoint.sh @@ -1,5 +1,5 @@ #!/bin/sh -spawn-fcgi -s /var/run/fcgiwrap.socket -u nginx -g nginx -U nginx -- /usr/bin/fcgiwrap +spawn-fcgi -s /var/run/fcgiwrap.socket -u nginx -g nginx -U nginx -- `which fcgiwrap` nginx -g "daemon off;" diff --git a/api_auth_docker/tests.sh b/api_auth_docker/tests.sh index 25e1285..e95fd26 100644 --- a/api_auth_docker/tests.sh +++ b/api_auth_docker/tests.sh @@ -4,7 +4,7 @@ # Replace # proxy_pass http://cyphernode:8888; # by -# proxy_pass http://tests:8888; +# proxy_pass http://cyphernode:1111; # in /etc/nginx/conf.d/default.conf to run the tests test_expiration() diff --git a/otsclient_docker/README.md b/otsclient_docker/README.md index c90bb4e..b45e20d 100644 --- a/otsclient_docker/README.md +++ b/otsclient_docker/README.md 
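Review bot: The new prefix test in api_auth_docker/auth.sh accepts a header that is exactly `Bearer` with no token: `${HTTP_AUTHORIZATION%% *}` equals `Bearer`, `${HTTP_AUTHORIZATION#Bearer }` then strips nothing, and the literal string `Bearer` is passed to verify_sign as the token, whereas the old code rejected an empty remainder. verify_sign is only partly visible in this patch, so this probably still fails closed, but the `Valid format` trace becomes misleading. Checking that the prefix was really removed is stricter: set `token="${HTTP_AUTHORIZATION#Bearer }"` first, then test `if [ "$token" != "$HTTP_AUTHORIZATION" ] && [ -n "$token" ]; then`. The unchanged `trace "[auth.sh] HTTP_AUTHORIZATION=${HTTP_AUTHORIZATION}"` line writes the complete bearer token to the trace output; logging only the `id` that verify_sign already traces would keep credentials out of the logs.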
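Review bot: In api_auth_docker/entrypoint.sh the unquoted command substitution around `which fcgiwrap` expands to nothing when fcgiwrap is not on PATH, so spawn-fcgi is started without a program and, as far as the hunk shows, the script still carries on to nginx with no working auth backend. Resolving the path once with the POSIX builtin and failing early is safer: `FCGIWRAP=$(command -v fcgiwrap) || { echo "fcgiwrap not found" >&2; exit 1; }` and then `-- "$FCGIWRAP"` on the spawn-fcgi line. The last line could also become `exec nginx -g "daemon off;"` so that nginx rather than the shell receives the stop signal from the container runtime.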
@@ -14,11 +14,7 @@ sudo find ~/otsfiles -type d -exec chmod 2775 {} \; ; sudo find ~/otsfiles -type
 
 # Usefull examples
 
-See https://github.com/opentimestamps/javascript-opentimestamps
-
-List SegWit addresses for path 0/24-30 for a pub32:
-
 ```shell
-curl -H "Content-Type: application/json" -d '{"pub32":"tpubD6NzVbkrYhZ4YR3QK2tyfMMvBghAvqtNaNK1LTyDWcRHLcMUm3ZN2cGm5BS3MhCRCeCkXQkTXXjiJgqxpqXK7PeUSp86DTTgkLpcjMtpKWk","path":"0/25-30"}' http://localhost:7777/derive
-curl -H "Content-Type: application/json" -d '{"pub32":"vpub5SLqN2bLY4WeZF3kL4VqiWF1itbf3A6oRrq9aPf16AZMVWYCuN9TxpAZwCzVgW94TNzZPNc9XAHD4As6pdnExBtCDGYRmNJrcJ4eV9hNqcv","path":"0/25-30"}' http://localhost:7777/derive
+curl http://localhost:6666/stamp/1ddfb769eb0b8876bc570e25580e6a53afcf973362ee1ee4b54a807da2e5eed7
+curl http://localhost:6666/upgrade/1ddfb769eb0b8876bc570e25580e6a53afcf973362ee1ee4b54a807da2e5eed7
 ```
diff --git a/pycoin_docker/Dockerfile b/pycoin_docker/Dockerfile
index 5e74852..7b45efa 100644
--- a/pycoin_docker/Dockerfile
+++ b/pycoin_docker/Dockerfile
@@ -1,5 +1,4 @@
-#FROM resin/raspberry-pi-alpine-python:3.6
-FROM python:3.6-alpine
+FROM python:3.6-alpine3.8
 
 ENV HOME /pycoin