Merge branch 'main' into interactors

G-Research · Aug 28, 2024 · 5cd8d9d · 5cd8d9d
2 parents 50da259 + e7997f7
commit 5cd8d9d
Show file tree

Hide file tree

Showing 13 changed files with 209 additions and 148 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,66 +1,58 @@
 # syntax = docker/dockerfile:1
-
-# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand:
-# docker build -t my-app .
-# docker run -d -p 80:80 -p 443:443 --name my-app -e RAILS_MASTER_KEY=<value from config/master.key> my-app
-
-# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
 ARG RUBY_VERSION=3.3.4
-FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base
+ARG RAILS_ROOT=/app
+FROM ruby:$RUBY_VERSION-alpine AS builder
 
-# Rails app lives here
-WORKDIR /rails
-
-# Install base packages
-RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y curl libjemalloc2 libsqlite3-0 libvips && \
-    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+# Install build dependencies
+RUN apk add --no-cache build-base git pkgconfig
 
 # Set production environment
 ENV RAILS_ENV="production" \
+    RAILS_ROOT="/app" \
     BUNDLE_DEPLOYMENT="1" \
-    BUNDLE_PATH="/usr/local/bundle" \
-    BUNDLE_WITHOUT="development"
-
-# Throw-away build stage to reduce size of final image
-FROM base AS build
+    BUNDLE_PATH="/app/.bundle" \
+    BUNDLE_WITHOUT="test development"
 
-# Install packages needed to build gems
-RUN apt-get update -qq && \
-    apt-get install --no-install-recommends -y build-essential git pkg-config && \
-    rm -rf /var/lib/apt/lists /var/cache/apt/archives
+WORKDIR $RAILS_ROOT
 
-# Install application gems
+# Install gems
 COPY Gemfile Gemfile.lock ./
-RUN bundle install && \
-    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
-    bundle exec bootsnap precompile --gemfile
+RUN bundle config --global frozen 1 \
+    && bundle config set path 'vendor/bundle' \
+    && bundle install --without development:test -j4 --retry 3 \
+    && rm -rf vendor/bundle/ruby/3.3.0/cache/*.gem # \
+    && find vendor/bundle/ruby/3.3.0/gems/ -name "*.c" -delete \
+    && find vendor/bundle/ruby/3.3.0/gems/ -name "*.o" -delete
 
 # Copy application code
 COPY . .
 
-# Precompile bootsnap code for faster boot times
+# Precompile bootsnap
 RUN bundle exec bootsnap precompile app/ lib/
 
+# Final stage
+FROM ruby:$RUBY_VERSION-alpine
 
+# Install runtime dependencies
+RUN apk add --no-cache curl jemalloc sqlite-libs vips tzdata
 
+ENV RAILS_ENV="production" \
+    RAILS_ROOT="/app" \
+    BUNDLE_DEPLOYMENT="1" \
+    BUNDLE_APP_CONFIG="/app/.bundle" \
+    BUNDLE_WITHOUT="test development"
 
-# Final stage for app image
-FROM base
+WORKDIR $RAILS_ROOT
 
-# Copy built artifacts: gems, application
-COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
-COPY --from=build /rails /rails
+# Copy built artifacts
+COPY --from=builder $RAILS_ROOT $RAILS_ROOT
 
-# Run and own only the runtime files as a non-root user for security
-RUN groupadd --system --gid 1000 rails && \
-    useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
+# Add non-root user
+RUN addgroup -S rails && adduser -S rails -G rails && \
     chown -R rails:rails db log storage tmp
-USER 1000:1000
-
-# Entrypoint prepares the database.
-ENTRYPOINT ["/rails/bin/docker-entrypoint"]
+USER rails:rails
 
 # Start the server by default, this can be overwritten at runtime
 EXPOSE 3000
-CMD ["./bin/rails", "server"]
+# Start the server
+CMD ["bin/rails", "server", "-b", "0.0.0.0"]
diff --git a/Gemfile b/Gemfile
@@ -1,7 +1,7 @@
 source "https://rubygems.org"
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
-gem "rails", "~> 7.2.0"
+gem "rails", "~> 7.2.1"
 # Use sqlite3 as the database for Active Record
 gem "sqlite3", ">= 1.4"
 # Use the Puma web server [https://github.com/puma/puma]

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,29 +1,29 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.2.0)
-      actionpack (= 7.2.0)
-      activesupport (= 7.2.0)
+    actioncable (7.2.1)
+      actionpack (= 7.2.1)
+      activesupport (= 7.2.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.2.0)
-      actionpack (= 7.2.0)
-      activejob (= 7.2.0)
-      activerecord (= 7.2.0)
-      activestorage (= 7.2.0)
-      activesupport (= 7.2.0)
+    actionmailbox (7.2.1)
+      actionpack (= 7.2.1)
+      activejob (= 7.2.1)
+      activerecord (= 7.2.1)
+      activestorage (= 7.2.1)
+      activesupport (= 7.2.1)
       mail (>= 2.8.0)
-    actionmailer (7.2.0)
-      actionpack (= 7.2.0)
-      actionview (= 7.2.0)
-      activejob (= 7.2.0)
-      activesupport (= 7.2.0)
+    actionmailer (7.2.1)
+      actionpack (= 7.2.1)
+      actionview (= 7.2.1)
+      activejob (= 7.2.1)
+      activesupport (= 7.2.1)
       mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.2.0)
-      actionview (= 7.2.0)
-      activesupport (= 7.2.0)
+    actionpack (7.2.1)
+      actionview (= 7.2.1)
+      activesupport (= 7.2.1)
       nokogiri (>= 1.8.5)
       racc
       rack (>= 2.2.4, < 3.2)
@@ -32,35 +32,35 @@ GEM
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
       useragent (~> 0.16)
-    actiontext (7.2.0)
-      actionpack (= 7.2.0)
-      activerecord (= 7.2.0)
-      activestorage (= 7.2.0)
-      activesupport (= 7.2.0)
+    actiontext (7.2.1)
+      actionpack (= 7.2.1)
+      activerecord (= 7.2.1)
+      activestorage (= 7.2.1)
+      activesupport (= 7.2.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.2.0)
-      activesupport (= 7.2.0)
+    actionview (7.2.1)
+      activesupport (= 7.2.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    activejob (7.2.0)
-      activesupport (= 7.2.0)
+    activejob (7.2.1)
+      activesupport (= 7.2.1)
       globalid (>= 0.3.6)
-    activemodel (7.2.0)
-      activesupport (= 7.2.0)
-    activerecord (7.2.0)
-      activemodel (= 7.2.0)
-      activesupport (= 7.2.0)
+    activemodel (7.2.1)
+      activesupport (= 7.2.1)
+    activerecord (7.2.1)
+      activemodel (= 7.2.1)
+      activesupport (= 7.2.1)
       timeout (>= 0.4.0)
-    activestorage (7.2.0)
-      actionpack (= 7.2.0)
-      activejob (= 7.2.0)
-      activerecord (= 7.2.0)
-      activesupport (= 7.2.0)
+    activestorage (7.2.1)
+      actionpack (= 7.2.1)
+      activejob (= 7.2.1)
+      activerecord (= 7.2.1)
+      activesupport (= 7.2.1)
       marcel (~> 1.0)
-    activesupport (7.2.0)
+    activesupport (7.2.1)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
@@ -115,7 +115,7 @@ GEM
       net-smtp
     marcel (1.0.4)
     mini_mime (1.1.5)
-    minitest (5.24.1)
+    minitest (5.25.1)
     msgpack (1.7.2)
     net-imap (0.4.14)
       date
@@ -156,30 +156,30 @@ GEM
     rackup (2.1.0)
       rack (>= 3)
       webrick (~> 1.8)
-    rails (7.2.0)
-      actioncable (= 7.2.0)
-      actionmailbox (= 7.2.0)
-      actionmailer (= 7.2.0)
-      actionpack (= 7.2.0)
-      actiontext (= 7.2.0)
-      actionview (= 7.2.0)
-      activejob (= 7.2.0)
-      activemodel (= 7.2.0)
-      activerecord (= 7.2.0)
-      activestorage (= 7.2.0)
-      activesupport (= 7.2.0)
+    rails (7.2.1)
+      actioncable (= 7.2.1)
+      actionmailbox (= 7.2.1)
+      actionmailer (= 7.2.1)
+      actionpack (= 7.2.1)
+      actiontext (= 7.2.1)
+      actionview (= 7.2.1)
+      activejob (= 7.2.1)
+      activemodel (= 7.2.1)
+      activerecord (= 7.2.1)
+      activestorage (= 7.2.1)
+      activesupport (= 7.2.1)
       bundler (>= 1.15.0)
-      railties (= 7.2.0)
+      railties (= 7.2.1)
     rails-dom-testing (2.2.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.2.0)
-      actionpack (= 7.2.0)
-      activesupport (= 7.2.0)
+    railties (7.2.1)
+      actionpack (= 7.2.1)
+      activesupport (= 7.2.1)
       irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
@@ -274,7 +274,7 @@ DEPENDENCIES
   interactor (~> 3.0)
   jwt
   puma (>= 5.0)
-  rails (~> 7.2.0)
+  rails (~> 7.2.1)
   rubocop-rails-omakase
   sqlite3 (>= 1.4)
   tzinfo-data

diff --git a/README.md b/README.md
@@ -20,6 +20,8 @@ rails s
 3) POST /certificates to acquire cert in terminal:
 ```
 curl -X POST http://localhost:3000/certificates \
--H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcHBsaWNhdGlvbl9uYW1lIiwiY29tbW9uX25hbWUiOiJleGFtcGxlLmNvbSIsImlwX3NhbnMiOiIxMC4wLjEuMTAwIn0.61e0oQIj7vwGtOpFuPJDCI_Bqf8ZTpJxe_2kUwcbN7Y"
+-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMiwiZ3JvdXBzIjpbImdyb3VwMSIsImdyb3VwMiJdLCJhdWQiOiJhc3RyYWwifQ.tfRLXmE_eq-piP88_clwPWrYfMAQbCJAeZQI6OFxZSI" \
+-H "Content-type: application/json" \
+-d "{ \"common_name\": \"example.com\" }"
 ```
 
diff --git a/app/lib/services/app_registry_service.rb b/app/lib/services/app_registry_service.rb
diff --git a/app/lib/services/auth_service.rb b/app/lib/services/auth_service.rb
@@ -1,16 +1,29 @@
 module Services
   class AuthService
     def initialize
-      # TODO make this selectable
-      @impl = AppRegistryService.new
+      @domain_ownership_service = DomainOwnershipService.new
     end
 
     def authenticate!(token)
-      @impl.authenticate!(token)
+      identity = decode(token)
+      raise AuthError unless identity
+      # TODO verify identity with authority?
+      identity
     end
 
-    def authorize!(token, cert_issue_req)
-      @impl.authorize!(token, cert_issue_req)
+    def authorize!(identity, cert_issue_req)
+      @domain_ownership_service.authorize!(identity, cert_issue_req)
+    end
+
+    private
+
+    def decode(token)
+      # Decode a JWT access token using the configured base.
+      body = JWT.decode(token, Rails.application.config.astral[:jwt_signing_key])[0]
+      Identity.new(body)
+    rescue => e
+      Rails.logger.warn "Unable to decode token: #{e}"
+      nil
     end
   end
 end
diff --git a/app/lib/services/domain_ownership_service.rb b/app/lib/services/domain_ownership_service.rb
@@ -0,0 +1,19 @@
+module Services
+  class DomainOwnershipService
+    def authorize!(identity, cert_req)
+      cert_req.fqdns.each do |fqdn|
+        domain = get_domain_name(fqdn)
+        raise AuthError unless domain.owner == identity.subject ||
+                                (domain.group_delegation &&
+                                (domain.groups & identity.groups).any?)
+      end
+      nil
+    end
+
+    private
+
+    def get_domain_name(fqdn)
+      # TODO implement
+    end
+  end
+end
diff --git a/app/models/domain_info.rb b/app/models/domain_info.rb
@@ -0,0 +1,8 @@
+class DomainInfo
+  include ActiveModel::Model
+  include ActiveModel::Attributes
+
+  attribute :owner, :string
+  attribute :groups, array: :string, default: []
+  attribute :group_delegation, :boolean, default: false
+end
diff --git a/app/models/identity.rb b/app/models/identity.rb
@@ -0,0 +1,13 @@
+class Identity
+  include ActiveModel::Model
+  include ActiveModel::Attributes
+
+  attribute :subject, :string
+  attribute :name, :string
+  attribute :iat, :integer
+  attribute :aud, :string
+  attribute :groups, array: :string, default: []
+
+  alias_attribute :sub, :subject
+  alias_attribute :roles, :groups
+end