From 2dbfcc9c92f61909036943965d170f1fe1742dae Mon Sep 17 00:00:00 2001
From: Mikael Frykholm
Date: Fri, 23 Aug 2024 11:02:08 +0200
Subject: [PATCH] Docker improvements. Add env variables to help with running in docker. Add example docker compose file. Add Dockerfile for building a container.
---
 docker/build.sh | 2 ++
 docker/docker-compose.yml | 66 ++++++++++++++++++++++++++++++++++++
 docker/fedservice.Dockerfile | 21 ++++++++++++
 docker/requirements.docker | 4 +++
 docker/start.sh | 13 +++++++
 setup_federation/entity.py | 14 ++++++--
 6 files changed, 118 insertions(+), 2 deletions(-)
 create mode 100755 docker/build.sh
 create mode 100644 docker/docker-compose.yml
 create mode 100644 docker/fedservice.Dockerfile
 create mode 100644 docker/requirements.docker
 create mode 100755 docker/start.sh
diff --git a/docker/build.sh b/docker/build.sh
new file mode 100755
index 0000000..70b5287
--- /dev/null
+++ b/docker/build.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker build -t fedservice -f ./fedservice.Dockerfile .. --no-cache
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
new file mode 100644
index 0000000..9b2ca73
--- /dev/null
+++ b/docker/docker-compose.yml
@@ -0,0 +1,66 @@
+services:
+ wallet_provider:
+ image: fedservice
+ command: "wallet_provider"
+ ports:
+ - "5001:5001"
+ environment:
+ FEDSERVICE_ENTITYID: https://example.com:5001
+ FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
+ FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
+ FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_DEBUG: true
+ FEDSERVICE_PORT: 5001
+ FEDSERVICE_BIND: 0.0.0.0
+ volumes:
+ - ./wallet_provider:/wallet_provider:rw
+ - ./certificates:/certs:ro
+ trust_mark_issuer:
+ image: fedservice
+ command: "trust_mark_issuer"
+ ports:
+ - "6001:6001"
+ environment:
+ FEDSERVICE_ENTITYID: https://example.com:5005
+ FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
+ FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
+ FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_DEBUG: true
+ FEDSERVICE_PORT: 6001
+ FEDSERVICE_BIND: 0.0.0.0
+ volumes:
+ - ./trust_mark_issuer:/trust_mark_issuer:rw
+ - ./certificates:/certs:ro
+ trust_anchor:
+ image: fedservice
+ command: "trust_anchor"
+ ports:
+ - "7001:7001"
+ environment:
+ FEDSERVICE_ENTITYID: https://example.com:7001
+ FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
+ FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
+ FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_DEBUG: true
+ FEDSERVICE_PORT: 7001
+ FEDSERVICE_BIND: 0.0.0.0
+ volumes:
+ - ./trust_anchor:/trust_anchor:rw
+ - ./certificates:/certs:ro
+ flask_wallet:
+ image: fedservice
+ command: "flask_wallet"
+ ports:
+ - "5005:5005"
+ environment:
+ FEDSERVICE_ENTITYID: https://example.com:5005
+ FEDSERVICE_WEBCERT_KEY: /cert/privkey.pem
+ FEDSERVICE_WEBCERT_CHAIN: /cert/chain.pem
+ FEDSERVICE_SECRET_KEY: 12345678909987654321
+ FEDSERVICE_DEBUG: true
+ FEDSERVICE_PORT: 5005
+ FEDSERVICE_BIND: 0.0.0.0
+ volumes:
+ - ./flask_wallet:/flask_wallet:rw
+ - ./certificates:/certs:ro
+
diff --git a/docker/fedservice.Dockerfile b/docker/fedservice.Dockerfile
new file mode 100644
index 0000000..5e07572
--- /dev/null
+++ b/docker/fedservice.Dockerfile
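Review bot: The certificate volume is mounted at `/certs` (`- ./certificates:/certs:ro`) in all four services, but every `FEDSERVICE_WEBCERT_KEY`/`FEDSERVICE_WEBCERT_CHAIN` value points at `/cert/privkey.pem` and `/cert/chain.pem`, so the TLS files will not be found at the path the entity reads; change one side, e.g. `- ./certificates:/cert:ro`. The same literal `FEDSERVICE_SECRET_KEY: 12345678909987654321` is handed to all four services and, because entity.py now loads it through `from_prefixed_env`, it replaces the per-process `os.urandom` session key; an example file should carry a placeholder plus a comment such as `# FEDSERVICE_SECRET_KEY: generate one per deployment, e.g. python -c 'import secrets; print(secrets.token_hex(32))'`. `FEDSERVICE_DEBUG: true` together with `FEDSERVICE_BIND: 0.0.0.0` and published ports means Flask debug mode (and the Werkzeug debugger, if the entity honours `app.config['DEBUG']`) could be reachable from outside the host, so the example should default to `FEDSERVICE_DEBUG: false`. Separately, `trust_mark_issuer` publishes port 6001 but sets `FEDSERVICE_ENTITYID: https://example.com:5005`, which looks copied from `flask_wallet`.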
@@ -0,0 +1,21 @@
+FROM python:3.12-bookworm
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ git \
+ python3-dev \
+ build-essential \
+ python3-pip \
+ libffi-dev \
+ libssl-dev \
+ xmlsec1 \
+ libyaml-dev
+RUN pip3 install --upgrade pip setuptools
+COPY . /fedservice
+RUN pip3 install -r fedservice/docker/requirements.docker
+RUN pip3 install /fedservice
+COPY docker/start.sh .
+ENTRYPOINT ["/start.sh"]
+#RUN cp /src/fedservice/setup_federation/entity.py /
+#RUN sed -e "s@'templates'@'data/templates'@" -e "s@sys.path.insert(0, dir_path)@sys.path.insert(0, dir_path)\n app.config['SECRET_KEY'] = os.urandom(12).hex()@" /src/fedservice/setup_federation/entity.py > /entity.py && \
+# chmod u+x /entity.py
+
diff --git a/docker/requirements.docker b/docker/requirements.docker
new file mode 100644
index 0000000..377029f
--- /dev/null
+++ b/docker/requirements.docker
@@ -0,0 +1,4 @@
+-e git+https://github.com/IdentityPython/idpy-oidc.git@dpop_add#egg=idpyoidc
+-e git+https://github.com/rohe/openid4v.git#egg=openid4v
+-e git+https://github.com/rohe/idpy-sdjwt.git#egg=idpysdjwt
+flask
diff --git a/docker/start.sh b/docker/start.sh
new file mode 100755
index 0000000..611b2f3
--- /dev/null
+++ b/docker/start.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+for file in conf.json views.py; do
+ if [ ! -f /"${1}"/"${file}" ]; then
+ echo "No ${file} found, copying to /wallet_provider/"
+ cp /fedservice/setup_federation/"${1}"/"${file}" /"${1}"/
+ else
+ echo "${file} found, leaving alone. Beware when upgrading."
+
+ fi
+done
+echo "Starting wallet_provider."
+/fedservice/setup_federation/entity.py "$@"
diff --git a/setup_federation/entity.py b/setup_federation/entity.py
index f4975f9..97663fe 100755
--- a/setup_federation/entity.py
+++ b/setup_federation/entity.py
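Review bot: `COPY . /fedservice` copies the whole build context into the image, and build.sh passes `..` (the repository root) as that context, so anything present in the checkout — `docker/certificates/` with `privkey.pem`, the per-entity runtime directories the compose file bind-mounts, `.git` — is baked into an image layer and travels with every push of the image; add a `.dockerignore` excluding at least `.git`, `docker/certificates` and the `docker/<entity>/` directories, or COPY only the package sources. The image runs as root because no `USER` is set; the entities bind high ports, so `RUN useradd -r -m fedservice` followed by `USER fedservice` before `ENTRYPOINT` costs nothing. The two commented-out `RUN` lines reference `/src/fedservice/...`, a path that does not exist in this image, and patch in the `SECRET_KEY` line that entity.py already contains; they should be deleted rather than left as dead code.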
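Review bot: All three git dependencies are unpinned — `idpy-oidc` follows the moving branch `dpop_add`, `openid4v` and `idpy-sdjwt` follow their default branch, and `flask` has no version — so each `--no-cache` build installs whatever those branches contain at that moment, the image is not reproducible, and a force-push or compromise of any upstream branch lands directly in the build. Pin each to a commit hash, e.g. `-e git+https://github.com/IdentityPython/idpy-oidc.git@<commit-sha>#egg=idpyoidc`, and give `flask` a version constraint.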
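Review bot: `${1}` is used without validation to build `/"${1}"/` and the copy source, so running the container with no argument expands to `//conf.json` and `cp` into `//`, and because there is no `set -e` a failed `cp` still falls through to starting the entity without its config. The two log messages are hard-coded to `wallet_provider` although the script serves every entity in the compose file; they should use `${1}`. Invoking `entity.py` with `exec` also lets the Python process receive the container's stop signal instead of leaving bash as PID 1. The rewritten lines:
```shell
set -euo pipefail
entity="${1:?usage: start.sh <entity_dir> [entity args...]}"
for file in conf.json views.py; do
    if [ ! -f "/${entity}/${file}" ]; then
        echo "No ${file} found, copying to /${entity}/"
        cp "/fedservice/setup_federation/${entity}/${file}" "/${entity}/"
    # … unchanged: else branch …
    fi
done
echo "Starting ${entity}."
exec /fedservice/setup_federation/entity.py "$@"
```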
@@ -24,12 +24,16 @@ def init_app(dir_name, **kwargs) -> Flask:
 # Session key for the application session
 app.config['SECRET_KEY'] = os.urandom(12).hex()
-
+ app.config.from_prefixed_env(prefix="FEDSERVICE")
 entity = importer(f"{dir_name}.views.entity")
 app.register_blueprint(entity)
 # Initialize the oidc_provider after views to be able to set correct urls
 app.cnf = load_config_file(f"{dir_name}/conf.json")
+ if os.environ.get('FEDSERVICE_ENTITYID'):
+ entity_id = os.environ.get('FEDSERVICE_ENTITYID')
+ print(f"Setting entity_id to {entity_id} from env")
+ app.cnf['entity']['entity_id'] = entity_id
 app.cnf["cwd"] = dir_path
 app.server = make_federation_combo(**app.cnf["entity"])
 if isinstance(app.server, FederationCombo):
@@ -48,6 +52,10 @@ def init_app(dir_name, **kwargs) -> Flask:
 if "logging" in app.cnf:
 configure_logging(config=app.cnf["logging"])
 _web_conf = app.cnf["webserver"]
+ if os.environ.get('FEDSERVICE_WEBCERT_KEY'):
+ _web_conf['server_key'] = os.environ.get('FEDSERVICE_WEBCERT_KEY')
+ _web_conf['server_chain'] = os.environ.get('FEDSERVICE_WEBCERT_CHAIN')
+ _web_conf['server_cert'] = os.environ.get('FEDSERVICE_WEBCERT_CERT')
 context = create_context(dir_path, _web_conf)
 _cert = "{}/{}".format(dir_path, lower_or_upper(_web_conf, "server_cert"))
@@ -55,5 +63,7 @@ def init_app(dir_name, **kwargs) -> Flask:
 _trust_anchors = {k:v for k,v in app.federation_entity.function.trust_chain_collector.trust_anchors.items()}
 print(f"Trust Anchors: {_trust_anchors}")
 # app.rph.federation_entity.collector.web_cert_path = _cert
- app.run(host=_web_conf.get('domain'), port=_web_conf.get('port'),
+ domain = os.environ.get('FEDSERVICE_BIND') or _web_conf.get('domain')
+ port = os.environ.get('FEDSERVICE_PORT') or _web_conf.get('port')
+ app.run(host=domain, port=port,
 debug=_web_conf.get("debug"), ssl_context=context)
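Review bot: `app.config.from_prefixed_env(prefix="FEDSERVICE")` is placed immediately after the random `SECRET_KEY` is set, so any `FEDSERVICE_SECRET_KEY` in the environment silently replaces the per-process key — and the example compose file in this commit does exactly that with one fixed numeric value shared by all four services, while nothing here checks what was supplied. Flask JSON-decodes prefixed env values, so a purely numeric value such as `12345678909987654321` would arrive as an int rather than a str (confirm against the Flask version in use); a minimal guard after the call would be `secret = app.config['SECRET_KEY']` / `if not isinstance(secret, str) or len(secret) < 32: raise SystemExit("FEDSERVICE_SECRET_KEY must be a string of at least 32 characters")`. The call also copies every other `FEDSERVICE_*` variable (ENTITYID, WEBCERT_*, PORT, BIND, DEBUG) into `app.config` with the prefix stripped, which deserves a comment such as `# Any FEDSERVICE_* variable lands in app.config; FEDSERVICE_SECRET_KEY overrides the random key above`. init_app begins before this hunk and continues after it.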
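Review bot: Inside the `if os.environ.get('FEDSERVICE_WEBCERT_KEY'):` branch all three of `server_key`, `server_chain` and `server_cert` are assigned from the environment, so setting only the key variable replaces the conf.json chain and cert values with None — and the example compose file never sets `FEDSERVICE_WEBCERT_CERT`, so on every service `server_cert` becomes None and the next line's `lower_or_upper(_web_conf, "server_cert")` is formatted into `_cert` as `.../None`. Whether `create_context` accepts a None cert, or an absolute `/cert/...` path combined with `dir_path`, is not visible here and should be checked. Each entry should be overridden only when its own variable is present; init_app continues outside this hunk.
```python
    _web_conf = app.cnf["webserver"]
    # Each TLS path may be overridden independently; unset variables keep the conf.json value.
    for _key, _var in (("server_key", "FEDSERVICE_WEBCERT_KEY"),
                       ("server_chain", "FEDSERVICE_WEBCERT_CHAIN"),
                       ("server_cert", "FEDSERVICE_WEBCERT_CERT")):
        if os.environ.get(_var):
            _web_conf[_key] = os.environ[_var]
    context = create_context(dir_path, _web_conf)
```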
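Review bot: `debug=_web_conf.get("debug")` is still read only from conf.json, while the `FEDSERVICE_DEBUG` the compose example sets reaches `app.config['DEBUG']` through `from_prefixed_env`; when conf.json has no `debug` key the argument is None and Flask's `run` falls back to `app.debug`, so the example configuration turns on the Werkzeug debugger and reloader on a socket bound to `FEDSERVICE_BIND` = `0.0.0.0` with the port published. I would make the decision explicit and refuse the dangerous combination: `debug = bool(_web_conf.get("debug") or app.debug)` / `if debug and domain not in ("127.0.0.1", "localhost"): raise SystemExit("refusing Flask debug mode on a non-loopback bind")` before `app.run(...)`. `FEDSERVICE_PORT` arrives as a string, which `app.run` converts with `int()`, but converting at the assignment (`port = int(os.environ.get('FEDSERVICE_PORT') or _web_conf.get('port'))`) makes a malformed value fail with a clear message instead of inside Werkzeug. init_app's remaining lines after `app.run` are outside this hunk.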