Refactor tls so it's not pulled into command line utilities unecessar…

…ily. Also change default root and make it overridable. (#1060)

atrium/vestibulum/trccarrier/carrierfactory/servercapauth/capauth.go

@@ -10,6 +10,7 @@ import (
 	"github.com/trimble-oss/tierceron-hat/cap"
 	"github.com/trimble-oss/tierceron-hat/cap/tap"
 	"github.com/trimble-oss/tierceron/pkg/capauth"
+	"github.com/trimble-oss/tierceron/pkg/tls"
 	"github.com/trimble-oss/tierceron/pkg/vaulthelper/kv"
 	"google.golang.org/grpc"
 )
@@ -137,7 +138,7 @@ func Memorize(memorizeFields map[string]interface{}, logger *log.Logger) {
 func Start(featherAuth *FeatherAuth, env string, logger *log.Logger) error {
 	logger.Println("Cap server.")
 
-	creds, credErr := capauth.GetServerCredentials(logger)
+	creds, credErr := tls.GetServerCredentials(logger)
 	if credErr != nil {
 		logger.Printf("Couldn't server creds: %v\n", creds)
 		return credErr

atrium/vestibulum/trcflow/deploy/process.go

@@ -227,7 +227,7 @@ func PluginDeployFlow(pluginConfig map[string]interface{}, logger *log.Logger) e
 	case "agent":
 		agentPath = "/home/azuredeploy/bin/" + vaultPluginSignature["trcplugin"].(string)
 	default:
-		agentPath = "/etc/opt/vault/plugins/" + vaultPluginSignature["trcplugin"].(string)
+		agentPath = coreopts.BuildOptions.GetVaultInstallRoot() + "/plugins/" + vaultPluginSignature["trcplugin"].(string)
 	}
 
 	if _, err := os.Stat(agentPath); errors.Is(err, os.ErrNotExist) {
@@ -303,7 +303,7 @@ func PluginDeployFlow(pluginConfig map[string]interface{}, logger *log.Logger) e
 			if err != nil {
 				eUtils.LogErrorMessage(&carrierDriverConfig.CoreConfig, fmt.Sprintf("PluginDeployFlow failure: Could not set needed capabilities for env: %s and plugin %s error: %s\n", carrierDriverConfig.Env, pluginName, err.Error()), false)
 			}
-			ipcLockErr := ipcLockCapSet.SetFile("/etc/opt/vault/plugins/" + vaultPluginSignature["trcplugin"].(string))
+			ipcLockErr := ipcLockCapSet.SetFile(coreopts.BuildOptions.GetVaultInstallRoot() + "/plugins/" + vaultPluginSignature["trcplugin"].(string))
 			if ipcLockErr != nil {
 				eUtils.LogErrorMessage(&carrierDriverConfig.CoreConfig, fmt.Sprintf("PluginDeployFlow failure: Could not apply needed capabilities for env: %s and plugin %s error: %s\n", carrierDriverConfig.Env, pluginName, ipcLockErr.Error()), false)
 			}
@@ -416,7 +416,7 @@ func PluginDeployedUpdate(driverConfig *eUtils.DriverConfig, mod *helperkv.Modif
 					if pluginData["trctype"] == "agent" {
 						agentPath = "/home/azuredeploy/bin/" + pluginName
 					} else {
-						agentPath = "/etc/opt/vault/plugins/" + pluginName
+						agentPath = coreopts.BuildOptions.GetVaultInstallRoot() + "/plugins/" + pluginName
 					}
 
 					logger.Println("Checking file.")

buildopts/coreopts/buildopts.go

@@ -9,6 +9,7 @@ type Option func(*OptionsBuilder)
 type OptionsBuilder struct {
 	GetFolderPrefix              func(custom []string) string
 	GetSupportedTemplates        func(custom []string) []string
+	GetVaultInstallRoot          func() string
 	IsLocalEndpoint              func(addr string) bool
 	GetSupportedDomains          func(bool) []string
 	GetSupportedEndpoints        func(bool) []string
@@ -34,6 +35,7 @@ func LoadOptions() Option {
 		optionsBuilder.GetFolderPrefix = GetFolderPrefix
 		optionsBuilder.GetSupportedTemplates = GetSupportedTemplates
 		optionsBuilder.IsLocalEndpoint = IsLocalEndpoint
+		optionsBuilder.GetVaultInstallRoot = GetVaultInstallRoot
 		optionsBuilder.GetSupportedDomains = GetSupportedDomains
 		optionsBuilder.GetSupportedEndpoints = GetSupportedEndpoints
 		optionsBuilder.GetLocalHost = GetLocalHost

buildopts/coreopts/options_common.go

@@ -40,10 +40,16 @@ func GetSupportedTemplates(custom []string) []string {
 	return []string{}
 }
 
+// Determines if running tierceron in the default local development mode
+// with the default test host.
 func IsLocalEndpoint(addr string) bool {
 	return strings.HasPrefix(addr, "https://tierceron.test:1234")
 }
 
+func GetVaultInstallRoot() string {
+	return "/usr/local/vault"
+}
+
 // GetSupportedEndpoints - return a list of supported endpoints.  Override this function to provide
 // a list of supported endpoints.
 func GetSupportedEndpoints(prod bool) []string {

docker/trcvaultplugin/Dockerfile

@@ -1,2 +1,2 @@
 FROM scratch
-ADD trc-vault-plugin /etc/opt/vault/plugins/trc-vault-plugin
+ADD trc-vault-plugin /usr/local/vault/plugins/trc-vault-plugin

docker/trcvaultplugincarrier/Dockerfile

@@ -1,2 +1,2 @@
 FROM scratch
-ADD trc-vault-carrier-plugin /etc/opt/vault/plugins/trc-vault-carrier-plugin
+ADD trc-vault-carrier-plugin /usr/local/vault/plugins/trc-vault-carrier-plugin

installation/trccloud/terraform/azure/cloudboot/trc_templates/Vault/Tierceron/scripts/install.sh.tpl.tmpl

@@ -53,24 +53,24 @@ sudo mv vault /usr/src/app/vault
 sudo chmod 0700 /usr/src/app/vault
 sudo chown root:root /usr/src/app/vault
 sudo setcap cap_ipc_lock=+ep /usr/src/app/vault
-sudo mkdir -p /etc/opt/vault/data/
-sudo mkdir -p /etc/opt/vault/plugins/
-sudo chmod 0700 /etc/opt/vault/plugins/
+sudo mkdir -p {{or .vaultRoot "/usr/local/vault"}}/data/
+sudo mkdir -p {{or .vaultRoot "/usr/local/vault"}}/plugins/
+sudo chmod 0700 {{or .vaultRoot "/usr/local/vault"}}/plugins/
 # Download 
 # Manually Download/copy carrier to plugins directory
-# sudo mv trc-vault-carrier-plugin /etc/opt/vault/plugins/
-sudo mkdir -p /etc/opt/vault/certs/
+# sudo mv trc-vault-carrier-plugin {{or .vaultRoot "/usr/local/vault"}}/plugins/
+sudo mkdir -p {{or .vaultRoot "/usr/local/vault"}}/certs/
 #copy everything from /tmp
-sudo mv /tmp/serv_*.pem /etc/opt/vault/certs/
-sudo mv /tmp/Digi*.crt.pem /etc/opt/vault/certs/
-sudo chown -R root:root /etc/opt/vault/certs
-sudo chmod 600 /etc/opt/vault/certs/*.pem
+sudo mv /tmp/serv_*.pem {{or .vaultRoot "/usr/local/vault"}}/certs/
+sudo mv /tmp/Digi*.crt.pem {{or .vaultRoot "/usr/local/vault"}}/certs/
+sudo chown -R root:root {{or .vaultRoot "/usr/local/vault"}}/certs
+sudo chmod 600 {{or .vaultRoot "/usr/local/vault"}}/certs/*.pem
 
 privateip=$(hostname -I | cut -d' ' -f1); sed -i "s/127.0.0.1/$privateip/g" /tmp/vault_properties.hcl
 #get pem files locally 
-sudo mv /tmp/vault_properties.hcl /etc/opt/vault/vault_properties.hcl
-sudo chown root:root /etc/opt/vault/vault_properties.hcl
-sudo chmod -R 0700 /etc/opt/vault/
+sudo mv /tmp/vault_properties.hcl {{or .vaultRoot "/usr/local/vault"}}/vault_properties.hcl
+sudo chown root:root {{or .vaultRoot "/usr/local/vault"}}/vault_properties.hcl
+sudo chmod -R 0700 {{or .vaultRoot "/usr/local/vault"}}/
 
 # AGENT BLOCK: begin
 # When building out TrcDb instances, remove this AGENT BLOCK section from .tpl....
@@ -205,7 +205,7 @@ After=systemd-user-sessions.service
 Type=simple
 Environment="VAULT_API_ADDR=https://${HOST}:${HOSTPORT}"
 Environment="GOMAXPROCS=$(nproc)"
-ExecStart=/usr/src/app/vault server -config /etc/opt/vault/vault_properties.hcl
+ExecStart=/usr/src/app/vault server -config {{or .vaultRoot "/usr/local/vault"}}/vault_properties.hcl
 LimitMEMLOCK=infinity
 
 #end script

pkg/capauth/agentconfig.go

@@ -18,6 +18,7 @@ import (
 	"github.com/trimble-oss/tierceron/atrium/vestibulum/trcdb/opts/prod"
 	"github.com/trimble-oss/tierceron/buildopts/coreopts"
 	"github.com/trimble-oss/tierceron/buildopts/memprotectopts"
+	"github.com/trimble-oss/tierceron/pkg/tls"
 	eUtils "github.com/trimble-oss/tierceron/pkg/utils"
 	helperkv "github.com/trimble-oss/tierceron/pkg/vaulthelper/kv"
 	"google.golang.org/grpc"
@@ -119,7 +120,7 @@ func (agentconfig *AgentConfigs) PenseFeatherQuery(featherCtx *cap.FeatherContex
 		return nil, featherErr
 	}
 
-	creds, credErr := GetTransportCredentials()
+	creds, credErr := tls.GetTransportCredentials()
 
 	if credErr != nil {
 		return nil, credErr
@@ -290,7 +291,7 @@ func PenseQuery(trcshDriverConfig *TrcshDriverConfig, pense string) (*string, er
 	// TODO: add domain if it's missing because that might actually happen...  Pull the domain from
 	// vaddress in config..  that should always be the same...
 
-	creds, err := GetTransportCredentials()
+	creds, err := tls.GetTransportCredentials()
 	if err != nil {
 		return nil, err
 	}

pkg/capauth/creds.go

@@ -1,92 +1,12 @@
 package capauth
 
 import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"fmt"
-	"log"
-	"math/rand"
 	"net"
-	"os"
 	"strings"
-	"time"
-
-	"github.com/trimble-oss/tierceron/pkg/utils"
-	"google.golang.org/grpc/credentials"
-)
-
-const (
-	ServCert           = "/etc/opt/vault/certs/serv_cert.pem"
-	ServCertPrefixPath = "/etc/opt/vault/certs/"
-	ServCertLocal      = "./serv_cert.pem"
-	ServKey            = "/etc/opt/vault/certs/serv_key.pem"
 )
 
-var MashupCertPool *x509.CertPool
-
-func ReadServerCert(certName string) ([]byte, error) {
-	var err error
-	if len(certName) == 0 {
-		if utils.IsWindows() {
-			return os.ReadFile(ServCertLocal)
-		}
-		if _, err = os.Stat(ServCert); err == nil {
-			return os.ReadFile(ServCert)
-		}
-	} else if _, err = os.Stat(ServCertPrefixPath + certName); err == nil { //To support &certName=??
-		return os.ReadFile(ServCertPrefixPath + certName)
-	} else {
-		if utils.IsWindows() {
-			return os.ReadFile(ServCertLocal)
-		}
-	}
-	return nil, err
-}
-
-func GetTlsConfig(certName string) (*tls.Config, error) {
-	// I don't think we're doing this right...?.?
-	// Comment out for now...
-	rootCertPool := x509.NewCertPool()
-	pem, err := ReadServerCert(certName)
-	if err != nil {
-		return nil, err
-	}
-	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
-		return nil, errors.New("couldn't append certs to root")
-	}
-	// clientCert := make([]tls.Certificate, 0, 1)
-	// certs, err := tls.LoadX509KeyPair(ServCert, ServKey)
-	// if err != nil {
-	// 	return nil, err
-	// }
-	// clientCert = append(clientCert, certs)
-	return &tls.Config{
-		RootCAs: rootCertPool,
-		//		Certificates: clientCert,
-	}, nil
-}
-
-func init() {
-	rand.Seed(time.Now().UnixNano())
-	mashupCertBytes, err := ReadServerCert("")
-	if err != nil {
-		fmt.Println("Cert read failure.")
-		return
-	}
-
-	mashupBlock, _ := pem.Decode([]byte(mashupCertBytes))
-
-	mashupClientCert, parseErr := x509.ParseCertificate(mashupBlock.Bytes)
-	if parseErr != nil {
-		fmt.Println("Cert parse read failure.")
-		return
-	}
-	MashupCertPool = x509.NewCertPool()
-	MashupCertPool.AddCert(mashupClientCert)
-}
-
 func LocalIp(env string) (string, error) {
 
 	interfaces, err := net.Interfaces()
@@ -144,41 +64,3 @@ func LocalAddr(env string) (string, error) {
 
 	return localHost, nil
 }
-
-func GetTransportCredentials() (credentials.TransportCredentials, error) {
-
-	mashupKeyBytes, err := ReadServerCert("")
-	if err != nil {
-		return nil, err
-	}
-
-	return credentials.NewTLS(&tls.Config{
-		ServerName: "",
-		Certificates: []tls.Certificate{
-			{
-				Certificate: [][]byte{mashupKeyBytes},
-			},
-		},
-		InsecureSkipVerify: false}), nil
-}
-
-func GetServerCredentials(logger *log.Logger) (credentials.TransportCredentials, error) {
-	mashupCertBytes, err := os.ReadFile(ServCert)
-	if err != nil {
-		logger.Printf("Couldn't load cert: %v\n", err)
-		return nil, err
-	}
-
-	mashupKeyBytes, err := os.ReadFile(ServKey)
-	if err != nil {
-		logger.Printf("Couldn't load key: %v\n", err)
-		return nil, err
-	}
-
-	cert, err := tls.X509KeyPair(mashupCertBytes, mashupKeyBytes)
-	if err != nil {
-		logger.Printf("Couldn't load cert: %v\n", err)
-		return nil, err
-	}
-	return credentials.NewServerTLSFromCert(&cert), nil
-}

pkg/core/dbutil/dbutil.go

@@ -10,6 +10,7 @@ import (
 	"github.com/trimble-oss/tierceron/atrium/vestibulum/trcdb/opts/prod"
 	"github.com/trimble-oss/tierceron/pkg/capauth"
 	"github.com/trimble-oss/tierceron/pkg/core"
+	"github.com/trimble-oss/tierceron/pkg/tls"
 	"github.com/trimble-oss/tierceron/pkg/validator"
 
 	"github.com/xo/dburl"
@@ -24,7 +25,7 @@ func OpenDirectConnection(config *core.CoreConfig, url string, username string,
 	}
 
 	var conn *sql.DB
-	tlsConfig, err := capauth.GetTlsConfig(certName)
+	tlsConfig, err := tls.GetTlsConfig(certName)
 	if err != nil {
 		return nil, err
 	}