Merge pull request #205 from medizininformatik-initiative/feature/203…

…-support-self-signed-certificates

#203 - Support self-signed certificates

Dockerfile

@@ -19,10 +19,17 @@ ENV FEASIBILITY_DATABASE_HOST="feasibility-network"
 ENV FEASIBILITY_DATABASE_PORT=5432
 ENV FEASIBILITY_DATABASE_USER=postgres
 ENV FEASIBILITY_DATABASE_PASSWORD=password
+ENV CERTIFICATE_PATH=/opt/codex-feasibility-backend/certs
+ENV TRUSTSTORE_PATH=/opt/codex-feasibility-backend/truststore
+ENV TRUSTSTORE_FILE=self-signed-truststore.jks
+
+RUN mkdir -p $CERTIFICATE_PATH $TRUSTSTORE_PATH
+RUN chown feasibility:feasibility $CERTIFICATE_PATH $TRUSTSTORE_PATH
 
 HEALTHCHECK --interval=5s --start-period=10s CMD curl -s -f http://localhost:8090/actuator/health || exit 1
 
-ENTRYPOINT ["java","-jar","feasibility-gui-backend.jar"]
+COPY ./docker-entrypoint.sh /
+ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
 
 ARG GIT_REF=""
 ARG BUILD_TIME=""

README.md

@@ -120,6 +120,16 @@ If the number of total results is below threshold, no result will be provided.
 | PRIVACY_THRESHOLD_SITES                                       | If the number of responding sites (above PRIVACY_THRESHOLD_SITES_RESULT) is below this number, only respond with a total amount of patients                   |         | 20      |
 | PRIVACY_THRESHOLD_SITES_RESULT                                | Any site that reports a number below this threshold is considered as non-responding (or zero) in regard to PRIVACY_THRESHOLD_SITES                            |         | 20      |
 
+## Support for self-signed certificates
+
+The feasibility backend supports the use of self-signed certificates from your own CAs.
+On each startup, the feasibility backend will search through the folder /app/certs inside the container, add all found
+CA *.pem files to a java truststore and start the application with this truststore.
+
+Using docker-compose, mount a folder from your host (e.g.: ./certs) to the /app/certs folder,
+add your *.pem files (one for each CA you would like to support) to the folder and ensure that they
+have the .pem extension.
+
 ## Setting up Development
 
 In order to run this project the following steps need to be followed:

docker-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+TRUSTSTORE_FILE="/opt/codex-feasibility-backend/truststore/self-signed-truststore.jks"
+TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}
+KEY_PASS=${KEY_PASS:-changeit}
+
+shopt -s nullglob
+IFS=$'\n'
+ca_files=(certs/*.pem)
+
+if [ ! "${#ca_files[@]}" -eq 0 ]; then
+
+    echo "# At least one CA file with extension *.pem found in certs folder -> starting feasibility backend with own CAs"
+
+    if [[ -f "$TRUSTSTORE_FILE" ]]; then
+          echo "## Truststore already exists -> resetting truststore"
+          rm "$TRUSTSTORE_FILE"
+    fi
+
+    keytool -genkey -alias self-signed-truststore -keyalg RSA -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -keypass "$KEY_PASS" -dname "CN=self-signed,OU=self-signed,O=self-signed,L=self-signed,S=self-signed,C=TE"
+    keytool -delete -alias self-signed-truststore -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+    for filename in "${ca_files[@]}"; do
+
+      echo "### ADDING CERT: $filename"
+      keytool -delete -alias "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt > /dev/null 2>&1
+      keytool -importcert -alias "$filename" -file "$filename" -keystore "$TRUSTSTORE_FILE" -storepass "$TRUSTSTORE_PASS" -noprompt
+
+    done
+
+    java -Djavax.net.ssl.trustStore="$TRUSTSTORE_FILE" -Djavax.net.ssl.trustStorePassword="$TRUSTSTORE_PASS" -jar feasibility-gui-backend.jar
+else
+    echo "# No CA *.pem cert files found in /opt/codex-feasibility-backend/certs -> starting feasibility backend without own CAs"
+    java -jar feasibility-gui-backend.jar
+fi