feat/pass send push messages

.env

@@ -13,3 +13,10 @@ WEBSOCKET_LISTEN_ADDR=:8081
 SECURITY_RATE_LIMIT_IP=1000
 SECURITY_RATE_LIMIT_BE=100
 SECURITY_RATE_LIMIT_MOBILE=100
+
+PASS_ADDR=:8082
+FAKE_MOBILE_PUSH=true
+
+AWS_ACCESS_KEY_ID=test
+AWS_SECRET_ACCESS_KEY=test
+AWS_ENDPOINT="http://localhost:4566"

.gitignore

@@ -22,3 +22,4 @@ licenses-errors
 
 data/
 .env.testing
+

Makefile

@@ -41,7 +41,7 @@ tests-e2e: ## run end to end tests
 	go test ./e2e-tests/mobile/... -count=1
 	go test ./e2e-tests/support/... -count=1
 	go test ./e2e-tests/system/... -count=1
-
+	PASS_ADDR="localhost:8088" go test ./e2e-tests/pass/... -count=1
 
 vendor-licenses: ## report vendor licenses
 	go-licenses report ./cmd/api --template licenses.tpl > licenses.json 2> licenses-errors

cmd/pass/main.go

@@ -0,0 +1,25 @@
+package main
+
+import (
+	"github.com/kelseyhightower/envconfig"
+
+	"github.com/twofas/2fas-server/config"
+	"github.com/twofas/2fas-server/internal/common/logging"
+	"github.com/twofas/2fas-server/internal/pass"
+)
+
+func main() {
+	logging.Init(logging.Fields{"service_name": "pass"})
+
+	var cfg config.PassConfig
+	err := envconfig.Process("", &cfg)
+	if err != nil {
+		logging.Fatal(err.Error())
+	}
+
+	server := pass.NewServer(cfg)
+
+	if err := server.Run(); err != nil {
+		logging.Fatal(err.Error())
+	}
+}

config/pass_config.go

@@ -0,0 +1,13 @@
+package config
+
+import "time"
+
+type PassConfig struct {
+	Addr                                string        `envconfig:"PASS_ADDR" default:":8082"`
+	KMSKeyID                            string        `envconfig:"KMS_KEY_ID" default:"alias/pass_service_signing_key"`
+	AWSEndpoint                         string        `envconfig:"AWS_ENDPOINT" default:""`
+	AWSRegion                           string        `envconfig:"AWS_REGION" default:"us-east-2"`
+	FirebaseServiceAccount              string        `envconfig:"FIREBASE_SA"`
+	FakeMobilePush                      bool          `envconfig:"FAKE_MOBILE_PUSH" default:"false"`
+	PairingRequestTokenValidityDuration time.Duration `envconfig:"PAIRING_REQUEST_TOKEN_VALIDITY_DURATION" default:"8765h"` // 1 year
+}

deployments/pass/appspec.yml

@@ -0,0 +1,9 @@
+version: 0.0
+Resources:
+  - TargetService:
+      Type: AWS::ECS::Service
+      Properties:
+        TaskDefinition: <TASK_DEFINITION>
+        LoadBalancerInfo:
+          ContainerName: "2fas-pass"
+          ContainerPort: 8082

deployments/pass/buildspec.yml

@@ -0,0 +1,38 @@
+version: 0.2
+
+env:
+  secrets-manager:
+    DOCKERHUB_USERNAME: hub.docker.com:username
+    DOCKERHUB_PASS: hub.docker.com:password
+
+phases:
+  pre_build:
+    commands:
+      - IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
+      - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com/$IMAGE_REPO_NAME
+      - echo Logging in to Docker HUB to avoid rate limit
+      - echo "$DOCKERHUB_PASS" | docker login --username $DOCKERHUB_USERNAME --password-stdin
+      - echo Logging in to Amazon ECR
+      - aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com
+
+  build:
+    commands:
+      - echo Build started on `date`
+      - echo Building the Docker image
+      - docker build -f docker/pass/Dockerfile -t $REPOSITORY_URI:latest .
+      - docker tag $REPOSITORY_URI:latest $REPOSITORY_URI:$IMAGE_TAG
+
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Pushing the Docker images latest, $IMAGE_TAG
+      - docker push $REPOSITORY_URI:latest
+      - docker push $REPOSITORY_URI:$IMAGE_TAG
+      - sed -i 's/<AWS_ACCOUNT_ID>/'$AWS_ACCOUNT_ID'/g' deployments/pass/taskdef.json
+      - sed -i 's/<IMAGE_NAME>/'$AWS_ACCOUNT_ID'\.dkr\.ecr\.'$AWS_DEFAULT_REGION'\.amazonaws.com\/'$IMAGE_REPO_NAME'\:'$IMAGE_TAG'/g' deployments/pass/taskdef.json
+
+artifacts:
+  files:
+    - imageDetail.json
+    - deployments/pass/appspec.yml
+    - deployments/pass/taskdef.json

deployments/pass/taskdef.json

@@ -0,0 +1,45 @@
+{
+  "executionRoleArn": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/2fas-pass_ecsTaskExecutionRole",
+  "taskRoleArn": "arn:aws:iam::<AWS_ACCOUNT_ID>:role/2fas-pass_ecsTaskRole",
+  "containerDefinitions": [
+    {
+      "name": "2fas-pass",
+      "image": "<IMAGE_NAME>",
+      "essential": true,
+      "portMappings": [
+        {
+          "hostPort": 8082,
+          "protocol": "tcp",
+          "containerPort": 8082
+        }
+      ],
+      "environmentFiles": [
+        {
+          "value": "arn:aws:s3:::2fas-production-env/pass.env",
+          "type": "s3"
+        }
+      ],
+      "secrets": [
+        {
+          "name": "FIREBASE_SA",
+          "valueFrom": "arn:aws:secretsmanager:us-east-2:<AWS_ACCOUNT_ID>:secret:prod/pass-8pVN76:pass_firebase_sa::"
+        }
+      ],
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group" : "/ecs/2fas-pass",
+          "awslogs-region": "us-east-2",
+          "awslogs-stream-prefix": "ecs"
+        }
+      }
+    }
+  ],
+  "requiresCompatibilities": [
+    "FARGATE"
+  ],
+  "networkMode": "awsvpc",
+  "family": "2fas-pass",
+  "cpu": "256",
+  "memory": "512"
+}

docker-compose.yml

@@ -82,6 +82,41 @@ services:
       - shared-volume:/tmp/2fas
     command: chown -R 1000:1000 /tmp/2fas
 
+  pass:
+    build:
+      context: .
+      dockerfile: docker/pass/Dockerfile
+    group_add:
+      - '1000'
+    ports:
+      - "8088:8082"
+    environment:
+      # overwrite AWS_ENDPOINT from .env file. One in env is used to running app from local also.
+      AWS_ENDPOINT: http://localstack-main:4566
+      AWS_REGION: us-east-1
+    env_file:
+      - .env
+    depends_on:
+      localstack:
+        condition: service_healthy
+
+  localstack:
+    container_name: "${LOCALSTACK_DOCKER_NAME:-localstack-main}"
+    image: localstack/localstack
+    ports:
+      - "127.0.0.1:4566:4566"
+    environment:
+      - DEBUG=1
+    healthcheck:
+      test: >-
+        curl -s localhost:4566/_localstack/health | grep -q '"kms": "running"'
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    volumes:
+      - "./e2e-tests/localstack_init.sh:/etc/localstack/init/ready.d/localstack_init.sh"  # ready hook
+      - "./data/localstack:/var/lib/localstack"
+      - "/var/run/docker.sock:/var/run/docker.sock"
 
 volumes:
   go-modules:

docker/pass/Dockerfile

@@ -0,0 +1,30 @@
+FROM golang:1.21-alpine as build
+
+ENV GO111MODULE=on \
+    CGO_ENABLED=0 \
+    GOOS=linux \
+    GOARCH=amd64
+
+WORKDIR /go/src/2fas
+
+COPY go.mod go.sum ./
+
+RUN go mod download -x
+
+COPY . .
+
+RUN mkdir -p bin
+
+RUN go build -trimpath -o bin/pass ./cmd/pass/main.go
+
+FROM alpine:latest
+
+RUN adduser 2fas -D
+
+USER 2fas
+
+WORKDIR /home/2fas/
+
+COPY --from=build /go/src/2fas/bin/* /usr/local/bin/
+
+CMD ["pass"]

e2e-tests/localstack_init.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+apt install --assume-yes jq
+
+AWS_REGION=us-east-1
+KEY_ALIAS=pass_service_signing_key
+
+response=$(awslocal kms create-key \
+  --region $AWS_REGION \
+  --key-usage SIGN_VERIFY \
+  --customer-master-key-spec ECC_NIST_P256)
+
+key_id=$(echo "${response}" | jq -r '.KeyMetadata.KeyId')
+
+awslocal kms create-alias \
+  --region $AWS_REGION \
+  --alias-name "alias/$KEY_ALIAS" \
+  --target-key-id "${key_id}"