// Reads the configuration file for storage setup, and sets up the cryptoservice // mapping func setUpCryptoservices(configuration *viper.Viper, allowedBackends []string) ( signer.CryptoServiceIndex, error) { storeConfig, err := utils.ParseStorage(configuration, allowedBackends) if err != nil { return nil, err } var keyStore trustmanager.KeyStore if storeConfig.Backend == utils.MemoryBackend { keyStore = trustmanager.NewKeyMemoryStore( passphrase.ConstantRetriever("memory-db-ignore")) } else { defaultAlias := configuration.GetString("storage.default_alias") if defaultAlias == "" { // backwards compatibility - support this environment variable defaultAlias = configuration.GetString(defaultAliasEnv) } if defaultAlias == "" { return nil, fmt.Errorf("must provide a default alias for the key DB") } logrus.Debug("Default Alias: ", defaultAlias) dbStore, err := keydbstore.NewKeyDBStore( passphraseRetriever, defaultAlias, storeConfig.Backend, storeConfig.Source) if err != nil { return nil, fmt.Errorf("failed to create a new keydbstore: %v", err) } logrus.Debugf("Using %s DB: %s", storeConfig.Backend, storeConfig.Source) health.RegisterPeriodicFunc( "DB operational", dbStore.HealthCheck, time.Second*60) keyStore = dbStore } cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices := make(signer.CryptoServiceIndex) cryptoServices[data.ED25519Key] = cryptoService cryptoServices[data.ECDSAKey] = cryptoService return cryptoServices, nil }
// parses the configuration and returns a backing store for the TUF files func getStore(configuration *viper.Viper, allowedBackends []string) ( storage.MetaStore, error) { storeConfig, err := utils.ParseStorage(configuration, allowedBackends) if err != nil { return nil, err } logrus.Infof("Using %s backend", storeConfig.Backend) if storeConfig.Backend == utils.MemoryBackend { return storage.NewMemStorage(), nil } store, err := storage.NewSQLStorage(storeConfig.Backend, storeConfig.Source) if err != nil { return nil, fmt.Errorf("Error starting DB driver: %s", err.Error()) } health.RegisterPeriodicFunc( "DB operational", store.CheckHealth, time.Second*60) return store, nil }
// Reads the configuration file for storage setup, and sets up the cryptoservice // mapping func setUpCryptoservices(configuration *viper.Viper, allowedBackends []string, doBootstrap bool) ( signer.CryptoServiceIndex, error) { backend := configuration.GetString("storage.backend") if !tufutils.StrSliceContains(allowedBackends, backend) { return nil, fmt.Errorf("%s is not an allowed backend, must be one of: %s", backend, allowedBackends) } var keyService signed.CryptoService switch backend { case notary.MemoryBackend: keyService = cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore( passphrase.ConstantRetriever("memory-db-ignore"))) case notary.RethinkDBBackend: var sess *gorethink.Session storeConfig, err := utils.ParseRethinkDBStorage(configuration) if err != nil { return nil, err } defaultAlias, err := getDefaultAlias(configuration) if err != nil { return nil, err } tlsOpts := tlsconfig.Options{ CAFile: storeConfig.CA, CertFile: storeConfig.Cert, KeyFile: storeConfig.Key, } if doBootstrap { sess, err = rethinkdb.AdminConnection(tlsOpts, storeConfig.Source) } else { sess, err = rethinkdb.UserConnection(tlsOpts, storeConfig.Source, storeConfig.Username, storeConfig.Password) } if err != nil { return nil, fmt.Errorf("Error starting %s driver: %s", backend, err.Error()) } s := keydbstore.NewRethinkDBKeyStore(storeConfig.DBName, storeConfig.Username, storeConfig.Password, passphraseRetriever, defaultAlias, sess) health.RegisterPeriodicFunc("DB operational", time.Minute, s.CheckHealth) if doBootstrap { keyService = s } else { keyService = keydbstore.NewCachedKeyService(s) } case notary.MySQLBackend, notary.SQLiteBackend, notary.PostgresBackend: storeConfig, err := utils.ParseSQLStorage(configuration) if err != nil { return nil, err } defaultAlias, err := getDefaultAlias(configuration) if err != nil { return nil, err } dbStore, err := keydbstore.NewSQLKeyDBStore( passphraseRetriever, defaultAlias, storeConfig.Backend, storeConfig.Source) if err != nil { return nil, fmt.Errorf("failed to create a new keydbstore: %v", err) } health.RegisterPeriodicFunc( "DB operational", time.Minute, dbStore.HealthCheck) keyService = keydbstore.NewCachedKeyService(dbStore) } if doBootstrap { err := bootstrap(keyService) if err != nil { logrus.Fatal(err.Error()) } os.Exit(0) } cryptoServices := make(signer.CryptoServiceIndex) cryptoServices[data.ED25519Key] = keyService cryptoServices[data.ECDSAKey] = keyService return cryptoServices, nil }
func main() { flag.Usage = usage flag.Parse() if debug { go debugServer(debugAddr) } // when the signer starts print the version for debugging and issue logs later logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit) filename := filepath.Base(configFile) ext := filepath.Ext(configFile) configPath := filepath.Dir(configFile) mainViper.SetConfigType(strings.TrimPrefix(ext, ".")) mainViper.SetConfigName(strings.TrimSuffix(filename, ext)) mainViper.AddConfigPath(configPath) err := mainViper.ReadInConfig() if err != nil { logrus.Error("Viper Error: ", err.Error()) logrus.Error("Could not read config at ", configFile) os.Exit(1) } logrus.SetLevel(logrus.Level(mainViper.GetInt("logging.level"))) tlsConfig, err := signerTLS(mainViper, true) if err != nil { logrus.Fatalf(err.Error()) } cryptoServices := make(signer.CryptoServiceIndex) configDBType := strings.ToLower(mainViper.GetString("storage.backend")) dbURL := mainViper.GetString("storage.db_url") if configDBType != dbType || dbURL == "" { usage() log.Fatalf("Currently only a MySQL database backend is supported.") } dbSQL, err := sql.Open(configDBType, dbURL) if err != nil { log.Fatalf("failed to open the database: %s, %v", dbURL, err) } defaultAlias := mainViper.GetString(defaultAliasEnv) logrus.Debug("Default Alias: ", defaultAlias) keyStore, err := keydbstore.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL) if err != nil { log.Fatalf("failed to create a new keydbstore: %v", err) } health.RegisterPeriodicFunc( "DB operational", keyStore.HealthCheck, time.Second*60) cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices[data.ED25519Key] = cryptoService cryptoServices[data.ECDSAKey] = cryptoService //RPC server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} ss := &api.SignerServer{CryptoServices: cryptoServices, HealthChecker: health.CheckStatus} rpcAddr := mainViper.GetString("server.grpc_addr") lis, err := net.Listen("tcp", rpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds := credentials.NewTLS(tlsConfig) opts := []grpc.ServerOption{grpc.Creds(creds)} grpcServer := grpc.NewServer(opts...) pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) go grpcServer.Serve(lis) httpAddr := mainViper.GetString("server.http_addr") if httpAddr == "" { log.Fatalf("Server address is required") } //HTTP server setup server := http.Server{ Addr: httpAddr, Handler: api.Handlers(cryptoServices), TLSConfig: tlsConfig, } if debug { log.Println("RPC server listening on", rpcAddr) log.Println("HTTP server listening on", httpAddr) } err = server.ListenAndServeTLS("", "") if err != nil { log.Fatal("HTTPS server failed to start:", err) } }
func main() { flag.Usage = usage flag.Parse() if debug { go debugServer(DebugAddress) } // when the server starts print the version for debugging and issue logs later logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit) ctx := context.Background() filename := filepath.Base(configFile) ext := filepath.Ext(configFile) configPath := filepath.Dir(configFile) mainViper.SetConfigType(strings.TrimPrefix(ext, ".")) mainViper.SetConfigName(strings.TrimSuffix(filename, ext)) mainViper.AddConfigPath(configPath) // Automatically accept configuration options from the environment mainViper.SetEnvPrefix("NOTARY_SERVER") mainViper.SetEnvKeyReplacer(strings.NewReplacer(".", "_")) mainViper.AutomaticEnv() err := mainViper.ReadInConfig() if err != nil { logrus.Error("Viper Error: ", err.Error()) logrus.Error("Could not read config at ", configFile) os.Exit(1) } lvl, err := logrus.ParseLevel(mainViper.GetString("logging.level")) if err != nil { lvl = logrus.ErrorLevel logrus.Error("Could not parse log level from config. Defaulting to ErrorLevel") } logrus.SetLevel(lvl) // set up bugsnag and attach to logrus bugs := mainViper.GetString("reporting.bugsnag") if bugs != "" { apiKey := mainViper.GetString("reporting.bugsnag_api_key") releaseStage := mainViper.GetString("reporting.bugsnag_release_stage") bugsnag.Configure(bugsnag.Configuration{ APIKey: apiKey, ReleaseStage: releaseStage, }) hook, err := bugsnag_hook.NewBugsnagHook() if err != nil { logrus.Error("Could not attach bugsnag to logrus: ", err.Error()) } else { logrus.AddHook(hook) } } keyAlgo := mainViper.GetString("trust_service.key_algorithm") if keyAlgo == "" { logrus.Fatal("no key algorithm configured.") os.Exit(1) } ctx = context.WithValue(ctx, "keyAlgorithm", keyAlgo) var trust signed.CryptoService if mainViper.GetString("trust_service.type") == "remote" { logrus.Info("Using remote signing service") clientTLS, err := grpcTLS(mainViper) if err != nil { logrus.Fatal(err.Error()) } notarySigner := client.NewNotarySigner( mainViper.GetString("trust_service.hostname"), mainViper.GetString("trust_service.port"), clientTLS, ) trust = notarySigner minute := 1 * time.Minute health.RegisterPeriodicFunc( "Trust operational", // If the trust service fails, the server is degraded but not // exactly unheatlthy, so always return healthy and just log an // error. func() error { err := notarySigner.CheckHealth(minute) if err != nil { logrus.Error("Trust not fully operational: ", err.Error()) } return nil }, minute) } else { logrus.Info("Using local signing service") trust = signed.NewEd25519() } if mainViper.GetString("storage.backend") == "mysql" { logrus.Info("Using mysql backend") dbURL := mainViper.GetString("storage.db_url") store, err := storage.NewSQLStorage("mysql", dbURL) if err != nil { logrus.Fatal("Error starting DB driver: ", err.Error()) return // not strictly needed but let's be explicit } health.RegisterPeriodicFunc( "DB operational", store.CheckHealth, time.Second*60) ctx = context.WithValue(ctx, "metaStore", store) } else { logrus.Debug("Using memory backend") ctx = context.WithValue(ctx, "metaStore", storage.NewMemStorage()) } tlsConfig, err := serverTLS(mainViper) if err != nil { logrus.Fatal(err.Error()) } logrus.Info("Starting Server") err = server.Run( ctx, mainViper.GetString("server.addr"), tlsConfig, trust, mainViper.GetString("auth.type"), mainViper.Get("auth.options"), ) logrus.Error(err.Error()) return }
func main() { flag.Usage = usage flag.Parse() if debug { go debugServer(debugAddr) } // when the signer starts print the version for debugging and issue logs later logrus.Infof("Version: %s, Git commit: %s", version.NotaryVersion, version.GitCommit) filename := filepath.Base(configFile) ext := filepath.Ext(configFile) configPath := filepath.Dir(configFile) viper.SetConfigType(strings.TrimPrefix(ext, ".")) viper.SetConfigName(strings.TrimSuffix(filename, ext)) viper.AddConfigPath(configPath) err := viper.ReadInConfig() if err != nil { logrus.Error("Viper Error: ", err.Error()) logrus.Error("Could not read config at ", configFile) os.Exit(1) } logrus.SetLevel(logrus.Level(viper.GetInt("logging.level"))) certFile := viper.GetString("server.cert_file") keyFile := viper.GetString("server.key_file") if certFile == "" || keyFile == "" { usage() log.Fatalf("Certificate and key are mandatory") } tlsConfig := &tls.Config{ MinVersion: tls.VersionTLS12, PreferServerCipherSuites: true, CipherSuites: []uint16{ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_AES_256_CBC_SHA}, } tlsConfig.Rand = rand.Reader cryptoServices := make(signer.CryptoServiceIndex) pin := viper.GetString(pinCode) pkcs11Lib := viper.GetString("crypto.pkcs11lib") if pkcs11Lib != "" { if pin == "" { log.Fatalf("Using PIN is mandatory with pkcs11") } ctx, session := SetupHSMEnv(pkcs11Lib, pin) defer cleanup(ctx, session) cryptoServices[data.RSAKey] = api.NewRSAHardwareCryptoService(ctx, session) } configDBType := strings.ToLower(viper.GetString("storage.backend")) dbURL := viper.GetString("storage.db_url") if configDBType != dbType || dbURL == "" { usage() log.Fatalf("Currently only a MySQL database backend is supported.") } dbSQL, err := sql.Open(configDBType, dbURL) if err != nil { log.Fatalf("failed to open the database: %s, %v", dbURL, err) } defaultAlias := viper.GetString(defaultAliasEnv) logrus.Debug("Default Alias: ", defaultAlias) keyStore, err := signer.NewKeyDBStore(passphraseRetriever, defaultAlias, configDBType, dbSQL) if err != nil { log.Fatalf("failed to create a new keydbstore: %v", err) } health.RegisterPeriodicFunc( "DB operational", keyStore.HealthCheck, time.Second*60) cryptoService := cryptoservice.NewCryptoService("", keyStore) cryptoServices[data.ED25519Key] = cryptoService cryptoServices[data.ECDSAKey] = cryptoService //RPC server setup kms := &api.KeyManagementServer{CryptoServices: cryptoServices} ss := &api.SignerServer{CryptoServices: cryptoServices} rpcAddr := viper.GetString("server.grpc_addr") lis, err := net.Listen("tcp", rpcAddr) if err != nil { log.Fatalf("failed to listen %v", err) } creds, err := credentials.NewServerTLSFromFile(certFile, keyFile) if err != nil { log.Fatalf("failed to generate credentials %v", err) } opts := []grpc.ServerOption{grpc.Creds(creds)} grpcServer := grpc.NewServer(opts...) pb.RegisterKeyManagementServer(grpcServer, kms) pb.RegisterSignerServer(grpcServer, ss) go grpcServer.Serve(lis) httpAddr := viper.GetString("server.http_addr") if httpAddr == "" { log.Fatalf("Server address is required") } //HTTP server setup server := http.Server{ Addr: httpAddr, Handler: api.Handlers(cryptoServices), TLSConfig: tlsConfig, } if debug { log.Println("RPC server listening on", rpcAddr) log.Println("HTTP server listening on", httpAddr) } err = server.ListenAndServeTLS(certFile, keyFile) if err != nil { log.Fatal("HTTP server failed to start:", err) } }