From cfb7c695f5983f4d929ed12e62c847c266e34e1e Mon Sep 17 00:00:00 2001
From: Jorge Moratinos Salcines
Date: Mon, 3 Feb 2025 12:37:54 +0100
Subject: [PATCH] Capif hostname change fixes on local deployment
---
 services/clean_capif_docker_services.sh | 11 +++++
 services/docker-compose-register.yml | 1 +
 services/docker-compose-vault.yml | 1 +
 services/register/Dockerfile | 2 -
 services/run.sh | 24 +++++++++-
 services/vault/vault_prepare_certs.sh | 62 ++++++++-----------------
 6 files changed, 56 insertions(+), 45 deletions(-)
diff --git a/services/clean_capif_docker_services.sh b/services/clean_capif_docker_services.sh
index dec71b82..b547fdb7 100755
--- a/services/clean_capif_docker_services.sh
+++ b/services/clean_capif_docker_services.sh
@@ -3,6 +3,8 @@
 # Directories variables setup (no modification needed)
 export SERVICES_DIR=$(dirname "$(readlink -f "$0")")
 export CAPIF_BASE_DIR=$(dirname "$SERVICES_DIR")
+# Path to the register config.yaml file
+REGISTER_CONFIG_FILE="$SERVICES_DIR/register/config.yaml"
 help() {
 echo "Usage: $1 "
@@ -81,6 +83,15 @@ for FILE in "${FILES[@]}"; do
 fi
 done
+# Check if the backup config.yaml file exists before restoring
+if [ -f "$REGISTER_CONFIG_FILE.bak" ]; then
+git update-index --no-assume-unchanged "$REGISTER_CONFIG_FILE.bak"
+mv "$REGISTER_CONFIG_FILE.bak" "$REGISTER_CONFIG_FILE"
+git update-index --no-assume-unchanged "$REGISTER_CONFIG_FILE"
+else
+echo "Backup config file not found, skipping restore."
+fi
+
 docker network rm capif-network
 docker volume prune --all --force
diff --git a/services/docker-compose-register.yml b/services/docker-compose-register.yml
index 011e9063..9d5bc707 100644
--- a/services/docker-compose-register.yml
+++ b/services/docker-compose-register.yml
@@ -13,6 +13,7 @@ services:
 - VAULT_PORT=8200
 - LOG_LEVEL=${LOG_LEVEL}
 - TIMEOUT=10
+ - CAPIF_HOSTNAME=${CAPIF_HOSTNAME}
 extra_hosts:
 - host.docker.internal:host-gateway
 - vault:host-gateway
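Review bot: `git update-index --no-assume-unchanged "$REGISTER_CONFIG_FILE.bak"` operates on a file git does not track (run.sh creates it with `cp` and never adds it), so git refuses with "Unable to mark file" and the line only adds noise to the cleanup output; drop it and keep the call on the tracked file. `git update-index` also has to run with a working directory inside the repository, and the visible lines of this script do not `cd` there, so invoking it as `git -C "$CAPIF_BASE_DIR" update-index --no-assume-unchanged "$REGISTER_CONFIG_FILE"` (CAPIF_BASE_DIR is set at the top of the file) makes the restore independent of where the user runs the script from. Running it after the `mv` is the right order, since the flag lives in the index rather than the file.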
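Review bot: `${CAPIF_HOSTNAME}` carries no default or required marker, so when the service is started without run.sh (a plain `docker compose up`) compose substitutes an empty string with only a warning and the register container starts with an empty CAPIF_HOSTNAME. Compose supports `- CAPIF_HOSTNAME=${CAPIF_HOSTNAME:?CAPIF_HOSTNAME must be set}`, which fails fast instead. The same applies to the identical line added to services/docker-compose-vault.yml, where an empty value ends up as the PKI role's allowed_domains and the certificate common name.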
diff --git a/services/docker-compose-vault.yml b/services/docker-compose-vault.yml
index 82a38d0a..d2d8f6db 100644
--- a/services/docker-compose-vault.yml
+++ b/services/docker-compose-vault.yml
@@ -10,6 +10,7 @@ services:
 environment:
 - VAULT_DEV_ROOT_TOKEN_ID=dev-only-token
 - VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200
+ - CAPIF_HOSTNAME=${CAPIF_HOSTNAME}
 volumes:
 - ./vault/data:/vault/data
 - ./vault/config:/vault/config
diff --git a/services/register/Dockerfile b/services/register/Dockerfile
index bb03b219..24676e54 100644
--- a/services/register/Dockerfile
+++ b/services/register/Dockerfile
@@ -17,8 +17,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 RUN pip3 install --no-cache-dir -r requirements.txt
 RUN apt-get update && apt-get install -y --no-install-recommends openssl curl redis
-#ENV CAPIF_PRIV_KEY = $CAPIF_PRIV_KEY
-
 COPY . /usr/src/app
 EXPOSE 8080
diff --git a/services/run.sh b/services/run.sh
index 8a0094e6..6b748037 100755
--- a/services/run.sh
+++ b/services/run.sh
@@ -3,6 +3,8 @@
 # Directories variables setup (no modification needed)
 export SERVICES_DIR=$(dirname "$(readlink -f "$0")")
 export CAPIF_BASE_DIR=$(dirname "$SERVICES_DIR")
+# Path to the register config.yaml file
+REGISTER_CONFIG_FILE="$SERVICES_DIR/register/config.yaml"
 help() {
 echo "Usage: $1 "
@@ -40,6 +42,13 @@ else
 exit 1
 fi
+# Check if yq is installed
+if ! command -v yq &> /dev/null
+then
+echo "yq is not installed. Please install it first."
+exit 1
+fi
+
 # Read params
 while getopts ":c:l:mshr" opt; do
 case $opt in
@@ -74,6 +83,7 @@ done
 echo Nginx hostname will be $HOSTNAME, deploy $DEPLOY, monitoring $MONITORING_STATE
+# Deploy Monitoring stack
 if [ "$MONITORING_STATE" == "true" ] ; then
 echo '***Monitoring set as true***'
 echo '***Creating Monitoring stack***'
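Review bot: `command -v yq` only proves that something named yq is on PATH; two unrelated tools ship under that name (the Go binary from mikefarah and the Python wrapper around jq), and the `yq eval '…' -i` call later in this script is v4 syntax of the Go tool, so the Python one passes this check and the script fails later with a less helpful error. A stricter probe checks the version banner, e.g. `yq --version 2>/dev/null | grep -q mikefarah || { echo "yq (mikefarah, v4) is required." >&2; exit 1; }`. The check also sits before `getopts`, so `-h` now requires yq too, which is harmless but worth knowing; the error message itself would be better sent to stderr with `>&2` like the other failures presumably are.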
@@ -90,7 +100,8 @@ fi
 docker network create capif-network
-docker compose -f "$SERVICES_DIR/docker-compose-vault.yml" up --detach --build $CACHED_INFO
+# Deploy Vault service
+CAPIF_HOSTNAME=$HOSTNAME docker compose -f "$SERVICES_DIR/docker-compose-vault.yml" up --detach --build $CACHED_INFO
 status=$?
 if [ $status -eq 0 ]; then
@@ -100,6 +111,7 @@ else
 exit $status
 fi
+# Deploy Capif services
 CAPIF_HOSTNAME=$HOSTNAME MONITORING=$MONITORING_STATE LOG_LEVEL=$LOG_LEVEL docker compose -f "$SERVICES_DIR/docker-compose-capif.yml" up --detach --build $CACHED_INFO
 status=$?
@@ -110,6 +122,15 @@ else
 exit $status
 fi
+# Backup Original config.yaml file
+cp $REGISTER_CONFIG_FILE $REGISTER_CONFIG_FILE.bak
+# Mark the file as assume-unchanged
+git update-index --assume-unchanged "$REGISTER_CONFIG_FILE"
+
+# Edit Register Service URL within ccf in the config.yaml file
+yq eval ".ccf.url = \"$HOSTNAME\"" -i "$REGISTER_CONFIG_FILE"
+
+# Deploy Register service
 CAPIF_PRIV_KEY_BASE_64=$(echo "$(cat nginx/certs/server.key)")
 CAPIF_PRIV_KEY=$CAPIF_PRIV_KEY_BASE_64 LOG_LEVEL=$LOG_LEVEL docker compose -f "$SERVICES_DIR/docker-compose-register.yml" up --detach --build $CACHED_INFO
@@ -121,6 +142,7 @@ else
 exit $status
 fi
+# Deploy Robot Mock Server
 if [ "$ROBOT_MOCK_SERVER" == "true" ] ; then
 echo '***Robot Mock Server set as true***'
 echo '***Creating Robot Mock Server stack***'
diff --git a/services/vault/vault_prepare_certs.sh b/services/vault/vault_prepare_certs.sh
index dbec8fdb..b209ecfe 100644
--- a/services/vault/vault_prepare_certs.sh
+++ b/services/vault/vault_prepare_certs.sh
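Review bot: `cp $REGISTER_CONFIG_FILE $REGISTER_CONFIG_FILE.bak` runs unconditionally, so a second `run.sh` without an intervening clean overwrites the backup with the already-edited file and the original config.yaml can no longer be restored; guard it with `[ -f "$REGISTER_CONFIG_FILE.bak" ] || cp "$REGISTER_CONFIG_FILE" "$REGISTER_CONFIG_FILE.bak"` (quoted, as the same path is two lines below). The `yq eval ".ccf.url = \"$HOSTNAME\""` expression is assembled by interpolating the hostname argument into yq syntax, so a value containing a double quote breaks the expression and yq parses whatever follows as expression text; `HOSTNAME="$HOSTNAME" yq eval '.ccf.url = strenv(HOSTNAME)' -i "$REGISTER_CONFIG_FILE"` passes the value as data instead. As in clean_capif_docker_services.sh, `git update-index --assume-unchanged` needs a working directory inside the repository, which the visible lines do not guarantee; `git -C "$CAPIF_BASE_DIR" update-index --assume-unchanged "$REGISTER_CONFIG_FILE"` removes that dependency.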
@@ -1,13 +1,17 @@
 #!/bin/sh
-# Establecer las variables de entorno de Vault
+# Setup environment variables for Vault
+export VAULT_ADDR="http://$VAULT_DEV_LISTEN_ADDRESS"
+export VAULT_TOKEN=$VAULT_DEV_ROOT_TOKEN_ID
+HOSTNAME="$CAPIF_HOSTNAME"
-export VAULT_ADDR='http://0.0.0.0:8200'
-export VAULT_TOKEN="dev-only-token"
+echo "CAPIF_HOSTNAME: $HOSTNAME"
+echo "VAULT_ADDR: $VAULT_ADDR"
+echo "VAULT_TOKEN: $VAULT_TOKEN"
 vault secrets enable pki
-# Generar una CA en Vault
+# Generate a root CA
 vault secrets tune -max-lease-ttl=87600h pki
 vault write -field=certificate pki/root/generate/internal \
@@ -19,7 +23,7 @@ vault write pki/config/urls \
 issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
 crl_distribution_points="$VAULT_ADDR/v1/pki/crl"
-# # Generar una CA intermedia en Vault
+# Generate an intermediate CA
 vault secrets enable -path=pki_int pki
 vault secrets tune -max-lease-ttl=43800h pki_int
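Review bot: `echo "VAULT_TOKEN: $VAULT_TOKEN"` writes the Vault root token to the container's stdout, where `docker logs` and any log collector retain it; even as a dev-mode token it is the credential that controls the whole PKI, so keep only `echo "CAPIF_HOSTNAME: $HOSTNAME"` and `echo "VAULT_ADDR: $VAULT_ADDR"` and drop the token line (the `echo "$TOKEN"` at the end of the file has the same problem for the read-ca-token). `HOSTNAME="$CAPIF_HOSTNAME"` also accepts an empty value silently, which later becomes an empty `allowed_domains=` on the role and an empty CN in the CSR; `: "${CAPIF_HOSTNAME:?CAPIF_HOSTNAME must be set}"` before the assignment is valid under `#!/bin/sh` and fails fast with a clear message.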
@@ -29,34 +33,20 @@ vault write -format=json pki_int/intermediate/generate/internal \
 issuer_name="capif-intermediate" \
 | jq -r '.data.csr' > pki_intermediate.csr
-# Firmar la CA intermedia con la CA raíz
+# Sign the intermediate CA
 vault write -format=json pki/root/sign-intermediate \
 issuer_ref="root-2023" \
 csr=@pki_intermediate.csr \
 format=pem_bundle ttl="43800h" \
 | jq -r '.data.certificate' > capif_intermediate.cert.pem
-# Configurar la CA intermedia en Vault
+# Configure the intermediate CA
 vault write pki_int/intermediate/set-signed certificate=@capif_intermediate.cert.pem
-#Crear rol en Vault
-vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=true use_csr_sans=false allowed_domains=capifcore allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
+# Configure the role for the intermediate CA
+vault write pki_int/roles/my-ca use_csr_common_name=false require_cn=true use_csr_sans=false allowed_domains=$HOSTNAME allow_any_name=true allow_bare_domains=true allow_glob_domains=true allow_subdomains=true max_ttl=4300h ttl=4300h
-# Emitir un certificado firmado por la CA intermedia
-# vault write -format=json pki_int/issue/my-ca \
-# common_name="capifcore" \
-# format=pem_bundle ttl="438h" \
-# | jq -r '.data.certificate' > ccf_cert.crt.pem \
-# && jq -r '.data.issuing_ca' > root_ca.crt.pem \
-# && jq -r '.data.private_key' > private_key.pem
-
-# vault write -format=json pki_int/issue/my-ca \
-# common_name="capifcore" \
-# format=pem_bundle ttl="438h" \
-# | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
-
-
-#Create CSR
+# Generate a certificate
 openssl genrsa -out ./server.key 2048
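Review bot: Switching `allowed_domains=capifcore` to `allowed_domains=$HOSTNAME` has no restricting effect while the same role keeps `allow_any_name=true`, which lets the role sign a CSR for any common name regardless of allowed_domains. If the intent is to tie issuance from pki_int/sign/my-ca to the deployment hostname, set `allow_any_name=false` and keep `allow_bare_domains=true` and `allow_subdomains=true` so the hostname itself and its subdomains still pass; otherwise the allowed_domains change is cosmetic and the comment should say so. `$HOSTNAME` is also unquoted here under `#!/bin/sh` while `common_name="$HOSTNAME"` further down is quoted; `allowed_domains="$HOSTNAME"` keeps the two consistent.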
@@ -65,7 +55,7 @@ STATE="Madrid" # state or province name
 LOCALITY="Madrid" # Locality Name (e.g. city)
 ORGNAME="Telefonica I+D" # Organization Name (eg, company)
 ORGUNIT="Innovation" # Organizational Unit Name (eg. section)
-COMMONNAME="capifcore"
+COMMONNAME="$HOSTNAME"
 EMAIL="inno@tid.es" # certificate's email address
 # optional extra details
 CHALLENGE="" # challenge password
@@ -74,7 +64,6 @@ COMPANY="" # company name
 # DAYS="-days 365" # create the certificate request
-#cat <<__EOF__ | openssl req -new $DAYS -nodes -keyout client.key -out client.csr
 cat <<__EOF__ | openssl req -new $DAYS -key ./server.key -out ./server.csr
 $COUNTRY
 $STATE
@@ -87,31 +76,20 @@ $CHALLENGE
 $COMPANY
 __EOF__
-# vault write -format=json pki_int/issue/my-ca \
-# csr=@server.csr \
-# format=pem_bundle ttl="438h" \
-# | jq -r '.data.private_key as $private_key | .data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$private_key, $issuing_ca, $certificate]' > cert_data.json
-vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr common_name="capifcore" | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json
+vault write -format=json pki_int/sign/my-ca format=pem_bundle ttl="43000h" csr=@server.csr common_name="$HOSTNAME" | jq -r '.data.issuing_ca as $issuing_ca | .data.certificate as $certificate | [$issuing_ca, $certificate]' > cert_data.json
 jq -r '.[0]' cert_data.json > root_ca.crt.pem
 jq -r '.[1]' cert_data.json > server_certificate.crt.pem
 openssl x509 -pubkey -noout -in server_certificate.crt.pem > server_certificate_pub.pem
-# Guardar la clave privada en Vault
-
-#vault kv put secret/ca ca=@root_ca.crt.pem root_2023_ca.crt
-
-#cat root_2023_ca.crt root_2023_ca.crt > ca.crt
-
+# Concatenate the root and intermediate CA certificates
 cat > certificados_concatenados.crt << EOF
 $(cat "root_2023_ca.crt")
 $(cat "root_ca.crt.pem")
 EOF
-
-# vault kv put secret/ca ca=@root_2023_ca.crt
 vault kv put secret/ca ca=@certificados_concatenados.crt
 vault kv put secret/server_cert cert=@server_certificate.crt.pem
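Review bot: The rewritten sign call keeps `ttl="43000h"`, ten times the role's `max_ttl=4300h` set earlier in this file; Vault does not reject that, it shortens the issued lifetime to the role maximum and only reports it in the response's warnings, which the `jq -r` filter discards, so the certificate's real validity is not what this line suggests. Either align the two values or drop `ttl=` here and let the role's `ttl=4300h` apply. If CAPIF_HOSTNAME can be an IP address in a local deployment, it is worth verifying that the issued certificate carries an IP SAN, since the CSR template in this file declares no subjectAltName and the role is configured with `use_csr_sans=false`.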
@@ -124,15 +102,15 @@ POLICY_NAME="my-policy"
 POLICY_FILE="my-policy.hcl"
 TOKEN_ID="read-ca-token"
-# Crear la política en Vault
+# Create a policy to read the CA
 echo "path \"secret/data/ca\" { capabilities = [\"read\"] }" > "$POLICY_FILE"
 vault policy write "$POLICY_NAME" "$POLICY_FILE"
-# Generar un nuevo token y asignar la política
+# Create a token with the policy
 TOKEN=$(vault token create -id="$TOKEN_ID" -policy="$POLICY_NAME" -format=json | jq -r '.auth.client_token')
-echo "Token generado:"
+echo "Generated Token:"
 echo "$TOKEN"
\ No newline at end of file
-- GitLab