Generate SSL certificate for Testrun UI

cmd/install

@@ -38,7 +38,7 @@ else
   TESTRUN_DIR="${TESTRUN_DIR}"
 
   # Check that user is in docker group
-  if ! (id -nGz "$USER" | grep -qzxF "docker"); then
+  if ! (id -nGz "$USER" | grep -qzxF "docker") && [ "$EUID" -ne 0 ]; then
     echo User is not in docker group. Follow https://docs.docker.com/engine/install/linux-postinstall/ to finish setting up docker.
     exit 1
   fi
@@ -69,6 +69,37 @@ cmd/build
 
 # Create local folders
 mkdir -p local/{devices,root_certs,risk_profiles}
+mkdir -p local/ui/certs
+
+# Add hosts entry
+HOST="127.0.0.1 testrun.io"
+grep -qxF "$HOST" /etc/hosts || echo $HOST | sudo tee -a /etc/hosts
+
+# Prepare for certificate generation
+UI_CERTS_DIR=$PWD/local/ui/certs
+CA_NAME=testrun.ca
+CRT_NAME=testrun
+
+# Generate CA certificate
+openssl genrsa -aes256 -out $UI_CERTS_DIR/$CA_NAME.key -passout pass:supersecurepassword 4096
+
+openssl req -x509 -new -nodes -key $UI_CERTS_DIR/$CA_NAME.key -passin pass:supersecurepassword -sha256 -days 1826 -out $UI_CERTS_DIR/$CA_NAME.crt -subj "/C=US/O=Google/CN=Testrun CA"
+
+# Trust CA certificate
+mkdir -p /usr/local/share/ca-certificates/
+cp $UI_CERTS_DIR/$CA_NAME.crt /usr/local/share/ca-certificates/$CA_NAME.crt
+
+# Create signing config file
+echo 'subjectAltName = DNS:testrun.io' >> $UI_CERTS_DIR/$CRT_NAME.ext
+
+# Create signing request
+openssl req -new -nodes -out $UI_CERTS_DIR/$CRT_NAME.csr -newkey rsa:4096 -keyout $UI_CERTS_DIR/$CRT_NAME.key -subj "/C=US/O=Google/CN=Testrun"
+
+# Complete signing
+openssl x509 -req -in $UI_CERTS_DIR/$CRT_NAME.csr -CA $UI_CERTS_DIR/$CA_NAME.crt -CAkey $UI_CERTS_DIR/$CA_NAME.key -passin pass:supersecurepassword -CAcreateserial -out $UI_CERTS_DIR/$CRT_NAME.signed.crt -days 500 -sha256 -extfile $UI_CERTS_DIR/$CRT_NAME.ext
+
+# Update trusted Ca certificates
+update-ca-certificates
 
 # Set file permissions on local
 # This does not work on GitHub actions

cmd/prepare

@@ -20,6 +20,6 @@
 echo Installing system dependencies
 
 # Install system dependencies
-sudo apt-get update && sudo apt-get install openvswitch-common openvswitch-switch python3 libpangocairo-1.0-0 ethtool
+sudo apt-get update && sudo apt-get install openvswitch-common openvswitch-switch python3 libpangocairo-1.0-0 ethtool openssl
 
 echo Finished installing system dependencies

framework/python/src/core/testrun.py

@@ -32,13 +32,16 @@
 from net_orc import network_orchestrator as net_orc
 from test_orc import test_orchestrator as test_orc
 
-from docker.errors import ImageNotFound
+from docker.errors import ImageNotFound, APIError
+from docker.types import Mount
 
 LOGGER = logger.get_logger('testrun')
 
 DEFAULT_CONFIG_FILE = 'local/system.json'
 EXAMPLE_CONFIG_FILE = 'local/system.json.example'
 
+LOCAL_CERTS_DIR = 'local/ui/certs'
+
 LOCAL_DEVICES_DIR = 'local/devices'
 RESOURCE_DEVICES_DIR = 'resources/devices'
 
@@ -506,21 +509,34 @@ def start_ui(self):
 
     client = docker.from_env()
 
+    certs_folder = os.path.join(self._root_dir,
+                                LOCAL_CERTS_DIR)
+
     try:
-      client.containers.run(image='testrun/ui',
-                            auto_remove=True,
-                            name='tr-ui',
-                            hostname='testrun.io',
-                            detach=True,
-                            ports={'80': 8080})
-    except ImageNotFound as ie:
+      client.containers.run(
+            image='testrun/ui',
+            auto_remove=True,
+            name='tr-ui',
+            hostname='testrun.io',
+            detach=True,
+            ports={
+              '443': 443
+            },
+            mounts=[
+              Mount(target='/certs',
+                    source=certs_folder,
+                    type='bind',
+                    read_only=True)
+            ]
+      )
+    except (APIError, ImageNotFound) as ie:
       LOGGER.error('An error occured whilst starting the UI. ' +
                    'Please investigate and try again.')
       LOGGER.error(ie)
       sys.exit(1)
 
     # TODO: Make port configurable
-    LOGGER.info('User interface is ready on http://localhost:8080')
+    LOGGER.info('User interface is ready on https://testrun.io')
 
   def _stop_ui(self):
     LOGGER.info('Stopping user interface')

modules/ui/nginx.conf

@@ -0,0 +1,14 @@
+server { 
+  listen 80;
+  listen 443 ssl;
+  server_name testrun.io;
+
+  ssl_certificate /certs/testrun.signed.crt;
+  ssl_certificate_key /certs/testrun.key;
+  ssl_protocols TLSv1.2 TLSv1.3;
+
+  location / {
+    root /usr/share/nginx/html;
+    try_files $uri /index.html;
+  }
+}

modules/ui/ui.Dockerfile

@@ -15,8 +15,12 @@
 # Image name: testrun/ui
 FROM nginx@sha256:4c0fdaa8b6341bfdeca5f18f7837462c80cff90527ee35ef185571e1c327beac
 
+# Copy application
 COPY modules/ui/dist/ /usr/share/nginx/html
 
-EXPOSE 8080
+# Copy configuration
+COPY /modules/ui/nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 443
 
 CMD ["nginx", "-g", "daemon off;"]