Merge pull request #6 from ToukanLabs/feature/OE-9339-v2

OE-9339 - import sodium crypto key for email password encryption

.gitignore

@@ -4,3 +4,4 @@ local//
 local/*
 web/.env
 */.env
+.vscode/*

README.md

@@ -74,6 +74,21 @@ To access the bash shell inside the container; with the container already runnin
 
 `docker exec -it <container_name> bash`
 
+# Adding a crypto key
+This is needed from v4.0 onwards for encrypting/decrypting stored passwords for email servers (send as email feature).
+
+The key should be added as a docker secret. To generate a new key you can use:
+
+`openssl rand -hex 32`
+
+Note that the length can be changed.
+
+For testing/demo purposes, the container is capabale of generating a new key on first start-up. To do this set the following environment variable on the container:
+
+`GENERATE_TEMP_SODIUM_CRYPTO_KEY=TRUE`
+
+**NOTE:** If you wish to persist the generated key when a container is recreated then you can mount a volume at `/crypto-temp`
+
 # Accessing docker volumes on a [Windows] Host
 
 If you wish to share back docker volumes to a [Windows] host. Use the following image:

web/Dockerfile

@@ -155,11 +155,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
   && rm -rf /tmp/*
 
-# Install wkhtmltopdf
-RUN wget -O /wkhtml.deb https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
+# Install wkhtmltopdf only in PHP 5 builds (i.e, for OE v3.x, WKHTML was retired in v4.0)
+RUN [ $(echo "7 >= ${PHP_VERSION}" | bc -l) = 1 ] && { wget -O /wkhtml.deb https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
   && dpkg -i --force-depends /wkhtml.deb \
   && rm /wkhtml.deb \
-  && rm -rf /tmp/*
+  && rm -rf /tmp/*; } || :
 
 # Dependencies for Puppeteer headless chrome browser - only install if PHP ver > 7
 RUN [ $(echo "7 <= ${PHP_VERSION}" | bc -l) = 1 ] && { apt-get update && apt-get install -y --no-install-recommends \

web/Dockerfile.allin1.v2

@@ -128,10 +128,11 @@ RUN curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash - \
   && apt-get clean -y \
   && rm -rf /var/lib/apt/lists/*
 
-# Install wkhtmltopdf
-RUN wget -O /wkhtml.deb https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
-    && dpkg -i --force-depends /wkhtml.deb \
-    && rm /wkhtml.deb
+# Install wkhtmltopdf only in PHP 5 builds (i.e, for OE v3.x, WKHTML was retired in v4.0)
+RUN [ $(echo "7 >= ${PHP_VERSION}" | bc -l) = 1 ] && { wget -O /wkhtml.deb https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
+  && dpkg -i --force-depends /wkhtml.deb \
+  && rm /wkhtml.deb \
+  && rm -rf /tmp/*; } || :
 
 # SETUP apache config
 # Enable display_errors and error logging for PHP, plus configure timezone

web/Dockerfile.php7

@@ -155,11 +155,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
   && rm -rf /tmp/*
 
-# Install wkhtmltopdf
-RUN wget -O /wkhtml.deb https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
+# Install wkhtmltopdf only in PHP 5 builds (i.e, for OE v3.x, WKHTML was retired in v4.0)
+RUN [ $(echo "7 >= ${PHP_VERSION}" | bc -l) = 1 ] && { wget -O /wkhtml.deb https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
   && dpkg -i --force-depends /wkhtml.deb \
   && rm /wkhtml.deb \
-  && rm -rf /tmp/*
+  && rm -rf /tmp/*; } || :
 
 # Dependencies for Puppeteer headless chrome browser - only install if PHP ver > 7
 RUN [ $(echo "7 <= ${PHP_VERSION}" | bc -l) = 1 ] && { apt-get update && apt-get install -y --no-install-recommends \

web/Dockerfile.php7.3

@@ -155,11 +155,11 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
   && rm -rf /tmp/*
 
-# Install wkhtmltopdf
-RUN wget -O /wkhtml.deb https://downloads.wkhtmltopdf.org/0.12/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
+# Install wkhtmltopdf only in PHP 5 builds (i.e, for OE v3.x, WKHTML was retired in v4.0)
+RUN [ $(echo "7 >= ${PHP_VERSION}" | bc -l) = 1 ] && { wget -O /wkhtml.deb https://github.com/wkhtmltopdf/wkhtmltopdf/releases/download/0.12.5/wkhtmltox_0.12.5-1.${OS_VERSION}_amd64.deb \
   && dpkg -i --force-depends /wkhtml.deb \
   && rm /wkhtml.deb \
-  && rm -rf /tmp/*
+  && rm -rf /tmp/*; } || :
 
 # Dependencies for Puppeteer headless chrome browser - only install if PHP ver > 7
 RUN [ $(echo "7 <= ${PHP_VERSION}" | bc -l) = 1 ] && { apt-get update && apt-get install -y --no-install-recommends \

web/docker-compose.yml

@@ -24,9 +24,8 @@ services:
       # Uncomment the next line for testing, or to use 10.4 with older versions of OE (prior to v4.0)
       # - "--sql-mode=NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER"
 
-  web_5:
-    image: appertaopeneyes/web:latest
-    container_name: openeyes_web_5
+  web_7:
+    image: appertaopeneyes/web:php7
     environment:
       GIT_USER: ${GIT_USER:?'Please set your github user id in .env file'}
       TZ: 'Europe/London'
@@ -47,6 +46,7 @@ services:
       PHPI_TEST_SETTING: test-123
       WAIT_HOSTS_TIMEOUT: "300" # It can take a while for the mariadb container to initialise on first run
       ENABLE_CRON: "FALSE" # Remove this for live installs
+      GENERATE_TEMP_SODIUM_CRYPTO_KEY: "TRUE"
     secrets:
       - source: SSH_PRIVATE_KEY
       - source: SSH_AUTHORIZED_KEYS
@@ -60,52 +60,10 @@ services:
     volumes:
       - "oe-web:/var/www/openeyes"
       # Following is useful when using VS COde remote for development
-      - "php5_vscode:/root/.vscode-server"
+      - "php7_vscode:/root/.vscode-server"
     depends_on:
       - db
-    hostname: oe-web-php5
 
-#  web_7:
-#    image: appertaopeneyes/web:php7
-#    container_name: openeyes_web_7
-#    environment:
-#      GIT_USER: ${GIT_USER:?'Please set your github user id in .env file'}
-#      TZ: 'Europe/London'
-#      UID: '1'
-#      GID: '1'
-#      OE_MODE: 'DEV'
-#      OE_INSTITUTION_CODE: NEW
-#      OE_PORTAL_URI: ${OE_PORTAL_URI}
-#      OE_PORTAL_EXTERNAL_URI: ${OE_PORTAL_EXTERNAL_URI}
-#      OE_PORTAL_USERNAME: ${OE_PORTAL_USERNAME}
-#      OE_PORTAL_PASSWORD: ${OE_PORTAL_PASSWORD}
-#      OE_PORTAL_CLIENT_ID: ${OE_PORTAL_USERNAME}
-#      OE_PORTAL_CLIENT_SECRET: ${OE_PORTAL_CLIENT_SECRET}
-#      OE_PORTAL_ENABLED: "FALSE"
-#      SSH_SERVER_ENABLE: "TRUE"
-#      DATABASE_HOST: "db"
-#      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-example}
-#      PHPI_TEST_SETTING: test-123
-#      WAIT_HOSTS: "web_5:80" # Wait for web_5 to startup first - this prevents both containers trying to clone at the same time on first run
-#      WAIT_HOSTS_TIMEOUT: "3000" # It can take quite a while for web 5 to start on first run, so we need a long time-out
-#      WAIT_SLEEP_INTERVAL: "3" # reduces the number of messages sent to the log while waiting for web_5 to complete its first run
-#      ENABLE_CRON: "FALSE" # Remove this for live installs
-#    secrets:
-#      - source: SSH_PRIVATE_KEY
-#      - source: SSH_AUTHORIZED_KEYS
-#    ports:
-#      - "7777:80"
-#      - "22:22"
-#    stdin_open: true
-#    tty: true
-#    volumes:
-#      - "oe-web:/var/www/openeyes"
-#      # Following is useful when using VS COde remote for development
-#      - "php7_vscode:/root/.vscode-server"
-#    depends_on:
-#     - "db"
-#     - "web_5"
-#    hostname: oe-web-php7
 
 volumes:
   oe-web:

web/init.sh

@@ -72,6 +72,35 @@ mkdir -p /root/.ssh /run/.ssh
 # If SSH server is enabled, start it early in the process so that it is accessible for debugging
 [ "${SSH_SERVER_ENABLE^^}" == "TRUE" ] && service ssh start
 
+# Check if an encryption key has been set for email sending, etc.
+if [ -f '/run/secrets/SODIUM_CRYPTO_KEY' ] ; then
+  echo "** Sodium crypto key loaded from secret **"
+elif [ "${GENERATE_TEMP_SODIUM_CRYPTO_KEY^^}" = "TRUE" ]; then
+  # for demos, dev, etc., you may not want to generate a secret in advance. By setting GENERATE_TEMP_SODIUM_CRYPTO_KEY to TRUE,
+  # a new key will be generated on first run and stored. It will be loaded into the /run/secrets/SODIUM_CRYPTO_KEY
+  # at each startup.
+  # Note that this key will be lost if the container gets rebuilt, unless you mount the /crypto-temp folder as a volume
+  mkdir -p /crypto-temp
+  [ ! -f '/sodium_crypto_key_temp' ] && openssl rand -hex 32 > /crypto-temp/sodium_key || :
+  cp /crypto-temp/sodium_key /run/secrets/SODIUM_CRYPTO_KEY
+  echo "** sodium crypto key loaded from generated file **"
+else
+  echo ""
+  echo "*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x"
+  echo "x WARNING WARNING WARNING WARNING WARNING  WARNING WARNING WARNING WARNING WARNING WARNING WARNING *"
+  echo "*                                                                                                  x"
+  echo "x   No SODIUM_CRYPTO_KEY secret has been provided. This is required for send via email             *"
+  echo "*   feature of correspondence (used for encryption and decryption of email account passwords).     x"
+  echo "x                                                                                                  *"
+  echo "x   If you are note using this email feature then you can safely ignore this warning.              *"
+  echo "*                                                                                                  x"
+  echo "x   To generate a new key, run `openssl rand -hex 32` and copy the resulting key into a            *"
+  echo "*   docker secret named SODIUM_CRYPTO_KEY.                                                         x"
+  echo "x   You will then need to recreate this container with the secret                                  *"
+  echo "*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x*x"
+  echo ""
+fi
+
 # if we have mysql installed in the same image, then start the service
 [ "${LOCAL_DB^^}" == "TRUE" ] && service mysql start