diff --git a/api/server.go b/api/server.go index baf59fc..e5300c2 100644 --- a/api/server.go +++ b/api/server.go @@ -22,6 +22,19 @@ func (s *Server) StartServer(version string) error { VERSION = version secret_api := rest.NewApi() + if s.Builder.Conf.UseAuthenticatedSecretServer { + secret_api.Use(&rest.AuthBasicMiddleware{ + Realm: "Habitus secret service", + Authenticator: func(userId string, password string) bool { + if userId == s.Builder.Conf.AuthenticatedSecretServerUser && password == s.Builder.Conf.AuthenticatedSecretServerPassword { + return true + } + return false + }, + }) + } + + router, err := rest.MakeRouter( // system &rest.Route{"GET", "/v1/ping", s.ping}, diff --git a/configuration/config.go b/configuration/config.go index e4da5b6..d02d534 100644 --- a/configuration/config.go +++ b/configuration/config.go @@ -43,6 +43,9 @@ type Config struct { DockerMemory string DockerCPUSetCPUs string DockerCPUShares int + UseAuthenticatedSecretServer bool + AuthenticatedSecretServerPassword string + AuthenticatedSecretServerUser string } func (i *TupleArray) String() string { diff --git a/examples/security_env/Dockerfile b/examples/security_env/Dockerfile index 8b6ce18..a82a78b 100644 --- a/examples/security_env/Dockerfile +++ b/examples/security_env/Dockerfile @@ -1,4 +1,9 @@ -FROM alpine:3.5 -ARG host -ARG port -RUN wget -qO- http://$host:$port/v1/secrets/env/my_env_secret | less \ No newline at end of file +FROM ubuntu:16.04 +RUN apt-get update +RUN apt-get install wget -y +RUN apt-get install less -y +ARG habitus_host +ARG habitus_port +ARG habitus_password +ARG habitus_user +RUN wget --http-user=$habitus_user --http-password=$habitus_password -qO- http://$habitus_host:$habitus_port/v1/secrets/env/my_env_secret | less \ No newline at end of file diff --git a/examples/security_env/README.md b/examples/security_env/README.md index 08e65de..fd3f13e 100644 --- a/examples/security_env/README.md +++ b/examples/security_env/README.md 
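Review bot: The Authenticator closure in StartServer checks the user name and password with `==`, which is not a constant-time comparison, so response timing may leak information about how close a guess is. Compare both values with `crypto/subtle` and combine the results afterwards, e.g. `userOK := subtle.ConstantTimeCompare([]byte(userId), []byte(s.Builder.Conf.AuthenticatedSecretServerUser)) == 1`, the same for the password, then `return userOK && passOK`; hashing both sides first would also hide the length. Basic auth only base64-encodes the credentials and the example Dockerfile in this commit reaches the server over `http://`, so a comment here should state that the listener must be bound to a trusted interface or fronted by TLS. StartServer continues outside this hunk.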
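Review bot: `ARG habitus_password` and its use in `RUN wget --http-password=$habitus_password ...` put the secret-server password into the build itself, because build-arg values consumed by a RUN step are recorded in the image metadata and can be read back with `docker history` by anyone who can pull the image. That works against the purpose of fetching secrets from Habitus at build time, so the example should at least carry a comment such as `# build args are visible in docker history: use a throwaway per-build password and rotate it after the build`. The request also goes over plain `http://`, so the credentials and the returned secret cross the network unencrypted. As a style point, `RUN apt-get update` in its own layer can be served stale from cache; `RUN apt-get update && apt-get install -y wget less` keeps the index and the install together.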
@@ -1,3 +1,7 @@ Run this example using secrets -`habitus --build host=[ip of habitus endpoint] --host=unix:///var/run/docker.sock --binding=0.0.0.0 --secrets=true` \ No newline at end of file +`habitus -f examples/security_env/build.yml -d examples/security_env --secrets=true --authentication-secret-server=true --binding=[your ip] --build habitus_host=[your ip] --build habitus_port=8080 --build habitus_password=admin --build habitus_user=habitus` + +Make sure you set the EnvVar + +`export HABITUS_HOME=my_secret` \ No newline at end of file diff --git a/examples/security_env/build.yml b/examples/security_env/build.yml index e397499..e240e60 100644 --- a/examples/security_env/build.yml +++ b/examples/security_env/build.yml @@ -4,7 +4,7 @@ build: builder: name: builder dockerfile: Dockerfile - no_cache: true + no_cache: false secrets: my_env_secret: type: env diff --git a/examples/security_env/sd b/examples/security_env/sd new file mode 100644 index 0000000..3ee9b98 --- /dev/null +++ b/examples/security_env/sd @@ -0,0 +1 @@ +./habitus -f examples/security_env/build.yml -d examples/security_env --secrets=true --authentication-secret-server=false --binding=192.168.1.58 --build habitus_host=192.168.1.58 --build habitus_port=8080 --build habitus_password=admin --build habitus_user=habitus diff --git a/main.go b/main.go index 90d36ca..6f95c3f 100644 --- a/main.go +++ b/main.go 
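Review bot: `examples/security_env/sd` looks like a local scratch command committed by accident. It hard-codes a private address (`192.168.1.58`), passes `habitus_password=admin` on the command line, and runs with `--authentication-secret-server=false`, which contradicts the README command added in the same commit. Drop the file from the change, or if a runnable script is intended, give it a descriptive name, use the `[your ip]` placeholder from the README and enable authentication. The `no_cache: true` to `no_cache: false` flip in build.yml may come from the same local testing and is worth confirming as intentional.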
@@ -85,6 +85,10 @@ func main() { flag.StringVar(&config.DockerCPUSetCPUs, "docker-cpuset-cpus", "", "CPU binding limits to apply to Docker build operations. More: https://docs.docker.com/engine/reference/commandline/build") flag.IntVar(&config.DockerCPUShares, "docker-cpu-shares", 1024, "CPU share weighting to apply to Docker build operations. More: https://docs.docker.com/engine/reference/commandline/build") + flag.BoolVar(&config.UseAuthenticatedSecretServer, "authentication-secret-server", false, "Enable basic authentication for secret server") + flag.StringVar(&config.AuthenticatedSecretServerPassword, "password-secret-server", "admin", "The password for basic authentication.") + flag.StringVar(&config.AuthenticatedSecretServerUser, "user-secret-server", "habitus", "The user for basic authentication.") + config.Logger = *log flag.Parse()
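Review bot: The defaults `"admin"` and `"habitus"` for `password-secret-server` and `user-secret-server` mean that passing only `--authentication-secret-server=true` protects the secret endpoints with credentials published in this repository. Default both flags to `""` and refuse to start when authentication is enabled but a value is missing, e.g. after `flag.Parse()`: `if config.UseAuthenticatedSecretServer && (config.AuthenticatedSecretServerUser == "" || config.AuthenticatedSecretServerPassword == "") { /* report the missing flag and exit */ }`. A password given as a flag is also visible in the process list and shell history, so the help text should say so, and an environment-variable or file source would be a safer option to offer. main continues outside this hunk.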