From 172e49bc8ebb0841fec9638cb0e7b680b0a27677 Mon Sep 17 00:00:00 2001 From: jp Date: Thu, 19 Dec 2024 11:57:23 +0100 Subject: [PATCH 01/11] added auto generated certs to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 9ad706a5..387a3367 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ docs/package-lock.json docs/.hugo_build.lock **.hugo_build.lock +certs From 62a96e0286f6d79ecc6483c0c7cfc0b0a2cfc502 Mon Sep 17 00:00:00 2001 From: jp Date: Thu, 19 Dec 2024 12:10:09 +0100 Subject: [PATCH 02/11] added docker compose with self-signed certificates --- docker-compose.yaml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 7edd4429..8b007d3b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -11,14 +11,34 @@ services: volumes: - mongodb_data_container:/data/db + cert-generator: + image: alpine + container_name: cert-generator + volumes: + - certs_data_containter:/certs + environment: + - DOMAIN=localhost + command: > + sh -c " + apk add --no-cache openssl && + cd /certs && + openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes -subj '/CN=${DOMAIN}' && + chmod 644 server.key server.crt + " + soarca: build: dockerfile: Dockerfile args: VERSION: "${GIT_VERSION}" container_name: soarca_server + volumes: + - certs_data_containter:/app/certs environment: PORT: 8080 + ENABLE_TLS: "true" + CERT_FILE: "/app/certs/server.crt" + CERT_KEY: "/app/certs/server.key" SOARCA_ALLOWED_ORIGINS: "*" GIN_MODE: "release" MONGODB_URI: "mongodb://mongodb_container:27017" @@ -36,10 +56,11 @@ services: - 127.0.0.1:8080:8080 depends_on: - mongodb_container + - cert-generator networks: db-net: - volumes: mongodb_data_container: + certs_data_containter: From d7042765a1009c86009ee2af200285fb6e50df07 Mon Sep 17 00:00:00 2001 
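Review bot: `chmod 644 server.key server.crt` at the end of the cert-generator command leaves the TLS private key world-readable in the shared `certs_data_containter` volume; only the certificate needs to be broadly readable, so split it into `chmod 600 server.key && chmod 644 server.crt` (or 640 with a group the soarca process belongs to, if it does not run as root — the Dockerfile is not visible here). Separately, `${DOMAIN}` inside the `command:` string is substituted by Compose from the host shell/.env when the file is parsed, not from the service's own `environment: - DOMAIN=localhost`, so with DOMAIN unset on the host the subject silently becomes `/CN=`; write it as `$${DOMAIN}` so the shell inside the container expands it. The resulting certificate also carries no subjectAltName, and clients that actually verify it (Go 1.15+ and current browsers) match on SAN only, so for anything beyond `HTTP_SKIP_CERT_VALIDATION`-style testing add `-addext subjectAltName=DNS:$${DOMAIN}` to the `openssl req` call.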
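Review bot: `depends_on: - cert-generator` only orders container start-up; Compose does not wait for the one-shot alpine container to finish, so `soarca_server` (configured with `ENABLE_TLS: "true"` in the previous hunk) can come up before `server.key`/`server.crt` exist and fail its certificate check on first `up`. With the Compose v2 CLI the long form with a completion condition closes that race. The volume name `certs_data_containter` is misspelled consistently, so it works, but `certs_data_container` would match `mongodb_data_container`. As written the generator also regenerates the key pair on every `up`, which is fine for a throwaway dev certificate but breaks any client that trusted the previous one; a `[ -f server.key ] ||` guard in front of the `openssl req` call would keep it stable across restarts.
```yaml
    depends_on:
      mongodb_container:
        condition: service_started
      cert-generator:
        condition: service_completed_successfully
```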
From: jp Date: Thu, 19 Dec 2024 12:11:30 +0100 Subject: [PATCH 03/11] updated env --- .env.example | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.env.example b/.env.example index 01115576..e1958032 100644 --- a/.env.example +++ b/.env.example @@ -1,4 +1,8 @@ PORT: 8080 +ENABLE_TLS: false +CERT_FILE: "/certs/server.crt +CERT_KEY: "/certs/server.key" +MAX_EXECUTIONS=1000 SOARCA_ALLOWED_ORIGINS: "*" GIN_MODE: "release" MONGODB_URI: "mongodb://localhost:27017" @@ -19,7 +23,6 @@ MQTT_BROKER: "localhost" MQTT_PORT: 1883 HTTP_SKIP_CERT_VALIDATION: false - ### Integrations # The Hive From 376b4663a71b13c59ed2950e47c5ab57e6fd0824 Mon Sep 17 00:00:00 2001 From: jp Date: Thu, 19 Dec 2024 14:11:33 +0100 Subject: [PATCH 04/11] controller changes for tls --- internal/controller/controller.go | 40 +++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 0e13dec4..2fb27294 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -1,10 +1,12 @@ package controller import ( + "crypto/tls" "errors" "fmt" "os" "reflect" + p "soarca/internal/database/memory" "soarca/internal/logger" "soarca/pkg/core/capability" 
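Review bot: The example paths `/certs/server.crt` and `/certs/server.key` do not match where the compose file of the previous commit mounts the generated files (`/app/certs/...`), so copying this example into the container environment points the server at files that do not exist; either align the two or note next to them that `/certs` is a host-side path. `MAX_EXECUTIONS=1000` also uses `=` while every other entry in this file uses the `KEY: value` form; whichever form the loader really accepts, the example should use one consistently — I cannot tell from here which one `utils.GetEnv` reads.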
@@ -187,6 +189,44 @@ func Initialize() error { return err } +func createHTTPServer(app *gin.Engine, port string) *net_http.Server { + return &net_http.Server{ + Addr: ":" + port, + Handler: app, + TLSConfig: &tls.Config{ + MinVersion: tls.VersionTLS12, + }, + } +} +func validateCertificates(certFile string, keyFile string) error { + _, err := os.Stat(certFile) + if os.IsNotExist(err) { + return fmt.Errorf("certificate file not found: %s", certFile) + } + if os.IsNotExist(err) { + server := createHTTPServer(app, config) + _, err = os.Stat(keyFile) + return fmt.Errorf("key file not found: %s", keyFile) + } + return nil +} + +func runServer(app *gin.Engine, port string, enableTlS bool, certFile string, certKey string) error { + server := createHTTPServer(app, port) + if enableTlS { + err := validateCertificates(certFile, certKey) + if err != nil { + return fmt.Errorf("TLS configuration error: %w", err) + } + + log.Infof("Starting HTTPS server on port %s", config.Port) + return server.ListenAndServeTLS(config.CertFile, config.KeyFile) + } + + log.Infof("Starting HTTP server on port %s", config.Port) + return server.ListenAndServe() +} + func initializeCore(app *gin.Engine) error { origins := strings.Split(strings.ReplaceAll(utils.GetEnv("SOARCA_ALLOWED_ORIGINS", "*"), " ", ""), ",") routes.Cors(app, origins) From e2215bee6a7ed32f2cc572301c71f84976aac217 Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 14:29:05 +0100 Subject: [PATCH 05/11] env variable rename --- .env.example | 4 ++-- docker-compose.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.env.example b/.env.example index e1958032..83a5bc2f 100644 --- a/.env.example +++ b/.env.example @@ -1,7 +1,7 @@ PORT: 8080 ENABLE_TLS: false -CERT_FILE: "/certs/server.crt -CERT_KEY: "/certs/server.key" +CERT_FILE: "/certs/server.crt" +CERT_KEY_FILE: "/certs/server.key" MAX_EXECUTIONS=1000 SOARCA_ALLOWED_ORIGINS: "*" GIN_MODE: "release" 
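Review bot: As committed this hunk does not compile: `runServer` reads `config.Port`, `config.CertFile` and `config.KeyFile` although no `config` is declared, and the second branch of `validateCertificates` references `app` and `config` inside an `if os.IsNotExist(err)` that re-tests the certificate stat result, so the key file is never actually checked. Squashing this with the follow-up commit that replaces those names with the `port`/`certFile`/`keyFile` parameters would keep the series bisectable. `createHTTPServer` rightly pins `MinVersion: tls.VersionTLS12`, but the `net_http.Server` it builds has no `ReadHeaderTimeout`/`IdleTimeout`, so a client can hold a header-less connection open indefinitely; `ReadHeaderTimeout: 10 * time.Second` is the usual minimum (needs a `time` import, which is not in the import hunk above).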
diff --git a/docker-compose.yaml b/docker-compose.yaml index 8b007d3b..b9b99fbc 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -38,7 +38,7 @@ services: PORT: 8080 ENABLE_TLS: "true" CERT_FILE: "/app/certs/server.crt" - CERT_KEY: "/app/certs/server.key" + CERT_KEY_FILE: "/app/certs/server.key" SOARCA_ALLOWED_ORIGINS: "*" GIN_MODE: "release" MONGODB_URI: "mongodb://mongodb_container:27017" From b09119fb85f923093c987f4a0b80c4f1e8cffe0f Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 14:29:11 +0100 Subject: [PATCH 06/11] finished controller --- internal/controller/controller.go | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 2fb27294..7832f96e 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -4,9 +4,9 @@ import ( "crypto/tls" "errors" "fmt" + net_http "net/http" "os" "reflect" - p "soarca/internal/database/memory" "soarca/internal/logger" "soarca/pkg/core/capability" @@ -180,7 +180,18 @@ func Initialize() error { } port := utils.GetEnv("PORT", "8080") - err = app.Run(":" + port) + enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false")) + certFile := utils.GetEnv("CERT_FILE", "./certs/server.crt") + keyFile := utils.GetEnv("CERT_KEY_FILE", "./certs/server.key") + + if enableTLS { + if certFile == "" || keyFile == "" { + err := fmt.Errorf("TLS enabled but certificate or key file not provided") + log.Error(err) + return err + } + } + err = runServer(app, port, enableTLS, certFile, keyFile) if err != nil { log.Error("failed to run gin") } 
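Review bot: `enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false"))` discards the parse error, so a typo such as `ENABLE_TLS=ture` silently evaluates to `false` and the server comes up on plaintext HTTP while the operator believes TLS is on — a fail-open default for a security setting. Return the error instead: `enableTLS, err := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false"))` followed by `if err != nil { return fmt.Errorf("invalid ENABLE_TLS value: %w", err) }`. The `certFile == "" || keyFile == ""` guard below it is most likely unreachable, since both values come from `utils.GetEnv` with non-empty defaults — unless `GetEnv` passes through an explicitly empty value, which I cannot see from here. `Initialize` starts outside this hunk.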
@@ -198,32 +209,32 @@ func createHTTPServer(app *gin.Engine, port string) *net_http.Server { }, } } + func validateCertificates(certFile string, keyFile string) error { _, err := os.Stat(certFile) if os.IsNotExist(err) { return fmt.Errorf("certificate file not found: %s", certFile) } if os.IsNotExist(err) { - server := createHTTPServer(app, config) _, err = os.Stat(keyFile) return fmt.Errorf("key file not found: %s", keyFile) } return nil } -func runServer(app *gin.Engine, port string, enableTlS bool, certFile string, certKey string) error { +func runServer(app *gin.Engine, port string, enableTlS bool, certFile string, keyFile string) error { server := createHTTPServer(app, port) if enableTlS { - err := validateCertificates(certFile, certKey) + err := validateCertificates(certFile, keyFile) if err != nil { return fmt.Errorf("TLS configuration error: %w", err) } - log.Infof("Starting HTTPS server on port %s", config.Port) - return server.ListenAndServeTLS(config.CertFile, config.KeyFile) + log.Infof("Starting HTTPS server on port %s", port) + return server.ListenAndServeTLS(certFile, keyFile) } - log.Infof("Starting HTTP server on port %s", config.Port) + log.Infof("Starting HTTP server on port %s", port) return server.ListenAndServe() } From 88377745c2549bfa7b96caa8d33281602d382973 Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 15:48:23 +0100 Subject: [PATCH 07/11] use native run tls function by gin instead --- internal/controller/controller.go | 25 ++++++------------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 7832f96e..caca18b6 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -1,10 +1,8 @@ package controller import ( - "crypto/tls" "errors" "fmt" - net_http "net/http" "os" "reflect" "soarca/internal/database/memory" 
@@ -191,25 +189,14 @@ func Initialize() error { return err } } - err = runServer(app, port, enableTLS, certFile, keyFile) + err = run(app, port, enableTLS, certFile, keyFile) if err != nil { log.Error("failed to run gin") } log.Info("exit") - return err } -func createHTTPServer(app *gin.Engine, port string) *net_http.Server { - return &net_http.Server{ - Addr: ":" + port, - Handler: app, - TLSConfig: &tls.Config{ - MinVersion: tls.VersionTLS12, - }, - } -} - func validateCertificates(certFile string, keyFile string) error { _, err := os.Stat(certFile) if os.IsNotExist(err) { @@ -222,20 +209,20 @@ func validateCertificates(certFile string, keyFile string) error { return nil } -func runServer(app *gin.Engine, port string, enableTlS bool, certFile string, keyFile string) error { - server := createHTTPServer(app, port) +func run(app *gin.Engine, port string, enableTlS bool, certFile string, keyFile string) error { + port = ":" + port if enableTlS { err := validateCertificates(certFile, keyFile) if err != nil { return fmt.Errorf("TLS configuration error: %w", err) } - log.Infof("Starting HTTPS server on port %s", port) - return server.ListenAndServeTLS(certFile, keyFile) + return app.RunTLS(port, certFile, keyFile) + } log.Infof("Starting HTTP server on port %s", port) - return server.ListenAndServe() + return app.Run(port) } func initializeCore(app *gin.Engine) error { From 619a8a3ddf0045934a65e0fec992c1c4e1321577 Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 15:49:56 +0100 Subject: [PATCH 08/11] fixed missing stat check --- internal/controller/controller.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index caca18b6..66ed46ad 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go 
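Review bot: Switching to `app.RunTLS(port, certFile, keyFile)` drops the explicit `MinVersion: tls.VersionTLS12` that the `createHTTPServer` removed in the previous hunk had set: gin's RunTLS goes through `http.ListenAndServeTLS` with a zero `tls.Config`, so the accepted floor is now the toolchain default (TLS 1.0 for servers before Go 1.22, TLS 1.2 from Go 1.22 on — the go.mod version is not visible here), and there is no `ReadHeaderTimeout`, so idle clients can hold header-less connections open indefinitely. The `Starting HTTPS server` log line was removed while the HTTP branch still logs, so a TLS start leaves no trace, and the hunk leaves a stray blank line after the `return`. Keeping a small `net_http.Server` in the TLS branch restores both without touching the HTTP path (needs `crypto/tls`, `net/http` and `time` imported):
```go
	if enableTlS {
		// … unchanged: validateCertificates check …
		srv := &net_http.Server{
			Addr:              port,
			Handler:           app,
			ReadHeaderTimeout: 10 * time.Second,
			TLSConfig:         &tls.Config{MinVersion: tls.VersionTLS12},
		}
		log.Infof("Starting HTTPS server on port %s", port)
		return srv.ListenAndServeTLS(certFile, keyFile)
	}
```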
@@ -202,6 +202,8 @@ func validateCertificates(certFile string, keyFile string) error { if os.IsNotExist(err) { return fmt.Errorf("certificate file not found: %s", certFile) } + + _, err = os.Stat(keyFile) if os.IsNotExist(err) { _, err = os.Stat(keyFile) return fmt.Errorf("key file not found: %s", keyFile) From 324fd39fde9b1b48dc9ebd37ae2c16861f118823 Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 15:57:06 +0100 Subject: [PATCH 09/11] moved envs to run function --- internal/controller/controller.go | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 66ed46ad..2193b59a 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -177,19 +177,7 @@ func Initialize() error { return err } - port := utils.GetEnv("PORT", "8080") - enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false")) - certFile := utils.GetEnv("CERT_FILE", "./certs/server.crt") - keyFile := utils.GetEnv("CERT_KEY_FILE", "./certs/server.key") - - if enableTLS { - if certFile == "" || keyFile == "" { - err := fmt.Errorf("TLS enabled but certificate or key file not provided") - log.Error(err) - return err - } - } - err = run(app, port, enableTLS, certFile, keyFile) + err = run(app) if err != nil { log.Error("failed to run gin") } 
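Review bot: The new `_, err = os.Stat(keyFile)` is still only tested with `os.IsNotExist(err)`, so any other stat failure — most plausibly `EACCES` when the key is not readable by the user the server runs as — is swallowed and `validateCertificates` returns nil, leaving the operator with a less specific error from the listener later; the certificate check just above has the same gap. Testing `err != nil` on both branches and wrapping it, e.g. `if err != nil { return fmt.Errorf("key file %s: %w", keyFile, err) }`, is the minimal fix. A stronger pre-flight is `tls.LoadX509KeyPair(certFile, keyFile)`, which also rejects a malformed PEM or a key that does not match the certificate before the port is bound (it would need `crypto/tls` re-imported, since the previous commit removed it).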
@@ -211,9 +199,14 @@ func validateCertificates(certFile string, keyFile string) error { return nil } -func run(app *gin.Engine, port string, enableTlS bool, certFile string, keyFile string) error { - port = ":" + port - if enableTlS { +func run(app *gin.Engine) error { + port := utils.GetEnv("PORT", "8080") + + enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false")) + certFile := utils.GetEnv("CERT_FILE", "./certs/server.crt") + keyFile := utils.GetEnv("CERT_KEY_FILE", "./certs/server.key") + + if enableTLS { err := validateCertificates(certFile, keyFile) if err != nil { return fmt.Errorf("TLS configuration error: %w", err) @@ -224,7 +217,7 @@ func run(app *gin.Engine, port string, enableTlS bool, certFile string, keyFile } log.Infof("Starting HTTP server on port %s", port) - return app.Run(port) + return app.Run(":" + port) } func initializeCore(app *gin.Engine) error { From beaa4db9ac3fa29d96cf07e50a0d0d617cc3dbe7 Mon Sep 17 00:00:00 2001 From: JP Date: Thu, 19 Dec 2024 15:58:31 +0100 Subject: [PATCH 10/11] fixed port --- internal/controller/controller.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 2193b59a..2c6c8e99 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -201,6 +201,7 @@ func validateCertificates(certFile string, keyFile string) error { func run(app *gin.Engine) error { port := utils.GetEnv("PORT", "8080") + port = ":" + port enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false")) certFile := utils.GetEnv("CERT_FILE", "./certs/server.crt") @@ -217,7 +218,7 @@ func run(app *gin.Engine) error { } log.Infof("Starting HTTP server on port %s", port) - return app.Run(":" + port) + return app.Run(port) } func initializeCore(app *gin.Engine) error { From 465b9922b1a5f73d4ec3673cdc2c8e3161cea9b6 Mon Sep 17 00:00:00 2001 
From: JP Date: Thu, 19 Dec 2024 16:02:43 +0100 Subject: [PATCH 11/11] fix linting --- internal/controller/controller.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/internal/controller/controller.go b/internal/controller/controller.go index 2c6c8e99..ddd0a755 100644 --- a/internal/controller/controller.go +++ b/internal/controller/controller.go @@ -193,7 +193,6 @@ func validateCertificates(certFile string, keyFile string) error { _, err = os.Stat(keyFile) if os.IsNotExist(err) { - _, err = os.Stat(keyFile) return fmt.Errorf("key file not found: %s", keyFile) } return nil @@ -202,7 +201,6 @@ func validateCertificates(certFile string, keyFile string) error { func run(app *gin.Engine) error { port := utils.GetEnv("PORT", "8080") port = ":" + port - enableTLS, _ := strconv.ParseBool(utils.GetEnv("ENABLE_TLS", "false")) certFile := utils.GetEnv("CERT_FILE", "./certs/server.crt") keyFile := utils.GetEnv("CERT_KEY_FILE", "./certs/server.key")