Feature/165 certificate setup (#194)

Https with certificate setup on install

Author: agalazis

.gitignore

@@ -5,3 +5,4 @@
 node_modules/
 target/
 *.zip
+service/web/config

Makefile

@@ -1,6 +1,7 @@
 
 run-backend: build-backend
-	cd service/web && go run cmd/pi-web-agent.go || cd -
+	ln -sfn ../system/etc/piwebagent2/config service/web/config \
+		&&cd service/web && go run cmd/pi-web-agent.go  || cd -
 
 run-frontend: 
 	cd ui/pi-web-agent-app && ng serve || cd -
@@ -11,13 +12,13 @@ test-backend:
 	cd service/web && go test ./test/ && cd -
 
 build-dev-ui:
-	cd ui/pi-web-agent-app && npm i && ng build --base-href / && cd -
+	npm --prefix ui/pi-web-agent-app i &&npm --prefix ui/pi-web-agent-app run ng build -- --base-href / 
 
 build-backend:
 	cd service/web && go build -o pi-web-agent cmd/pi-web-agent.go && cd -
 
 install-dev:
-	sudo apt-get update && sudo apt-get install git && curl -L https://git.io/vQhTU | bash -s -- --version 1.16
+	sudo apt-get update && sudo apt-get install git nodejs npm && curl -L https://git.io/vQhTU | bash -s -- --version 1.16
 
 uninstall-go:
 	curl -L https://git.io/vQhTU | bash -s -- --remove
@@ -40,7 +41,8 @@ make uninstall:
 
 
 build-rpi-ui:
-	cd ui/pi-web-agent-app && npm i && ng build --prod --base-href / && cd -
+	npm --prefix ui/pi-web-agent-app i \
+		&&npm --prefix ui/pi-web-agent-app run ng build -- --prod --base-href / 
 
 build-rpi-backend:
 	cd service/web && env GOOS=linux GOARCH=arm GOARM=5 go build -o pi-web-agent cmd/pi-web-agent.go && cd -

install.sh

@@ -32,7 +32,7 @@ function install_assets() {
 function install_config() {
     mkdir -p $CONFIG_DIR
     cp $CONFIG_FILE /$CONFIG_FILE
-    chown -R piwebagent2 /$CONFIG_FILE
+    chown -R piwebagent2 /$CONFIG_DIR
 }
 
 function prepare_unpack() {
@@ -41,6 +41,7 @@ function prepare_unpack() {
     echo $target
 }
 
+
 work_dir=$(prepare_unpack)
 set -e
 cd $work_dir

installation_paths

@@ -3,5 +3,6 @@ SERVICE_PATH=lib/systemd/system/piwebagent2.service
 BINARY_PATH=usr/bin/piwebagent2
 SHARED_PATH=usr/share/piwebagent2
 SUDOERS_PATH=etc/sudoers.d/piwebagent2
+PWA_CA_PATH=/etc/pwa_ca
 CONFIG_DIR=etc/piwebagent2/config
-CONFIG_FILE=${CONFIG_DIR}/config.env
+CONFIG_FILE=${CONFIG_DIR}/config.env

scripts/postinstall.sh

@@ -1,9 +1,35 @@
+#!/bin/bash
+
+function install_pwa_ca(){
+    PWA_CA_PATH='/etc/pwa_ca'
+    tmp=$(mktemp -d)
+    cd $tmp
+    git clone https://github.com/jsha/minica.git
+    cd minica 
+    go build
+    mkdir -p $PWA_CA_PATH
+    cd $PWA_CA_PATH
+	$tmp/minica/minica --domains rpi
+    groupadd pwassl
+    # group read execute for direcotries
+    find $PWA_CA_PATH -type d -print0 | xargs -0 chmod 750
+    # group read for files
+    find $PWA_CA_PATH -type f -print0 | xargs -0 chmod 640
+    sudo chown root:pwassl -R $PWA_CA_PATH
+    usermod -a -G pwassl piwebagent2 # pi web agent can only read
+    cd -
+}
+
 
 echo "Giving permissions to piwebagent to access its static content"
 chown piwebagent2 /usr/share/piwebagent2/assets
 
+echo "Setup PWA CA"
+install_pwa_ca
+
 echo "Enabling piwebagent2.service"
 systemctl enable piwebagent2.service
+
 echo "Starting piwebagent2.service"
 systemctl start piwebagent2.service
 

service/system/etc/piwebagent2/config/config.env

@@ -1,2 +1,5 @@
+TLS_CERT_FILE=/etc/pwa_ca/rpi/cert.pem
+TLS_KEY_FILE=/etc/pwa_ca/rpi/key.pem
 PASSWORD_HASH=
-PORT_NUMBER=8080
+PORT_NUMBER=8080
+TLS_PORT_NUMBER=8443

service/web/cmd/pi-web-agent.go

@@ -5,14 +5,19 @@ import (
 	"io"
 	"log"
 	"net/http"
+	"os"
 
 	net "github.com/vaslabs/pi-web-agent/net"
 	api "github.com/vaslabs/pi-web-agent/pkg"
 )
 
 func main() {
-
 	single_user_session := net.NewSession()
+	config := single_user_session.PWA_Config
+	addr := fmt.Sprintf(":%d", config.Port())
+	tls_addr := fmt.Sprintf(":%d", config.TLS_Port())
+	key_path := config.TLS_Key_File()
+	cert_path := config.TLS_Cert_File()
 
 	api_action_prefix := "/api/action/"
 
@@ -27,8 +32,21 @@ func main() {
 	http.HandleFunc(api_action_prefix, dummyHandler)
 	http.HandleFunc("/api/control/stream", action_dispatcher_handler)
 	http.Handle("/", http.FileServer(http.Dir("assets")))
+	if _, err := os.Stat(key_path); err == nil {
+		log.Println("Redirecting from ", addr)
+		go net.RedirectToHTTPS(addr, config.TLS_Port())
+		log.Println("Serving over TLS on ", tls_addr)
+		log.Fatal(
+			http.ListenAndServeTLS(
+				tls_addr,
+				cert_path,
+				key_path,
+				nil,
+			),
+		)
+	} else {
+		log.Println("Listening to ", addr)
+		log.Fatal(http.ListenAndServe(addr, nil))
+	}
 
-	addr := fmt.Sprintf(":%d", single_user_session.PWA_Config.Port())
-
-	log.Fatal(http.ListenAndServe(addr, nil))
 }

service/web/internal/configuration.go

@@ -2,13 +2,18 @@ package shell
 
 import (
 	"fmt"
+	"os"
+	"path"
 
 	"github.com/spf13/viper"
 )
 
 type RPI_Config interface {
 	Port() uint32
 	Password_Hash() string
+	TLS_Cert_File() string
+	TLS_Key_File() string
+	TLS_Port() uint32
 	Update_Passphrase(phrase string)
 }
 
@@ -17,16 +22,31 @@ type Dynamic_RPI_Config struct {
 }
 
 const (
-	PASSWORD_HASH_KEY = "PASSWORD_HASH"
-	PORT_NUMBER_KEY   = "PORT_NUMBER"
+	PASSWORD_HASH_KEY   = "PASSWORD_HASH"
+	PORT_NUMBER_KEY     = "PORT_NUMBER"
+	TLS_CERT_FILE_KEY   = "TLS_CERT_FILE"
+	TLS_KEY_FILE_KEY    = "TLS_KEY_FILE"
+	TLS_PORT_NUMBER_KEY = "TLS_PORT_NUMBER"
 )
 
+func (config *Dynamic_RPI_Config) Password_Hash() string {
+	return config.config.GetString(PASSWORD_HASH_KEY)
+}
+
 func (config *Dynamic_RPI_Config) Port() uint32 {
 	return config.config.GetUint32(PORT_NUMBER_KEY)
 }
 
-func (config *Dynamic_RPI_Config) Password_Hash() string {
-	return config.config.GetString(PASSWORD_HASH_KEY)
+func (config *Dynamic_RPI_Config) TLS_Cert_File() string {
+	return config.config.GetString(TLS_CERT_FILE_KEY)
+}
+
+func (config *Dynamic_RPI_Config) TLS_Key_File() string {
+	return config.config.GetString(TLS_KEY_FILE_KEY)
+}
+
+func (config *Dynamic_RPI_Config) TLS_Port() uint32 {
+	return config.config.GetUint32(TLS_PORT_NUMBER_KEY)
 }
 
 func (config *Dynamic_RPI_Config) Update_Passphrase(phrase string) {
@@ -41,13 +61,21 @@ func Load_PWA_config(path string) RPI_Config {
 }
 
 func Load_RPI_PWA_Config() RPI_Config {
-	return Load_PWA_config("/etc/piwebagent2/config")
+	pwa_path := "/etc/piwebagent2"
+	config_path := "config"
+	if _, err := os.Stat(pwa_path); err == nil {
+		return Load_PWA_config(path.Join(pwa_path, config_path))
+	}
+	return Load_PWA_config(config_path)
 }
 
 func load_PWA_config(path string) (*viper.Viper, error) {
 	config := viper.New()
 	config.SetDefault(PASSWORD_HASH_KEY, "")
 	config.SetDefault(PORT_NUMBER_KEY, uint32(8080))
+	config.SetDefault(TLS_PORT_NUMBER_KEY, uint32(8443))
+	config.SetDefault(TLS_CERT_FILE_KEY, "/etc/pwa_ca/rpi/cert.pem")
+	config.SetDefault(TLS_KEY_FILE_KEY, "/etc/pwa_ca/rpi/key.pem")
 	config.AddConfigPath(path)
 	config.SetConfigType("env")
 	config.WatchConfig()

service/web/net/https_redircet.go

@@ -0,0 +1,23 @@
+package net
+
+import (
+	"log"
+	"net"
+	"net/http"
+	"strconv"
+)
+
+func RedirectToHTTPS(httpAddr string, tlsPort uint32) {
+	httpSrv := http.Server{
+		Addr: httpAddr,
+		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			host, _, _ := net.SplitHostPort(r.Host)
+			u := r.URL
+			u.Host = net.JoinHostPort(host, strconv.FormatUint(uint64(tlsPort), 10))
+			u.Scheme = "https"
+			log.Println("Redirecting http request to:", u.String())
+			http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
+		}),
+	}
+	log.Println(httpSrv.ListenAndServe())
+}