Update Docker Builds (#13)

.dockerignore

@@ -0,0 +1,29 @@
+# For humans
+LICENSE
+README.md
+
+# git stuff
+.git
+.gitignore
+.github
+
+# Development
+.vscode
+.env.template
+
+# OS Droppings
+.DS_Store
+
+# Node stuff
+node_modules
+build
+
+# Docker stuff
+.dockerignore
+Dockerfile
+Dockerfile.prod
+docker-compose.yaml
+
+# Local configuration
+fixtures
+.env

.env.template

@@ -0,0 +1,28 @@
+# This is a local configuration for developing courier; we do not recommend using
+# .env files in production. Instead, please see the configuration guide for details
+# on configuring courier in a production environment.
+#
+# To use this env file copy it to .env in your local directory and update the
+# configuration values as needed. The reasonable defaults below should allow you to
+# run courier locally without any changes.
+
+# Basic configuration details
+COURIER_MAINTENANCE=false
+COURIER_BIND_ADDR=:8842
+COURIER_MODE=debug
+COURIER_LOG_LEVEL=debug
+COURIER_CONSOLE_LOG=true
+
+# Courier TLS/mTLS details
+COURIER_MTLS_INSECURE=true
+#COURIER_MTLS_CERT_PATH=
+#COURIER_MTLS_POOL_PATH=
+
+# Local storage configuration
+COURIER_LOCAL_STORAGE_ENABLED=true
+COURIER_LOCAL_STORAGE_PATH=fixtures/
+
+# Google Secrets configuration
+COURIER_GCP_SECRET_MANAGER_ENABLED=false
+#COURIER_GCP_SECRET_MANAGER_CREDENTIALS=
+#COURIER_GCP_SECRET_MANAGER_PROJECT=

.github/pull_request_template.md

@@ -0,0 +1,28 @@
+### Scope of changes
+
+Briefly add notes if applicable and include the story ID
+
+### Type of change
+
+- [ ] bug fix
+- [ ] new feature
+- [ ] documentation
+- [ ] other (describe)
+
+### Acceptance criteria
+
+Describe how reviewers can test this change to be sure that it works correctly. Add a checklist if possible
+
+### Author checklist
+
+- [ ] I have manually tested the change and/or added automation in the form of unit tests or integration tests
+- [ ]  I have updated the dependencies list
+- [ ]  I have recompiled and included new protocol buffers to reflect changes I made
+- [ ]  I have added new test fixtures as needed to support added tests
+- [ ]   Check this box if a reviewer can merge this pull request after approval (leave it unchecked if you want to do it yourself)
+- [ ]  I have moved the associated Shortcut story to "Ready for Review"
+
+### Reviewer(s) checklist
+
+- [ ] Any new user-facing content that has been added for this PR has been QA'ed to ensure correct grammar, spelling, and understandability.
+

.github/workflows/containers.yml

@@ -0,0 +1,64 @@
+name: Containers
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  courier:
+    name: Courier
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Set Environment
+        id: vars
+        run: |
+          echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+          echo "revision=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          # list of Docker images to use as basenames for tags
+          # this should be configured for each container built
+          images: |
+            trisa/courier
+          tags: |
+            type=semver,pattern={{raw}}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=sha,prefix=,suffix=,format=short
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
+
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            GIT_REVISION=${{ steps.vars.outputs.revision }}

.github/workflows/test.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Tests
 on:
   push:
     branches:

.gitignore

@@ -9,7 +9,9 @@
 *.dylib
 
 # Environment variables
-*.env
+.env
+.secret
+fixtures
 
 # Test binary, built with `go test -c`
 *.test
@@ -25,6 +27,4 @@ go.work
 
 # macOS
 *.DS_Store
-
-# Google credentials
-*.json
+.DS_Store

containers/courier/Dockerfile → Dockerfile

@@ -1,17 +1,19 @@
 # Dynamic Builds
-ARG BUILDER_IMAGE=golang:1.21-buster
-ARG FINAL_IMAGE=debian:buster-slim
+ARG BUILDER_IMAGE=golang:1.21-bookworm
+ARG FINAL_IMAGE=debian:bookworm-slim
 
 # Build Stage
-FROM ${BUILDER_IMAGE} AS builder
+FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} AS builder
 
+# Build Args
 ARG GIT_REVISION=""
 
 # Ensure ca-certificates are up to date
 RUN update-ca-certificates
 
-# Use modeules for dependencies
+# Use modules for dependencies
 WORKDIR $GOPATH/src/github.com/trisacrypto/courier
+
 COPY go.mod .
 COPY go.sum .
 
@@ -20,25 +22,30 @@ ENV GO111MODULE=on
 RUN go mod download
 RUN go mod verify
 
-# Copy only what is needed for the build
-COPY cmd ./cmd
-COPY pkg ./pkg
+# Copy package
+COPY . .
 
 # Build the binary
-RUN go build -v -o /go/bin/courier -ldflags="-X 'github.com/trisacrypto/courier/pkg.GitVersion=$GIT_REVISION'" ./cmd/courier
+ARG TARGETOS
+ARG TARGETARCH
+RUN GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -v -o /go/bin/courier -ldflags="-X 'github.com/trisacrypto/courier/pkg.GitVersion=${GIT_REVISION}'" ./cmd/courier
 
 # Final Stage
-FROM ${FINAL_IMAGE} AS final
+FROM --platform=${BUILDPLATFORM} ${FINAL_IMAGE} AS final
 
 LABEL maintainer="TRISA <[email protected]>"
-LABEL description="Certificate Delivery Service"
+LABEL description="Courier TSP Certificate Delivery Service"
 
 # Ensure ca-certificates are up to date
 RUN set -x && apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install -y ca-certificates && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y ca-certificates sqlite3 && \
     rm -rf /var/lib/apt/lists/*
 
 # Copy the binary to the production image from the builder stage.
 COPY --from=builder /go/bin/courier /usr/local/bin/courier
 
+# Create a user so that we don't run as root
+RUN groupadd -r courier && useradd -m -r -g courier courier
+USER courier
+
 CMD [ "/usr/local/bin/courier", "serve" ]

README.md

@@ -10,12 +10,39 @@ This tool is mostly used by TRISA Service Providers (TSPs) who have to handle ma
 TRISA certificate deliveries at a time. VASPs who want to automate certificate delivery
 may also use this service.
 
-## Deploying with Docker
+## Storage
+
+Courier can be configured to store PKCS12 passwords and x509 certificates in different backends. Currently available backends include:
+
+1. **Local storage**: stored as gzip text files in a specified directory
+2. **Google Secret Manager**: stored using Google Cloud Platform secrets
+
+At least one storage backend must be configured for Courier to function properly. If there is another storage backend that you would like implemented for Courier, please [create an issue to request it](https://github.com/trisacrypto/courier/issues)!
+
+## Deploying
+
+Courier is intended to be set up and run in your local environment. **We strongly recommend that you ensure the webhook is TLS encrypted**. Once you have a courier service setup, you can update the GDS with webhook delivery instructions.
+
+### Docker
 
 The simplest way to run the courier service is to use the docker image
 `trisa/courier:latest` and to configure it from the environment. This allows the
 courier service to be easily run on a Kubernetes cluster.
 
+### Build and Run
+
+Alternatively you can build and run the courier executable on your own instance. Use Go to build and install the executable as follows:
+
+```
+$ go install github.com/trisacrypto/courier/cmd/courier
+```
+
+You can then run the server as follows:
+
+```
+$ courier serve
+```
+
 ### Configuration
 
 This application is configured via the environment. The following environment

docker-compose.yaml

@@ -0,0 +1,24 @@
+version: "3"
+services:
+  courier:
+    build:
+      context: .
+      dockerfile: ./Dockerfile
+      args:
+        GIT_REVISION: ${GIT_REVISION}
+    image: trisa/courier
+    init: true
+    ports:
+      - 8842:8842
+    volumes:
+      - ./courier/data:/data
+    environment:
+      - COURIER_MAINTENANCE=false
+      - COURIER_BIND_ADDR=:8842
+      - COURIER_MODE=debug
+      - COURIER_LOG_LEVEL=debug
+      - COURIER_CONSOLE_LOG=true
+      - COURIER_MTLS_INSECURE=true
+      - COURIER_LOCAL_STORAGE_ENABLED=true
+      - COURIER_LOCAL_STORAGE_PATH=/data
+      - COURIER_GCP_SECRET_MANAGER_ENABLED=false

go.mod

@@ -1,6 +1,6 @@
 module github.com/trisacrypto/courier
 
-go 1.19
+go 1.21
 
 require (
 	cloud.google.com/go/secretmanager v1.11.2

go.sum

@@ -1,6 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.110.6 h1:8uYAkj3YHTP/1iwReuHPxLSbdcyc+dSBbzFMrVwDR6Q=
+cloud.google.com/go v0.110.6/go.mod h1:+EYjdK8e5RME/VY/qLCAtuyALQ9q67dvuum8i+H5xsI=
 cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
 cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
@@ -50,6 +51,7 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
 github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
+github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=

pkg/store/store.go

@@ -2,6 +2,7 @@ package store
 
 import (
 	"context"
+	"io"
 )
 
 const (
@@ -11,7 +12,7 @@ const (
 
 // Store is a generic interface for storing and retrieving data.
 type Store interface {
-	Close() error
+	io.Closer
 	PasswordStore
 	CertificateStore
 }