Cleaning, fixing Elgamal parameter set, run jwt-keypair post install, tls

Author: biscofil

.gitignore

@@ -25,7 +25,6 @@ yarn-error.log
 /_docker/
 /.env.testing
 /apache2.conf
-/resources/js/github/vuesocial/
 /letsencrypt/
 .idea/
 setup/registry/registry-creds

Dockerfile

@@ -7,10 +7,6 @@ ENV APACHE_DOCUMENT_ROOT=/var/www/html/public
 RUN sed -ri -e 's!/var/www/html!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/sites-available/*.conf
 RUN sed -ri -e 's!/var/www/!${APACHE_DOCUMENT_ROOT}!g' /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
 
-RUN echo "zend_extension=$(find /usr/local/lib/php/extensions/ -name xdebug.so)" > /usr/local/etc/php/conf.d/xdebug.ini \
-    && echo "xdebug.remote_enable=on" >> /usr/local/etc/php/conf.d/xdebug.ini \
-    && echo "xdebug.remote_autostart=off" >> /usr/local/etc/php/conf.d/xdebug.ini
-
 # Set the working directory
 WORKDIR /var/www/html
 
@@ -33,6 +29,6 @@ RUN chown -R www-data:www-data .
 
 # Install project dependencies
 RUN composer install
-RUN composer dump-autoload -o
+RUN composer dump-autoload
 
 RUN php artisan storage:link

README.md

@@ -25,34 +25,24 @@ helm repo update
 helm install ingress-nginx ingress-nginx/ingress-nginx
 # wait some time!
 
-# Install a private registry
-cd setup/registry
-./install.sh install
-# ./uninstall.sh
-
-# Create regcred in node namespace
-./setup/registry/install.sh regcred <namespace>
-
 ```
 
 # Install
 
 ```shell
-
 docker build -t biscofil/kairos_php:webserver .
 docker tag biscofil/kairos_php:webserver biscofil/kairos_php:webserver-1.0.0
-docker push biscofil/kairos_php:webserver-1.0.0
+kind load docker-image biscofil/kairos_php:webserver-1.0.0
 
-docker tag biscofil/kairos_php:webserver docker-registry.127.0.0.1.nip.io/kairos_php:webserver-1.0.0
+docker tag biscofil/kairos_php:webserver docker.io/kairos_php:webserver-1.0.0
 # echo registryPass | docker login -u admin docker-registry.127.0.0.1.nip.io --password-stdin
-docker push docker-registry.127.0.0.1.nip.io/kairos_php:webserver-1.0.0
+kind load docker-image docker.io/kairos_php:webserver-1.0.0
 
 # SSL
 
 ./cert.sh
 
 openssl req -x509 -nodes -days 2 -newkey rsa:2048 -keyout ingress-tls.key -out ingress-tls.crt -subj "/CN=kairos-webserver.127.0.0.1.nip.io"
-
 kubectl delete secret my-tls-secret 
 kubectl create secret tls my-tls-secret --key ingress-tls.key --cert ingress-tls.crt
 rm ingress-tls.key ingress-tls.crt
@@ -63,10 +53,9 @@ helm package helm
 
 # Deploy one node
 kubectl create ns node1
-# TODO generate random values in helm_secret.ini
-# php artisan key:generate
-# php artisan generate:jwt-keypair
-
+# generate random values into helm_secret.ini
+python3 generate_secret_ini_file.py
+# TODO: manually insert missing values in helm_secret.ini
 kubectl create secret generic kairos-secrets --from-env-file=helm_secret.ini --namespace node1
 helm install kairos Kairos-0.1.0.tgz --namespace node1 -f values.yaml
 helm upgrade kairos Kairos-0.1.0.tgz --namespace node1 -f values.yaml
@@ -82,59 +71,6 @@ helm upgrade kairos Kairos-0.1.0.tgz --namespace node1 -f values.yaml
     - remove folder creation in docker image
 - adapt `php artisan generate:jwt-keypair` to kubernertes
 
-# Legacy (deprecated)
-
-```shell
-#install docker (https://docs.docker.com/engine/install/ubuntu/)
-sudo apt-get update
-sudo apt-get install \
-    apt-transport-https \
-    ca-certificates \
-    curl \
-    gnupg \
-    lsb-release
-curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
-echo \
-  "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
-  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
-sudo apt-get update
-sudo apt-get install docker-ce docker-ce-cli containerd.io
-
-# install docker-compose (https://docs.docker.com/compose/install/)
-sudo curl -L "https://github.com/docker/compose/releases/download/1.29.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
-sudo chmod +x /usr/local/bin/docker-compose
-sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
-
-
-# disable SSL commenting 000-default.conf
-mkdir helios
-
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose up -d
-docker pull certbot/certbot
-# RUN docker run -it --rm -v $(pwd)/letsencrypt/c.....
-# enable SSL commenting 000-default.conf
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose down
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose up -d
-# php artisan key:generate
-# php artisan generate:jwt-keypair
-# php artisan storage:link
-```
-
-# Adding SSL to the server domain.xyz (deprecated)
-
-```shell
-docker pull certbot/certbot
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose build
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose up -d
-U_ID=$(id -u $USER) G_ID=$(id -u $USER) docker-compose down
-docker run -it --rm -v $(pwd)/letsencrypt/certs:/etc/letsencrypt -v $(pwd)/letsencrypt/data:/data/letsencrypt \
-    certbot/certbot certonly \
-    --webroot \
-    --webroot-path=/data/letsencrypt \
-    -d domain.xyz \
-    --email your@email.com \
-    --agree-tos
-```
 
 # Docker changes (deprecated)
 

app/Models/Election.php

@@ -173,7 +173,7 @@ class Election extends Model
         //
         'min_peer_count_t' => 'int',
         'anonymization_method' => AnonymizationMethodEnum::class,
-        'cryptosystem' => CryptoSystemEnum::class,
+        'cryptosystem' => CryptoSystemEnum::class, // TODO also store parameters (P,G,Q)
         'public_key' => PublicKeyCaster::class,
         'private_key' => SecretKeyCaster::class,
         //

app/Providers/AppServiceProvider.php

@@ -5,72 +5,80 @@
 use App\Models\PeerServer;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Schema;
+use Illuminate\Support\Facades\DB;
 use Illuminate\Support\ServiceProvider;
 
 class AppServiceProvider extends ServiceProvider
 {
 
-    //    public const ActAsPeerServerKey = 'act_as_peer_server';
+  //    public const ActAsPeerServerKey = 'act_as_peer_server';
 
-    /**
-     * Register any application services.
-     * @return void
-     * @noinspection PhpMissingParentCallCommonInspection
-     */
-    public function register()
-    {
-        //
-    }
+  /**
+   * Register any application services.
+   * @return void
+   * @noinspection PhpMissingParentCallCommonInspection
+   */
+  public function register()
+  {
+    //
+  }
 
-    /**
-     * Bootstrap any application services.
-     *
-     * @return void
-     */
-    public function boot()
-    {
+  /**
+   * Bootstrap any application services.
+   *
+   * @return void
+   */
+  public function boot()
+  {
 
-        Schema::defaultStringLength(191);
+    try {
+      DB::connection();
+    } catch (\Exception $e) {
+      Log::warning('Leaving AppServiceProvider because DB connection is not made');
+      return;
+    }
 
-        $connection = config('database.default');
-        $driver = config("database.connections.{$connection}.driver");
-        if ($driver === "sqlite") {
-            \Illuminate\Support\Facades\DB::getDoctrineSchemaManager()
-                ->getDatabasePlatform()->registerDoctrineTypeMapping('point', 'string');
-        }
+    Schema::defaultStringLength(191);
 
-        $me = null;
-        try {
+    $connection = config('database.default');
+    $driver = config("database.connections.{$connection}.driver");
+    if ($driver === "sqlite") {
+      \Illuminate\Support\Facades\DB::getDoctrineSchemaManager()
+        ->getDatabasePlatform()->registerDoctrineTypeMapping('point', 'string');
+    }
 
-            // TODO if testing and if request contains "act_as_peer_server" then act as another peer
-            //            if (in_array(config('app.env'), ['testing', 'local'])
-            //                && $request->hasHeader(self::ActAsPeerServerKey)) {
-            //                $peerID = intval($request->header(self::ActAsPeerServerKey));
-            //                Log::warning("Acting as peer server $peerID");
-            //                $me = PeerServer::findOrFail($peerID);
-            //            } else {
-            $me = PeerServer::me(false);
-            //            }
+    $me = null;
+    try {
 
-        } catch (\Exception $e) {
-            Log::warning('Failed getCurrentServer() in AppServiceProvider');
-        }
-        // take the RSA keypair of the current server for JWT auth
+      // TODO if testing and if request contains "act_as_peer_server" then act as another peer
+      //            if (in_array(config('app.env'), ['testing', 'local'])
+      //                && $request->hasHeader(self::ActAsPeerServerKey)) {
+      //                $peerID = intval($request->header(self::ActAsPeerServerKey));
+      //                Log::warning("Acting as peer server $peerID");
+      //                $me = PeerServer::findOrFail($peerID);
+      //            } else {
+      $me = PeerServer::me(false);
+      //            }
 
-        if ($me) {
-            config(['app.locale' => $me->locale]);
-            //            config(['app.timezone' => $me->timezone]);
-            if ($me->jwt_public_key && $me->jwt_secret_key) {
-                config(['jwt.keys.private' => $me->jwt_secret_key->toString()]);
-                config(['jwt.keys.public' => $me->jwt_public_key->toString()]);
-            }
-        }
+    } catch (\Exception $e) {
+      Log::warning('Failed getCurrentServer() in AppServiceProvider');
+    }
+    // take the RSA keypair of the current server for JWT auth
 
-        /**
-         * can be accessed with @see getCurrentServer()
-         */
-        $this->app->singleton('peer_server_me', function ($app) use ($me) {
-            return $me;
-        });
+    if ($me) {
+      config(['app.locale' => $me->locale]);
+      //            config(['app.timezone' => $me->timezone]);
+      if ($me->jwt_public_key && $me->jwt_secret_key) {
+        config(['jwt.keys.private' => $me->jwt_secret_key->toString()]);
+        config(['jwt.keys.public' => $me->jwt_public_key->toString()]);
+      }
     }
+
+    /**
+     * can be accessed with @see getCurrentServer()
+     */
+    $this->app->singleton('peer_server_me', function ($app) use ($me) {
+      return $me;
+    });
+  }
 }

app/Voting/CryptoSystems/ElGamal/EGParameterSet.php

@@ -48,7 +48,8 @@ public function __construct(BigInteger $g, BigInteger $p, BigInteger $q)
     }
 
     /**
-     *
+     * TODO these can change, from one peer to the other
+     * TODO share your parameter with others
      */
     public static function getDefault(): self
     {

compile_js.sh

@@ -2,7 +2,8 @@
 # npm install
 
 # edit .env file
-npm ci
+# npm ci
+npm install
 # npm run test
 
 # export MIX_ENV_MODE="dev"

generate_secret_ini_file.py

@@ -0,0 +1,41 @@
+import secrets
+import string
+import base64
+import logging
+
+
+def generate_password(size):
+  # Generate a secure password
+  alphabet = string.ascii_letters + string.digits # + string.punctuation
+  return ''.join(secrets.choice(alphabet) for i in range(size))
+
+def generate_base64_password(size):
+  binary_string = secrets.token_bytes(size)
+  return base64.b64encode(binary_string).decode()
+
+config = {}
+with open("helm_secret.ini.example", "r") as f:
+  for line in f.readlines():
+    try:
+      if not line.strip():
+        continue
+      if "=" not in line:
+        key=line
+        value=""
+      else:
+        key, value = line.split('=')
+      key = key.strip()
+      value = value.strip()
+      config[key] = value
+    except ValueError:
+      # syntax error
+      logging.error(f"Syntax error in line: {line}")
+      pass
+
+config['JWT_SECRET'] = generate_password(64)
+config['DB_PASSWORD'] = generate_password(32)
+config['APP_KEY'] = 'base64:' + generate_base64_password(64)
+
+with open("helm_secret.ini", "w") as f:
+  for key, value in config.items():
+    f.write(f"{key}={value}\n")

helm/templates/db-env-configmap.yaml …lm/templates/database-env-configmap.yamlhelm/templates/db-env-configmap.yaml renamed to helm/templates/database-env-configmap.yaml helm/templates/db-env-configmap.yaml renamed to helm/templates/database-env-configmap.yaml

@@ -0,0 +1,37 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kairos-init
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: init-cont
+        image: busybox:1.31
+        command: ['sh', '-c', 'echo -e "Checking for the availability of MySQL Server deployment"; while ! nc -z {{.Values.database.serviceName}} 3306; do sleep 1; printf "-"; done; echo -e "  >> MySQL DB Server has started";']
+      containers:
+      - image: "{{ .Values.image }}:{{ .Chart.AppVersion }}"
+        imagePullPolicy: Always
+        name: kairos-init
+        envFrom:
+          - configMapRef:
+              name: kairos-webserver-env
+          - secretRef:
+              name: kairos-secrets
+        command: ["/bin/sh"]
+        args:
+          - -c
+          - >-
+              php artisan generate:jwt-keypair
+        resources:
+          requests:
+            ephemeral-storage: "100Mi"
+      restartPolicy: Never
+      volumes:
+        - name: kairos-webserver-claim
+          persistentVolumeClaim:
+            claimName: kairos-webserver-claim
+  backoffLimit: 1