From 13ca98d0605ba2c9dd3c10d1839f39f99aa97630 Mon Sep 17 00:00:00 2001
From: Chris Gilmer
Date: Fri, 1 Nov 2019 23:20:41 +0000
Subject: [PATCH 1/3] DPS Auth requires Mutual TLS
---
 .../app-client-tls.container-definition.json | 22 +++++++++++++----
 config/app.container-definition.json | 24 -------------------
 pkg/cli/services.go | 9 +++++--
 3 files changed, 25 insertions(+), 30 deletions(-)
diff --git a/config/app-client-tls.container-definition.json b/config/app-client-tls.container-definition.json
index 1104263d4fb..76fd697cd2f 100644
--- a/config/app-client-tls.container-definition.json
+++ b/config/app-client-tls.container-definition.json
@@ -17,8 +17,6 @@
 "production",
 "--debug-logging",
 "--log-task-metadata",
- "--db-env",
- "container",
 "--mutual-tls-enabled",
 "--tls-enabled"
 ],
@@ -89,8 +87,20 @@
 "value": "{{ .move_mil_dod_ca_cert }}"
 },
 {
- "name": "HTTP_MY_SERVER_NAME",
- "value": "my.{{ .domain }}"
+ "name": "DPS_REDIRECT_URL",
+ "value": "{{ .DPS_REDIRECT_URL }}"
+ },
+ {
+ "name": "DPS_COOKIE_NAME",
+ "value": "{{ .DPS_COOKIE_NAME }}"
+ },
+ {
+ "name": "DPS_COOKIE_DOMAIN",
+ "value": ".sddc.army.mil"
+ },
+ {
+ "name": "HTTP_DPS_SERVER_NAME",
+ "value": "dps.{{ .domain }}"
 },
 {
 "name": "HTTP_ORDERS_SERVER_NAME",
@@ -148,6 +158,10 @@
 "name": "SERVE_SWAGGER_UI",
 "value": "{{ .SERVE_SWAGGER_UI }}"
 },
+ {
+ "name": "SERVE_DPS",
+ "value": "{{ .SERVE_DPS }}"
+ },
 {
 "name": "SERVE_ORDERS",
 "value": "{{ .SERVE_ORDERS }}"
diff --git a/config/app.container-definition.json b/config/app.container-definition.json
index 00f300a672f..7c6a00f83e6 100644
--- a/config/app.container-definition.json
+++ b/config/app.container-definition.json
@@ -93,14 +93,6 @@
 "name": "HTTP_ADMIN_SERVER_NAME",
 "value": "admin.{{ .domain }}"
 },
- {
- "name": "HTTP_ORDERS_SERVER_NAME",
- "value": "orders.{{ .domain }}"
- },
- {
- "name": "HTTP_DPS_SERVER_NAME",
- "value": "dps.{{ .domain }}"
- },
 {
 "name": "AWS_S3_BUCKET_NAME",
 "value": "transcom-ppp-app-{{ .environment }}-us-west-2"
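Review bot: In the second hunk of config/app-client-tls.container-definition.json, `DPS_COOKIE_DOMAIN` is the one hard-coded host value in the new block: it is pinned to `.sddc.army.mil` while its neighbours (`DPS_REDIRECT_URL`, `DPS_COOKIE_NAME`, `HTTP_DPS_SERVER_NAME`) are templated per environment, so in any environment where `dps.{{ .domain }}` does not sit under sddc.army.mil a browser will presumably discard the cookie, and where it does, the cookie is sent to every host under that suffix. The value is carried over verbatim from config/app.container-definition.json (removed in the later hunk), so behaviour is unchanged, but templating it as `{{ .DPS_COOKIE_DOMAIN }}` alongside the other two would keep the client-TLS task consistent and make the cookie scope an explicit per-environment decision. The first hunk also drops `"--db-env", "container"` from the command line with no replacement; if the binary's default for that flag differs from `container`, this task would resolve its database configuration differently than before, which is worth confirming against the flag definition outside this patch.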
@@ -161,18 +153,6 @@
 "name": "HTTP_SDDC_PORT",
 "value": ""
 },
- {
- "name": "DPS_REDIRECT_URL",
- "value": "{{ .DPS_REDIRECT_URL }}"
- },
- {
- "name": "DPS_COOKIE_NAME",
- "value": "{{ .DPS_COOKIE_NAME }}"
- },
- {
- "name": "DPS_COOKIE_DOMAIN",
- "value": ".sddc.army.mil"
- },
 {
 "name": "GEX_URL",
 "value": "https://gexweba.daas.dla.mil/msg_data/submit/"
@@ -201,10 +181,6 @@
 "name": "SERVE_SDDC",
 "value": "{{ .SERVE_SDDC }}"
 },
- {
- "name": "SERVE_DPS",
- "value": "{{ .SERVE_DPS }}"
- },
 {
 "name": "SERVE_API_INTERNAL",
 "value": "{{ .SERVE_API_INTERNAL }}"
diff --git a/pkg/cli/services.go b/pkg/cli/services.go
index fd5a980fcc7..3b0836c65a9 100644
--- a/pkg/cli/services.go
+++ b/pkg/cli/services.go
@@ -57,17 +57,22 @@ func CheckServices(v *viper.Viper) error {
 return errors.New("no service was enabled")
 }
+ // if DPS is enabled then the mutualTLSListener is needed too
 // if Orders is enabled then the mutualTLSListener is needed too
+ // if PRIME is enabled then the mutualTLSListener is needed too
 mutualTLSEnabled := v.GetBool(MutualTLSListenerFlag)
 if v.GetString(EnvironmentFlag) != EnvironmentDevelopment {
+ if dpsEnabled && !mutualTLSEnabled {
+ return errors.New(fmt.Sprintf("for dps service to be enabled both %s and the %s flags must be in use", ServeDPSFlag, MutualTLSListenerFlag))
+ }
 if ordersEnabled && !mutualTLSEnabled {
 return errors.New(fmt.Sprintf("for orders service to be enabled both %s and the %s flags must be in use", ServeOrdersFlag, MutualTLSListenerFlag))
 }
 if primeAPIEnabled && !mutualTLSEnabled {
 return errors.New(fmt.Sprintf("for prime service to be enabled both %s and the %s flags must be in use", ServePrimeFlag, MutualTLSListenerFlag))
 }
- if mutualTLSEnabled && !ordersEnabled && !primeAPIEnabled {
- return errors.New("either orders service or prime service must be enabled for mutualTSL to be enabled")
+ if mutualTLSEnabled && !(dpsEnabled || ordersEnabled || primeAPIEnabled) {
+ return errors.New("either dps, orders or prime service must be enabled for mutualTSL to be enabled")
 }
 }
From a719ca16f53734a85a2825561c36088abc92908d Mon Sep 17 00:00:00 2001
From: Chris Gilmer
Date: Mon, 4 Nov 2019 19:06:38 +0000
Subject: [PATCH 2/3] Deploy to experimental
---
 .circleci/config.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index fd7a2f37795..3d747ef589b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -853,7 +853,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: placeholder_branch_name
+ ignore: cg_dps_mutual_tls
 - client_test:
 requires:
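Review bot: The rewritten fallback line `return errors.New("either dps, orders or prime service must be enabled for mutualTSL to be enabled")` carries the `mutualTSL` typo forward from the line it replaces; since the string is already being rewritten, `mutual TLS` would match the flag it refers to. The added dps check builds its error with `errors.New(fmt.Sprintf(...))`, which staticcheck flags (S1028); `return fmt.Errorf("for dps service to be enabled both %s and the %s flags must be in use", ServeDPSFlag, MutualTLSListenerFlag)` is the idiomatic form, and the two existing orders/prime lines could be changed in the same pass. All three checks sit under `if v.GetString(EnvironmentFlag) != EnvironmentDevelopment`, so a development environment can still serve DPS with the mutual TLS listener off; given the commit title, the new `// if DPS is enabled then the mutualTLSListener is needed too` comment should say that this is enforced outside development only. `dpsEnabled` is defined above the hunk, and CheckServices begins before and continues after it.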
@@ -861,7 +861,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: placeholder_branch_name
+ ignore: cg_dps_mutual_tls
 - server_test:
 requires:
@@ -869,7 +869,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: placeholder_branch_name
+ ignore: cg_dps_mutual_tls
 - build_app:
 requires:
@@ -910,28 +910,28 @@ workflows:
 - build_migrations
 filters:
 branches:
- only: placeholder_branch_name
+ only: cg_dps_mutual_tls
 - deploy_experimental_tasks:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: placeholder_branch_name
+ only: cg_dps_mutual_tls
 - deploy_experimental_app:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: placeholder_branch_name
+ only: cg_dps_mutual_tls
 - deploy_experimental_app_client_tls:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: placeholder_branch_name
+ only: cg_dps_mutual_tls
 - check_circle_against_staging_sha:
 requires:
From 901ca7ce06376b61a7d5aecf2cdc8fdb8430b6fa Mon Sep 17 00:00:00 2001
From: Chris Gilmer
Date: Mon, 4 Nov 2019 19:32:53 +0000
Subject: [PATCH 3/3] Revert "Deploy to experimental"
This reverts commit a719ca16f53734a85a2825561c36088abc92908d.
---
 .circleci/config.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 3d747ef589b..fd7a2f37795 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -853,7 +853,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: cg_dps_mutual_tls
+ ignore: placeholder_branch_name
 - client_test:
 requires:
@@ -861,7 +861,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: cg_dps_mutual_tls
+ ignore: placeholder_branch_name
 - server_test:
 requires:
@@ -869,7 +869,7 @@ workflows:
 # if testing on experimental, you can disable these tests by using the commented block below.
 filters:
 branches:
- ignore: cg_dps_mutual_tls
+ ignore: placeholder_branch_name
 - build_app:
 requires:
@@ -910,28 +910,28 @@ workflows:
 - build_migrations
 filters:
 branches:
- only: cg_dps_mutual_tls
+ only: placeholder_branch_name
 - deploy_experimental_tasks:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: cg_dps_mutual_tls
+ only: placeholder_branch_name
 - deploy_experimental_app:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: cg_dps_mutual_tls
+ only: placeholder_branch_name
 - deploy_experimental_app_client_tls:
 requires:
 - deploy_experimental_migrations
 filters:
 branches:
- only: cg_dps_mutual_tls
+ only: placeholder_branch_name
 - check_circle_against_staging_sha:
 requires: