feat(docker): add docker secrets

* Fix #58 - Add Docker Secrets

* Remove colon

Author: jason-fox

config.js

@@ -64,6 +64,68 @@ config.iota = {
         port: 4061
     },
 
+    /**
+     * Configuration for secured access to instances of the Context Broker secured with a PEP Proxy.
+     * For the authentication mechanism to work, the authentication attribute in the configuration has to be fully
+     * configured, and the authentication.enabled subattribute should have the value `true`.
+     *
+     * The Username and password should be considered as sensitive data and should not be stored in plaintext.
+     * Either encrypt the config and decrypt when initializing the instance or use environment variables secured by
+     * docker secrets.
+     */
+    //authentication: {
+    //enabled: false,
+    /**
+     * Type of the Identity Manager which is used when authenticating the IoT Agent.
+     * Either 'oauth2' or 'keystone'
+     */
+    //type: 'keystone',
+    /**
+     * Name of the additional header passed to retrieve the identity of the IoT Agent
+     */
+    //header: 'Authorization',
+    /**
+     * Hostname of the Identity Manager.
+     */
+    //host: 'localhost',
+    /**
+     * Port of the Identity Manager.
+     */
+    //port: '5000',
+    /**
+     * URL of the Identity Manager - a combination of the above
+     */
+    //url: 'localhost:5000',
+    /**
+     * KEYSTONE ONLY: Username for the IoT Agent
+     *  - Note this should not be stored in plaintext.
+     */
+    //user: 'IOTA_AUTH_USER',
+    /**
+     * KEYSTONE ONLY: Password for the IoT Agent
+     *    - Note this should not be stored in plaintext.
+     */
+    //password: 'IOTA_AUTH_PASSWORD',
+    /**
+     * OAUTH2 ONLY: URL path for retrieving the token
+     */
+    //tokenPath: '/oauth2/token',
+    /**
+     * OAUTH2 ONLY: Flag to indicate whether or not the token needs to be periodically refreshed.
+     */
+    //permanentToken: true,
+    /**
+     * OAUTH2 ONLY: ClientId for the IoT Agent
+     *    - Note this should not be stored in plaintext.
+     */
+    //clientId: 'IOTA_AUTH_CLIENT_ID',
+    /**
+     * OAUTH2 ONLY: ClientSecret for the IoT Agent
+     *    - Note this should not be stored in plaintext.
+     */
+    //clientSecret: 'IOTA_AUTH_CLIENT_SECRET'
+    //},
+
     /**
      * Default resource of the IoT Agent. This value must be different for every IoT Agent connecting to the IoT
      * Manager.

docker/Dockerfile

@@ -1,8 +1,28 @@
+#
+# Copyright 2019 Atos Spain S.A
+#
+# This file is part of iotagent-lora
+#
+# iotagent-lora is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the License,
+# or (at your option) any later version.
+#
+# iotagent-lora is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with iotagent-lora. If not, see http://www.gnu.org/licenses/.
+#
+
 ARG NODE_VERSION=8.15.0-slim
 FROM node:${NODE_VERSION}
 ARG GITHUB_ACCOUNT=Atos-Research-and-Innovation
 ARG GITHUB_REPOSITORY=IoTagent-LoRaWAN
 ARG DOWNLOAD=latest
+ARG SOURCE_BRANCH=master
 
 # Copying Build time arguments to environment variables so they are persisted at run time and can be 
 # inspected within a running container.
@@ -14,6 +34,12 @@ ENV DOWNLOAD=${DOWNLOAD}
 
 MAINTAINER FIWARE IoTAgent Team. Atos Spain S.A
 
+# IMPORTANT: For production environments use Docker Secrets to protect values of the sensitive ENV 
+# variables defined below, by adding _FILE to the name of the relevant variable.
+#
+# - IOTA_AUTH_USER, IOTA_AUTH_PASSWORD - when using Keystone Security
+# - IOTA_AUTH_CLIENT_ID, IOTA_AUTH_CLIENT_SECRET - when using OAuth2 Security
+
 #
 # The following RUN command retrieves the source code from GitHub.
 # 
@@ -31,8 +57,8 @@ MAINTAINER FIWARE IoTAgent Team. Atos Spain S.A
 #
 RUN if [ "${DOWNLOAD}" = "latest" ] ; \
 	then \
-		RELEASE="master"; \
-		echo "INFO: Building Latest Development"; \
+		RELEASE="${SOURCE_BRANCH}"; \
+		echo "INFO: Building Latest Development from ${SOURCE_BRANCH} branch."; \
 	elif [ "${DOWNLOAD}" = "stable" ]; \
 	then \
 		RELEASE=$(curl -s https://api.github.com/repos/"${GITHUB_ACCOUNT}"/"${GITHUB_REPOSITORY}"/releases/latest | grep 'tag_name' | cut -d\" -f4); \
@@ -41,13 +67,14 @@ RUN if [ "${DOWNLOAD}" = "latest" ] ; \
 	 	RELEASE="${DOWNLOAD}"; \
 	 	echo "INFO: Building Release: ${RELEASE}"; \
 	fi && \
+	RELEASE_CONCAT=$(echo "${RELEASE}" | tr / -); \
 	# Ensure that unzip is installed, and download the sources
 	apt-get update && \
 	apt-get install -y  --no-install-recommends unzip && \
 	wget --no-check-certificate -O source.zip https://github.com/"${GITHUB_ACCOUNT}"/"${GITHUB_REPOSITORY}"/archive/"${RELEASE}".zip && \
 	unzip source.zip && \
 	rm source.zip && \
-	mv "${GITHUB_REPOSITORY}-${RELEASE}" /opt/iotagent-lora && \
+	mv "${GITHUB_REPOSITORY}-${RELEASE_CONCAT}" /opt/iotagent-lora && \
 	# Remove unzip and clean apt cache
 	apt-get clean && \
 	apt-get remove -y unzip && \
@@ -65,13 +92,14 @@ RUN \
 	# Remove Git and clean apt cache
 	apt-get clean && \
 	apt-get remove -y git && \
-	apt-get -y autoremove
+	apt-get -y autoremove  && \
+	chmod +x docker/entrypoint.sh
 
 USER node
 ENV NODE_ENV=production
 
 # Expose 4041 for NORTH PORT
 EXPOSE ${IOTA_NORTH_PORT:-4041}
 
-ENTRYPOINT ["pm2-runtime", "bin/iotagent-lora"]
+ENTRYPOINT ["docker/entrypoint.sh"]
 CMD ["-- ", "config.js"]

docker/README.md

@@ -99,7 +99,7 @@ Further settings for the IoT Agent for the LoRaWaN Protocol itself - such as spe
 Protocol - can be found in the IoT Agent for the LoRaWaN Protocol
 [Users Guide](https://fiware-lorawan.readthedocs.io/en/latest/users_manual/index.html#configuration-provisioning).
 
-## How to build your own image
+## How to build an image
 
 The [Dockerfile](https://github.com/Atos-Research-and-Innovation/IoTagent-LoRaWAN/blob/master/docker/Dockerfile)
 associated with this image can be used to build an image in several ways:
@@ -124,13 +124,20 @@ docker build -t iot-agent . --build-arg DOWNLOAD=stable
 docker build -t iot-agent . --build-arg DOWNLOAD=1.7.0
 ```
 
--   To download code from your own fork of the GitHub repository add the `GITHUB_ACCOUNT` and `GITHUB_REPOSITORY`
-    arguments to the `docker build` command.
+## Building from your own fork
+
+To download code from your own fork of the GitHub repository add the `GITHUB_ACCOUNT`, `GITHUB_REPOSITORY` and
+`SOURCE_BRANCH` arguments (default `master`) to the `docker build` command.
 
 ```console
-docker build -t iot-agent . --build-arg GITHUB_ACCOUNT=<your account> --build-arg GITHUB_REPOSITORY=<your repo>
+docker build -t iot-agent . \
+    --build-arg GITHUB_ACCOUNT=<your account> \
+    --build-arg GITHUB_REPOSITORY=<your repo> \
+    --build-arg SOURCE_BRANCH=<your branch>
 ```
 
+## Building from your own source files
+
 Alternatively, if you want to build directly from your own sources, please copy the existing `Dockerfile` into file the
 root of the repository and amend it to copy over your local source using :
 
@@ -139,3 +146,21 @@ COPY . /opt/iotagent-lora/
 ```
 
 Full instructions can be found within the `Dockerfile` itself.
+
+### Docker Secrets
+
+As an alternative to passing sensitive information via environment variables, `_FILE` may be appended to some sensitive
+environment variables, causing the initialization script to load the values for those variables from files present in
+the container. In particular, this can be used to load passwords from Docker secrets stored in
+`/run/secrets/<secret_name>` files. For example:
+
+```console
+docker run --name iotagent -e IOTA_AUTH_PASSWORD_FILE=/run/secrets/password -d fiware/iotagent-lorawan
+```
+
+Currently, this `_FILE` suffix is supported for:
+
+-   `IOTA_AUTH_USER`
+-   `IOTA_AUTH_PASSWORD`
+-   `IOTA_AUTH_CLIENT_ID`
+-   `IOTA_AUTH_CLIENT_SECRET`

docker/entrypoint.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Copyright 2019 Atos Spain S.A
+#
+# This file is part of iotagent-lora
+#
+# iotagent-lora is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the License,
+# or (at your option) any later version.
+#
+# iotagent-lora is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with iotagent-lora. If not, see http://www.gnu.org/licenses/.
+#
+
+# usage: file_env VAR [DEFAULT]
+#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+	local var="$1"
+	local fileVar="${var}_FILE"
+	local def="${2:-}"
+	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+		exit 1
+	fi
+	local val="$def"
+	if [ "${!var:-}" ]; then
+		val="${!var}"
+	elif [ "${!fileVar:-}" ]; then
+		val="$(< "${!fileVar}")"
+	fi
+	export "$var"="$val"
+	unset "$fileVar"
+}
+
+file_env 'IOTA_AUTH_USER'
+file_env 'IOTA_AUTH_PASSWORD'
+file_env 'IOTA_AUTH_CLIENT_ID'
+file_env 'IOTA_AUTH_CLIENT_SECRET'
+
+
+if [[  -z "$IOTA_AUTH_ENABLED" ]]; then
+ echo "***********************************************"
+ echo "WARNING: It is recommended to enable authentication for secure connection"
+ echo "***********************************************"
+else
+    if  [[ -z "$IOTA_AUTH_USER" ]] || [ -z "$IOTA_AUTH_PASSWORD" ]]; then
+        echo "***********************************************"
+        echo "WARNING: Default IoT Agent Auth credentials have not been overridden"
+        echo "***********************************************"
+    else
+        echo "***********************************************"
+        echo "INFO: IoT Agent Auth credentials have been overridden"
+        echo "***********************************************"
+    fi
+fi
+
+pm2-runtime /opt/iotagent-lora/bin/iotagent-lora

docker/hooks/build

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2019 Atos Spain S.A
+#
+# This file is part of iotagent-lora
+#
+# iotagent-lora is free software: you can redistribute it and/or
+# modify it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the License,
+# or (at your option) any later version.
+#
+# iotagent-lora is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License along with iotagent-lora. If not, see http://www.gnu.org/licenses/.
+#
+
+docker build --build-arg SOURCE_BRANCH=$SOURCE_BRANCH -t $IMAGE_NAME .