From 2a6cb99cf7a21a273efe8dc793929b74149871f6 Mon Sep 17 00:00:00 2001
From: Peter Amstutz
Date: Thu, 3 Jan 2019 14:53:25 -0500
Subject: [PATCH] 14660: Add workbench2 to arvbox. Improve SSL support in arvbox.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz
---
 tools/arvbox/bin/arvbox | 13 +++-
 tools/arvbox/lib/arvbox/docker/api-setup.sh | 7 +-
 tools/arvbox/lib/arvbox/docker/common.sh | 7 +-
 .../arvbox/docker/service/nginx/run-service | 45 +++++++++++-
 .../arvbox/docker/service/ready/run-service | 2 +-
 .../lib/arvbox/docker/service/sso/run-service | 68 +++++++++++++++++--
 .../docker/service/websockets/run-service | 2 +-
 .../lib/arvbox/docker/service/workbench/run | 2 +
 .../docker/service/workbench/run-service | 4 --
 .../service/workbench2/log/main/.gitstub | 0
 .../arvbox/docker/service/workbench2/log/run | 1 +
 .../lib/arvbox/docker/service/workbench2/run | 8 +++
 .../docker/service/workbench2/run-service | 23 +++++++
 13 files changed, 162 insertions(+), 20 deletions(-)
 create mode 100644 tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub
 create mode 120000 tools/arvbox/lib/arvbox/docker/service/workbench2/log/run
 create mode 100755 tools/arvbox/lib/arvbox/docker/service/workbench2/run
 create mode 100755 tools/arvbox/lib/arvbox/docker/service/workbench2/run-service

diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox
index 69fc2cedee..e2f58cf139 100755
--- a/tools/arvbox/bin/arvbox
+++ b/tools/arvbox/bin/arvbox
@@ -50,6 +50,10 @@ if test -z "$COMPOSER_ROOT" ; then
 COMPOSER_ROOT="$ARVBOX_DATA/composer"
 fi
+if test -z "$WORKBENCH2_ROOT" ; then
+ WORKBENCH2_ROOT="$ARVBOX_DATA/workbench2"
+fi
+
 PG_DATA="$ARVBOX_DATA/postgres"
 VAR_DATA="$ARVBOX_DATA/var"
 PASSENGER="$ARVBOX_DATA/passenger"
@@ -158,7 +162,8 @@ run() {
 echo $localip > $iptemp
 chmod og+r $iptemp
 PUBLIC="--volume=$iptemp:/var/run/localip_override
- --publish=80:80
+ --publish=443:443
+ --publish=3001:3001
 --publish=8000:8000
 --publish=8900:8900
 --publish=9001:9001
@@ -205,6 +210,9 @@ run() {
 if ! test -d "$COMPOSER_ROOT" ; then
 git clone https://github.com/curoverse/composer.git "$COMPOSER_ROOT"
 fi
+ if ! test -d "$WORKBENCH2_ROOT" ; then
+ git clone https://github.com/curoverse/arvados-workbench2.git "$WORKBENCH2_ROOT"
+ fi
 if test "$CONFIG" = test ; then
@@ -218,6 +226,7 @@ run() {
 "--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
 "--volume=$SSO_ROOT:/usr/src/sso:rw" \
 "--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+ "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
 "--volume=$PG_DATA:/var/lib/postgresql:rw" \
 "--volume=$VAR_DATA:/var/lib/arvados:rw" \
 "--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -261,6 +270,7 @@ run() {
 "--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
 "--volume=$SSO_ROOT:/usr/src/sso:rw" \
 "--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+ "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
 "--volume=$PG_DATA:/var/lib/postgresql:rw" \
 "--volume=$VAR_DATA:/var/lib/arvados:rw" \
 "--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -274,6 +284,7 @@ run() {
 updateconf
 wait_for_arvbox
 echo "The Arvados source code is checked out at: $ARVADOS_ROOT"
+ echo "The Arvados testing root certificate is $VAR_DATA/root-cert.pem"
 else
 echo "Unknown configuration '$CONFIG'"
 fi
diff --git a/tools/arvbox/lib/arvbox/docker/api-setup.sh b/tools/arvbox/lib/arvbox/docker/api-setup.sh
index 6dd6a65695..ca706ea811 100755
--- a/tools/arvbox/lib/arvbox/docker/api-setup.sh
+++ b/tools/arvbox/lib/arvbox/docker/api-setup.sh
@@ -38,9 +38,6 @@ if ! test -s /var/lib/arvados/management_token ; then
 fi
 management_token=$(cat /var/lib/arvados/management_token)
-# self signed key will be created by SSO server script.
-test -s /var/lib/arvados/self-signed.key
-
 sso_app_secret=$(cat /var/lib/arvados/sso_app_secret)
 if test -s /var/lib/arvados/vm-uuid ; then
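Review bot: The new message in the `@@ -274` hunk tells users where to find the root certificate they are expected to import into a browser trust store, but not that the matching CA private key sits beside it: sso/run-service writes `-keyout /var/lib/arvados/root-cert.key`, and `$VAR_DATA` is bind-mounted at `/var/lib/arvados`, so the key is `$VAR_DATA/root-cert.key` on the host. Anyone who can read that directory can issue certificates for any name that every browser which trusted the root will accept, so the message should scope the trust, e.g. `echo "The Arvados testing root certificate is $VAR_DATA/root-cert.pem (its private key is in the same directory; trust it only on machines where that directory is private)"`. Whether the key file is created with restrictive permissions cannot be seen from this hunk; the place to enforce it would be where sso/run-service generates it. The `run()` function starts and ends outside this hunk.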
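Review bot: The removed `test -s /var/lib/arvados/self-signed.key` in the api-setup.sh hunk was the only startup assertion that the SSO service had already produced the TLS key, and nothing replaces it even though the key it guarded has simply been renamed (nginx/run-service now points at `/var/lib/arvados/server-cert-${localip}.pem` and `.key`, both written by sso/run-service). If the API or nginx service runs before the sso service on a fresh box, the failure presumably surfaces as an nginx "cannot load certificate" error instead of a clear missing-file check. Consider restoring the guard against the new name, `test -s /var/lib/arvados/server-cert-${localip}.key`, here or in nginx/run-service, whichever starts first; `$localip` is already used by the YAML lines further down this file, so it should be in scope.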
@@ -59,8 +56,8 @@ $RAILS_ENV:
 sso_app_id: arvados-server
 sso_provider_url: "https://$localip:${services[sso]}"
 sso_insecure: true
- workbench_address: "http://$localip/"
- websocket_address: "ws://$localip:${services[websockets]}/websocket"
+ workbench_address: "https://$localip/"
+ websocket_address: "wss://$localip:${services[websockets-ssl]}/websocket"
 git_repo_ssh_base: "git@$localip:"
 git_repo_https_base: "http://$localip:${services[arv-git-httpd]}/"
 new_users_are_active: true
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index a82a964ea9..d14e45d0b2 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -19,7 +19,9 @@ fi
 declare -A services
 services=(
- [workbench]=80
+ [workbench]=443
+ [workbench2]=3000
+ [workbench2-ssl]=3001
 [api]=8004
 [controller]=8003
 [controller-ssl]=8000
@@ -32,7 +34,8 @@ services=(
 [keepstore1]=25108
 [ssh]=22
 [doc]=8001
- [websockets]=8002
+ [websockets]=8005
+ [websockets-ssl]=8002
 )
 if test "$(id arvbox -u 2>/dev/null)" = 0 ; then
diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
index a55660eb8a..f2b0a89d2c 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
@@ -37,8 +37,8 @@ http {
 server {
 listen *:${services[controller-ssl]} ssl default_server;
 server_name controller;
- ssl_certificate "/var/lib/arvados/self-signed.pem";
- ssl_certificate_key "/var/lib/arvados/self-signed.key";
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
 location / {
 proxy_pass http://controller;
 proxy_set_header Host \$http_host;
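Review bot: `sso_insecure: true` on the unchanged context line just above the edited `workbench_address` still turns off certificate verification for the API-to-SSO connection, even though this commit introduces a private root CA that the API container could trust via `/var/lib/arvados/root-cert.pem`; with a real chain now available the flag is no longer needed and it would hide a broken or swapped SSO certificate. Whether the Rails app can be pointed at a custom CA bundle is not visible here, so at minimum leave a comment such as `# sso_insecure stays true until the API trusts root-cert.pem` so the flag is not mistaken for a permanent setting. In the same block `git_repo_https_base` remains `http://` while `workbench_address` and `websocket_address` move to https/wss, so either note that arv-git-httpd is not behind nginx yet or front it the same way. The heredoc that produces this YAML begins outside the hunk.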
@@ -47,6 +47,47 @@ http {
 proxy_redirect off;
 }
 }
+
+upstream arvados-ws {
+ server localhost:${services[websockets]};
+}
+server {
+ listen *:${services[websockets-ssl]} ssl default_server;
+ server_name websockets;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+
+ location / {
+ proxy_pass http://arvados-ws;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+}
+
+ upstream workbench2 {
+ server localhost:${services[workbench2]};
+ }
+ server {
+ listen *:${services[workbench2-ssl]} ssl default_server;
+ server_name workbench2;
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ location / {
+ proxy_pass http://workbench2;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+
 }
EOF
diff --git a/tools/arvbox/lib/arvbox/docker/service/ready/run-service b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
index 7766fb7ec7..4e1371eb67 100755
--- a/tools/arvbox/lib/arvbox/docker/service/ready/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
@@ -90,6 +90,6 @@ fi
 echo
 echo "Your Arvados-in-a-box is ready!"
-echo "Workbench is running at http://$localip"
+echo "Workbench is running at https://$localip"
 rm -r /tmp/arvbox-ready
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
index 2814059492..278d94e82e 100755
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
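Review bot: The new `arvados-ws` server block forwards the `Upgrade` and `Connection` headers but never sets `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, so the WebSocket handshake to `localhost:${services[websockets]}` is not expected to complete; add `proxy_http_version 1.1;` inside that `location /`. The `ssl on;` line in the same block duplicates the `ssl` parameter already given on its `listen` directive and the directive was removed in nginx 1.15.0, where it is a configuration error at startup, so drop it as the controller and workbench2 blocks already do. The two added blocks are also indented differently from each other and from the surrounding config; align them with the existing heredoc style. The `http {` block and the heredoc open outside this hunk.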
@@ -35,8 +35,68 @@ if ! test -s /var/lib/arvados/sso_secret_token ; then
 fi
 secret_token=$(cat /var/lib/arvados/sso_secret_token)
-if ! test -s /var/lib/arvados/self-signed.key ; then
- openssl req -new -x509 -nodes -out /var/lib/arvados/self-signed.pem -keyout /var/lib/arvados/self-signed.key -days 365 -subj '/CN=localhost'
+if test ! -s /var/lib/arvados/root-cert.pem ; then
+ # req signing request sub-command
+ # -new new certificate request
+ # -nodes "no des" don't encrypt key
+ # -sha256 include sha256 fingerprint
+ # -x509 generate self-signed certificate
+ # -subj certificate subject
+ # -reqexts certificate request extension for subjectAltName
+ # -extensions certificate request extension for subjectAltName
+ # -config certificate generation configuration plus subjectAltName
+ # -out certificate output
+ # -keyout private key output
+ # -days certificate lifetime
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -x509 \
+ -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
+ -extensions x509_ext \
+ -config <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+ -out /var/lib/arvados/root-cert.pem \
+ -keyout /var/lib/arvados/root-cert.key \
+ -days 365
+fi
+
+if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
+ # req signing request sub-command
+ # -new new certificate request
+ # -nodes "no des" don't encrypt key
+ # -sha256 include sha256 fingerprint
+ # -subj certificate subject
+ # -reqexts certificate request extension for subjectAltName
+ # -extensions certificate request extension for subjectAltName
+ # -config certificate generation configuration plus subjectAltName
+ # -out certificate output
+ # -keyout private key output
+ # -days certificate lifetime
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
+ -reqexts x509_ext \
+ -extensions x509_ext \
+ -config <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+ -out /var/lib/arvados/server-cert-${localip}.csr \
+ -keyout /var/lib/arvados/server-cert-${localip}.key \
+ -days 365
+
+ openssl x509 \
+ -req \
+ -in /var/lib/arvados/server-cert-${localip}.csr \
+ -CA /var/lib/arvados/root-cert.pem \
+ -CAkey /var/lib/arvados/root-cert.key \
+ -out /var/lib/arvados/server-cert-${localip}.pem \
+ -set_serial $RANDOM$RANDOM \
+ -extfile <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+ -extensions x509_ext
 fi
 cat >config/application.yml <config/application.yml <&1
+set -ex -o pipefail
+
+. /usr/local/lib/arvbox/common.sh
+
+cd /usr/src/workbench2
+
+npm -d install --prefix /usr/local --global yarn
+
+yarn install
+
+if test "$1" = "--only-deps" ; then
+ exit
+fi
+
+echo "{\"API_HOST\": \"${localip}:${services[controller-ssl]}\"}" > /usr/src/workbench2/public/config.json
+export HTTPS=false
+exec yarn start
--
2.30.2
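Review bot: The server certificate is only valid for 30 days, not the intended year: `-days 365` on the second `openssl req` has no effect because that invocation produces a CSR (no `-x509`), and the `openssl x509 -req` call that actually signs it omits `-days`, whose default is 30. Because the guard is `test ! -s .../server-cert-${localip}.pem`, an expired certificate is never regenerated either, so after a month every https endpoint fails until the file is deleted by hand; add `-days 365 \` to the `openssl x509` call and make the guard `if ! openssl x509 -checkend 0 -noout -in /var/lib/arvados/server-cert-${localip}.pem 2>/dev/null ; then` (the same applies to the root-cert guard above it). `-set_serial $RANDOM$RANDOM` draws from two 15-bit values, so two server certificates minted by this long-lived root (one per `localip`) can collide on serial, which some clients reject as a reused issuer/serial pair; `-set_serial 0x$(openssl rand -hex 16) \` or `-CAcreateserial` avoids that. The comment block before the root-CA command still lists `-reqexts`, which that command does not use; trim it to the options actually passed. The hunk's tail, the `application.yml` heredoc, is garbled in this view.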
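Review bot: `npm -d install --prefix /usr/local --global yarn` in the new workbench2 service script fetches whatever yarn release is current from the registry on every service start, so the toolchain that installs and serves workbench2 is unpinned and re-downloaded each boot; pin it to a version (`yarn@<PINNED_VERSION>` placeholder) and skip the install when `command -v yarn >/dev/null` already succeeds. `yarn install` should likewise run with `--frozen-lockfile` so the checked-in lockfile decides what is installed instead of being rewritten in the bind-mounted checkout. The file and hunk headers for this script are not visible in this view; its attribution to workbench2/run-service is inferred from the diffstat and the `cd /usr/src/workbench2` line, so the script's exact start is not confirmed.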