misc fixes - improved logged, Dockerfile (0.3.1) (#2)

ikreymer · web-flow · commit 5f6f91496fa0 · 2022-01-22T18:33:48.000-08:00
* misc fixes:
- add Dockerfile
- logging: signing: don't print auth token
- logging: verify: print domain cert fingerprint, print time ranges used for verification
- remove run_in_executor() for verify to match signing
- setup.py: update path
- ci: add release workflow on version releases
* bump version to 0.3.1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,42 @@
+name: Publish Docker image
+on:
+  release:
+    types: [published]
+
+jobs:
+  push_to_registries:
+    name: Build authsign Docker image for release and push to Dockerhub
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Check out the repo
+        uses: actions/checkout@v2
+      -
+        name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: webrecorder/authsign
+          tags: |
+            type=match,pattern=(\d+\.\d+\.\d+),group=1
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      -
+        name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,19 @@
+FROM python:3.9
+
+WORKDIR /app
+
+ADD requirements.txt /app
+
+ADD setup.py /app
+ADD authsign /app/authsign
+
+ADD README.md /app
+ADD log.json /app
+
+RUN python setup.py install
+
+# override by using custom config.yaml, or setting the DOMAIN_OVERRIDE and EMAIL_OVERRIDE
+ADD config.sample.yaml config.yaml
+
+CMD uvicorn authsign.main:app --port 8080 --host 0.0.0.0 --log-config /app/log.json
+
diff --git a/authsign/__init__.py b/authsign/__init__.py
@@ -1 +1 @@
-__version__ = "0.3.0"
+__version__ = "0.3.1"
diff --git a/authsign/main.py b/authsign/main.py
@@ -12,7 +12,7 @@
 from authsign.log import log_message, log_failure
 
 
-loop = asyncio.get_event_loop()
+# loop = asyncio.get_event_loop()
 app = FastAPI()
 
 signer = None
@@ -31,6 +31,12 @@ async def startup_event():
     if os.environ.get("DOMAIN_OVERRIDE"):
         config["signing"]["domain"] = os.environ.get("DOMAIN_OVERRIDE")
 
+    if os.environ.get("EMAIL_OVERRIDE"):
+        config["signing"]["email"] = os.environ.get("EMAIL_OVERRIDE")
+
+    if os.environ.get("DATA_OVERRIDE"):
+        config["signing"]["data"] = os.environ.get("DATA_OVERRIDE")
+
     if os.environ.get("PORT_OVERRIDE"):
         config["signing"]["port"] = int(os.environ.get("PORT_OVERRIDE"))
 
@@ -67,8 +73,14 @@ async def sign_data(sign_req: SignReq, authorization: str = Header(None)):
 @app.post("/verify")
 async def verify_data(signed_hash: SignedHash):
     log_message("Verifying Signed Request...")
-    result = await loop.run_in_executor(None, verifier, signed_hash)
-    if result:
-        return result
+    # result = await loop.run_in_executor(None, verifier, signed_hash)
+    # if result:
+    #    return result
+    try:
+        result = verifier(signed_hash)
+        if result:
+            return result
+    except Exception as e:
+        pass
 
     raise HTTPException(status_code=400, detail="Not verified")
diff --git a/authsign/signer.py b/authsign/signer.py
@@ -138,7 +138,10 @@ def __init__(
 
         self.auth_token = auth_token
 
-        log_message("Accepting Auth Token: " + str(self.auth_token))
+        if self.auth_token:
+            log_message("Auth Token Enabled")
+        else:
+            log_message("Auth Token Not Enabled")
 
         self.rootpath = Path(output or "./data")
         self.rootpath.mkdir(exist_ok=True)
diff --git a/authsign/verifier.py b/authsign/verifier.py
@@ -34,12 +34,8 @@ def __init__(self, trusted_roots_filename=None):
         self.domain_cert_roots = trusted_roots["domain_cert_roots"]
         self.timestamp_cert_roots = trusted_roots["timestamp_cert_roots"]
 
-        log_message(
-            "{0} Domain Cert Root(s) Loaded".format(len(self.domain_cert_roots))
-        )
-        log_message(
-            "{0} Timestamp Cert Root(s) Loaded".format(len(self.timestamp_cert_roots))
-        )
+        log_message(f"{len(self.domain_cert_roots)} Domain Cert Root(s) Loaded")
+        log_message(f"{len(self.timestamp_cert_roots)} Timestamp Cert Root(s) Loaded")
 
     def timestamp_verify(self, text, signature, cert_pem):
         """Verify RFC 3161 timestamp given a cert, signature and text
@@ -67,9 +63,7 @@ def check_fingerprint(self, cert, trusted, name):
 
         log_assert(
             fingerprint in trusted,
-            "Trusted {0} Root Cert (sha-256 fingerprint: {1})".format(
-                name, fingerprint
-            ),
+            f"Trusted {name} Root Cert (sha-256 fingerprint: {fingerprint})",
         )
 
     def __call__(self, signed_req):
@@ -79,7 +73,7 @@ def __call__(self, signed_req):
             signed_req = SignedHash(**signed_req)
 
         try:
-            log_message("Signing Software: " + str(signed_req.software))
+            log_message(f"Signing Software: {str(signed_req.software)}")
 
             certs = crypto.validate_cert_chain(signed_req.domainCert.encode("ascii"))
             log_assert(certs, "Verify certificate chain for domain certificate")
@@ -108,18 +102,19 @@ def __call__(self, signed_req):
                 )
 
             domain = crypto.get_cert_subject_name(cert)
+            domain_fingerprint = crypto.get_fingerprint(cert)
+
             log_assert(
-                domain == signed_req.domain, "Domain Cert Matches Expected: " + domain
+                domain == signed_req.domain,
+                f"Domain Cert Matches Expected: '{domain}' (sha-256 fingerprint: {domain_fingerprint})",
             )
 
             created = parse_date(signed_req.created)
             log_assert(created, "Parsed signature date")
 
             log_assert(
                 is_time_range_valid(cert.not_valid_before, created, CERT_DURATION),
-                "Verify domain certificate was created within '{0}' of creation date".format(
-                    str(CERT_DURATION)
-                ),
+                f"Verify WACZ creation date '{created}' - cert creation date '{cert.not_valid_before}' <= '{CERT_DURATION}'",
             )
 
             timestamp = self.timestamp_verify(
@@ -134,9 +129,7 @@ def __call__(self, signed_req):
 
             log_assert(
                 is_time_range_valid(created, timestamp, STAMP_DURATION),
-                "Verify time signature created within '{0}' of creation date".format(
-                    str(STAMP_DURATION)
-                ),
+                f"Verify signed timestamp time '{timestamp}' - WACZ creation date '{created}' <= '{STAMP_DURATION}'",
             )
 
             timestamp_certs = crypto.validate_cert_chain(
diff --git a/setup.py b/setup.py
@@ -21,7 +21,7 @@ def read(*names, **kwargs):
     long_description_content_type="text/markdown",
     author="Webrecorder Software",
     author_email="info@webrecorder.net",
-    url="https://github.com/ikreymer/authsign",
+    url="https://github.com/webrecorder/authsign",
     packages=find_packages(exclude=["tests"]),
     install_requires=[
         line.strip()

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "0.3.0"`
	`1`	`+__version__ = "0.3.1"`