Merge pull request #110 from grahamgilbert/base_image

Update base image and squash migrations
grahamgilbert · Mar 28, 2022 · 3e4b53f · 3e4b53f
2 parents 4a97452 + 34d1d2d
commit 3e4b53f
Show file tree

Hide file tree

Showing 18 changed files with 378 additions and 105 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.7.9-alpine3.12
+FROM python:3.10.4-alpine3.15
 
 LABEL maintainer="[email protected]"
 

diff --git a/README.md b/README.md
@@ -1,41 +1,45 @@
-Crypt-Server
-============
-__[Crypt][1]__ is a tool for securely storing secrets such as FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys.
+# Crypt-Server
+
+**[Crypt][1]** is a tool for securely storing secrets such as FileVault 2 recovery keys. It is made up of a client app, and a Django web app for storing the keys.
 
 This Docker image contains the fully configured Crypt Django web app. A default admin user has been preconfigured, use admin/password to login.
 If you intend on using the server for anything semi-serious it is a good idea to change the password or add a new admin user and delete the default one.
 
-__Features__
-=======
+## Features
+
 - Secrets are encrypted in the database
 - All access is audited - all reasons for retrieval and approval are logged along side the users performing the actions
 - Two step approval for retrieval of secrets is enabled by default
 - Approval permission can be given to all users (so just any two users need to approve the retrieval) or a specific group of users
 
-
   [1]: https://github.com/grahamgilbert/Crypt
 
 ## Installation instructions
+
 It is recommended that you use [Docker](https://github.com/grahamgilbert/Crypt-Server/blob/master/docs/Docker.md) to run this, but if you wish to run directly on a host, installation instructions are over in the [docs directory](https://github.com/grahamgilbert/Crypt-Server/blob/master/docs/Installation_on_Ubuntu_1404.md)
 
+### Migrating from versions earlier than Crypt 3.0
+
+Crypt 3 changed it's encryption backend, so when migrating from versions earlier than Crypt 3.0, you should first run Crypt 3.2.0 to perform the migration, and then upgrade to the latest version. The last version to support legacy migrations was Crypt 3.2.
+
 ## Settings
 
 All settings that would be entered into `settings.py` can also be passed into the Docker container as environment variables.
 
-* ``FIELD_ENCRYPTION_KEY`` - The key to use when encrypting the secrets. This is required.
+- `FIELD_ENCRYPTION_KEY` - The key to use when encrypting the secrets. This is required.
 
-* ``SEND_EMAIL`` - Crypt Server can send email notifcations when secrets are requested and approved. Set ``SEND_EMAIL`` to True, and set ``HOST_NAME`` to your server's host and URL scheme (e.g. ``https://crypt.example.com``). For configuring your email settings, see the [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-EMAIL_HOST).
+- `SEND_EMAIL` - Crypt Server can send email notifcations when secrets are requested and approved. Set `SEND_EMAIL` to True, and set `HOST_NAME` to your server's host and URL scheme (e.g. `https://crypt.example.com`). For configuring your email settings, see the [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#std:setting-EMAIL_HOST).
 
-* ``EMAIL_SENDER`` - The email address to send emaiil notifications from when secrets are requests and approved. Ensure this is verified if you are using SES. Does nothing unless ``SEND_EMAIIL`` is True.
+- `EMAIL_SENDER` - The email address to send emaiil notifications from when secrets are requests and approved. Ensure this is verified if you are using SES. Does nothing unless `SEND_EMAIIL` is True.
 
-* ``APPROVE_OWN`` - By default, users with approval permissons can approve their own key requests. By setting this to False in settings.py (or by using the `APPROVE_OWN` environment variable with Docker), users cannot approve their own requests.
+- `APPROVE_OWN` - By default, users with approval permissons can approve their own key requests. By setting this to False in settings.py (or by using the `APPROVE_OWN` environment variable with Docker), users cannot approve their own requests.
 
-* ``ALL_APPROVE`` - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in `settings.py`, all users are given this permission when they log in.
-
-* ``ROTATE_VIEWED_SECRETS`` - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it when the secret has been viewed. Enable by setting this to `True` or by using `ROTATE_VIEWED_SECRETS` and setting to `true`.
+- `ALL_APPROVE` - By default, users need to be explicitly given approval permissions to approve key retrieval requests. By setting this to True in `settings.py`, all users are given this permission when they log in.
 
+- `ROTATE_VIEWED_SECRETS` - With a compatible client (such as Crypt 3.2.0 and greater), Crypt Server can instruct the client to rotate the secret and re-escrow it when the secret has been viewed. Enable by setting this to `True` or by using `ROTATE_VIEWED_SECRETS` and setting to `true`.
 
 ## Screenshots
+
 Main Page:
 ![Crypt Main Page](https://raw.github.com/grahamgilbert/Crypt-Server/master/docs/images/home.png)
 

diff --git a/docker/run.sh b/docker/run.sh
@@ -4,7 +4,7 @@ set -e
 
 cd $APP_DIR
 ADMIN_PASS=${ADMIN_PASS:-}
-python3 generate_keyczart.py
+# python3 generate_keyczart.py
 python3 manage.py migrate --noinput
 
 if [ ! -z "$ADMIN_PASS" ] ; then

diff --git a/docker/run_docker.sh b/docker/run_docker.sh
@@ -1,5 +1,6 @@
 CWD=`pwd`
 docker rm -f crypt
+
 docker build -t macadmins/crypt .
 docker run -d \
     -e ADMIN_PASS=pass \
@@ -8,7 +9,6 @@ docker run -d \
     --name=crypt \
     --restart="always" \
     -v "$CWD/crypt.db":/home/docker/crypt/crypt.db \
-    -v "$CWD/keyset":/home/docker/crypt/keyset \
     -e FIELD_ENCRYPTION_KEY=jKAv1Sde8m6jCYFnmps0iXkUfAilweNVjbvoebBrDwg= \
     -p 8000-8050:8000-8050 \
     macadmins/crypt
diff --git a/docker/settings_import.py b/docker/settings_import.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 from os import getenv
 import locale
 

diff --git a/fvserver/context_processors.py b/fvserver/context_processors.py
@@ -5,5 +5,8 @@
 def crypt_version(request):
     # return the value you want as a dictionary. you may add multiple values in there.
     current_dir = os.path.dirname(os.path.realpath(__file__))
-    version = plistlib.readPlist(os.path.join(current_dir, "version.plist"))
+    with open(
+        os.path.join(os.path.dirname(current_dir), "fvserver", "version.plist"), "rb"
+    ) as f:
+        version = plistlib.load(f)
     return {"CRYPT_VERSION": version["version"]}
diff --git a/fvserver/version.plist b/fvserver/version.plist
@@ -3,6 +3,6 @@
 <plist version="1.0">
 <dict>
 	<key>version</key>
-	<string>3.2.0.343</string>
+	<string>3.3.0.355</string>
 </dict>
 </plist>
diff --git a/remote_build.py b/remote_build.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python
 
 import subprocess
 import requests