Merge pull request #8 from anynines/blacklist-feature

Update ciphers, force TLS1.2, blacklist feature, tokens off

Author: Sven Schmidt

.final_builds/jobs/nginx/index.yml

@@ -27,6 +27,10 @@ builds:
     version: bf23c7f17dc12386697113e5170f7129b65f3922
     blobstore_id: d939ca5d-c945-4502-7047-f22f72d940ad
     sha1: e6ee0e61a611c0dfc4458c5374bdcac4bb69ca1a
+  ca7867c57b4f1297b6d282be27ef1bca0dc59ce7:
+    version: ca7867c57b4f1297b6d282be27ef1bca0dc59ce7
+    blobstore_id: 88ccd427-f240-401f-6d82-e299ee0beadd
+    sha1: 4ac02d0aa7eafd45508d881e1f8253ea06c3b39d
   d084a95312b47ff0db6e55e10f5d18f142fdb43f:
     version: d084a95312b47ff0db6e55e10f5d18f142fdb43f
     blobstore_id: 5dff7038-baa3-4e05-9198-4e13891c2d81

.final_builds/license/index.yml

@@ -0,0 +1,6 @@
+builds:
+  ae6a94b3e38944457867abb9a3ac4d796d712a59:
+    version: ae6a94b3e38944457867abb9a3ac4d796d712a59
+    blobstore_id: 75964d70-0d3e-45f5-461b-a9d6d3f4cfee
+    sha1: 86167b01b4313271b502312afe0c76f7907cb022
+format-version: "2"

.final_builds/packages/nginx/index.yml

@@ -1,11 +1,14 @@
----
 builds:
-  72fe31794ebd9c46b5f7f3d8348d63c27c5b2576:
-    version: 72fe31794ebd9c46b5f7f3d8348d63c27c5b2576
-    sha1: 47a6d77886ad8b98440a445f84afe39933e0db7c
-    blobstore_id: e914085d-2fa2-4705-9ad6-f89a838b7c1c
   37ed1ccf3a27d830e9efc88d695dcae6b243ec37:
     version: 37ed1ccf3a27d830e9efc88d695dcae6b243ec37
-    sha1: 23870a2f672c0fb009f85026a7cee62b3bea5e72
     blobstore_id: f68d5e72-a05e-47ea-8cc0-ff98ad6bae28
-format-version: '2'
+    sha1: 23870a2f672c0fb009f85026a7cee62b3bea5e72
+  72fe31794ebd9c46b5f7f3d8348d63c27c5b2576:
+    version: 72fe31794ebd9c46b5f7f3d8348d63c27c5b2576
+    blobstore_id: e914085d-2fa2-4705-9ad6-f89a838b7c1c
+    sha1: 47a6d77886ad8b98440a445f84afe39933e0db7c
+  8832f79a3ce14d3f25b5d14aaba0177bd58debbc:
+    version: 8832f79a3ce14d3f25b5d14aaba0177bd58debbc
+    blobstore_id: 89c6a7b3-8717-4419-72fc-6d7f81d56af9
+    sha1: cc5692b75e2ea96bb624f5c625dc79fbc8138794
+format-version: "2"

.final_builds/packages/virtual_host_service_api/index.yml

@@ -7,6 +7,10 @@ builds:
     version: d54906932a6789cac19d4bfbe0159cd99a21f5fe
     blobstore_id: 4b70a1da-db5b-4ccf-77a9-6adcef0841e9
     sha1: 85404c49c3ea20c3d1195d2be432a4c588fa261e
+  de65d33707b24b5f5ea78cdf4d03ba2c703481cc:
+    version: de65d33707b24b5f5ea78cdf4d03ba2c703481cc
+    blobstore_id: f6c75142-9ea7-4a01-630f-1266a6c971f3
+    sha1: 27e4025da119e3ab844b0d0c5a92a647a9c86ff4
   e70a5befc3df6dc3e3cedb81101e4699e15067de:
     version: e70a5befc3df6dc3e3cedb81101e4699e15067de
     blobstore_id: 177e2520-f2ec-4bca-8a6b-5a5d1533dbfb

.final_builds/packages/virtual_host_service_worker/index.yml

@@ -19,4 +19,8 @@ builds:
     version: dcb9d5f2e65718c99e22138ec7ba105da7ef8bef
     blobstore_id: c92076ab-764a-4634-9eec-c36e10d10204
     sha1: fded8c290925976c79ad33d41b63f455c97f34ec
+  f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312:
+    version: f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312
+    blobstore_id: ffedc3a2-9de3-4ad0-5425-9beb133f97a9
+    sha1: e3da817ae95fec2724ab900ea7be71b45d72dc5f
 format-version: "2"

acceptance-tests/manifests/reachability.yml

@@ -3,7 +3,7 @@ name: ssl-gateway
 
 releases:
 - name: ssl-gateway
-  version: 12+dev.6
+  version: 13+dev.1
 
 - name: rabbitmq36
   version: 5
@@ -95,7 +95,7 @@ properties:
     host: ssl-gateway-rabbitmq-0.node.dc1.((iaas.consul.domain))
 
   a9s_ssl_gateway:
-    default_apps_domain: ((iaas.cf.system_domain))
+    default_apps_domain: ((iaas.cf.app_domain))
     cf_routers: ((iaas.cf.router_ips))
     default_apps_domain_cert: ((default_app.certificate))
     default_apps_domain_ca_cert: ((default_app.ca))
@@ -135,23 +135,30 @@ variables:
   type: password
 - name: ssl_gw_rabbitmq_password
   type: password
-- name: default_ca
+- name: default_app_ca
   type: certificate
   options:
     is_ca: true
     common_name: ssl_gateway_default
 - name: default_app
   type: certificate
   options:
-    ca: default_ca
-    common_name: ((iaas.cf.system_domain))
+    ca: default_app_ca
+    common_name: default_app
 - name: ssltest
   type: certificate
   options:
-    ca: default_ca
+    ca: default_app_ca
     common_name: ssltest
 - name: ssltest2
   type: certificate
   options:
-    ca: default_ca
+    ca: default_app_ca
     common_name: ssltest2
+
+
+
+
+
+
+

acceptance-tests/run-testsuite.sh

@@ -10,6 +10,8 @@ export OPS_FILE=/home/vcap/bosh/anynines-PaaS-deployment/ssl-gateway/ops/vSphere
 export IAAS_CONFIG=/home/vcap/bosh/anynines-PaaS-deployment/iaas-config/a9s-staging-vsphere.yml
 export EXTERNAL_SECRETS=/home/vcap/bosh/anynines-deployment/secrets/external-secrets.yml
 export LOCALHOST_IP=172.27.1.5
+export ANYNINES_PAAS_DEPLOYMENT=/home/vcap/bosh/anynines-PaaS-deployment
+
 
 cf auth $CF_USER $CF_PASSWORD
 
@@ -30,4 +32,7 @@ cf create-domain ssl-gateway-acceptance ssltest.com
 bundle install
 rspec
 
-cf delete-org ssl-gateway-acceptance
+cf -f delete-org ssl-gateway-acceptance
+
+bosh deploy -n $ANYNINES_PAAS_DEPLOYMENT/ssl-gateway/ssl-gateway.yml -l $IAAS_CONFIG -o $OPS_FILE
+bosh clean-up --all

acceptance-tests/spec/support/cf_helpers.rb

@@ -1,7 +1,7 @@
 module CFHelpers
   def push_checker_app(name, port, domain=nil)
-    cmd = "cf push #{name} -f #{File.join(__dir__, "../../service-binding-checker/manifest.yml")}"
-    cmd << "-d #{domain}" if ENV["PORT"] == port.to_s
+    cmd = "cf push #{name}"
+    cmd << "-d #{domain}" if domain
     system(cmd)
   end
 

create-final-release.sh

@@ -0,0 +1,22 @@
+
+cd acceptance-tests
+./run-testsuite.sh
+cd ..
+
+bosh create-release --final --name=ssl-gateway --version=$VERSION --tarball=/tmp/ssl-gateway-v$VERSION.tgz
+
+sha=$(sha256sum /tmp/ssl-gateway-v$VERSION.tgz)
+
+cat <<EOF > release-versions.yml
+
+name: ssl-gateway-v$VERSION
+  url: https://s3-eu-west-1.amazonaws.com/anynines-bosh-releases/ssl-gateway-v$VERSION.tgz
+  sha: $sha
+  version: $VERSION
+EOF
+
+aws s3 cp /tmp/ssl-gateway-v$VERSION.tgz s3://anynines-bosh-releases/ssl-gateway-v$VERSION.tgz
+
+git add .
+# git commit -m "Create new final release ssl-gateway-v$VERSION"
+

release-versions.yml

@@ -0,0 +1,5 @@
+
+name: ssl-gateway-v1.0.0
+  url: https://s3-eu-west-1.amazonaws.com/anynines-bosh-releases/ssl-gateway-v1.0.0.tgz
+  sha: 7b5f7309cddb153a1bd6c468a0d911bc2811c69a8286ea068a7f4c448ae55f00  /tmp/ssl-gateway-v1.0.0.tgz
+  version: 1.0.0

releases/ssl-gateway/index.yml

@@ -17,8 +17,12 @@ builds:
     version: "7"
   be3bd329-08be-4325-8e11-4e749ebd6737:
     version: "5"
+  d38cdbbf-4b5d-4ee6-4881-30787fb2afc3:
+    version: 1.0.0
   ee88a057-6c45-4655-a4a3-29c611fe070c:
     version: "10"
+  ef01ded7-0364-465f-7a75-5f0d5d58f50e:
+    version: "13"
   fa6407ee-0cd1-4418-9e09-2c6ae19156ed:
     version: "6"
   fbe1d8d3-6898-42e5-8177-c9d09628be60:

releases/ssl-gateway/ssl-gateway-1.0.0.yml

@@ -0,0 +1,62 @@
+name: ssl-gateway
+version: 1.0.0
+commit_hash: 632e694
+uncommitted_changes: true
+jobs:
+- name: nginx
+  version: ca7867c57b4f1297b6d282be27ef1bca0dc59ce7
+  fingerprint: ca7867c57b4f1297b6d282be27ef1bca0dc59ce7
+  sha1: 4ac02d0aa7eafd45508d881e1f8253ea06c3b39d
+- name: virtual_host_service_api
+  version: 4ca130dd7b124570d801e3c45aa5219efe69e29b
+  fingerprint: 4ca130dd7b124570d801e3c45aa5219efe69e29b
+  sha1: 60713cd5d440bbe51ebd0aa381237d8190ee08a0
+- name: virtual_host_service_worker
+  version: 2bc642145b8991d0c4c9d6c4c6c900e27c95ff5c
+  fingerprint: 2bc642145b8991d0c4c9d6c4c6c900e27c95ff5c
+  sha1: 0703113c43f5c9dea9bb084798424ba7d6cefcf2
+packages:
+- name: libpq
+  version: d27de4889ebd19799ed3f0a663b642de80dca5bb
+  fingerprint: d27de4889ebd19799ed3f0a663b642de80dca5bb
+  sha1: 2b5faf4f70c3a19bac285439510639b632bacbf5
+  dependencies: []
+- name: libyaml
+  version: ec170fd1ca2cda520318a00bda317209f6976459
+  fingerprint: ec170fd1ca2cda520318a00bda317209f6976459
+  sha1: 492ad761f980078cc5b2cd73f26f2a8d3bf15c85
+  dependencies: []
+- name: nginx
+  version: 8832f79a3ce14d3f25b5d14aaba0177bd58debbc
+  fingerprint: 8832f79a3ce14d3f25b5d14aaba0177bd58debbc
+  sha1: cc5692b75e2ea96bb624f5c625dc79fbc8138794
+  dependencies: []
+- name: ruby
+  version: 9b91b689aa1f8f4690b55532c1ffcca32379bf4f
+  fingerprint: 9b91b689aa1f8f4690b55532c1ffcca32379bf4f
+  sha1: 73a6a7b79ebe418209612244b9f910ba8ae21abf
+  dependencies:
+  - libyaml
+  - zlib
+- name: virtual_host_service_api
+  version: de65d33707b24b5f5ea78cdf4d03ba2c703481cc
+  fingerprint: de65d33707b24b5f5ea78cdf4d03ba2c703481cc
+  sha1: 27e4025da119e3ab844b0d0c5a92a647a9c86ff4
+  dependencies:
+  - ruby
+  - libpq
+- name: virtual_host_service_worker
+  version: f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312
+  fingerprint: f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312
+  sha1: e3da817ae95fec2724ab900ea7be71b45d72dc5f
+  dependencies:
+  - ruby
+- name: zlib
+  version: 5995f47d27c11d09522a631a1a2ff2a0622d53db
+  fingerprint: 5995f47d27c11d09522a631a1a2ff2a0622d53db
+  sha1: ae413c53cf6f465d5e4724fb56156a86931f1cd9
+  dependencies: []
+license:
+  version: ae6a94b3e38944457867abb9a3ac4d796d712a59
+  fingerprint: ae6a94b3e38944457867abb9a3ac4d796d712a59
+  sha1: 86167b01b4313271b502312afe0c76f7907cb022

releases/ssl-gateway/ssl-gateway-13.yml

@@ -0,0 +1,62 @@
+name: ssl-gateway
+version: "13"
+commit_hash: 7d96c87
+uncommitted_changes: true
+jobs:
+- name: nginx
+  version: ca7867c57b4f1297b6d282be27ef1bca0dc59ce7
+  fingerprint: ca7867c57b4f1297b6d282be27ef1bca0dc59ce7
+  sha1: 4ac02d0aa7eafd45508d881e1f8253ea06c3b39d
+- name: virtual_host_service_api
+  version: 4ca130dd7b124570d801e3c45aa5219efe69e29b
+  fingerprint: 4ca130dd7b124570d801e3c45aa5219efe69e29b
+  sha1: 60713cd5d440bbe51ebd0aa381237d8190ee08a0
+- name: virtual_host_service_worker
+  version: 2bc642145b8991d0c4c9d6c4c6c900e27c95ff5c
+  fingerprint: 2bc642145b8991d0c4c9d6c4c6c900e27c95ff5c
+  sha1: 0703113c43f5c9dea9bb084798424ba7d6cefcf2
+packages:
+- name: libpq
+  version: d27de4889ebd19799ed3f0a663b642de80dca5bb
+  fingerprint: d27de4889ebd19799ed3f0a663b642de80dca5bb
+  sha1: 2b5faf4f70c3a19bac285439510639b632bacbf5
+  dependencies: []
+- name: libyaml
+  version: ec170fd1ca2cda520318a00bda317209f6976459
+  fingerprint: ec170fd1ca2cda520318a00bda317209f6976459
+  sha1: 492ad761f980078cc5b2cd73f26f2a8d3bf15c85
+  dependencies: []
+- name: nginx
+  version: 8832f79a3ce14d3f25b5d14aaba0177bd58debbc
+  fingerprint: 8832f79a3ce14d3f25b5d14aaba0177bd58debbc
+  sha1: cc5692b75e2ea96bb624f5c625dc79fbc8138794
+  dependencies: []
+- name: ruby
+  version: 9b91b689aa1f8f4690b55532c1ffcca32379bf4f
+  fingerprint: 9b91b689aa1f8f4690b55532c1ffcca32379bf4f
+  sha1: 73a6a7b79ebe418209612244b9f910ba8ae21abf
+  dependencies:
+  - libyaml
+  - zlib
+- name: virtual_host_service_api
+  version: de65d33707b24b5f5ea78cdf4d03ba2c703481cc
+  fingerprint: de65d33707b24b5f5ea78cdf4d03ba2c703481cc
+  sha1: 27e4025da119e3ab844b0d0c5a92a647a9c86ff4
+  dependencies:
+  - ruby
+  - libpq
+- name: virtual_host_service_worker
+  version: f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312
+  fingerprint: f99880f0cbe4ad9bbbad4d46ec98f0d6244b0312
+  sha1: e3da817ae95fec2724ab900ea7be71b45d72dc5f
+  dependencies:
+  - ruby
+- name: zlib
+  version: 5995f47d27c11d09522a631a1a2ff2a0622d53db
+  fingerprint: 5995f47d27c11d09522a631a1a2ff2a0622d53db
+  sha1: ae413c53cf6f465d5e4724fb56156a86931f1cd9
+  dependencies: []
+license:
+  version: ae6a94b3e38944457867abb9a3ac4d796d712a59
+  fingerprint: ae6a94b3e38944457867abb9a3ac4d796d712a59
+  sha1: 86167b01b4313271b502312afe0c76f7907cb022