#!/usr/bin/env bash
# Container entrypoint for CipherStash Proxy.
#
# Optionally installs the AWS RDS certificate bundle, EQL and an example
# schema, then replaces itself with `cipherstash-proxy`, forwarding its own
# arguments.
#
# Environment read by this script:
#   CS_DATABASE__HOST, CS_DATABASE__PORT, CS_DATABASE__NAME,
#   CS_DATABASE__USERNAME, CS_DATABASE__PASSWORD
#       Used without defaults to build the PostgreSQL connection URI; under
#       `set -u` the script aborts if any of them is unset.
#   CS_DATABASE__INSTALL_AWS_RDS_CERT_BUNDLE, CS_DATABASE__AWS_BUNDLE_PATH
#   CS_DATABASE__INSTALL_EQL
#   CS_DATABASE__INSTALL_EXAMPLE_SCHEMA
#       Optional switches for the setup steps.
#
# -e: stop on the first unhandled command failure.
# -u: treat expansion of an unset variable as an error.
set -eu
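#######################################
# Probe the target database by running a trivial query through psql.
# Globals:   DATABASE_URL (read) - libpq connection URI, credentials included
# Outputs:   nothing; psql's stdout and stderr are both discarded
# Returns:   psql's exit status (0 when the query ran)
#######################################
postgres_ready() {
  # Quoted so the URI always reaches psql as exactly one argument; the host,
  # port and database name inside it come from the environment unencoded and
  # must not be word-split or glob-expanded.
  # NOTE(review): the URI (with the password) is passed on psql's command
  # line, so it is visible in the container's process listing while psql runs.
  psql "${DATABASE_URL}" -c "SELECT 1" > /dev/null 2>&1
}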
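# Taken from: https://github.com/SixArm/urlencode.sh/blob/f43155fed3b6399f3a07d974f12beb7097f9c447/urlencode.sh
#######################################
# Percent-encode a string so it can be embedded in a URI component.
# Letters, digits and ".~_-" pass through; everything else becomes %XX.
# Arguments: $1 - string to encode
# Outputs:   the encoded string on stdout, without a trailing newline
#######################################
urlencode() {
  # Pin the C locale for the duration of the call so the bracket ranges below
  # match ASCII only and the input is walked one byte at a time, whatever
  # locale the container was started with.
  local LC_ALL=C
  local length="${#1}"
  # Keep the loop state local so calling this function never clobbers a
  # caller's `i` or `c`.
  local i c
  for ((i = 0; i < length; i++)); do
    c="${1:i:1}"
    case "$c" in
      [a-zA-Z0-9.~_-])
        printf '%s' "$c"
        ;;
      *)
        # A leading quote makes printf format the character's numeric value.
        printf '%%%02X' "'$c"
        ;;
    esac
  done
}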
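#######################################
# Poll the database until it answers, or give up and terminate the script.
# Globals:   CS_DATABASE__HOST, CS_DATABASE__PORT (read, for messages only)
# Outputs:   progress messages on stdout
# Returns:   0 once postgres_ready succeeds; calls `exit 64` after 20 failed
#            attempts
#######################################
wait_for_postgres_or_exit() {
  # Locals so the function does not leak or overwrite script-level variables.
  local host=${CS_DATABASE__HOST}
  local port=${CS_DATABASE__PORT}
  local -r max_retries=20
  local -r interval=0.5
  local attempt=1

  echo "Testing presence of PostgreSQL at ${host}:${port} with a maximum of ${max_retries} retries"

  # postgres_ready discards psql's output, so a rejected login and an
  # unreachable host look the same here: both are just a failed attempt.
  until postgres_ready; do
    if [ "$attempt" -lt "$max_retries" ]; then
      echo "Waiting for ${host}:${port}"
      sleep "$interval"
      # Shell arithmetic instead of forking `expr` on every retry.
      attempt=$((attempt + 1))
    else
      echo "Unable to connect to ${host}:${port} after ${max_retries} attempts"
      exit 64
    fi
  done

  echo "Connected to ${host}:${port} after ${attempt} attempts"
}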
# Percent-encode the credentials so reserved characters in them (such as "@",
# ":" or "/") cannot change how the connection URI is parsed.
encoded_username="$(urlencode "${CS_DATABASE__USERNAME}")"
encoded_password="$(urlencode "${CS_DATABASE__PASSWORD}")"

# Assemble the libpq connection URI. Host, port and database name are inserted
# exactly as given in the environment; only the credentials are encoded.
# NOTE(review): this value contains the database password and is later handed
# to psql as a command-line argument, so keep it out of logs and traces.
printf -v DATABASE_URL 'postgresql://%s:%s@%s:%s/%s' \
  "${encoded_username}" \
  "${encoded_password}" \
  "${CS_DATABASE__HOST}" \
  "${CS_DATABASE__PORT}" \
  "${CS_DATABASE__NAME}"

# Fall back to the bundle next to the working directory when no path (or an
# empty one) is configured.
CS_DATABASE__AWS_BUNDLE_PATH="${CS_DATABASE__AWS_BUNDLE_PATH:-./aws-rds-global-bundle.pem}"
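# Optionally pull in the AWS RDS global certificate bundle. This is required
# to communicate with AWS RDS instances, if they are not configured to use some
# other certificates.
# (This assumes that ca-certificates is installed, for csplit and update-ca-certificates.)
#
# Every certificate found in the bundle file is added to the container's
# system trust store, so CS_DATABASE__AWS_BUNDLE_PATH should only ever point at
# a file from a trusted source. The default path is relative to the working
# directory the entrypoint is started in.
case "${CS_DATABASE__INSTALL_AWS_RDS_CERT_BUNDLE:-}" in
  # Have a guess at some common yaml-et-al encoding failures:
  "" | "false" | "no" | "0")
    >&2 echo "Not installing AWS RDS certificate bundle."
    ;;

  # Okay, go ahead and install the bundle:
  *)
    # Trace the installation commands on stderr.
    set -x

    if [ ! -f "$CS_DATABASE__AWS_BUNDLE_PATH" ]; then
      >&2 echo "Unable to find AWS RDS certificate bundle at: $CS_DATABASE__AWS_BUNDLE_PATH"
      exit 1
    fi

    >&2 echo "Installing AWS RDS certificate bundle..."
    # Split the bundle into one .crt file per certificate, as
    # update-ca-certificates picks certificates up file by file.
    csplit --quiet --elide-empty-files --prefix /usr/local/share/ca-certificates/aws --suffix '.%d.crt' "$CS_DATABASE__AWS_BUNDLE_PATH" '/-----BEGIN CERTIFICATE-----/' '{*}'
    update-ca-certificates

    # Stop tracing here. Left enabled, xtrace would also print every later
    # psql invocation, including the connection URI that carries the database
    # password, into the container's stderr log.
    set +x
    ;;
esac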
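# Optionally install EQL in the target database
case "${CS_DATABASE__INSTALL_EQL:-}" in
  "true" | "yes" | "1")
    >&2 echo "Installing EQL in target PostgreSQL database..."

    if [ ! -f "/opt/cipherstash-eql.sql" ]; then
      >&2 echo "error: unable to find EQL installer at: /opt/cipherstash-eql.sql"
      exit 1
    fi

    # Wait for postgres to become available
    wait_for_postgres_or_exit

    # Attempt to install EQL. psql is run as the `if` condition because the
    # script runs under `set -e`: as a bare command, a failing psql would end
    # the script on the spot, and the message and exit code 2 below would never
    # be produced.
    # NOTE(review): without ON_ERROR_STOP, psql keeps going after a failed
    # statement in a --file script and can still exit 0, and its output is
    # discarded here, so "Successfully installed" does not prove every
    # statement applied. Confirm the installer is safe to re-run before
    # tightening this.
    if ! psql --file=/opt/cipherstash-eql.sql --quiet "${DATABASE_URL}" > /dev/null 2>&1; then
      >&2 echo "error: unable to install EQL in target PostgreSQL database!"
      exit 2
    fi

    >&2 echo "Successfully installed EQL in target PostgreSQL database."
    ;;
  *)
    >&2 echo "Not installing EQL in target PostgreSQL database."
    ;;
esac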
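# Optionally install example schema in the target database
case "${CS_DATABASE__INSTALL_EXAMPLE_SCHEMA:-}" in
  "true" | "yes" | "1")
    >&2 echo "Applying example schema in target PostgreSQL database..."

    SQL_FILENAME="/opt/schema-example.sql"

    if [ ! -f "${SQL_FILENAME}" ]; then
      >&2 echo "error: unable to find example schema at: ${SQL_FILENAME}"
      exit 1
    fi

    # Wait for postgres to become available
    wait_for_postgres_or_exit

    # Attempt to apply the example schema. psql is run as the `if` condition
    # because the script runs under `set -e`: as a bare command, a failing psql
    # would end the script on the spot, and the message and exit code 2 below
    # would never be produced.
    # NOTE(review): without ON_ERROR_STOP, psql keeps going after a failed
    # statement in a --file script and can still exit 0, and its output is
    # discarded here, so the success message does not prove the schema applied
    # cleanly (for example on a second start against the same database).
    if ! psql --file="${SQL_FILENAME}" --quiet "${DATABASE_URL}" > /dev/null 2>&1; then
      >&2 echo "error: unable to apply example schema in target PostgreSQL database!"
      exit 2
    fi

    >&2 echo "Successfully applied example schema in target PostgreSQL database."
    >&2 echo "Example tables: users"
    ;;
  *)
    >&2 echo "Not installing example schema in target PostgreSQL database."
    ;;
esac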
# Setup is done: report on stderr, then replace this shell process with the
# proxy, handing it the entrypoint's own arguments unchanged.
printf '%s\n' \
  "Proxy container setup complete!" \
  "Running CipherStash Proxy..." >&2

exec cipherstash-proxy "$@"