Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
COPY go.sum .
RUN go mod download && go mod verify

COPY . .

Check warning on line 20 in Dockerfile

View workflow job for this annotation

GitHub Actions / e2e-test

Attempting to Copy file that is excluded by .dockerignore

CopyIgnoredFile: Attempting to Copy file "." that is excluded by .dockerignore More info: https://docs.docker.com/go/dockerfile/rule/copy-ignored-file/

Check warning on line 20 in Dockerfile

View workflow job for this annotation

GitHub Actions / docker

Attempting to Copy file that is excluded by .dockerignore

CopyIgnoredFile: Attempting to Copy file "." that is excluded by .dockerignore More info: https://docs.docker.com/go/dockerfile/rule/copy-ignored-file/
RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -ldflags="-w -s -X 'github.com/nuts-foundation/nuts-node/core.GitCommit=${GIT_COMMIT}' -X 'github.com/nuts-foundation/nuts-node/core.GitBranch=${GIT_BRANCH}' -X 'github.com/nuts-foundation/nuts-node/core.GitVersion=${GIT_VERSION}'" -o /opt/nuts/nuts

# alpine
Expand All @@ -32,6 +32,11 @@
CMD curl -f http://localhost:8081/status || exit 1

RUN adduser -D -H -u 18081 nuts-usr

# Mountable directory for additional CA certificates (*.pem, *.crt) that HTTP clients trust, on top of the OS CA bundle.
RUN mkdir -p /etc/nuts/http-trust.d && chown 18081:18081 /etc/nuts/http-trust.d
ENV NUTS_HTTPCLIENT_TLS_EXTRACERTSDIR=/etc/nuts/http-trust.d

USER 18081:18081
WORKDIR /nuts

Expand Down
3 changes: 3 additions & 0 deletions README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -186,8 +186,10 @@ The following options can be configured on the server:
url Public facing URL of the server (required). Must be HTTPS when strictmode is set.
verbosity info Log level (trace, debug, info, warn, error)
httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.
httpclient.tls.extracertsdir Directory containing additional CA certificates (*.pem, *.crt) that HTTP clients trust, on top of the OS CA bundle. When set, the directory must exist.
**Auth**
auth.authorizationendpoint.enabled false enables the v2 API's OAuth2 Authorization Endpoint, used by OpenID4VP and OpenID4VCI. This flag might be removed in a future version (or its default become 'true') as the use cases and implementation of OpenID4VP and OpenID4VCI mature.
auth.experimental.jwtbearerclient false enables the experimental RFC 7523 jwt-bearer two-VP token request flow. While disabled (the default), requests carrying a service-provider subject identifier are rejected. Subject to change without notice.
**Crypto**
crypto.storage Storage to use, 'fs' for file system (for development purposes), 'vaultkv' for HashiCorp Vault KV store, 'azure-keyvault' for Azure Key Vault, 'external' for an external backend (deprecated).
crypto.azurekv.hsm false Whether to store the key in a hardware security module (HSM). If true, the Azure Key Vault must be configured for HSM usage. Default: false
Expand Down Expand Up @@ -240,6 +242,7 @@ The following options can be configured on the server:
tracing.servicename Service name reported to the tracing backend. Defaults to 'nuts-node'.
**policy**
policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping.
policy.authzen.endpoint Base URL of the AuthZen PDP endpoint. Required when any credential profile uses scope_policy 'dynamic'; the node refuses to start if such a profile is configured but this flag is empty.
======================================== =================================================================================================================================================================================================================================================================================================================================================================================================================================================================== ============================================================================================================================================================================================================================================================================================================================================

Options specific for ``did:nuts``/gRPC
Expand Down
10 changes: 10 additions & 0 deletions core/server_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,15 @@ type HTTPConfig struct {
type HTTPClientConfig struct {
// Timeout specifies the timeout for HTTP requests.
Timeout time.Duration `koanf:"timeout"`
// TLS contains TLS settings for HTTP clients.
TLS HTTPClientTLSConfig `koanf:"tls"`
}

// HTTPClientTLSConfig contains TLS settings for HTTP clients.
type HTTPClientTLSConfig struct {
// ExtraCertsDir specifies a directory with additional CA certificates (*.pem, *.crt) that HTTP clients trust,
// on top of the OS CA bundle.
ExtraCertsDir string `koanf:"extracertsdir"`
}

// TLSConfig specifies how TLS should be configured for connections.
Expand Down Expand Up @@ -269,6 +278,7 @@ func FlagSet() *pflag.FlagSet {
flagSet.StringSlice("didmethods", defaultCfg.DIDMethods, "Comma-separated list of enabled DID methods (without did: prefix). "+
"It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.")
flagSet.Duration("httpclient.timeout", defaultCfg.HTTPClient.Timeout, "Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.")
flagSet.String("httpclient.tls.extracertsdir", defaultCfg.HTTPClient.TLS.ExtraCertsDir, "Directory containing additional CA certificates (*.pem, *.crt) that HTTP clients trust, on top of the OS CA bundle. When set, the directory must exist.")
flagSet.String("tls.certfile", defaultCfg.TLS.CertFile, "PEM file containing the certificate for the gRPC server (also used as client certificate). Required in strict mode.")
flagSet.String("tls.certkeyfile", defaultCfg.TLS.CertKeyFile, "PEM file containing the private key of the gRPC server certificate. Required in strict mode.")
flagSet.String("tls.truststorefile", defaultCfg.TLS.TrustStoreFile, "PEM file containing the trusted CA certificates for authenticating remote gRPC servers. Required in strict mode.")
Expand Down
12 changes: 12 additions & 0 deletions core/server_config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,18 @@ func TestNewNutsConfig_Load(t *testing.T) {

assert.Equal(t, "warn", cfg.Verbosity)
})

t.Run("ok - httpclient.tls.extracertsdir is parsed", func(t *testing.T) {
defer reset()
os.Args = []string{"command", "--httpclient.tls.extracertsdir", "/etc/nuts/http-trust.d"}
cfg := NewServerConfig()
cmd := testCommand()

err := cfg.Load(cmd.Flags())

require.NoError(t, err)
assert.Equal(t, "/etc/nuts/http-trust.d", cfg.HTTPClient.TLS.ExtraCertsDir)
})
}

func TestNewNutsConfig_PrintConfig(t *testing.T) {
Expand Down
5 changes: 4 additions & 1 deletion discovery/module_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -708,7 +708,10 @@ func TestModule_GetServiceActivation(t *testing.T) {
assert.Nil(t, presentation)
})
t.Run("activated, no VP", func(t *testing.T) {
m, ctx := setupModule(t, storageEngine)
// disable the background refresh loop, otherwise it races with this test's ListDIDs expectation
m, ctx := setupModule(t, storageEngine, func(module *Module) {
module.config.Client.RefreshInterval = 0
})
ctx.subjectManager.EXPECT().ListDIDs(gomock.Any(), aliceSubject).Return([]did.DID{aliceDID}, nil)
next := time.Now()
_ = m.store.updatePresentationRefreshTime(testServiceID, aliceSubject, nil, &next)
Expand Down
4 changes: 4 additions & 0 deletions docs/pages/deployment/docker.rst
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,10 @@ The default working directory within the container is ``/nuts`` that provides de
The container user (``18081``) has insufficient privileges by default to write to mounted directories.
The required permissions can be granted by making the container user the owner of the ``data`` directory on the host. (``chown -R 18081:18081 </path/to/host/data-dir>``)

* **/etc/nuts/http-trust.d/**: Directory with additional CA certificates (``*.pem``, ``*.crt``) that HTTP clients trust, on top of the OS CA bundle.
The image sets ``NUTS_HTTPCLIENT_TLS_EXTRACERTSDIR`` to this path by default, so mounting CA certificates here trusts them without rebuilding the image.
Files must be readable by the container user (``18081``); read-only is sufficient (``chmod -R o+r </path/to/host/ca-dir>``).

.. note::

- Nodes running the :ref:`recommended deployment <nuts-node-recommended-deployment>` (external storage configured for ``crypto.storage`` and ``storage.sql.connection``) that do not use did:nuts / gRPC network don't need to mount a ``data`` dir.
Expand Down
Loading
Loading