Add in production container build

.dockerignore

@@ -1,4 +1,5 @@
 Dockerfile
+.gem
 tmp
 log
 node_modules
@@ -7,3 +8,6 @@ db/*.sqlite3
 .git*
 vendor/bundle
 postgres-data
+/public/assets
+/public/packs
+coverage/

Dockerfile

@@ -0,0 +1,158 @@
+FROM ruby:3.2.2-slim
+
+# Set environment variables
+ENV RAILS_ROOT /app
+ENV RAILS_ENV production
+ENV NODE_ENV production
+ENV RAILS_SERVE_STATIC_FILES true
+ENV RAILS_LOG_TO_STDOUT true
+ENV LOGIN_CONFIG_FILE $RAILS_ROOT/tmp/application.yml
+ENV RAILS_LOG_LEVEL debug
+ENV BUNDLE_PATH /usr/local/bundle
+ENV YARN_VERSION 1.22.5
+ENV NODE_VERSION 16.20.0
+ENV BUNDLER_VERSION 2.4.4
+ENV POSTGRES_SSLMODE prefer
+ENV POSTGRES_NAME idp
+ENV POSTGRES_HOST postgres
+ENV POSTGRES_USERNAME postgres
+ENV POSTGRES_PASSWORD postgres
+ENV POSTGRES_WORKER_SSLMODE prefer
+ENV POSTGRES_WORKER_NAME idp-worker-jobs
+ENV POSTGRES_WORKER_HOST postgres-worker
+ENV POSTGRES_WORKER_USERNAME postgres
+ENV POSTGRES_WORKER_PASSWORD postgres
+ENV REDIS_IRS_ATTEMPTS_API_URL redis://redis:6379/2
+ENV REDIS_THROTTLE_URL redis://redis:6379/1
+ENV REDIS_URL redis://redis:6379
+ENV ASSET_HOST http://localhost:3000
+ENV DOMAIN_NAME localhost:3000
+
+# Prevent documentation installation
+RUN echo 'path-exclude=/usr/share/doc/*' > /etc/dpkg/dpkg.cfg.d/00_nodoc && \
+    echo 'path-exclude=/usr/share/man/*' >> /etc/dpkg/dpkg.cfg.d/00_nodoc && \
+    echo 'path-exclude=/usr/share/groff/*' >> /etc/dpkg/dpkg.cfg.d/00_nodoc && \
+    echo 'path-exclude=/usr/share/info/*' >> /etc/dpkg/dpkg.cfg.d/00_nodoc && \
+    echo 'path-exclude=/usr/share/lintian/*' >> /etc/dpkg/dpkg.cfg.d/00_nodoc && \
+    echo 'path-exclude=/usr/share/linda/*' >> /etc/dpkg/dpkg.cfg.d/00_nodoc
+
+# Create a new user and set up the working directory
+RUN addgroup --gid 1000 app && \
+    adduser --uid 1000 --gid 1000 --disabled-password --gecos "" app && \
+    mkdir -p $RAILS_ROOT && \
+    mkdir -p $BUNDLE_PATH && \
+    chown -R app:app $RAILS_ROOT && \
+    chown -R app:app $BUNDLE_PATH
+
+# Setup timezone data
+ENV TZ=Etc/UTC
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+# Install dependencies
+RUN apt-get update && \
+    apt-get install -y \
+    git-core \
+    curl \
+    zlib1g-dev \
+    build-essential \
+    libssl-dev \
+    libreadline-dev \
+    libyaml-dev \
+    libsqlite3-dev \
+    sqlite3 \
+    libxml2-dev \
+    libxslt1-dev \
+    libcurl4-openssl-dev \
+    software-properties-common \
+    libffi-dev \
+    libpq-dev \
+    unzip && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-x64.tar.xz" \
+  && tar -xJf "node-v$NODE_VERSION-linux-x64.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
+  && rm "node-v$NODE_VERSION-linux-x64.tar.xz" \
+  && ln -s /usr/local/bin/node /usr/local/bin/nodejsv
+
+# Install Yarn
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /usr/share/keyrings/yarn-archive-keyring.gpg >/dev/null
+RUN echo "deb [signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
+RUN apt-get update && apt-get install -y yarn=1.22.5-1
+
+# Create the working directory
+WORKDIR $RAILS_ROOT
+
+# Set user
+USER app
+
+COPY .ruby-version $RAILS_ROOT/.ruby-version
+COPY Gemfile $RAILS_ROOT/Gemfile
+COPY Gemfile.lock $RAILS_ROOT/Gemfile.lock
+
+RUN bundle config build.nokogiri --use-system-libraries
+RUN bundle config set --local deployment 'true'
+RUN bundle config set --local path $BUNDLE_PATH
+RUN bundle config set --local without 'deploy development doc test'
+RUN bundle install --jobs $(nproc)
+RUN bundle binstubs --all
+
+COPY package.json $RAILS_ROOT/package.json
+COPY yarn.lock $RAILS_ROOT/yarn.lock
+RUN yarn install --production=true --frozen-lockfile --cache-folder .yarn-cache
+
+# Add the application code
+COPY --chown=app:app ./lib ./lib
+COPY --chown=app:app ./app ./app
+COPY --chown=app:app ./config ./config
+COPY --chown=app:app ./config.ru ./config.ru
+COPY --chown=app:app ./db ./db
+COPY --chown=app:app ./deploy ./deploy
+COPY --chown=app:app ./bin ./bin
+COPY --chown=app:app ./public ./public
+COPY --chown=app:app ./scripts ./scripts
+COPY --chown=app:app ./spec ./spec
+COPY --chown=app:app ./vendor ./vendor
+COPY --chown=app:app ./Rakefile ./Rakefile
+COPY --chown=app:app ./Makefile ./Makefile
+COPY --chown=app:app ./babel.config.js ./babel.config.js
+COPY --chown=app:app ./webpack.config.js ./webpack.config.js
+COPY --chown=app:app ./.browserslistrc ./.browserslistrc
+
+# Setup config files
+COPY --chown=app:app config/agencies.localdev.yml $RAILS_ROOT/config/agencies.yaml
+COPY --chown=app:app config/iaa_gtcs.localdev.yml $RAILS_ROOT/config/iaa_gtcs.yaml
+COPY --chown=app:app config/iaa_orders.localdev.yml $RAILS_ROOT/config/iaa_orders.yaml
+COPY --chown=app:app config/iaa_statuses.localdev.yml $RAILS_ROOT/config/iaa_statuses.yaml
+COPY --chown=app:app config/integration_statuses.localdev.yml $RAILS_ROOT/config/integration_statuses.yaml
+COPY --chown=app:app config/integrations.localdev.yml $RAILS_ROOT/config/integrations.yaml
+COPY --chown=app:app config/partner_account_statuses.localdev.yml $RAILS_ROOT/config/partner_account_statuses.yaml
+COPY --chown=app:app config/partner_accounts.localdev.yml $RAILS_ROOT/config/partner_accounts.yaml
+COPY --chown=app:app config/service_providers.localdev.yml $RAILS_ROOT/config/service_providers.yaml
+
+# Copy keys
+COPY --chown=app:app keys.example $RAILS_ROOT/keys
+
+# Copy pwned_passwords.txt
+COPY --chown=app:app pwned_passwords/pwned_passwords.txt.sample $RAILS_ROOT/pwned_passwords/pwned_passwords.txt
+
+# Copy robots.txt
+COPY --chown=app:app public/ban-robots.txt $RAILS_ROOT/public/robots.txt
+
+# Copy application.yml.default to application.yml
+COPY --chown=app:app ./config/application.yml.default.docker $RAILS_ROOT/config/application.yml
+
+# Generate and place SSL certificates for puma
+RUN openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 1825 \
+    -keyout $RAILS_ROOT/keys/localhost.key \
+    -out $RAILS_ROOT/keys/localhost.crt \
+    -subj "/C=US/ST=Fake/L=Fakerton/O=Dis/CN=localhost"
+
+# Precompile assets
+RUN bundle exec rake assets:precompile --trace
+
+# Expose the port the app runs on
+EXPOSE 3000
+
+# Start the application
+# CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
+CMD ["bundle", "exec", "puma", "-b", "ssl://0.0.0.0:3000?key=/app/keys/localhost.key&cert=/app/keys/localhost.crt"]

Gemfile

@@ -43,6 +43,7 @@ gem 'maxminddb'
 gem 'multiset'
 gem 'net-sftp'
 gem 'newrelic_rpm', '~> 8.0'
+gem 'puma'
 gem 'pg'
 gem 'phonelib'
 gem 'premailer-rails', '>= 1.12.0'
@@ -108,7 +109,6 @@ group :development, :test do
   gem 'pry-doc'
   gem 'pry-rails'
   gem 'psych'
-  gem 'puma'
   gem 'rspec-rails', '~> 6.0'
   gem 'rubocop', '~> 1.43.0', require: false
   gem 'rubocop-performance', '~> 1.15.0', require: false

config/application.yml.default

@@ -72,8 +72,10 @@ doc_auth_error_glare_threshold: 40
 database_pool_extra_connections_for_worker: 4
 database_pool_idp: 5
 database_socket: ''
+database_sslmode: 'verify-full'
 database_statement_timeout: 2_500
 database_timeout: 5_000
+database_worker_jobs_sslmode: 'verify-full'
 deliver_mail_async: false
 deleted_user_accounts_report_configs: '[]'
 development_mailer_deliver_method: letter_opener

config/application.yml.default.docker

@@ -0,0 +1,28 @@
+# These configurations are used for review applications in the sandbox environment
+production:
+  attribute_encryption_key: 2086dfbd15f5b0c584f3664422a1d3409a0d2aa6084f65b6ba57d64d4257431c124158670c7655e45cabe64194f7f7b6c7970153c285bdb8287ec0c4f7553e25
+  asset_host: ['env', 'ASSET_HOST']
+  database_host: ['env', 'POSTGRES_HOST']
+  database_name: ['env', 'POSTGRES_NAME']
+  database_password: ['env', 'POSTGRES_PASSWORD']
+  database_sslmode: ['env', 'POSTGRES_SSLMODE']
+  database_username: ['env', 'POSTGRES_USERNAME']
+  database_worker_jobs_name: ['env', 'POSTGRES_WORKER_NAME']
+  database_worker_jobs_username: ['env', 'POSTGRES_WORKER_USERNAME']
+  database_worker_jobs_host: ['env', 'POSTGRES_WORKER_HOST']
+  database_worker_jobs_password: ['env', 'POSTGRES_WORKER_PASSWORD']
+  database_worker_jobs_sslmode: ['env', 'POSTGRES_WORKER_SSLMODE']
+  hmac_fingerprinter_key: a2c813d4dca919340866ba58063e4072adc459b767a74cf2666d5c1eef3861db26708e7437abde1755eb24f4034386b0fea1850a1cb7e56bff8fae3cc6ade96c
+  redis_irs_attempt_api_url: ['env', 'REDIS_IRS_ATTEMPTS_API_URL']
+  redis_throttle_url: ['env', 'REDIS_THROTTLE_URL']
+  redis_url: ['env', 'REDIS_URL']
+  password_pepper: f22d4b2cafac9066fe2f4416f5b7a32c
+  session_encryption_key: 27bad3c25711099429c1afdfd1890910f3b59f5a4faec1c85e945cb8b02b02f261ba501d99cfbb4fab394e0102de6fecf8ffe260f322f610db3e96b2a775c120
+  piv_cac_verify_token_secret: ee7f20f44cdc2ba0c6830f70470d1d1d059e1279cdb58134db92b35947b1528ef5525ece5910cf4f2321ab989a618feea12ef95711dbc62b9601e8520a34ee12
+  secret_key_base: development_secret_key_base
+  domain_name: ['env', 'DOMAIN_NAME']
+  use_kms: false
+  email_from: no-reply@identitysandbox.gov
+  aws_kms_key_id: alias/dev-login-dot-gov-keymaker
+  log_to_stdout: false
+  telephony_adapter: test

config/database.yml

@@ -83,7 +83,7 @@ production:
     pool: <%= primary_pool %>
     advisory_locks: <%= !IdentityConfig.store.database_socket.present? %>
     prepared_statements: <%= !IdentityConfig.store.database_socket.present? %>
-    sslmode: 'verify-full'
+    sslmode: <%= IdentityConfig.store.database_sslmode %>
     sslrootcert: '/usr/local/share/aws/rds-combined-ca-bundle.pem'
     migrations_paths: db/primary_migrate
   read_replica:
@@ -93,7 +93,7 @@ production:
     host: <%= IdentityConfig.store.database_read_replica_host %>
     password: <%= IdentityConfig.store.database_readonly_password %>
     pool: <%= primary_pool %>
-    sslmode: 'verify-full'
+    sslmode: <%= IdentityConfig.store.database_sslmode %>
     sslrootcert: '/usr/local/share/aws/rds-combined-ca-bundle.pem'
     replica: true
   worker_jobs:
@@ -103,6 +103,6 @@ production:
     host: <%= IdentityConfig.store.database_worker_jobs_host %>
     password: <%= IdentityConfig.store.database_worker_jobs_password %>
     pool: <%= worker_pool %>
-    sslmode: 'verify-full'
+    sslmode: <%= IdentityConfig.store.database_worker_jobs_sslmode %>
     sslrootcert: '/usr/local/share/aws/rds-combined-ca-bundle.pem'
     migrations_paths: db/worker_jobs_migrate

docker-compose-idp.yml

@@ -0,0 +1,53 @@
+version: "3.9"
+
+services:
+  identity_idp:
+    build: .
+    container_name: identity-idp
+    depends_on:
+      - postgres
+      - postgres-worker
+      - redis
+    ports:
+      - "3000:3000"
+    tty: true
+    stdin_open: true
+    environment:
+      POSTGRES_SSLMODE: 'prefer'
+      POSTGRES_NAME: idp
+      POSTGRES_HOST: postgres
+      POSTGRES_USERNAME: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_WORKER_SSLMODE: 'prefer'
+      POSTGRES_WORKER_NAME: idp-worker-jobs
+      POSTGRES_WORKER_HOST: postgres-worker
+      POSTGRES_WORKER_USERNAME: postgres
+      POSTGRES_WORKER_PASSWORD: postgres
+      LOGIN_ENV: dev
+      RAILS_OFFLINE: 'true'
+
+  postgres:
+    image: postgres:14
+    container_name: postgres
+    environment:
+      POSTGRES_DB: idp
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+  postgres-worker:
+    image: postgres:14
+    container_name: postgres-worker
+    environment:
+      POSTGRES_DB: idp-worker-jobs
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+
+  redis:
+    image: redis:7
+    container_name: redis
+    #command: ["redis-server", "--requirepass", "${REDIS_PASSWORD}"]
+    #environment:
+      #REDIS_USER: ${REDIS_USER}
+      #REDIS_PASSWORD: ${REDIS_PASSWORD}
+
+# volumes:
+#   postgres-data:

lib/identity_config.rb

@@ -152,13 +152,15 @@ def self.build_store(config_map)
     config.add(:database_pool_extra_connections_for_worker, type: :integer)
     config.add(:database_pool_idp, type: :integer)
     config.add(:database_socket, type: :string)
+    config.add(:database_sslmode, type: :string)
     config.add(:database_statement_timeout, type: :integer)
     config.add(:database_timeout, type: :integer)
     config.add(:database_username, type: :string)
     config.add(:database_worker_jobs_name, type: :string)
     config.add(:database_worker_jobs_username, type: :string)
     config.add(:database_worker_jobs_host, type: :string)
     config.add(:database_worker_jobs_password, type: :string)
+    config.add(:database_worker_jobs_sslmode, type: :string)
     config.add(:deleted_user_accounts_report_configs, type: :json)
     config.add(:deliver_mail_async, type: :boolean)
     config.add(:development_mailer_deliver_method, type: :symbol, enum: [:file, :letter_opener])
@@ -385,10 +387,10 @@ def self.build_store(config_map)
     config.add(:recaptcha_secret_key_v3, type: :string)
     config.add(:recovery_code_length, type: :integer)
     config.add(:recurring_jobs_disabled_names, type: :json)
-    config.add(:redis_irs_attempt_api_url)
+    config.add(:redis_irs_attempt_api_url, type: :string)
     config.add(:redis_irs_attempt_api_pool_size, type: :integer)
-    config.add(:redis_throttle_url)
-    config.add(:redis_url)
+    config.add(:redis_throttle_url, type: :string)
+    config.add(:redis_url, type: :string)
     config.add(:redis_pool_size, type: :integer)
     config.add(:redis_session_pool_size, type: :integer)
     config.add(:redis_throttle_pool_size, type: :integer)