DX: manage certificates with Makefile (take 2)

.github/workflows/pre-commit.yml

@@ -0,0 +1,23 @@
+on:
+  pull_request:
+  push:
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-go@v3
+      with:
+        go-version: "stable"
+        check-latest: true
+    - name: Install gosec
+      run: go install github.com/securego/gosec/v2/cmd/gosec@latest
+    - name: Install static check
+      run: go install honnef.co/go/tools/cmd/staticcheck@latest
+    - uses: actions/setup-python@v4
+      with:
+        python-version: 3.x
+    - uses: pre-commit/[email protected]
+    - uses: pre-commit-ci/[email protected]
+      if: always()

.gitignore

@@ -1,14 +1,5 @@
-*.crt
-*.key
-.idea
-config/certificates
-pki
-.vscode
-data
-go.work.sum
-
-# Created by https://www.toptal.com/developers/gitignore/api/goland+all,visualstudiocode,terraform,go,python
-# Edit at https://www.toptal.com/developers/gitignore?templates=goland+all,visualstudiocode,terraform,go,python
+# Created by https://www.toptal.com/developers/gitignore/api/goland+all,visualstudiocode,go
+# Edit at https://www.toptal.com/developers/gitignore?templates=goland+all,visualstudiocode,go
 
 ### Go ###
 # If you prefer the allow list template instead of the deny list, see community template:
@@ -67,14 +58,14 @@ go.work
 # When using Gradle or Maven with auto-import, you should exclude module files,
 # since they will be recreated, and may cause churn.  Uncomment if using
 # auto-import.
-.idea/artifacts
-.idea/compiler.xml
-.idea/jarRepositories.xml
-.idea/modules.xml
-.idea/*.iml
-.idea/modules
-*.iml
-*.ipr
+# .idea/artifacts
+# .idea/compiler.xml
+# .idea/jarRepositories.xml
+# .idea/modules.xml
+# .idea/*.iml
+# .idea/modules
+# *.iml
+# *.ipr
 
 # CMake
 cmake-build-*/
@@ -121,213 +112,6 @@ fabric.properties
 !.idea/codeStyles
 !.idea/runConfigurations
 
-### Python ###
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#pdm.lock
-#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
-#   in version control.
-#   https://pdm.fming.dev/#use-with-ide
-.pdm.toml
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
-
-### Python Patch ###
-# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
-poetry.toml
-
-# ruff
-.ruff_cache/
-
-# LSP config files
-pyrightconfig.json
-
-### Terraform ###
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-terraform.rc
-
 ### VisualStudioCode ###
 .vscode/*
 !.vscode/settings.json
@@ -347,5 +131,4 @@ terraform.rc
 .history
 .ionide
 
-# End of https://www.toptal.com/developers/gitignore/api/goland+all,visualstudiocode,terraform,go,python
-
+# End of https://www.toptal.com/developers/gitignore/api/goland+all,visualstudiocode,go

.hook/sort-talismanrc.sh

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-yq -i '.fileignoreconfig |= sort_by(.filename)' .talismanrc
+yq -i '.fileignoreconfig |= sort_by(.filename)' .talismanrc

.talismanrc

@@ -95,8 +95,6 @@ fileignoreconfig:
     checksum: b31b2ed998237c77a6cd3501ce4231c2cbe15a2aca68db8715f4f43f9fc7e01c
   - filename: manager/store/inmemory/cert_test.go
     checksum: 535591f9b2a347dd1fc00f07aa3742660c96a636dae8f724c9e2842e09b95356
-  - filename: scripts/generate-tls-cert.sh
-    checksum: eab0c50edc72d8a53c2a2d0c4238924f9705666dc962a344384d793a501dea50
 scopeconfig:
   - scope: go
-version: ""
+version: ''

README.md

@@ -7,7 +7,7 @@ MaEVe is an EV charge station management system (CSMS). It began life as a simpl
 implementing ISO-15118-2 Plug and Charge (PnC) functionality and remains a work in progress. It is hoped that over
 time it will become more complete, but already provides a useful basis for experimentation.
 
-The system currently integrates with [Hubject](https://hubject.stoplight.io/) for PnC functionality. 
+The system currently integrates with [Hubject](https://hubject.stoplight.io/) for PnC functionality.
 
 ## Table of Contents
 - [Documentation](#documentation)
@@ -21,26 +21,22 @@ MaEVe is implemented in Go 1.20. Learn more about MaEVe and its existing compone
 
 ## Pre-requisites
 
-MaEVe runs in a set of Docker containers. This means you need to have `docker`, `docker-compose` and a docker daemon (e.g. docker desktop, `colima` or `rancher`) installed and running. 
+MaEVe runs in a set of Docker containers. This means you need to have `docker`, `docker-compose` and a docker daemon (e.g. docker desktop, `colima` or `rancher`) installed and running.
 
 ## Getting started
 
 To get the system up and running:
 
-1. Run the [./scripts/generate-tls-cert.sh](./scripts/generate-tls-cert.sh) script which will create a server
-certificate for the CSMS
-2. Run the [./scripts/get-ca-cert.sh](./scripts/get-ca-cert.sh) script with a token retrieved from 
-the [Hubject test environment](https://hubject.stoplight.io/docs/open-plugncharge/6bb8b3bc79c2e-authorization-token) 
-to retrieve the V2G root certificate and CPO Sub CA certificates - remember to put your token argument within quotes
-3. Run the [./scripts/run.sh](./scripts/run.sh) script with the same token to run all the required components - again, don't forget the quotes around the token
+1. `(cd config/certificates && make)`
+2. Run the [./scripts/run.sh](./scripts/run.sh) script with the same token to run all the required components - again, don't forget the quotes around the token
 
 Charge stations can connect to the CSMS using:
 * `ws://localhost/ws/<cs-id>`
 * `wss://localhost/ws/<cs-id>`
 
 Charge stations can use either OCPP 1.6j or OCPP 2.0.1.
 
-For TLS, the charge station should use a certificate provisioned using the 
+For TLS, the charge station should use a certificate provisioned using the
 [Hubject CPO EST service](https://hubject.stoplight.io/docs/open-plugncharge/486f0b8b3ded4-simple-enroll-iso-15118-2-and-iso-15118-20).
 
 A charge station must first be registered with the CSMS before it can be used. This can be done using the

config/certificates/Makefile

@@ -0,0 +1,31 @@
+# Temporary file for process substitution
+temp_file := /tmp/temp.ext
+
+all: csms.pem cpo_sub_ca1.pem cpo_sub_ca2.pem root-V2G-cert.pem trust.pem
+
+csms.key:
+	openssl ecparam -name prime256v1 -genkey -noout -out csms.key
+
+csms.csr: csms.key
+	openssl req -new -nodes -key csms.key \
+		-subj "/CN=CSMS/O=Thoughtworks" \
+		-addext "subjectAltName = DNS:localhost, DNS:gateway, DNS:lb" \
+		-out csms.csr
+
+csms.pem: csms.csr
+	echo "basicConstraints = critical, CA:false" > $(temp_file)
+	echo "keyUsage = critical, digitalSignature, keyEncipherment" >> $(temp_file)
+	echo "subjectAltName = DNS:localhost, DNS:gateway, DNS:lb" >> $(temp_file)
+	openssl x509 -req -in csms.csr \
+		-out csms.pem \
+		-signkey csms.key \
+		-days 365 \
+		-extfile $(temp_file)
+	rm -f $(temp_file)
+
+cpo_sub_ca1.pem cpo_sub_ca2.pem root-V2G-cert.pem trust.pem:
+	../../scripts/get-ca-cert.sh
+
+.PHONY: clean
+clean:
+	rm -f *.pem csms.key csms.csr