HIRS/package/scripts/db/db_create.sh

#!/bin/bash
#
###############################################################################
# HIRS DB creation
# Environment variables used:
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
################################################################################

LOG_FILE=$1
UNATTENDED=$2
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
DB_ADMIN_PWD=""
# Db Configuration files
DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
# Default Server Side Certificates
SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem"; 
SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";
# Default Client Side Certificates
SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";
SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; 
SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";

touch $ACA_PROP_FILE
touch $LOG_FILE
touch $DB_SRV_CONF

# Make sure required paths exist
mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/

source $SCRIPT_DIR/start_mysqld.sh
source $ACA_PROP_FILE 

check_mysql_root_pwd () {
  # Check if DB root password needs to be obtained
 
  if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
	 # Create a 32 character random password
	 echo "Using randomly generated password for the DB admin" | tee -a "$LOG_FILE"
	 DB_ADMIN_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
	 echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."
     # Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password
	 if [ -z $UNATTENDED ]; then
	   read -p "Do you wish to save this password to the aca.properties file? " confirm
	   if [[ $confirm == [yY] || $confirm == [yY][eE][sS] ]]; then
	      echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
	      echo "Mysql root password saved locally"
	    else
	      echo "Mysql root password not saved locally"
	   fi
	 else
	   echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE
	   echo "Mysql root password has been saved locally."
	 fi
	 mysqladmin --user=root password "$DB_ADMIN_PWD"
  else
    DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
    echo "Using system variable supplied password" | tee -a "$LOG_FILE"
  fi
  # Make sure root password is correct
  $(mysql -u root -p$DB_ADMIN_PWD -e 'quit'  &> /dev/null);
  if [ $? -eq 0 ]; then
     echo "root password verified"  | tee -a "$LOG_FILE"
  else
     echo "MYSQL root password was not the default, not supplied,  or was incorrect"
     echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
     echo "      ********** ACA Mysql setup aborted ********" ;
     exit 1;
  fi
}

set_mysql_server_tls () {
  # Check DB server setup. If ssl params dont exist then we need to add them.
  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
    # Add TLS files to my.cnf
    echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
    echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
    echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"
    echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"
    # Make sure mysql can access them
    chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
    # Make selinux contexts for config files, if selinux is enabled
    selinuxenabled
    if [ $? -eq 0 ]; then
       semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
       restorecon -v -F $DB_SRV_CONF      > /dev/null                 # changes the file's context type
    fi
  else
       echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
  fi
}

set_mysql_client_tls () {
# Update ACA property file with client cert info, if not there already
if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then 
  echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
  echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
  echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
  echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
  chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
  # Make selinux contexts for config files, if selinux is enabled
  selinuxenabled
  if [ $? -eq 0 ]; then
      semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
      restorecon -F $DB_CLIENT_CONF                         > /dev/null #changes the file's context type
  fi                           
fi
}

# Process HIRS DB USER
set_hirs_db_pwd () {

   RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
   if [ "$RESULT" = 1 ]; then
      echo "hirs-db user exists"
      HIRS_DB_PWD=$hirs_db_password
   else   
   # Check if Mysql HIRS DB  password set by system variable or set to random number
     if [ -z $HIRS_DB_PWD ]; then
       HIRS_DB_PWD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
     fi

     echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE
     echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE
  fi

}

# Create a hirs_db with client side TLS enabled
create_hirs_db_with_tls () {
  # Check if hirs_db not created and create it if it wasn't
  mysqlshow --user=root --password="$DB_ADMIN_PWD" | grep "hirs_db" > /dev/null 2>&1
  if [ $? -eq 0 ]; then
     echo "hirs_db exists, skipping hirs_db create"
  else
     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
     mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
  fi
}

# HIRS ACA Mysqld processing ...
check_mariadb_install
check_for_container
set_mysql_server_tls
set_mysql_client_tls
start_mysqlsd
check_mysql_root_pwd
set_hirs_db_pwd
create_hirs_db_with_tls
mysqld_reboot
Initial release 2018-09-06 13:47:33 +00:00			`#!/bin/bash`
updated with package for the ACA [no ci] 2023-04-27 19:51:22 +00:00			`#`
			`###############################################################################`
			`# HIRS DB creation`
			`# Environment variables used:`
cleaned up dnf install and dnf remove 2023-05-03 16:54:35 +00:00			`# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set`
			`# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed`
updated with package for the ACA [no ci] 2023-04-27 19:51:22 +00:00			`################################################################################`

initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`LOG_FILE=$1`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00			`UNATTENDED=$2`
added aca_setup.sh to support embedded tomcat [no ci] 2023-06-02 19:23:55 +00:00			`# Capture location of the script to allow from invocation from any location`
			`SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`SPRING_PROP_FILE="/etc/hirs/aca/application.properties"`
			`ACA_PROP_FILE="/etc/hirs/aca/aca.properties"`
			`DB_ADMIN_PWD=""`
			`# Db Configuration files`
			`DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"`
			`DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"`
			`# Default Server Side Certificates`
			`SSL_DB_SRV_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";`
			`SSL_DB_SRV_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.pem";`
			`SSL_DB_SRV_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_srv_rsa_3k_sha384.key";`
			`# Default Client Side Certificates`
			`SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k_sha384_Cert_Chain.pem";`
			`SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem";`
			`SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";`

			`touch $ACA_PROP_FILE`
			`touch $LOG_FILE`
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`touch $DB_SRV_CONF`
updated with package for the ACA [no ci] 2023-04-27 19:51:22 +00:00
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`# Make sure required paths exist`
			`mkdir -p /etc/hirs/aca/`
			`mkdir -p /var/log/hirs/`

Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`source $SCRIPT_DIR/start_mysqld.sh`
			`source $ACA_PROP_FILE`
added script for generating pki keys/certs [no ci] 2023-05-19 20:35:46 +00:00
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`check_mysql_root_pwd () {`
			`# Check if DB root password needs to be obtained`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`if [ -z $HIRS_MYSQL_ROOT_PWD ]; then`
			`# Create a 32 character random password`
			`echo "Using randomly generated password for the DB admin" \| tee -a "$LOG_FILE"`
			`DB_ADMIN_PWD=$(head -c 64 /dev/urandom \| md5sum \| tr -dc 'a-zA-Z0-9')`
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`echo "DB Admin will be set to $DB_ADMIN_PWD , please make note for next mysql use."`
cleaned up commented out code and unsused files 2023-09-01 15:15:49 +00:00			`# Check UNATTENDED flag set m if not then prompt user for permission ot store mysql root password`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00			`if [ -z $UNATTENDED ]; then`
			`read -p "Do you wish to save this password to the aca.properties file? " confirm`
			`if [[ $confirm == [yY] \|\| $confirm == [yY][eE][sS] ]]; then`
			`echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE`
			`echo "Mysql root password saved locally"`
			`else`
			`echo "Mysql root password not saved locally"`
			`fi`
			`else`
			`echo "mysql_admin_password=$DB_ADMIN_PWD" >> $ACA_PROP_FILE`
			`echo "Mysql root password has been saved locally."`
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`mysqladmin --user=root password "$DB_ADMIN_PWD"`
			`else`
			`DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD`
			`echo "Using system variable supplied password" \| tee -a "$LOG_FILE"`
			`fi`
			`# Make sure root password is correct`
			`$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);`
			`if [ $? -eq 0 ]; then`
			`echo "root password verified" \| tee -a "$LOG_FILE"`
			`else`
			`echo "MYSQL root password was not the default, not supplied, or was incorrect"`
			`echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."`
			`echo " ******** ACA Mysql setup aborted ******" ;`
			`exit 1;`
			`fi`
			`}`
added aca_setup.sh to support embedded tomcat [no ci] 2023-06-02 19:23:55 +00:00
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`set_mysql_server_tls () {`
			`# Check DB server setup. If ssl params dont exist then we need to add them.`
cleaned up unused file 2023-08-18 16:38:41 +00:00			`if [[ $(cat "$DB_SRV_CONF" \| grep -c "ssl") < 1 ]]; then`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`# Add TLS files to my.cnf`
			`echo "Updating $DB_SRV_CONF with ssl parameters..." \| tee -a "$LOG_FILE"`
			`echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"`
			`echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF"`
			`echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF"`
cleaned up unused file 2023-08-18 16:38:41 +00:00			`# Make sure mysql can access them`
added an aca_check_setup.sh script 2023-08-28 20:18:08 +00:00			`chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`# Make selinux contexts for config files, if selinux is enabled`
			`selinuxenabled`
Added check for selinux, adds context to cnf files 2023-08-31 13:50:11 +00:00			`if [ $? -eq 0 ]; then`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF > /dev/null #adds the context type to file`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00			`restorecon -v -F $DB_SRV_CONF > /dev/null # changes the file's context type`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`else`
			`echo "mysql.cnf contians existing entry for ssl, skipping..." \| tee -a "$LOG_FILE"`
cleaned up unused file 2023-08-18 16:38:41 +00:00			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`}`

			`set_mysql_client_tls () {`
			`# Update ACA property file with client cert info, if not there already`
			`if [[ $(cat "$DB_CLIENT_CONF" \| grep -c "ssl") < 1 ]]; then`
			`echo "Updating $DB_CLIENT_CONF with ssl parameters..." \| tee -a "$LOG_FILE"`
			`echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF`
			`echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF`
			`echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF`
added an aca_check_setup.sh script 2023-08-28 20:18:08 +00:00			`chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`# Make selinux contexts for config files, if selinux is enabled`
			`selinuxenabled`
Added check for selinux, adds context to cnf files 2023-08-31 13:50:11 +00:00			`if [ $? -eq 0 ]; then`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null #adds the context type to file`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00			`restorecon -F $DB_CLIENT_CONF > /dev/null #changes the file's context type`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`fi`
added script for generating pki keys/certs [no ci] 2023-05-19 20:35:46 +00:00			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`}`
added script for generating pki keys/certs [no ci] 2023-05-19 20:35:46 +00:00
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`# Process HIRS DB USER`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`set_hirs_db_pwd () {`
cleaned up dnf install and dnf remove 2023-05-03 16:54:35 +00:00
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"`
			`if [ "$RESULT" = 1 ]; then`
			`echo "hirs-db user exists"`
			`HIRS_DB_PWD=$hirs_db_password`
			`else`
			`# Check if Mysql HIRS DB password set by system variable or set to random number`
			`if [ -z $HIRS_DB_PWD ]; then`
			`HIRS_DB_PWD=$(head -c 64 /dev/urandom \| md5sum \| tr -dc 'a-zA-Z0-9')`
			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`echo "hirs_db_username=hirs_db" >> $ACA_PROP_FILE`
			`echo "hirs_db_password=$HIRS_DB_PWD" >> $ACA_PROP_FILE`
			`fi`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00
			`}`

Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`# Create a hirs_db with client side TLS enabled`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`create_hirs_db_with_tls () {`
			`# Check if hirs_db not created and create it if it wasn't`
			`mysqlshow --user=root --password="$DB_ADMIN_PWD" \| grep "hirs_db" > /dev/null 2>&1`
			`if [ $? -eq 0 ]; then`
			`echo "hirs_db exists, skipping hirs_db create"`
			`else`
			`mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql`
			`mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql`
			`mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";`
			`fi`
Minor adjustment for RHEL OS with FIPS mode enabled 2023-08-31 13:27:58 +00:00			`}`

initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`# HIRS ACA Mysqld processing ...`
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`check_mariadb_install`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`check_for_container`
			`set_mysql_server_tls`
			`set_mysql_client_tls`
			`start_mysqlsd`
			`check_mysql_root_pwd`
Added aca_setup_check.sh 2023-08-23 20:30:06 +00:00			`set_hirs_db_pwd`
initial setup for DB TLS 2023-08-11 13:47:30 +00:00			`create_hirs_db_with_tls`
added a -h\|--help and -u\|--unattended option for aca_setup.sh 2023-08-31 20:29:40 +00:00			`mysqld_reboot`