mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-01-01 10:46:47 +00:00
189 lines
7.7 KiB
PowerShell
189 lines
7.7 KiB
PowerShell
|
#!/bin/bash
|
||
|
#
|
||
|
###############################################################################
|
||
|
# HIRS DB creation
|
||
|
# Environment variables used:
|
||
|
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
|
||
|
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
|
||
|
################################################################################
|
||
|
|
||
|
param (
|
||
|
[string]$LOG_FILE = $null,
|
||
|
[switch]$unattended = $false
|
||
|
)
|
||
|
|
||
|
$APP_HOME=(Split-Path -parent $PSCommandPath)
|
||
|
$ACA_COMMON_SCRIPT=(Join-Path "$APP_HOME" .. aca aca_common.ps1)
|
||
|
|
||
|
# Load other scripts
|
||
|
. $ACA_COMMON_SCRIPT
|
||
|
. $global:HIRS_REL_WIN_DB_MYSQL_UTIL
|
||
|
|
||
|
# Read aca.properties
|
||
|
read_aca_properties $global:HIRS_DATA_ACA_PROPERTIES_FILE
|
||
|
|
||
|
# Read spring application.properties
|
||
|
read_spring_properties $global:HIRS_DATA_SPRING_PROP_FILE
|
||
|
|
||
|
# Parameter check
|
||
|
if ($LOG_FILE) {
|
||
|
touch $LOG_FILE
|
||
|
$global:LOG_FILE=$LOG_FILE
|
||
|
} else {
|
||
|
set_up_log
|
||
|
}
|
||
|
|
||
|
touch $global:HIRS_DATA_ACA_PROPERTIES_FILE
|
||
|
touch $global:DB_CONF
|
||
|
|
||
|
# Make sure required paths exist
|
||
|
mkdir -F -p $global:HIRS_CONF_DIR 2>&1 > $null
|
||
|
mkdir -F -p $global:HIRS_DATA_LOG_DIR 2>&1 > $null
|
||
|
|
||
|
Function check_mysql_root_pwd () {
|
||
|
# Check if DB root password needs to be obtainedS
|
||
|
$DB_ADMIN_PWD=""
|
||
|
if (!$Env:HIRS_MYSQL_ROOT_PWD) {
|
||
|
# Create a 32 character random password
|
||
|
echo "Using randomly generated password for the DB admin" | WriteAndLog
|
||
|
$DB_ADMIN_PWD=(create_random)
|
||
|
Write-Host "NOT LOGGED: DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
|
||
|
# Check unattended flag set m if not then prompt user for permission ot store mysql root password
|
||
|
if (!$unattended) {
|
||
|
$confirm=Read-Host 'Do you wish to save this password to the aca.properties file?'
|
||
|
if (($confirm -eq "y") -or ($confirm -eq "yes")) { # case-insensitive
|
||
|
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"mysql_admin_password=$DB_ADMIN_PWD"
|
||
|
echo "Mysql root password saved locally" | WriteAndLog
|
||
|
} else {
|
||
|
echo "Mysql root password not saved locally" | WriteAndLog
|
||
|
}
|
||
|
} else { # unattended install
|
||
|
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"mysql_admin_password=$DB_ADMIN_PWD"
|
||
|
echo "Mysql root password has been saved locally." | WriteAndLog
|
||
|
}
|
||
|
mysqladmin --user=root password "$DB_ADMIN_PWD"
|
||
|
} else {
|
||
|
$DB_ADMIN_PWD=$Env:HIRS_MYSQL_ROOT_PWD
|
||
|
echo "Using system variable supplied password" | WriteAndLog
|
||
|
}
|
||
|
# Make sure root password is correct
|
||
|
|
||
|
mysql -u root -p"$DB_ADMIN_PWD" -e 'quit' 2>&1 | WriteAndLog
|
||
|
if ($LastExitCode -eq 0) {
|
||
|
echo "Mysql root password verified" | WriteAndLog
|
||
|
} else {
|
||
|
echo "MYSQL root password was not the default, not supplied, or was incorrect" | WriteAndLog
|
||
|
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." | WriteAndLog
|
||
|
echo " ********** ACA Mysql setup aborted ********" | WriteAndLog
|
||
|
exit 1
|
||
|
}
|
||
|
return $DB_ADMIN_PWD
|
||
|
}
|
||
|
|
||
|
Function set_mysql_tls () {
|
||
|
# Check DB server setup. If ssl params dont exist then we need to add them.
|
||
|
if (!(Get-Content $global:DB_CONF | grep "ssl")) {
|
||
|
# Add TLS files to my.ini- Assumes [client] section at the end, and no [server] section
|
||
|
echo "Updating $global:DB_CONF with ssl parameters..." | WriteAndLog
|
||
|
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $global:DB_CONF
|
||
|
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $global:DB_CONF
|
||
|
echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $global:DB_CONF
|
||
|
echo "[server]" >> $global:DB_CONF
|
||
|
echo "ssl_ca=$global:SSL_DB_SRV_CHAIN" >> $global:DB_CONF
|
||
|
echo "ssl_cert=$global:SSL_DB_SRV_CERT" >> $global:DB_CONF
|
||
|
echo "ssl_key=$global:SSL_DB_SRV_KEY" >> $global:DB_CONF
|
||
|
ChangeFileBackslashToForwardSlash $global:DB_CONF
|
||
|
} else {
|
||
|
echo "$global:DB_CONF contains existing entry for ssl, skipping..." | WriteAndLog
|
||
|
}
|
||
|
}
|
||
|
|
||
|
# Process HIRS DB USER
|
||
|
Function set_hirs_db_pwd () {
|
||
|
param (
|
||
|
[string]$DB_ADMIN_PWD = $null
|
||
|
)
|
||
|
if (!$DB_ADMIN_PWD) {
|
||
|
echo "set_hirs_db_pwd was called without supplying a required variable" | WriteAndLog
|
||
|
}
|
||
|
|
||
|
$HIRS_PASS=""
|
||
|
if ($Env:HIRS_DB_PWD) {
|
||
|
$HIRS_PASS=$Env:HIRS_DB_PWD
|
||
|
echo "Using hirs_db password found in the environment variable HIRS_DB_PWD" | WriteAndLog
|
||
|
} elseif ($global:ACA_PROPERTIES.'hirs_db_password') {
|
||
|
$HIRS_PASS=$global:ACA_PROPERTIES.'hirs_db_password'
|
||
|
echo "Using hirs_db password found in the ACA properties file $global:HIRS_DATA_ACA_PROPERTIES_FILE" | WriteAndLog
|
||
|
} else {
|
||
|
echo "Using randomly generated password for the DB key password" | WriteAndLog
|
||
|
$HIRS_PASS=(create_random)
|
||
|
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_db_username=hirs_db"
|
||
|
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_db_password=$HIRS_PASS"
|
||
|
echo "Stored hirs_db password in the ACA properties file $global:HIRS_DATA_ACA_PROPERTIES_FILE" | WriteAndLog
|
||
|
}
|
||
|
|
||
|
$RESULT=(mysql -u root -p"$DB_ADMIN_PWD" -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")
|
||
|
if ($RESULT -eq 1) {
|
||
|
echo "hirs-db user exists" | WriteAndLog
|
||
|
}
|
||
|
|
||
|
return $HIRS_PASS
|
||
|
}
|
||
|
|
||
|
# Create a hirs_db with client side TLS enabled
|
||
|
Function create_hirs_db_with_tls () {
|
||
|
param (
|
||
|
[string]$DB_ADMIN_PWD = $null,
|
||
|
[string]$HIRS_PASS = $null
|
||
|
)
|
||
|
if (!$DB_ADMIN_PWD) {
|
||
|
echo "create_hirs_db_with_tls: DB_ADMIN_PWD not provided and is required" | WriteAndLog
|
||
|
}
|
||
|
if (!$HIRS_PASS) {
|
||
|
echo "create_hirs_db_with_tls: HIRS_PASS not provided and is required" | WriteAndLog
|
||
|
}
|
||
|
|
||
|
# Check if hirs_db not created and create it if it wasn't
|
||
|
mysqlshow -u root -p"$DB_ADMIN_PWD" | grep "hirs_db" 2>&1 > $null
|
||
|
if ($LastExitCode -eq 0) {
|
||
|
echo "hirs_db exists, skipping hirs_db create" | WriteAndLog
|
||
|
} else {
|
||
|
echo "Creating hirs_db database" | WriteAndLog
|
||
|
mysql -u root -p"$DB_ADMIN_PWD" -e "source $global:HIRS_REL_SCRIPTS_DB_CREATE_SQL"
|
||
|
mysql -u root -p"$DB_ADMIN_PWD" -e "source $global:HIRS_REL_SCRIPTS_DB_SECURE_MYSQL_SQL"
|
||
|
mysql -u root -p"$DB_ADMIN_PWD" -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_PASS'; FLUSH PRIVILEGES;"
|
||
|
}
|
||
|
}
|
||
|
|
||
|
Function create_hibernate_url () {
|
||
|
param (
|
||
|
[string]$ALG = $null
|
||
|
)
|
||
|
|
||
|
if ($ALG -eq "RSA") {
|
||
|
$CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_rsa_3k_sha384_Cert_Chain.pem')
|
||
|
$CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_db_client_rsa_3k_sha384.p12')
|
||
|
$ALIAS="hirs_aca_tls_rsa_3k_sha384"
|
||
|
} elseif ($ALG -eq "ECC") {
|
||
|
$CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_ecc_512_sha384_Cert_Chain.pem')
|
||
|
$CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_db_client_ecc_512_sha384.p12')
|
||
|
$ALIAS="hirs_aca_tls_ecc_512_sha384"
|
||
|
}
|
||
|
|
||
|
$CONNECTOR_URL="hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&user="+$global:ACA_PROPERTIES.'hirs_db_username'+"&password="+$global:ACA_PROPERTIES.'hirs_db_password'+"&sslMode=VERIFY_CA&serverSslCert=$CERT_CHAIN&keyStoreType=PKCS12&keyStorePassword="+$global:ACA_PROPERTIES.'hirs_pki_password'+"&keyStore=$CLIENT_DB_P12" | ChangeBackslashToForwardSlash
|
||
|
|
||
|
# Save connector information to the application properties file.
|
||
|
add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"$CONNECTOR_URL"
|
||
|
}
|
||
|
|
||
|
# HIRS ACA Mysqld processing ...
|
||
|
check_mariadb_install -p
|
||
|
check_for_container -p
|
||
|
set_mysql_tls
|
||
|
start_mysqlsd -p
|
||
|
$DB_ADMIN_PWD=check_mysql_root_pwd
|
||
|
$HIRS_PASS=set_hirs_db_pwd -DB_ADMIN_PWD:"$DB_ADMIN_PWD"
|
||
|
create_hirs_db_with_tls -DB_ADMIN_PWD:"$DB_ADMIN_PWD" -HIRS_PASS:"$HIRS_PASS"
|
||
|
create_hibernate_url -ALG:"RSA"
|
||
|
mysqld_reboot -p
|