Merging latest changes into branch prior to PR
Merge branch 'main' into v3_issue_693-unittest
commit
2db795de44
@ -22,9 +22,10 @@ RUN mkdir -p C:/ProgramData/hirs/log
|
|||||||
# Download and install Java 17
|
# Download and install Java 17
|
||||||
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe', 'C:/jdk-17.0.8_windows-x64_bin.exe'))
|
RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe', 'C:/jdk-17.0.8_windows-x64_bin.exe'))
|
||||||
RUN Write-Host "Installing JDK..."
|
RUN Write-Host "Installing JDK..."
|
||||||
RUN ./jdk-17.0.8_windows-x64_bin.exe /s
|
RUN Start-Process -filepath 'C:/jdk-17.0.8_windows-x64_bin.exe' -Wait -PassThru -ArgumentList "/s"
|
||||||
RUN Write-Host "Finished installing JDK."
|
RUN Write-Host "Finished installing JDK."
|
||||||
|
|
||||||
|
RUN ls 'C:\Program Files'
|
||||||
RUN ls 'C:\Program Files\Java'
|
RUN ls 'C:\Program Files\Java'
|
||||||
RUN ls 'C:\Program Files\Java\jdk-17\'
|
RUN ls 'C:\Program Files\Java\jdk-17\'
|
||||||
|
|
||||||
@ -56,7 +57,7 @@ RUN Write-Host "Finished installing .NET SDK."
|
|||||||
RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/vs_buildtools.exe', 'C:/vs_buildtools.exe'))
|
RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/vs_buildtools.exe', 'C:/vs_buildtools.exe'))
|
||||||
RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/channel', 'C:/vs_channel.chman'))
|
RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/channel', 'C:/vs_channel.chman'))
|
||||||
RUN Write-Host "Installing Visual Studio Build Tools..."
|
RUN Write-Host "Installing Visual Studio Build Tools..."
|
||||||
RUN C:/vs_buildtools.exe --quiet --wait --norestart --nocache --channelUri C:/vs_channel.chman --installChannelUri C:/vs_channel.chman --add Microsoft.VisualStudio.Workload.VCTools --includeRecommended --installPath C:/vsbuildtools
|
RUN Start-Process -FilePath 'C:/vs_buildtools.exe' -ArgumentList \"--quiet --wait --norestart --nocache --channelUri C:/vs_channel.chman --installChannelUri C:/vs_channel.chman --add Microsoft.VisualStudio.Workload.VCTools --includeRecommended --installPath C:/vsbuildtools\" -Wait -PassThru
|
||||||
RUN Write-Host "Finished installing Visual Studio Build Tools."
|
RUN Write-Host "Finished installing Visual Studio Build Tools."
|
||||||
|
|
||||||
# Download and extract pre-built openssl
|
# Download and extract pre-built openssl
|
||||||
|
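Review bot: The installer exit code is discarded on the Start-Process lines (the JDK line in this hunk and the vs_buildtools.exe line in the second hunk, both apparently the new side): `-PassThru` returns the process object but nothing reads its `ExitCode`, so a failed silent install leaves the image build green and the failure only surfaces later as a missing `C:\Program Files\Java\jdk-17` directory. Capture and propagate it, `RUN $p = Start-Process -FilePath 'C:/jdk-17.0.8_windows-x64_bin.exe' -ArgumentList '/s' -Wait -PassThru; if ($p.ExitCode -ne 0) { exit $p.ExitCode }`, and do the same for the Build Tools installer. Both executables are fetched with WebClient and run with no integrity check; comparing `(Get-FileHash 'C:/jdk-17.0.8_windows-x64_bin.exe' -Algorithm SHA256).Hash` against a pinned value (`<EXPECTED_SHA256>`, taken from the vendor's published checksum) before running them gives the image a verifiable provenance. The added `RUN ls 'C:\Program Files'` line reads as leftover debugging next to the two `ls` lines that already follow it, and can be dropped once the exit code is enforced.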
64
.github/workflows/build_aca_image.yml
vendored
64
.github/workflows/build_aca_image.yml
vendored
@ -1,64 +0,0 @@
|
|||||||
name: ACA Docker Image Build
|
|
||||||
on:
|
|
||||||
release:
|
|
||||||
types: [ published ]
|
|
||||||
workflow_dispatch:
|
|
||||||
inputs:
|
|
||||||
imagename:
|
|
||||||
description: 'ACA Docker Image Name'
|
|
||||||
default: 'aca-centos7'
|
|
||||||
required: false
|
|
||||||
type: string
|
|
||||||
jobs:
|
|
||||||
# run the package script for HIRS ACA, Provisioners, tcg_rim_tool, and tcg_eventlog_tool
|
|
||||||
Package:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
packages: write
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v2
|
|
||||||
- name: Set up JDK 11
|
|
||||||
uses: actions/setup-java@v2
|
|
||||||
with:
|
|
||||||
java-version: '8'
|
|
||||||
distribution: 'adopt'
|
|
||||||
server-id: github # Value of the distributionManagement/repository/id field of the pom.xml
|
|
||||||
settings-path: ${{ github.workspace }} # location for the settings.xml file
|
|
||||||
package_centos:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
packages: write
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v2
|
|
||||||
- name: directory setup
|
|
||||||
run: |
|
|
||||||
mkdir -p artifacts/jars
|
|
||||||
mkdir -p artifacts/wars
|
|
||||||
mkdir -p artifacts/rpms
|
|
||||||
- name: Create HIRS packages
|
|
||||||
run: |
|
|
||||||
echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u $ --password-stdin
|
|
||||||
docker run --rm \
|
|
||||||
-v $(pwd):/HIRS hirs/hirs-ci:centos7 /bin/bash \
|
|
||||||
-c 'pushd /HIRS; \
|
|
||||||
sh package/package.centos.sh; \
|
|
||||||
cp /HIRS/package/rpm/RPMS/noarch/* /.; \
|
|
||||||
cp /HIRS/package/rpm/RPMS/x86_64/* /.; \
|
|
||||||
cp /HIRS/scripts/aca_image_setup.sh /.; \
|
|
||||||
popd;' \
|
|
||||||
- name: Build and publish a release Docker image for ${{ github.repository }}
|
|
||||||
if: github.event_name == 'release'
|
|
||||||
uses: macbre/push-to-ghcr@master
|
|
||||||
with:
|
|
||||||
image_name: nsacyber/hirs/aca-centos7
|
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
dockerfile: "./.ci/docker/Dockerfile.acaimage"
|
|
||||||
- name: Build and publish a Docker image for ${{ github.repository }}
|
|
||||||
if: github.event_name == 'workflow_dispatch'
|
|
||||||
uses: macbre/push-to-ghcr@master
|
|
||||||
with:
|
|
||||||
image_name: nsacyber/hirs/${{ inputs.imagename }}
|
|
||||||
github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
dockerfile: "./.ci/docker/Dockerfile.acaimage"
|
|
182
.github/workflows/create_aca_images.yml
vendored
Normal file
182
.github/workflows/create_aca_images.yml
vendored
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
name: Create ACA Docker Image
|
||||||
|
on:
|
||||||
|
release:
|
||||||
|
types: [ published ]
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
also_tag_latest:
|
||||||
|
description: 'Tag latest?'
|
||||||
|
required: false
|
||||||
|
type: boolean
|
||||||
|
env:
|
||||||
|
DOCKERFILE_ROCKY: aca-rocky
|
||||||
|
DOCKERFILE_WINDOWS: aca-windows
|
||||||
|
IMAGE_NAME_ROCKY: ghcr.io/nsacyber/hirs/aca-rocky
|
||||||
|
IMAGE_NAME_WINDOWS: ghcr.io/nsacyber/hirs/aca-windows
|
||||||
|
IMAGE_NAME_WINDOWS_COMPAT: ghcr.io/nsacyber/hirs/aca-windows-1809
|
||||||
|
PUBLIC_IMAGE_NAME: ghcr.io/nsacyber/hirs/aca
|
||||||
|
PUBLIC_IMAGE_TAG_LATEST: ghcr.io/nsacyber/hirs/aca:latest
|
||||||
|
TAG_LATEST: ${{ github.event_name == 'release' || inputs.also_tag_latest }} # The public docker image will be tagged 'latest' for releases, or if this option is manually selected.
|
||||||
|
jobs:
|
||||||
|
setup:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
outputs:
|
||||||
|
IMAGE_TAG: ${{ steps.setenv.outputs.IMAGE_TAG }}
|
||||||
|
ROCKY_IMAGE_TAG: ${{ steps.setenv.outputs.ROCKY_IMAGE_TAG }}
|
||||||
|
WINDOWS_IMAGE_TAG: ${{ steps.setenv.outputs.WINDOWS_IMAGE_TAG }}
|
||||||
|
WINDOWS_COMPAT_IMAGE_TAG: ${{ steps.setenv.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
|
||||||
|
PUBLIC_IMAGE_TAG: ${{ steps.setenv.outputs.PUBLIC_IMAGE_TAG }}
|
||||||
|
steps:
|
||||||
|
- name: Set env
|
||||||
|
id: setenv
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
# Parse docker image tag from GitHub tag if available
|
||||||
|
if [ "${{ github.ref_type }}" = "tag" ]; then
|
||||||
|
# tags start with refs/tags/. Also remove v if it exists.
|
||||||
|
export IMAGE_TAG_VAR=${GITHUB_REF:10}
|
||||||
|
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR//v/}
|
||||||
|
else
|
||||||
|
# Not a tag, use the commit hash. Do not tag as latest.
|
||||||
|
export IMAGE_TAG_VAR=${GITHUB_SHA:0:7}
|
||||||
|
fi
|
||||||
|
# To lowercase
|
||||||
|
export IMAGE_TAG_VAR=${IMAGE_TAG_VAR,,}
|
||||||
|
|
||||||
|
# Save to output
|
||||||
|
echo "IMAGE_TAG=$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "ROCKY_IMAGE_TAG=$IMAGE_NAME_ROCKY:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "WINDOWS_IMAGE_TAG=$IMAGE_NAME_WINDOWS:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "WINDOWS_COMPAT_IMAGE_TAG=$IMAGE_NAME_WINDOWS_COMPAT:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
|
||||||
|
echo "PUBLIC_IMAGE_TAG=$PUBLIC_IMAGE_NAME:$IMAGE_TAG_VAR" >> "$GITHUB_OUTPUT"
|
||||||
|
- name: Print env
|
||||||
|
run: |
|
||||||
|
echo DOCKERFILE_ROCKY=$DOCKERFILE_ROCKY
|
||||||
|
echo DOCKERFILE_WINDOWS=$DOCKERFILE_WINDOWS
|
||||||
|
echo IMAGE_NAME_ROCKY=$IMAGE_NAME_ROCKY
|
||||||
|
echo IMAGE_NAME_WINDOWS=$IMAGE_NAME_WINDOWS
|
||||||
|
echo IMAGE_NAME_WINDOWS_COMPAT=$IMAGE_NAME_WINDOWS_COMPAT
|
||||||
|
echo PUBLIC_IMAGE_NAME=$PUBLIC_IMAGE_NAME
|
||||||
|
echo PUBLIC_IMAGE_TAG_LATEST=$PUBLIC_IMAGE_TAG_LATEST
|
||||||
|
echo TAG_LATEST=$TAG_LATEST
|
||||||
|
echo IMAGE_TAG=${{ steps.setenv.outputs.IMAGE_TAG }}
|
||||||
|
echo ROCKY_IMAGE_TAG=${{ steps.setenv.outputs.ROCKY_IMAGE_TAG }}
|
||||||
|
echo WINDOWS_IMAGE_TAG=${{ steps.setenv.outputs.WINDOWS_IMAGE_TAG }}
|
||||||
|
echo WINDOWS_COMPAT_IMAGE_TAG=${{ steps.setenv.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
|
||||||
|
echo PUBLIC_IMAGE_TAG=${{ steps.setenv.outputs.PUBLIC_IMAGE_TAG }}
|
||||||
|
|
||||||
|
rocky-image:
|
||||||
|
needs: setup
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
TAG: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
|
||||||
|
steps:
|
||||||
|
- name: Checkout main
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Login to GitHub Container Registry
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Build and push a release Docker image for ${{ github.repository }}
|
||||||
|
uses: docker/build-push-action@v5
|
||||||
|
with:
|
||||||
|
context: "{{defaultContext}}:.ci/docker"
|
||||||
|
file: Dockerfile.${{env.DOCKERFILE_ROCKY}}
|
||||||
|
tags: ${{env.TAG}}
|
||||||
|
push: true
|
||||||
|
|
||||||
|
windows-11-image:
|
||||||
|
needs: setup
|
||||||
|
runs-on: windows-latest
|
||||||
|
env:
|
||||||
|
TAG: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
|
||||||
|
steps:
|
||||||
|
- name: Checkout main
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Login to GitHub Container Registry
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Build the docker image for ${{ github.repository }}
|
||||||
|
run: |
|
||||||
|
cd ./.ci/docker
|
||||||
|
docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} .
|
||||||
|
|
||||||
|
- name: Push the docker image
|
||||||
|
run: |
|
||||||
|
docker push ${{env.TAG}}
|
||||||
|
|
||||||
|
windows-compat-image: # This job uses a different runner and build arg than the other windows job.
|
||||||
|
needs: setup
|
||||||
|
runs-on: windows-2019
|
||||||
|
env:
|
||||||
|
TAG: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
|
||||||
|
steps:
|
||||||
|
- name: Checkout main
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Login to GitHub Container Registry
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Build the docker image for ${{ github.repository }}
|
||||||
|
run: |
|
||||||
|
cd ./.ci/docker
|
||||||
|
docker build -f ./Dockerfile.${{env.DOCKERFILE_WINDOWS}} -t ${{env.TAG}} --build-arg BASE_IMAGE_TAG=lts-windowsservercore-1809 .
|
||||||
|
|
||||||
|
- name: Push the docker image
|
||||||
|
run: |
|
||||||
|
docker push ${{env.TAG}}
|
||||||
|
|
||||||
|
|
||||||
|
manifest:
|
||||||
|
needs: [setup, rocky-image, windows-11-image, windows-compat-image]
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
env:
|
||||||
|
IMAGE1: ${{ needs.setup.outputs.ROCKY_IMAGE_TAG }}
|
||||||
|
IMAGE2: ${{ needs.setup.outputs.WINDOWS_IMAGE_TAG }}
|
||||||
|
IMAGE3: ${{ needs.setup.outputs.WINDOWS_COMPAT_IMAGE_TAG }}
|
||||||
|
PUB: ${{ needs.setup.outputs.PUBLIC_IMAGE_TAG }}
|
||||||
|
steps:
|
||||||
|
- name: Print env
|
||||||
|
run: |
|
||||||
|
echo IMAGE1=${{env.IMAGE1}}
|
||||||
|
echo IMAGE2=${{env.IMAGE2}}
|
||||||
|
echo IMAGE3=${{env.IMAGE3}}
|
||||||
|
echo PUB=${{env.PUB}}
|
||||||
|
|
||||||
|
- name: Checkout main
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Login to GitHub Container Registry
|
||||||
|
uses: docker/login-action@v3
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ github.actor }}
|
||||||
|
password: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Create a new manifest
|
||||||
|
run: |
|
||||||
|
docker manifest create ${{env.PUB}} --amend ${{env.IMAGE1}} --amend ${{env.IMAGE2}} --amend ${{env.IMAGE3}}
|
||||||
|
|
||||||
|
- name: Push the new manifest
|
||||||
|
run: |
|
||||||
|
docker manifest push ${{env.PUB}}
|
||||||
|
|
||||||
|
- name: Create and push manifest latest if selected
|
||||||
|
if: env.TAG_LATEST != 'false'
|
||||||
|
run: |
|
||||||
|
docker manifest create $PUBLIC_IMAGE_TAG_LATEST --amend $IMAGE1 --amend $IMAGE2 --amend $IMAGE3
|
||||||
|
docker manifest push $PUBLIC_IMAGE_TAG_LATEST
|
||||||
|
|
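Review bot: The new workflow declares no `permissions:` block, yet every job logs into ghcr.io and pushes with `secrets.GITHUB_TOKEN`, while the workflow it replaces (build_aca_image.yml, deleted in this commit) scoped the token to `contents: read` and `packages: write`. Whether the pushes work now depends on the repository's default token permissions, and if those are permissive the jobs run with far more than they need; add at the top level `permissions:` / `  contents: read` / `  packages: write`. In the setenv step, `${IMAGE_TAG_VAR//v/}` strips every `v` in the tag rather than the leading one the comment describes, so a tag such as `v3.0.0-dev` would become `3.0.0-de`; `${IMAGE_TAG_VAR#v}` removes only a leading `v`. The build and push steps interpolate `${{env.TAG}}` straight into `run:` scripts even though the value is already in the job environment; referring to it as `$TAG` keeps tag-derived text out of the script source. The actions are pinned to mutable major tags (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v5`); pinning to a full commit SHA is the usual hardening for a workflow that publishes images.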
@ -16,6 +16,8 @@ public interface CACredentialRepository extends JpaRepository<CertificateAuthori
|
|||||||
Page<CertificateAuthorityCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
|
Page<CertificateAuthorityCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
|
||||||
List<CertificateAuthorityCredential> findBySubject(String subject);
|
List<CertificateAuthorityCredential> findBySubject(String subject);
|
||||||
List<CertificateAuthorityCredential> findBySubjectSorted(String subject);
|
List<CertificateAuthorityCredential> findBySubjectSorted(String subject);
|
||||||
|
List<CertificateAuthorityCredential> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag);
|
||||||
|
List<CertificateAuthorityCredential> findBySubjectSortedAndArchiveFlag(String subject, boolean archiveFlag);
|
||||||
CertificateAuthorityCredential findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier);
|
CertificateAuthorityCredential findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier);
|
||||||
CertificateAuthorityCredential findBySubjectKeyIdString(String subjectKeyIdString);
|
CertificateAuthorityCredential findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag);
|
||||||
}
|
}
|
||||||
|
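Review bot: The new query methods `findBySubjectAndArchiveFlag`, `findBySubjectSortedAndArchiveFlag` and `findBySubjectKeyIdStringAndArchiveFlag` carry no Javadoc, and `findBySubjectKeyIdString` appears to be replaced rather than kept alongside, so any caller outside this commit's hunks will stop compiling; the interface continues outside the hunk. Each derived query should say what the flag selects, e.g. `/** Finds the CA credential whose subject key identifier string matches and whose archive flag equals the given value. */`, with the no-match result documented once it is confirmed against the Spring Data single-result convention, which is not visible here. Since `findBySubjectKeyIdStringAndArchiveFlag` returns a single entity, the caller presumably relies on the subject key identifier being unique per archive state; if more than one row can match, a `List` return or an explicit uniqueness constraint on the entity would be safer, to be verified against the entity mapping.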
@ -157,7 +157,7 @@ public final class CertificateStringMapBuilder {
|
|||||||
//Check if there is a subject organization
|
//Check if there is a subject organization
|
||||||
if (certificate.getAuthorityKeyIdentifier() != null
|
if (certificate.getAuthorityKeyIdentifier() != null
|
||||||
&& !certificate.getAuthorityKeyIdentifier().isEmpty()) {
|
&& !certificate.getAuthorityKeyIdentifier().isEmpty()) {
|
||||||
skiCA = caCredentialRepository.findBySubjectKeyIdString(certificate.getAuthorityKeyIdentifier());
|
skiCA = caCredentialRepository.findBySubjectKeyIdStringAndArchiveFlag(certificate.getAuthorityKeyIdentifier(), false);
|
||||||
} else {
|
} else {
|
||||||
log.error(String.format("Certificate (%s) for %s has no authority key identifier.",
|
log.error(String.format("Certificate (%s) for %s has no authority key identifier.",
|
||||||
certificate.getClass().toString(), certificate.getSubject()));
|
certificate.getClass().toString(), certificate.getSubject()));
|
||||||
@ -167,10 +167,10 @@ public final class CertificateStringMapBuilder {
|
|||||||
if (certificate.getIssuerSorted() == null
|
if (certificate.getIssuerSorted() == null
|
||||||
|| certificate.getIssuerSorted().isEmpty()) {
|
|| certificate.getIssuerSorted().isEmpty()) {
|
||||||
//Get certificates by subject
|
//Get certificates by subject
|
||||||
issuerCertificates = caCredentialRepository.findBySubject(certificate.getIssuer());
|
issuerCertificates = caCredentialRepository.findBySubjectAndArchiveFlag(certificate.getIssuer(), false);
|
||||||
} else {
|
} else {
|
||||||
//Get certificates by subject organization
|
//Get certificates by subject organization
|
||||||
issuerCertificates = caCredentialRepository.findBySubjectSorted(certificate.getIssuerSorted());
|
issuerCertificates = caCredentialRepository.findBySubjectSortedAndArchiveFlag(certificate.getIssuerSorted(), false);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
issuerCertificates.add(skiCA);
|
issuerCertificates.add(skiCA);
|
||||||
|
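Review bot: The three replaced lookups pass a bare `false` literal (`findBySubjectKeyIdStringAndArchiveFlag(..., false)` in the first hunk, `findBySubjectAndArchiveFlag(..., false)` and `findBySubjectSortedAndArchiveFlag(..., false)` in the second), which reads as a magic value and hides the policy decision that archived CA credentials are no longer used to resolve an issuer. Put that decision in one comment above the first call, e.g. `// Only active (non-archived) CA credentials are considered when resolving the issuer chain`, so the repeated literal has a stated meaning. The behavioural consequence deserves a sentence in the same comment: a certificate whose only matching CA credential has been archived now resolves no issuer where the previous flag-less lookups found one, which looks intended but is a visible change for existing data. The enclosing method starts and ends outside both hunks, and the pre-existing comment `//Check if there is a subject organization` above the authority-key-identifier check describes a different condition than the code below it.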