Merge pull request #586 from nsacyber/v3_issue_578-rpm_update

Update ACA RPM to use executable war
Cyrus 2023-09-20 07:33:15 -04:00 committed by GitHub
commit 37cbb78e3e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 460 additions and 1009 deletions


@ -1,22 +1,23 @@
FROM rockylinux:8.6 FROM rockylinux:8.6
# Install packages for installing HIRS ACA SHELL ["/bin/bash", "-c"]
#RUN yum -y update && yum clean all
# Update and install OS-dependencies
RUN dnf update -y RUN dnf update -y
# Install Java 8 # Install Java
RUN dnf install java-1.8.0-openjdk-headless.x86_64 -y RUN dnf -y install java-17-openjdk-devel -y
# Install Tomcat # Install Tomcat
RUN useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat #RUN useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
RUN dnf install wget -y #RUN dnf install wget -y
RUN wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.1/bin/apache-tomcat-10.1.1.tar.gz #RUN wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.1/bin/apache-tomcat-10.1.1.tar.gz
RUN mkdir /opt/tomcat #RUN mkdir /opt/tomcat
RUN tar -xzf apache-tomcat-10.1.1.tar.gz -C /opt/tomcat --strip-components=1 #RUN tar -xzf apache-tomcat-10.1.1.tar.gz -C /opt/tomcat --strip-components=1
# Install HIRS dependencies # Install HIRS dependencies
RUN dnf install -y mariadb-server rpmdevtools initscripts firewalld policycoreutils net-tools libtool cmake make git gcc-c++ && yum clean all RUN dnf install -y mariadb-server rpmdevtools initscripts firewalld policycoreutils net-tools libtool cmake make git gcc-c++ cronie && yum clean all
RUN dnf install -y openssl openssl-devel protobuf tpm2-tss-devel tpm2-abrmd libcurl-devel libssh-devel && yum clean all RUN dnf install -y wget openssl openssl-devel protobuf tpm2-tss-devel tpm2-abrmd libcurl-devel libssh-devel && yum clean all
# Install PACCOR for Device Info Gathering # Install PACCOR for Device Info Gathering
RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.1.4r2/paccor-1.1.4-2.noarch.rpm && yum -y install paccor-*.rpm && popd RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.1.4r2/paccor-1.1.4-2.noarch.rpm && yum -y install paccor-*.rpm && popd
@ -33,3 +34,5 @@ RUN dnf -y install packages-microsoft-prod.rpm
RUN dnf makecache RUN dnf makecache
RUN dnf -y install dotnet-sdk-6.0 RUN dnf -y install dotnet-sdk-6.0
RUN dotnet tool install --global dotnet-rpm RUN dotnet tool install --global dotnet-rpm
EXPOSE 8443
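Review bot: The paccor RPM is fetched with `wget` and installed with no integrity check on the `RUN mkdir paccor && pushd paccor && wget … && yum -y install paccor-*.rpm && popd` line, so whatever the download host returns is installed as root at build time. Pin the expected digest beside the URL and verify it before the install, e.g. `&& echo "<EXPECTED_SHA256>  paccor-1.1.4-2.noarch.rpm" | sha256sum -c -` (digest placeholder), or import the publisher's signing key so `rpm --checksig` rejects an unsigned package. Two smaller points in the same hunk: `RUN dnf -y install java-17-openjdk-devel -y` passes `-y` twice, and the image now documents `EXPOSE 8443` but has no `USER` directive, so the ACA runs as root in the container; if this image is used beyond development, a dedicated service account is worth adding after the package installs.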


@ -2,7 +2,7 @@ plugins {
id 'application' id 'application'
id 'java' id 'java'
id 'war' id 'war'
id "nebula.ospackage" version "9.1.1" id 'com.netflix.nebula.ospackage' version '11.4.0'
id 'org.springframework.boot' version '3.0.6' id 'org.springframework.boot' version '3.0.6'
id 'io.spring.dependency-management' version '1.1.0' id 'io.spring.dependency-management' version '1.1.0'
} }
@ -60,14 +60,6 @@ dependencies {
testImplementation libs.testng testImplementation libs.testng
} }
war {
from(buildDir) {
include 'VERSION'
into 'WEB-INF/classes'
}
archiveFileName = 'HIRS_AttestationCAPortal.war'
}
ospackage { ospackage {
packageName = 'HIRS_AttestationCA' packageName = 'HIRS_AttestationCA'
os = LINUX os = LINUX
@ -78,85 +70,30 @@ ospackage {
user 'root' user 'root'
fileMode = 0755 fileMode = 0755
def tpath="/opt"
addParentDirs = true addParentDirs = true
createDirectoryEntry true createDirectoryEntry true
preInstall "rm -rf /opt/hirs/default-properties" // copy setup scripts to /opt/hirs/aca
preInstall "mkdir -p /opt/hirs/default-properties/" into ('/opt/hirs/aca/scripts/') {
preInstall "mkdir -p /tmp/hirs/default-properties/" from '../package/scripts/'
// Setup /etc/hirs
into ('/etc/hirs/aca/') {
from '../HIRS_AttestationCA/src/main/resources/defaults.properties'
rename {'aca.properties'}
} }
into ('/etc/hirs/') { // copy the war file into /opt/hirs/aca
from '../HIRS_Utils/src/main/resources/banner.properties' into ('/opt/hirs/aca/') {
from '../HIRS_Utils/src/main/resources/persistence.properties' from '../HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war'
from '../HIRS_Utils/src/main/resources/logging.properties' user 'root'
} fileMode = 0755
// Setup tomcat files
// Create and package HIRS_AttestationCA:war
into ("${tpath}/tomcat/webapps") {
from war.outputs.files
from '../HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war'
user 'root'
fileMode = 0755
}
into ("${tpath}/tomcat/lib") {
from 'libs'
from configurations.runtimeClasspath
}
into ("/opt/hirs/scripts/aca/") {
from '../package/conf/tomcat.service'
from '../package/scripts/install_tomcat.sh'
from '../package/scripts/aca/aca_property_setup.sh'
from '../package/scripts/aca/aca_setup.sh'
}
into ("/opt/hirs/scripts/pki/") {
from '../package/scripts/pki/ca.conf'
from '../package/scripts/pki/pki_setup.sh'
from '../package/scripts/pki/pki_chain_gen.sh'
}
into ("/opt/hirs/scripts/db/") {
from '../package/scripts/db/db_create.sh'
from '../package/scripts/db/db_create.sql'
from '../package/scripts/db/db_drop.sh'
from '../package/scripts/db/db_drop.sql'
from '../package/scripts/db/secure_mysql.sql'
}
into ("/opt/hirs/scripts/common") {
from '../package/scripts/common/'
}
into ('/opt/hirs/extras/aca/') {
from '../package/extras/aca/'
} }
// Copy json files to /tmp and move into /opt/hirs in postInstall section // Post Install
// Allows HIRS tools to be installed using the same files postInstall 'sh /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
into ('/tmp/aca/default-properties/') { // add chrontab to run ACA at boot
from '../HIRS_AttestationCA/src/main/resources/vendor-table.json' postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
from '../HIRS_AttestationCA/src/main/resources/component-class.json' // run ACA after install
} postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w'
// Post Install postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall file('../package/scripts/db/db_create.sh') // Uninstall
postInstall file('../package/scripts/pki/pki_setup.sh') preUninstall 'sh /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
postInstall 'mkdir -p /etc/hirs/aca/certificates'
postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
postInstall 'rm -rf /tmp/aca/'
// postInstall file('../package/scripts/install_tomcat.sh')
postInstall 'sh /opt/tomcat/bin/catalina.sh start'
// Post Uninstall
// Copy files to /tmp that package manager will be expecting them there
preUninstall 'mkdir -p /tmp/aca/default-properties/'
preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.'
preUninstall file('../package/scripts/db/db_drop.sh')
buildRpm { buildRpm {
arch = X86_64 arch = X86_64
@ -165,5 +102,4 @@ ospackage {
buildDeb { buildDeb {
arch = 'amd64' arch = 'amd64'
} }
} }
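Review bot: `postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'` appends unconditionally, so every reinstall or upgrade of the RPM adds a duplicate `@reboot` entry, and nothing visible in this hunk removes it on uninstall (it may be handled inside `aca_remove_setup.sh`, which is not shown). Guard the append, e.g. `postInstall 'grep -qF "aca_bootRun.sh -w" /etc/crontab || echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'`, and add the matching removal to `preUninstall`. A comment on that line should also state that the hook starts the ACA portal as root at boot; a systemd unit running under a dedicated user would be the least-privilege form. Separately, `postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'` comes after the `postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w'` call that already needs it — either move the chmod first or drop it if the ospackage-level `fileMode = 0755` visible at the top of the hunk already covers the scripts directory.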



@ -1,6 +1,6 @@
#Thu Feb 15 13:18:16 EST 2018
distributionBase=GRADLE_USER_HOME distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
networkTimeout=10000
zipStoreBase=GRADLE_USER_HOME zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip

310
gradlew vendored

@ -1,74 +1,129 @@
#!/usr/bin/env bash #!/bin/sh
#
# Copyright © 2015-2021 the original authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
############################################################################## ##############################################################################
## #
## Gradle start up script for UN*X # Gradle start up script for POSIX generated by Gradle.
## #
# Important for running:
#
# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
# noncompliant, but you have some other compliant shell such as ksh or
# bash, then to run this script, type that shell name before the whole
# command line, like:
#
# ksh Gradle
#
# Busybox and similar reduced shells will NOT work, because this script
# requires all of these POSIX shell features:
# * functions;
# * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
# «${var#prefix}», «${var%suffix}», and «$( cmd )»;
# * compound commands having a testable exit status, especially «case»;
# * various built-in commands including «command», «set», and «ulimit».
#
# Important for patching:
#
# (2) This script targets any POSIX shell, so it avoids extensions provided
# by Bash, Ksh, etc; in particular arrays are avoided.
#
# The "traditional" practice of packing multiple parameters into a
# space-separated string is a well documented source of bugs and security
# problems, so this is (mostly) avoided, by progressively accumulating
# options in "$@", and eventually passing that to Java.
#
# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
# see the in-line comments for details.
#
# There are tweaks for specific operating systems such as AIX, CygWin,
# Darwin, MinGW, and NonStop.
#
# (3) This script is generated from the Groovy template
# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
# within the Gradle project.
#
# You can find Gradle at https://github.com/gradle/gradle/.
#
############################################################################## ##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
app_path=$0
# Need this for daisy-chained symlinks.
while
APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path
[ -h "$app_path" ]
do
ls=$( ls -ld "$app_path" )
link=${ls#*' -> '}
case $link in #(
/*) app_path=$link ;; #(
*) app_path=$APP_HOME$link ;;
esac
done
# This is normally unused
# shellcheck disable=SC2034
APP_BASE_NAME=${0##*/}
APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS="" DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Use the maximum available, or set MAX_FD != -1 to use that value. # Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum" MAX_FD=maximum
warn ( ) { warn () {
echo "$*" echo "$*"
} } >&2
die ( ) { die () {
echo echo
echo "$*" echo "$*"
echo echo
exit 1 exit 1
} } >&2
# OS specific support (must be 'true' or 'false'). # OS specific support (must be 'true' or 'false').
cygwin=false cygwin=false
msys=false msys=false
darwin=false darwin=false
case "`uname`" in nonstop=false
CYGWIN* ) case "$( uname )" in #(
cygwin=true CYGWIN* ) cygwin=true ;; #(
;; Darwin* ) darwin=true ;; #(
Darwin* ) MSYS* | MINGW* ) msys=true ;; #(
darwin=true NONSTOP* ) nonstop=true ;;
;;
MINGW* )
msys=true
;;
esac esac
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM. # Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables # IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java" JAVACMD=$JAVA_HOME/jre/sh/java
else else
JAVACMD="$JAVA_HOME/bin/java" JAVACMD=$JAVA_HOME/bin/java
fi fi
if [ ! -x "$JAVACMD" ] ; then if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
@ -77,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the
location of your Java installation." location of your Java installation."
fi fi
else else
JAVACMD="java" JAVACMD=java
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the Please set the JAVA_HOME variable in your environment to match the
@ -85,76 +140,105 @@ location of your Java installation."
fi fi
# Increase the maximum file descriptors if we can. # Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
MAX_FD_LIMIT=`ulimit -H -n` case $MAX_FD in #(
if [ $? -eq 0 ] ; then max*)
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
MAX_FD="$MAX_FD_LIMIT" # shellcheck disable=SC3045
fi MAX_FD=$( ulimit -H -n ) ||
ulimit -n $MAX_FD warn "Could not query maximum file descriptor limit"
if [ $? -ne 0 ] ; then esac
warn "Could not set maximum file descriptor limit: $MAX_FD" case $MAX_FD in #(
fi '' | soft) :;; #(
else *)
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
fi # shellcheck disable=SC3045
fi ulimit -n "$MAX_FD" ||
warn "Could not set maximum file descriptor limit to $MAX_FD"
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin, switch paths to Windows format before running java
if $cygwin ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
JAVACMD=`cygpath --unix "$JAVACMD"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=$((i+1))
done
case $i in
(0) set -- ;;
(1) set -- "$args0" ;;
(2) set -- "$args0" "$args1" ;;
(3) set -- "$args0" "$args1" "$args2" ;;
(4) set -- "$args0" "$args1" "$args2" "$args3" ;;
(5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
(6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
(7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
(8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
(9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac esac
fi fi
# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules # Collect all arguments for the java command, stacking in reverse order:
function splitJvmOpts() { # * args from the command line
JVM_OPTS=("$@") # * the main class name
} # * -classpath
eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS # * -D...appname settings
JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" # * --module-path (only if needed)
# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" # For Cygwin or MSYS, switch paths to Windows format before running java
if "$cygwin" || "$msys" ; then
APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
JAVACMD=$( cygpath --unix "$JAVACMD" )
# Now convert the arguments - kludge to limit ourselves to /bin/sh
for arg do
if
case $arg in #(
-*) false ;; # don't mess with options #(
/?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath
[ -e "$t" ] ;; #(
*) false ;;
esac
then
arg=$( cygpath --path --ignore --mixed "$arg" )
fi
# Roll the args list around exactly as many times as the number of
# args, so each arg winds up back in the position where it started, but
# possibly modified.
#
# NB: a `for` loop captures its iteration list before it begins, so
# changing the positional parameters here affects neither the number of
# iterations, nor the values presented in `arg`.
shift # remove old arg
set -- "$@" "$arg" # push replacement arg
done
fi
# Collect all arguments for the java command;
# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
# shell script including quotes and variable substitutions, so put them in
# double quotes to make sure that they get re-expanded; and
# * put everything else in single quotes, so that it's not re-expanded.
set -- \
"-Dorg.gradle.appname=$APP_BASE_NAME" \
-classpath "$CLASSPATH" \
org.gradle.wrapper.GradleWrapperMain \
"$@"
# Stop when "xargs" is not available.
if ! command -v xargs >/dev/null 2>&1
then
die "xargs is not available"
fi
# Use "xargs" to parse quoted args.
#
# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
#
# In Bash we could simply go:
#
# readarray ARGS < <( xargs -n1 <<<"$var" ) &&
# set -- "${ARGS[@]}" "$@"
#
# but POSIX shell has neither arrays nor command substitution, so instead we
# post-process each arg (as a line of input to sed) to backslash-escape any
# character that might be a shell metacharacter, then use eval to reverse
# that process (while maintaining the separation between arguments), and wrap
# the whole thing up as a single "set" statement.
#
# This will of course break if any of these variables contains a newline or
# an unmatched quote.
#
eval "set -- $(
printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
xargs -n1 |
sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
tr '\n' ' '
)" '"$@"'
exec "$JAVACMD" "$@"

66
gradlew.bat vendored

@ -1,4 +1,20 @@
@if "%DEBUG%" == "" @echo off @rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%"=="" @echo off
@rem ########################################################################## @rem ##########################################################################
@rem @rem
@rem Gradle startup script for Windows @rem Gradle startup script for Windows
@ -8,20 +24,24 @@
@rem Set local scope for the variables with windows NT shell @rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal if "%OS%"=="Windows_NT" setlocal
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS=
set DIRNAME=%~dp0 set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=. if "%DIRNAME%"=="" set DIRNAME=.
@rem This is normally unused
set APP_BASE_NAME=%~n0 set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME% set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe @rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1 %JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto init if %ERRORLEVEL% equ 0 goto execute
echo. echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@ -35,7 +55,7 @@ goto fail
set JAVA_HOME=%JAVA_HOME:"=% set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto init if exist "%JAVA_EXE%" goto execute
echo. echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
@ -45,44 +65,26 @@ echo location of your Java installation.
goto fail goto fail
:init
@rem Get command-line arguments, handling Windowz variants
if not "%OS%" == "Windows_NT" goto win9xME_args
if "%@eval[2+2]" == "4" goto 4NT_args
:win9xME_args
@rem Slurp the command line arguments.
set CMD_LINE_ARGS=
set _SKIP=2
:win9xME_args_slurp
if "x%~1" == "x" goto execute
set CMD_LINE_ARGS=%*
goto execute
:4NT_args
@rem Get arguments from the 4NT Shell from JP Software
set CMD_LINE_ARGS=%$
:execute :execute
@rem Setup the command line @rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle @rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
:end :end
@rem End local scope for the variables with windows NT shell @rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd if %ERRORLEVEL% equ 0 goto mainEnd
:fail :fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code! rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 set EXIT_CODE=%ERRORLEVEL%
exit /b 1 if %EXIT_CODE% equ 0 set EXIT_CODE=1
if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
exit /b %EXIT_CODE%
:mainEnd :mainEnd
if "%OS%"=="Windows_NT" endlocal if "%OS%"=="Windows_NT" endlocal


@ -1,18 +0,0 @@
#!/bin/bash
# script that pulls version information from git for populating the portal dispalyed version,
# RPM file names, and RPM embedded version information
# script should be invoked with 'source' so that the variables are in the scope of the caller
GIT_HASH=`git rev-parse HEAD | head -c6`
VERSION=`cat $SCRIPT_DIR/../VERSION`
GIT_COMMIT_UNIX_TIMESTAMP=`git show -s --format=%ct | xargs echo -n`
RELEASE="$((GIT_COMMIT_UNIX_TIMESTAMP)).$GIT_HASH"
DISPLAY_VERSION="$VERSION.$GIT_COMMIT_UNIX_TIMESTAMP.$GIT_HASH"
echo "Building version:"
echo "VERSION: $VERSION"
echo "GIT_COMMIT_UNIX_TIMESTAMP: $GIT_COMMIT_UNIX_TIMESTAMP"
echo "RELEASE: $RELEASE"
echo "DISPLAY_VERSION: $DISPLAY_VERSION"


@ -1,131 +0,0 @@
#!/bin/bash
set -e
# Builds the centos 6/7 package for HIRS. This script can be passed a list of arguments that are relative paths to plugin script files.
# The plugin script files are provided the destination directory of where to put the plugin jar file.
# argument $1: Extra package name addendum string
# argument $2 to end: plugin script dirs.
# store the initial directory so this script can concatenate the relative paths specified for the plugin scripts
INITIAL_DIR=`pwd`
# Enter package directory
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
cd $SCRIPT_DIR/rpm
# Set variables
RPM_BUILD_DIR=`pwd`
# assign build version vars
source $SCRIPT_DIR/build_version_helper.sh
PLUGIN_SOURCE="$RPM_BUILD_DIR/PLUGIN_SOURCE"
PACKAGE_NAME_ADDENDUM="$1"
RPM_EXTRA_CLIENT_DEPENDENCIES="$2"
RPM_EXTRA_SERVER_DEPENDENCIES="$3"
# prepend comma on the extra dependency lists so it can be added to spec file as is, but only if there are
# extra dependencies (not empty)
if [ ! -z "$RPM_EXTRA_CLIENT_DEPENDENCIES" ]; then
RPM_EXTRA_CLIENT_DEPENDENCIES=", $RPM_EXTRA_CLIENT_DEPENDENCIES"
fi
if [ ! -z "$RPM_EXTRA_SERVER_DEPENDENCIES" ]; then
RPM_EXTRA_SERVER_DEPENDENCIES=", $RPM_EXTRA_SERVER_DEPENDENCIES"
fi
echo "extra client dependencies:$RPM_EXTRA_CLIENT_DEPENDENCIES"
echo "extra server dependencies:$RPM_EXTRA_SERVER_DEPENDENCIES"
# Clear old builds
rm -rf RPMS SRPMS $PLUGIN_SOURCE
# Create directories
mkdir -p BUILD BUILDROOT RPMS SOURCES SPECS SRPMS $PLUGIN_SOURCE
# build all plugins starting with fourth argument.
echo "Building plugins into $PLUGIN_SOURCE"
for plugin_script in "${@:4}"
do
# convert argument to absolute path if necessary
if [ "${plugin_script:0:1}" = "/" ]; then
plugin_abs_path_script=$plugin_script
else
plugin_abs_path_script="$INITIAL_DIR/$plugin_script"
fi
echo "Building Plugin: $plugin_abs_path_script"
$plugin_abs_path_script $PLUGIN_SOURCE
plugin_return_code=$?
if [ $plugin_return_code -ne 0 ]; then
echo "Failed to build plugin $plugin_abs_path_script. Aborting"
exit -1
fi
done
# Move specs & sources
cp *.spec SPECS
# Copy sources for TPM Module
tar -c -f SOURCES/tpm_module-$GIT_HASH.tar --exclude='dist' --exclude='build' ../../tpm_module/ --transform s/tpm_module/tpm_module-$GIT_HASH/
tar --append -f SOURCES/tpm_module-$GIT_HASH.tar ../../NOTICE
# Build RPM for TPM Module
rpmbuild --nodeps -ba SPECS/tpm-module.spec --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH || { echo 'Failed to package tpm_module'; exit 1; }
echo '************************************************************************************'
echo 'TPM Module RPM successfully built'
echo '************************************************************************************'
# Copy sources
tar -c -f SOURCES/HIRS-$GIT_HASH.tar ../../settings.gradle ../../build.gradle ../../VERSION ../../gradle.properties ../../gradlew ../../gradle/
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_AttestationCA
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_AttestationCAPortal
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Provisioner
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Structs
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Utils
tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../TPM_Utils
# copy includes directory into release TAR
tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../extras/
tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../scripts/
tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../../NOTICE
# Build HIRS CentOS6 RPMs. Provides PLUGIN_SOURCE variable to gradle task.
if [ -z "$ONLY_BUILD_EL7_RPMS" ]; then
echo "Building CentOS6 RPMs..."
rpmbuild --nodeps -ba SPECS/HIRS.spec --define 'build6 1' --define 'dist .el6' --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH --define 'DISPLAY_VERSION '$DISPLAY_VERSION --define 'PLUGIN_SOURCE '$PLUGIN_SOURCE --define 'PACKAGE_NAME_ADDENDUM '$PACKAGE_NAME_ADDENDUM --define 'RPM_EXTRA_CLIENT_DEPENDENCIES '"$RPM_EXTRA_CLIENT_DEPENDENCIES" --define 'RPM_EXTRA_SERVER_DEPENDENCIES '"$RPM_EXTRA_SERVER_DEPENDENCIES"|| { echo 'Failed to package HIRS'; exit 1; }
echo '************************************************************************************'
echo 'HIRS CentOS6 RPMs successfully built'
echo '************************************************************************************'
else
echo "Skipping building CentOS6 RPMs because of ONLY_BUILD_EL7_RPMS environment variable"
fi
# Cleanup before CENTOS 7 build
rm -rf BUILD BUILDROOT
## Build HIRS CentOS7 RPMs. Provides PLUGIN_SOURCE variable to gradle task
if [ -z "$ONLY_BUILD_EL6_RPMS" ]; then
rpmbuild --nodeps -ba SPECS/HIRS.spec --define 'build7 1' --define 'dist .el7' --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH --define 'DISPLAY_VERSION '$DISPLAY_VERSION --define 'PLUGIN_SOURCE '$PLUGIN_SOURCE --define 'PACKAGE_NAME_ADDENDUM '$PACKAGE_NAME_ADDENDUM --define 'RPM_EXTRA_CLIENT_DEPENDENCIES '"$RPM_EXTRA_CLIENT_DEPENDENCIES" --define 'RPM_EXTRA_SERVER_DEPENDENCIES '"$RPM_EXTRA_SERVER_DEPENDENCIES"|| { echo 'Failed to package HIRS'; exit 1; }
echo '************************************************************************************'
echo 'HIRS CentOS7 RPMs successfully built'
echo '************************************************************************************'
else
echo "Skipping building CentOS7 RPMs because of ONLY_BUILD_EL6_RPMS environment variable"
fi
# Cleanup
rm -rf BUILD BUILDROOT SOURCES SPECS $PLUGIN_SOURCE
# Build RPM for HIRS_ProvisionerTPM2
$SCRIPT_DIR/../HIRS_ProvisionerTPM2/package/package.tpm2.centos7.sh
if [ -f RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.rpm ]; then
echo '************************************************************************************'
echo 'HIRS_ProvisionerTPM2 RPM successfully built'
echo '************************************************************************************'
else
echo 'Error: HIRS_ProvisionerTPM2 failed to package'
exit 1
fi


@ -1,114 +0,0 @@
#!/bin/bash
# Define script directory
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Set variables
GIT_HASH=`git rev-parse HEAD | head -c6`
# assign build version vars
source $SCRIPT_DIR/build_version_helper.sh
DEBIAN_FULL_VERSION=$VERSION.$RELEASE
OS=`lsb_release -c | awk '{print $2}'`
PROVISIONER_FULL_PACKAGE_NAME="hirs-provisioner"
# Enter package directory
mkdir -p $SCRIPT_DIR/deb
cd $SCRIPT_DIR/deb
# Clear old builds
rm -rf DEB_SOURCES
rm -f DEBS/hirs*.deb
rm -f DEBS/tpm-module*.deb
# Create directories
mkdir -p DEBS
# Copy Sources for HIRS_Provisioner
cd $SCRIPT_DIR/..
# build HIRS items.
./gradlew -PdisplayVersion=$DISPLAY_VERSION :HIRS_Provisioner:installDist
# Setup Provisioner directories
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/bin
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/lib
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup
# Copy Provisioner files
cp -r HIRS_Provisioner/build/install/HIRS_Provisioner/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner
rm -rf $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/bin/*.bat
cp -r HIRS_Provisioner/debian/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian
cp -r HIRS_Provisioner/man/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian
cp -r HIRS_Provisioner/scripts/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts
cp -r HIRS_Provisioner/src/main/resources/*.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts/install
cp -r HIRS_Provisioner/setup/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup
cp HIRS_Provisioner/hirs-provisioner-config.sh $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts
cp HIRS_Provisioner/scripts/install/*.sh $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts
cp HIRS_Provisioner/setup/hirs-provisioner.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup
cp HIRS_Provisioner/build/resources/main/defaults.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup/provisioner.properties
cp HIRS_Utils/src/main/resources/logging.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner
cp NOTICE $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/copyright
sed -i "s/VER/$DEBIAN_FULL_VERSION/" $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/changelog
sed -i "s/RELEASE/$OS/" $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/changelog
# Build Debian package for HIRS Provisioner
echo "Building $PROVISIONER_FULL_PACKAGE_NAME"
cd $SCRIPT_DIR/deb/DEB_SOURCES/$PROVISIONER_FULL_PACKAGE_NAME/
debuild -i -us -uc -b
ret=$?
if [[ $ret -ne 0 ]]; then
echo "Failed to build HIRS Provisioner deb package"
exit 1
fi
mv $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner*.deb $SCRIPT_DIR/deb/DEBS/
echo "HIRS Provisioner deb building complete"
# TPM Module
cd $SCRIPT_DIR/..
# Compile the TPM Module
./gradlew :tpm_module:build
cd tpm_module
# Setup build directories
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian
mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/src
# Copy build files
cp tpm_module $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/src/
cp -r debian/* $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian
cp -r man/* $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian
cp ../NOTICE $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian/copyright
# Build Debian package for TPM Module
cd $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/
debuild -i -us -uc -b
ret=$?
if [[ $ret -ne 0 ]]; then
echo "Failed to build tpm-module deb package"
exit 1
fi
mkdir -p $SCRIPT_DIR/deb/DEBS/
mv $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module*.deb $SCRIPT_DIR/deb/DEBS/
echo "TPM deb building complete"
# HIRS Provisioner TPM 2.0
cd $SCRIPT_DIR/deb
$SCRIPT_DIR/../HIRS_ProvisionerTPM2/package/package.tpm2.ubuntu.sh
if [ -f DEBS/HIRSProvisionerTPM2.0*.deb ]; then
echo 'HIRS Provisioner TPM 2.0 deb building complete'
else
echo 'Failed to build HIRS Provisioner TPM 2.0 deb package'
exit 1
fi


@ -1,337 +0,0 @@
# need to run rpmbuild with either:
# --define 'build6 1' --define 'dist .el6'
# --define 'build7 1' --define 'dist .el7'
# rpm runs scripts with $1 holding the number of currently installed version of the package in question:
# Install the first time: 1
# Upgrade: 2 or higher (depending on the number of versions installed)
# Remove last version of package: 0
# from RedHat RPM Guide by Eric Foster-Johnston
Name : HIRS
Version : %{?VERSION}
Release : %{?RELEASE}%{?dist}
Source : %{name}-%{?GIT_HASH}.tar
Group : System Environment/Base
License : ASL 2.0
Summary : HIRS
BuildArch : noarch
BuildRoot : %{_tmppath}/%{name}-%{version}-root
BuildRequires : java-1.8.0-openjdk-devel
%description
Host Integrity at Runtime and Startup (HIRS) parent spec.
%prep
%setup -q -c
%define provisioner_package_name HIRS_Provisioner_TPM_1_2%{?PACKAGE_NAME_ADDENDUM}
%define __jar_repack 0
##########################
# HIRS_Provisioner_TPM_1_2
##########################
%package -n %{provisioner_package_name}
Summary : Host Integrity at Runtime and Startup (HIRS) Provisioner
Group : System Environment/Base
%if 0%{?build6}
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, initscripts, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif
%if 0%{?build7}
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, systemd, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif
%description -n %{provisioner_package_name}
Host Integrity at Runtime and Startup (HIRS) Provisioner.
%pre -n %{provisioner_package_name}
if [[ $(find /sys/devices -name "tpm0") ]]; then
echo "TPM detected"
if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then
echo "Starting tcsd service"
systemctl start tcsd
ret=$?
if [[ $ret -ne 0 ]]; then
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
fi
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
chkconfig --level 1356 tcsd on
else
echo "Starting tcsd service"
service tcsd start
ret=$?
if [[ $ret -ne 0 ]]; then
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
fi
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
chkconfig --level 1356 tcsd on
fi
if [ ! -d "/sys/kernel/security/tpm0" ]; then
echo "Mounting security fs partition"
sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab
mount -a
if [ -d "/sys/kernel/security/tpm0" ]; then
echo "SUCCESS: security fs partition mounted"
fi
fi
else
echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL"
fi
%post -n %{provisioner_package_name}
# copy default property files into /etc/hirs if not present
mkdir -p /etc/hirs/
cp -n /opt/hirs/default-properties/provisioner/* /etc/hirs/
# copy common scripts into /opt/hirs/scripts/common
cp -f /opt/hirs/scripts/common/provisioner/* /opt/hirs/scripts/common/
echo 'Creating symlink for hirs-provisioner command'
ln -s -f /usr/share/hirs/provisioner/tpm_aca_provision /usr/sbin/tpm_aca_provision
chmod +x /usr/share/hirs/provisioner/tpm_aca_provision
ln -s -f /usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
chmod +x /usr/share/hirs/provisioner/hirs-provisioner.sh
hirs-provisioner -c
%postun -n %{provisioner_package_name}
# don't run these during an upgrade
if [ "$1" = "0" ]; then
rm -rf /etc/hirs/provisioner
rm -rf /etc/hirs/certificates
rm -f /usr/sbin/hirs-provisioner
rm -rf /usr/share/hirs/provisioner
rm -rf /var/log/hirs/provisioner
# if there are no more HIRS packages remaining,
# remove all HIRS directories
if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_Provisioner_TPM_1_2` ]]; then
rm -rf /etc/hirs
rm -rf /opt/hirs
rm -rf /usr/share/hirs
rm -rf /var/log/hirs
fi
fi
%files -n %{provisioner_package_name}
%license NOTICE
/etc/hirs/provisioner
%attr(664, root, root) /opt/hirs/default-properties/provisioner/logging.properties
%attr(774, root, root) /opt/hirs/scripts/common/provisioner/
/usr/share/hirs/provisioner
%{_mandir}/man1/hirs-provisioner.1.gz
####################
# HIRS_AttestationCA
####################
%package -n HIRS_AttestationCA
Summary : Host Integrity at Runtime and Startup (HIRS) Attestation Certificate Authority (HIRS AttestationCA)
Group : System Environment/Base
%if 0%{?build6}
Requires : mysql-server, openssl, tomcat6, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, iptables
Prefix : /usr/share/tomcat6
%endif
%if 0%{?build7}
Requires : mariadb-server, openssl, tomcat, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, firewalld, policycoreutils
Prefix : /usr/share/tomcat
%endif
%description -n HIRS_AttestationCA
Host Integrity at Runtime and Startup (HIRS) Attestation CA. Installs and creates keys for HIRS Attestation CA to support generating AIKs
%pre -n HIRS_AttestationCA
if [ ! -d $RPM_INSTALL_PREFIX ]; then
echo "error: Tomcat directory not found. Re-run this rpm installation with --prefix=\"<absolute-tomcat-directory>\""
exit 1
fi
%post -n HIRS_AttestationCA
# copy default property files into /etc/hirs if not present
mkdir -p /etc/hirs
cp -n /opt/hirs/default-properties/attestationca/* /etc/hirs/
# loop over common scripts and place into /opt/hirs/scripts/common
mkdir -p /opt/hirs/scripts/common/
cp -f /opt/hirs/scripts/common/aca/* /opt/hirs/scripts/common/
# run these only on a fresh install of the package
if [ $1 == 1 ]; then
# open necessary ports
sh /opt/hirs/scripts/common/firewall_configure_tomcat.sh
# Allow Tomcat to use port 3306 to communicate with MySQL
%if 0%{?build7}
if [ selinuxenabled ]; then
semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
fi
%endif
# create trust stores, configure tomcat and db
sh /opt/hirs/scripts/common/ssl_configure.sh server
# create the database
sh /opt/hirs/scripts/common/db_create.sh
fi
# modify mysql schema accordingly on upgrade
if [ $1 -gt 1 ]; then
#update version number on portal banner
echo %{?DISPLAY_VERSION} | tee '%{prefix}/webapps/HIRS_AttestationCAPortal/WEB-INF/classes/VERSION'
echo "Upgrading hirs_db schema!"
if [ %{version} == "1.0.4" ]; then
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql); then
echo "Upgrade to version 1.0.4"
else
echo "Error upgrading HIRS database schema to 1.0.4!"
exit 1;
fi
elif [ %{version} == "1.1.0" ]; then
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql); then
echo "Upgrade to version 1.1.0"
else
echo "Error upgrading HIRS database schema to 1.1.0!"
exit 1;
fi
elif [ %{version} == "1.1.1" ]; then
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql && \
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.1.sql); then
echo "Upgrade to version 1.1.1"
else
echo "Error upgrading HIRS database schema to 1.1.1!"
exit 1;
fi
fi
fi
sh /opt/hirs/scripts/aca/certificate_generate.sh
%preun -n HIRS_AttestationCA
# don't run these during an upgrade
if [ $1 == 0 ]; then
# if the Server isn't installed, deconfigure Tomcat and MySQL SSL and drop the database
if [[ -z `rpm -qa HIRS_Server` ]]; then
echo 'Restoring Tomcat and MySQL configuration'
sh /opt/hirs/scripts/common/ssl_deconfigure.sh server
echo 'Dropping local HIRS database'
sh /opt/hirs/scripts/common/db_drop.sh
fi
fi
%postun -n HIRS_AttestationCA
# don't run these during an upgrade
if [ $1 == 0 ]; then
# Removes WARS from the Tomcat installation as well as ACA configuration files and certificates
# (/etc/hirs/aca), and ACA installation (/opt/hirs/attestation-ca). Do not run during an upgrade
rm -f %{prefix}/webapps/HIRS_AttestationCA*.war
rm -rf %{prefix}/webapps/HIRS_AttestationCA*
rm -rf /etc/hirs/aca
rm -rf /opt/hirs/attestation-ca
# if the Server and Appraiser are not installed, remove certificates directory
if [[ -z `rpm -qa "HIRS_(Server|Appraiser)"` ]]; then
rm -rf /etc/hirs/certificates
fi
# if there are no more HIRS packages remaining,
# remove all HIRS directories
if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_AttestationCA` ]]; then
rm -rf /etc/hirs
rm -rf /opt/hirs
rm -rf /usr/share/hirs
rm -rf /var/log/hirs
fi
fi
%files -n HIRS_AttestationCA
%license NOTICE
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCA.war
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCAPortal.war
%attr(774, root, tomcat) /etc/hirs/aca/
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/logging.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/component-class.json
%attr(664, root, tomcat) /opt/hirs/default-properties/vendor-table.json
%attr(774, root, tomcat) /opt/hirs/scripts/common/aca
%attr(774, root, tomcat) /opt/hirs/scripts/aca
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.te
####################
# Build and install
####################
%build
./gradlew -PpluginDir=%{?PLUGIN_SOURCE} -PdisplayVersion=%{?DISPLAY_VERSION} :HIRS_Provisioner:installDist :HIRS_AttestationCA:war :HIRS_AttestationCAPortal:war
%install
# prepare provisioner for packaging
cd HIRS_Provisioner
mkdir -p %{buildroot}/usr/share/hirs/provisioner
mkdir -p %{buildroot}/%{_mandir}/man1
cp -r build/install/HIRS_Provisioner/* %{buildroot}/usr/share/hirs/provisioner
sed -i '/exec "$JAVACMD" "$@"/i /opt/hirs/scripts/common/jvm_version_check.sh $JAVACMD' %{buildroot}/usr/share/hirs/provisioner/bin/HIRS_Provisioner
mkdir -p %{buildroot}/etc/hirs/provisioner/certs
cp scripts/install/hirs-provisioner.sh %{buildroot}/usr/share/hirs/provisioner/
cp scripts/install/tpm_aca_provision %{buildroot}/usr/share/hirs/provisioner/
cp hirs-provisioner-config.sh %{buildroot}/etc/hirs/provisioner
cp create-ek-cert.sh %{buildroot}/etc/hirs/provisioner
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/provisioner/provisioner.properties
cp -r setup %{buildroot}/etc/hirs/provisioner/
gzip -c man/hirs-provisioner.1 > %{buildroot}/%{_mandir}/man1/hirs-provisioner.1.gz
mkdir -p %{buildroot}/opt/hirs/scripts/common/provisioner
cp ../scripts/common/jvm_version_check.sh %{buildroot}/opt/hirs/scripts/common/provisioner/
# copy common scripts
mkdir -p %{buildroot}/opt/hirs/scripts/common/aca
cp ../scripts/common/* %{buildroot}/opt/hirs/scripts/common/aca/
# prepare ACA for packaging
cd ../HIRS_AttestationCA
mkdir -p %{buildroot}/opt/hirs/scripts/aca
cp ../scripts/aca/* %{buildroot}/opt/hirs/scripts/aca
mkdir -p %{buildroot}/opt/hirs/attestation-ca/
mkdir -p %{buildroot}/etc/hirs/aca/certificates/
mkdir -p %{buildroot}/etc/hirs/aca/client-files/
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCA.war %{buildroot}%{prefix}/webapps/
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/aca/aca.properties
# prepare ACA Portal for packaging
cd ../HIRS_AttestationCAPortal
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCAPortal.war %{buildroot}%{prefix}/webapps/
# note: no ACA Portal specific resource files to copy yet...
# creates the home directory for activemq user so SELinux doesn't complain
mkdir -p %{buildroot}/srv/activemq
mkdir -p %{buildroot}/etc/hirs/portal
cd ..
# copy over the properties files
mkdir -p %{buildroot}/opt/hirs/default-properties/provisioner
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/provisioner/logging.properties
mkdir -p %{buildroot}/opt/hirs/default-properties/attestationca
cp HIRS_Utils/src/main/resources/persistence.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/
cp -n HIRS_Utils/src/main/resources/vendor-table.json %{buildroot}/opt/hirs/default-properties/
# install extras
mkdir -p %{buildroot}/opt/hirs/extras
cp -r extras/ %{buildroot}/opt/hirs/


@ -1,62 +0,0 @@
Name : tpm_module
Vendor : U.S. Government
Summary : Tool used to interface with the TPM
Version : %{?VERSION}
Release : %{?RELEASE}
Source : tpm_module-%{?GIT_HASH}.tar
Group : System Environment/Base
License : ASL 2.0
Requires : tpm-tools, trousers
BuildRequires : cpp
BuildRequires : gcc-c++
BuildRequires : trousers-devel
BuildArch : x86_64
BuildRoot : %{_tmppath}/%{name}-%{version}-root
%description
Trusted Platform Module (TPM) interface module. This software is designed to provide a platform-independent interface to a client's TPM. It imlpements functionality similar to and exceeding that of tpm-tools in some cases. This software is intended for use with the HIR reporting infrastructure to help clients generate integrity reports based on TPM data.
%prep
%setup -q -n %{name}-%{?GIT_HASH}
%build
rm -f main.d main.o tpm_module
make
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/bin
mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1
cp tpm_module $RPM_BUILD_ROOT/usr/bin/
gzip -c man/tpm_module.1 > $RPM_BUILD_ROOT/usr/share/man/man1/tpm_module.1.gz
%clean
rm -rf $RPM_BUILD_ROOT
%files
%license ../NOTICE
/usr/bin/tpm_module
/usr/share/man/man1/tpm_module.1.gz
%changelog
* Thu Feb 5 2015 3.11
- Modify to support new directory structure
* Mon May 5 2014 3.11
- Set up automatic builds
* Wed Jan 8 2014 3.10
- Added more comments, legal disclaimers, and changed behavior of error output.
* Wed Dec 4 2013 3.09
- Tweaked toggling of TSS_CAP_VERSION_INFO. Added additional debugging messages to describe errors.
* Mon Dec 2 2013 3.08
- TSS_CAP_VERSION_INFO is no longer required on quote2. Other tweaks for platform compatibility.
* Tue Oct 1 2013 3.08
- Improved commenting and documentation, fixed help info, changed behavior of clearing function
* Tue Jul 17 2012 3.07
- Fixed mask utility function handling of 'F' (70, not 80)
* Wed May 2 2012 3.06
- Corrected bug in changekeyauth function
* Tue May 1 2012 3.05
- Initial package release


@ -6,7 +6,6 @@
# #
##################################################################################### #####################################################################################
USE_WAR=$1
CONFIG_FILE="/etc/hirs/aca/application.properties" CONFIG_FILE="/etc/hirs/aca/application.properties"
ALG=RSA ALG=RSA
RSA_PATH=rsa_3k_sha384_certs RSA_PATH=rsa_3k_sha384_certs
@ -14,6 +13,7 @@ ECC_PATH=ecc_512_sha384_certs
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
LOG_FILE=/dev/null LOG_FILE=/dev/null
GRADLE_WRAPPER="./gradlew" GRADLE_WRAPPER="./gradlew"
DEPLOYED_WAR=false
# Check for sudo or root user # Check for sudo or root user
if [ "$EUID" -ne 0 ] if [ "$EUID" -ne 0 ]
@ -21,7 +21,59 @@ if [ "$EUID" -ne 0 ]
exit 1 exit 1
fi fi
source $SCRIPT_DIR/../db/start_mysqld.sh help () {
echo " Setup script for the HIRS ACA"
echo " Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]"
echo " options:"
echo " -p | --path Path to the HIRS_AttestationCAPortal.war file"
echo " -w | --war Use deployed war file"
echo " -h | --help Print this help"
echo
}
# Process parameters Argument handling
POSITIONAL_ARGS=()
ORIGINAL_ARGS=("$@")
while [[ $# -gt 0 ]]; do
case $1 in
-p|--path)
USE_WAR=YES
shift # past argument
WAR_PATH=$@
DEPLOYED_WAR=true
shift # past parameter
;;
-w|--war)
USE_WAR=YES
shift # past argument
WAR_PATH="/opt/hirs/aca/HIRS_AttestationCAPortal.war"
DEPLOYED_WAR=true
;;
-h|--help)
help
exit 0
shift # past argument
;;
-*|--*)
echo "aca_setup.sh: Unknown option $1"
help
exit 1
;;
*)
POSITIONAL_ARGS+=("$1") # save positional arg
# shift # past argument
break
;;
esac
done
if [ -z "${WAR_PATH}" ]; then
WAR_PATH="HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war"
fi
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
source $SCRIPT_DIR/../db/mysql_util.sh
if [ $ALG = "RSA" ]; then if [ $ALG = "RSA" ]; then
CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH" CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH"
@ -43,9 +95,11 @@ if [ ! -d "$CERT_PATH" ]; then
exit 1; exit 1;
fi fi
if [ ! -f "$GRADLE_WRAPPER" ]; then if [ $DEPLOYED_WAR = false ]; then
if [ ! -f "$GRADLE_WRAPPER" ]; then
echo "This script needs to be run from the HIRS top level project directory. Exiting." echo "This script needs to be run from the HIRS top level project directory. Exiting."
exit 1; exit 1;
fi
fi fi
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
@ -71,10 +125,10 @@ WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \
# uncomment to show spring boot and hibernate properties used as gradle argumanets # uncomment to show spring boot and hibernate properties used as gradle argumanets
#echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\"" #echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\""
if [ "$USE_WAR" == "war" ]; then if [ -z "$USE_WAR" ]; then
echo "Booting the ACA from a $USE_WAR file..." echo "Booting the ACA from local build..."
java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS"
else else
echo "Booting the ACA from local build..." echo "Booting the ACA from a war file..."
./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" java -jar $WAR_PATH $CONNECTOR_PARAMS$WEB_TLS_PARAMS &
fi fi
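Review bot: `WAR_PATH=$@` in the `-p|--path` case takes every remaining argument as the war path, so `-p /some/file.war` followed by anything else yields a multi-word path while the single `shift` that follows consumes only one of those words; it should be `WAR_PATH="$1"`. The value is later expanded unquoted at `java -jar $WAR_PATH`, so a path containing spaces splits into several arguments — `java -jar "$WAR_PATH" $CONNECTOR_PARAMS$WEB_TLS_PARAMS &` keeps it intact. The help text appears to have been copied from aca_setup.sh: its syntax line names `aca_setup.sh` and lists `-u|sb|sp|--skip-db|--skip-pki`, none of which this script accepts, and the `-p`/`-w` options it does accept are missing from that line. The `shift` after `exit 0` in the `-h|--help` branch is unreachable and can be dropped.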


@ -37,17 +37,13 @@ DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
ALL_CHECKS_PASSED=true ALL_CHECKS_PASSED=true
ALL_CERTS_PASSED=true ALL_CERTS_PASSED=true
source $SCRIPT_DIR/../db/mysql_util.sh
# Check for Admin privileges # Check for Admin privileges
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
echo "This script requires root. Please run as root" echo "This script requires root. Please run as root"
exit 1 exit 1
fi fi
# Check install setup pki files
if [ ! -d $CERT_PATH ]; then
echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again."
exit 1;
fi
# Argument handling # Argument handling
@ -70,8 +66,32 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
echo "Checking HIRS ACA Setup on this device..."
# Check if aca setup was performed
# Check is RPM was installed via RPM package
rpm -q --quiet HIRS_AttestationCA
if [ $? -eq 0 ]; then
echo "HIRS ACA was installed via rpm package on this device"
if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then
echo " HIRS ACA is set to start on boot via crontab file"
else
echo " HIRS ACA is NOT set to start on boot via crontab file"
fi
else
echo "HIRS ACA was NOT installed via rpm package on this device"
fi
# Check install setup pki files
if [ ! -d $CERT_PATH ]; then
check_db_cleared
echo " $CERT_PATH directory does not exist."
echo " Exiting..."
echo "Please run aca_setup.sh and try again"
exit 1;
fi
source /etc/hirs/aca/aca.properties; source /etc/hirs/aca/aca.properties;
source $SCRIPT_DIR/../db/start_mysqld.sh
check_pwds () { check_pwds () {
@ -127,16 +147,16 @@ check_mysql_setup () {
} }
check_cert () { check_cert () {
TRUST_STORE=$1 TRUST_STORE=$1
CERT=$2 CERT=$2
RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT) RESULT=$(openssl verify -CAfile "$TRUST_STORE" $CERT)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
ALL_CHECKS_PASSED=false ALL_CHECKS_PASSED=false
ALL_CERTS_PASSED=false ALL_CERTS_PASSED=false
fi fi
if [ ! -z "${ARG_VERBOSE}" ]; then if [ ! -z "${ARG_VERBOSE}" ]; then
echo " "$RESULT echo " "$RESULT
fi fi
} }
check_pki () { check_pki () {
@ -250,8 +270,8 @@ check_fips () {
echo "Checking FIPS mode on this device..." echo "Checking FIPS mode on this device..."
echo " "$(sysctl -a | grep crypto.fips_enabled) echo " "$(sysctl -a | grep crypto.fips_enabled)
} }
# Run Checks
check_for_container check_for_container -p
check_pwds check_pwds
check_pki check_pki
check_mysql_setup check_mysql_setup
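Review bot: `[[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]` compares strings, not numbers — inside `[[ ]]` the `>` operator is lexicographic, and it only gives the right answer here because every non-zero count happens to sort above "0"; the arithmetic form `if [ "$(grep -c hirs/aca /etc/crontab)" -gt 0 ]; then` states the intent and drops the needless `cat`. The `rpm -q --quiet HIRS_AttestationCA` followed by `if [ $? -eq 0 ]` reads more directly as `if rpm -q --quiet HIRS_AttestationCA; then`. `check_db_cleared` is presumably defined in the newly sourced mysql_util.sh, but it is not visible in this section, so it is worth confirming the name exists there, since it now runs on the missing-`$CERT_PATH` path before the script exits.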


@ -14,18 +14,24 @@ if [ "$EUID" -ne 0 ]; then
echo "This script requires root. ACA setup not removed. Please run as root." echo "This script requires root. ACA setup not removed. Please run as root."
exit 1 exit 1
fi fi
if [ ! -f /etc/hirs/aca/aca.properties ]; then
echo "aca.properties does not exist, aborting." source $SCRIPT_DIR/../db/mysql_util.sh
exit 1
fi # Make sure myswl root password is available and set $DB_ADIM_PWD before continuing...
check_mysql_root
# remove the hrs-db and hirs_db user # remove the hrs-db and hirs_db user
pushd $SCRIPT_DIR/../db/ pushd $SCRIPT_DIR/../db/ &>/dev/null
sh db_drop.sh sh db_drop.sh $DB_ADMIN_PWD
popd popd &>/dev/null
# remove pki files and config files # remove pki files and config files
echo "Removing certificates and config files..." echo "Removing certificates and config files..."
rm -rf /etc/hirs rm -rf /etc/hirs
# Remove crontab and current ACA process
echo "Removing the ACA crontab"
sed -i '/aca_bootRun.sh/d' /etc/crontab
echo "Shutting down the aca..."
ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh >/dev/null 2>&1
echo "ACA setup removal complete." echo "ACA setup removal complete."
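Review bot: `sh db_drop.sh $DB_ADMIN_PWD` passes the MariaDB root password as a command-line argument, which any local user can read from the process list (`ps`, `/proc/<pid>/cmdline`) for as long as db_drop.sh runs; since db_drop.sh sources the same mysql_util.sh, it could call `check_mysql_root` itself, or the value could be handed over through the environment (`DB_ADMIN_PWD="$DB_ADMIN_PWD" sh db_drop.sh`) instead of argv. The shutdown at the end builds shell commands from `ps axf | grep … | awk '{print "kill " $1}' | sh`; `pkill -f HIRS_AttestationCAPortal.war` does the same without feeding generated text to a shell and without the `grep -v grep` dance. The new comment has two typos and should read `# Make sure mysql root password is available and set $DB_ADMIN_PWD before continuing...`. Dropping the `aca.properties` existence check means `rm -rf /etc/hirs` now runs even when no setup was ever performed, which may be intended but is worth a comment.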


@ -17,7 +17,7 @@ help () {
echo " -u | --unattended Run unattended" echo " -u | --unattended Run unattended"
echo " -h | --help Print this Help." echo " -h | --help Print this Help."
echo " -sp | --skip-pki run the setup without pki setup." echo " -sp | --skip-pki run the setup without pki setup."
echo " -sb | --skip-db run the setup without databse setup." echo " -sb | --skip-db run the setup without database setup."
echo echo
} }


@ -34,7 +34,7 @@ touch $DB_SRV_CONF
mkdir -p /etc/hirs/aca/ mkdir -p /etc/hirs/aca/
mkdir -p /var/log/hirs/ mkdir -p /var/log/hirs/
source $SCRIPT_DIR/start_mysqld.sh source $SCRIPT_DIR/mysql_util.sh
source $ACA_PROP_FILE source $ACA_PROP_FILE
check_mysql_root_pwd () { check_mysql_root_pwd () {
@ -66,7 +66,7 @@ check_mysql_root_pwd () {
# Make sure root password is correct # Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null); $(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "root password verified" | tee -a "$LOG_FILE" echo "Mysql root password verified" | tee -a "$LOG_FILE"
else else
echo "MYSQL root password was not the default, not supplied, or was incorrect" echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
@ -147,7 +147,7 @@ create_hirs_db_with_tls () {
# HIRS ACA Mysqld processing ... # HIRS ACA Mysqld processing ...
check_mariadb_install check_mariadb_install
check_for_container check_for_container -p
set_mysql_server_tls set_mysql_server_tls
set_mysql_client_tls set_mysql_client_tls
start_mysqlsd start_mysqlsd


@ -4,9 +4,10 @@ SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
CLIENT_CNF=/etc/my.cnf.d/client.cnf CLIENT_CNF=/etc/my.cnf.d/client.cnf
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";) SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
LOG_FILE=/dev/null LOG_FILE=/dev/null
DB_ADMIN_PWD=$1
source /etc/hirs/aca/aca.properties; #source /etc/hirs/aca/aca.properties;
source $SCRIPT_DIR/start_mysqld.sh source $SCRIPT_DIR/mysql_util.sh
# Check for sudo or root user, not actually needed but a good idea # Check for sudo or root user, not actually needed but a good idea
if [ "$EUID" -ne 0 ] if [ "$EUID" -ne 0 ]
@ -14,12 +15,6 @@ if [ "$EUID" -ne 0 ]
exit 1 exit 1
fi fi
if [ -z $mysql_admin_password ]; then
read -p "Enter mysql root password" DB_ADMIN_PWD
else
DB_ADMIN_PWD=$mysql_admin_password
fi
if [ -d /opt/hirs/scripts/db ]; then if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db" MYSQL_DIR="/opt/hirs/scripts/db"
else else
@ -29,7 +24,7 @@ fi
echo "dropping hirs_db database" echo "dropping hirs_db database"
if pgrep mysqld >/dev/null 2>&1; then if pgrep mysqld >/dev/null 2>&1; then
mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES" mysql -u root --password=$DB_ADMIN_PWD -e "FLUSH HOSTS; FLUSH LOGS; FLUSH STATUS; FLUSH PRIVILEGES; FLUSH USER_RESOURCES"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';" mysql -u root --password=$DB_ADMIN_PWD -e "DROP USER 'hirs_db'@'localhost';"
mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;" mysql -u root --password=$DB_ADMIN_PWD -e "DROP DATABASE IF EXISTS hirs_db;"
echo "hirs_db database and hirs_db user removed" echo "hirs_db database and hirs_db user removed"
@ -38,14 +33,10 @@ if pgrep mysqld >/dev/null 2>&1; then
fi fi
# reset the mysql root if the password was left in the properties fiel # reset the mysql root if the password was left in the properties fiel
if [ ! -z $mysql_admin_password ]; then if [ ! -z $DB_ADMIN_PWD ]; then
echo "Resetting mysql root password to empty" echo "Resetting mysql root password to empty"
mysql -u root --password=$mysql_admin_password -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');" mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR "root@localhost" = PASSWORD('');"
echo "Current list of databases:"
mysql -u "root" -e "FLUSH LOGS;" mysql -u "root" -e "FLUSH LOGS;"
mysql -u "root" -e "SHOW DATABASES;"
echo "Current list of users:"
mysql -u root -e "Select user from mysql.user;"
else else
echo "Note root password was NOT reset" echo "Note root password was NOT reset"
fi fi
@ -62,5 +53,3 @@ mysql -u root -e "SHUTDOWN"
sleep 2 sleep 2
check_for_container check_for_container
start_mysqlsd start_mysqlsd
mysql -u root -e "SHOW VARIABLES LIKE '%ssl%'"
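Review bot: `DB_ADMIN_PWD=$1` replaces the interactive `read -p` fallback removed further down, so when the script is run without an argument the variable is empty, every `mysql -u root --password=$DB_ADMIN_PWD` call runs with an empty password, and the later `[ ! -z $DB_ADMIN_PWD ]` test falls into the "NOT reset" branch; an explicit guard such as `if [ -z "$DB_ADMIN_PWD" ]; then echo "db_drop.sh: mysql root password required"; exit 1; fi` right after the assignment would make that failure visible. Taking the password from argv also exposes it in the process list for the script's lifetime; reading it from the environment first (`DB_ADMIN_PWD="${DB_ADMIN_PWD:-$1}"`) or calling `check_mysql_root` from the sourced mysql_util.sh would avoid that. The unquoted `[ ! -z $DB_ADMIN_PWD ]` only behaves for an empty value by accident and should be `if [ ! -z "$DB_ADMIN_PWD" ]; then`.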


@ -7,15 +7,18 @@
##################################################################################### #####################################################################################
SQL_SERVICE="mariadb" SQL_SERVICE="mariadb"
# Checks to see if running in a container
# -p to print status
check_for_container () { check_for_container () {
PRINT_STATUS=$1
# Check if we're in a Docker container # Check if we're in a Docker container
if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then
#if [ -f /.dockerenv ]; then #if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true DOCKER_CONTAINER=true
echo "ACA is running in a container..." | tee -a "$LOG_FILE" if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is running in a container..." | tee -a "$LOG_FILE"; fi
else else
DOCKER_CONTAINER=false DOCKER_CONTAINER=false
echo "ACA is not running in a container..." | tee -a "$LOG_FILE" if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is not running in a container..." | tee -a "$LOG_FILE"; fi
fi fi
if [ -d /opt/hirs/scripts/db ]; then if [ -d /opt/hirs/scripts/db ]; then
MYSQL_DIR="/opt/hirs/scripts/db" MYSQL_DIR="/opt/hirs/scripts/db"
@ -36,24 +39,24 @@ check_mariadb_install () {
} }
# Starts mariadb during intial install # Starts mariadb during intial install
start_mysqlsd () { start_mysqlsd () {
PRINT_STATUS=$1
# Check if mysql is already running, if not initialize # Check if mysql is already running, if not initialize
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
# Check if running in a container # Check if running in a container
if [ $DOCKER_CONTAINER = true ]; then if [ $DOCKER_CONTAINER = true ]; then
# if in Docker container, avoid services that invoke the D-Bus # if in Docker container, avoid services that invoke the D-Bus
echo "ACA is running in a container..."
# Check if mariadb is setup # Check if mariadb is setup
if [ ! -d "/var/lib/mysql/mysql/" ]; then if [ ! -d "/var/lib/mysql/mysql/" ]; then
echo "Installing mariadb" echo "Installing mariadb"
/usr/bin/mysql_install_db > "$LOG_FILE" /usr/bin/mysql_install_db & >> "$LOG_FILE"
chown -R mysql:mysql /var/lib/mysql/ chown -R mysql:mysql /var/lib/mysql/ & >> "$LOG_FILE"
fi fi
echo "Starting mysql...." if [[ $PRINT_STATUS == "-p" ]]; then echo "Starting mysql..."; fi
chown -R mysql:mysql /var/log/mariadb chown -R mysql:mysql /var/log/mariadb >> "$LOG_FILE";
/usr/bin/mysqld_safe & /usr/bin/mysqld_safe & >> "$LOG_FILE";
else #not a container else #not a container
systemctl enable $SQL_SERVICE systemctl enable $SQL_SERVICE & >> "$LOG_FILE";
systemctl start $SQL_SERVICE systemctl start $SQL_SERVICE & >> "$LOG_FILE";
fi fi
else # mysql process is running else # mysql process is running
# check if mysql service is running # check if mysql service is running
@ -61,18 +64,18 @@ start_mysqlsd () {
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l ) DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
if [ $DB_STATUS -eq 0 ]; then if [ $DB_STATUS -eq 0 ]; then
echo "mariadb not running , attempting to restart" echo "mariadb not running , attempting to restart"
systemctl start mariadb systemctl start mariadb & >> "$LOG_FILE";
fi fi
fi fi
fi fi
# Wait for mysql to start before continuing. # Wait for mysql to start before continuing.
echo "Checking mysqld status..."| tee -a "$LOG_FILE" if [[ $PRINT_STATUS == "-p" ]]; then echo "Checking mysqld status..."| tee -a "$LOG_FILE"; fi
while ! mysqladmin ping -h "$localhost" --silent; do while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1; sleep 1;
done done
echo "mysqld is running."| tee -a "$LOG_FILE" if [[ $PRINT_STATUS == "-p" ]]; then echo "mysqld is running."| tee -a "$LOG_FILE"; fi
} }
# Basic check for marai db status, attempts restart if not running # Basic check for marai db status, attempts restart if not running
@ -81,7 +84,7 @@ check_mysql () {
if [ $DOCKER_CONTAINER = true ]; then if [ $DOCKER_CONTAINER = true ]; then
if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
echo "mariadb not running , attempting to restart" echo "mariadb not running , attempting to restart"
/usr/bin/mysqld_safe & /usr/bin/mysqld_safe & >> "$LOG_FILE"
fi fi
else # not in a contianer else # not in a contianer
DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l ) DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
@ -89,18 +92,69 @@ check_mysql () {
echo "mariadb not running , attempting to restart" echo "mariadb not running , attempting to restart"
systemctl start mariadb systemctl start mariadb
fi fi
fi fi
# Wait for mysql to start before continuing. # Wait for mysql to start before continuing.
while ! mysqladmin ping -h "$localhost" --silent; do while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1; sleep 1;
done done
echo " Mariadb is running." echo " Mariadb is running."
} }
# Check for mysql root password , abort if not available
check_mysql_root () {
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
if [ ! -f /etc/hirs/aca/aca.properties ]; then
echo "aca.properties does not exist."
else
source /etc/hirs/aca/aca.properties;
DB_ADMIN_PWD=$mysql_admin_password
fi
else #HIRS_MYSQL_ROOT_PWD set
DB_ADMIN_PWD=$HIRS_MYSQL_ROOT_PWD
fi
# Allow user to enter password if not using env variabel or file
if [ -z $DB_ADMIN_PWD ]; then
read -p "Enter mysql root password" DB_ADMIN_PWD
else
DB_ADMIN_PWD=$mysql_admin_password
fi
# Make sure root password is correct
$(mysql -u root -p$DB_ADMIN_PWD -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo "root password verified" | tee -a "$LOG_FILE"
else
echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
echo " ********** ACA Mysql setup aborted ********" ;
exit 1;
fi
}
check_db_cleared () {
$(mysql -u root -e 'quit' &> /dev/null);
if [ $? -eq 0 ]; then
echo " Empty root password verified" | tee -a "$LOG_FILE"
else
echo " Mysql Root password is not empty"
fi
HIRS_DB_USER_EXISTS="$(mysql -uroot -sse "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
if [ $HIRS_DB_USER_EXISTS = 1 ]; then
echo " hirs_db user exists"
else
echo " hirs_db user does not exist"
fi
HIRS_DB_EXISTS=`mysql -uroot -e "SHOW DATABASES" | grep hirs_db`
if [[ $HIRS_DB_EXISTS == "hirs_db" ]]; then
echo " hirs_db databse exists"
else
echo " hirs_db database does not exists"
fi
}
# restart maraidb # restart maraidb
mysqld_reboot () { mysqld_reboot () {
# reboot mysql server # reboot mysql server
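Review bot: In check_mysql_root the else branch `DB_ADMIN_PWD=$mysql_admin_password` inside the `if [ -z $DB_ADMIN_PWD ]` block overwrites a password that was just taken from HIRS_MYSQL_ROOT_PWD, and when aca.properties was not sourced that variable is unset, so the value collapses to empty and `-p$DB_ADMIN_PWD` becomes a bare `-p` that makes mysql prompt interactively. Dropping that branch and prompting silently, `if [ -z "$DB_ADMIN_PWD" ]; then read -s -p "Enter mysql root password: " DB_ADMIN_PWD; fi`, fixes both, and passing the secret on the command line exposes it to anyone who can list processes, so prefer `MYSQL_PWD="$DB_ADMIN_PWD" mysql -u root -e 'quit'` or a `--defaults-extra-file`. Separately, in start_mysqlsd and check_mysql the form `cmd & >> "$LOG_FILE"` backgrounds cmd and attaches the redirection to an empty command, so nothing is logged and `mysql_install_db` races with the `chown` on the next line; write `/usr/bin/mysql_install_db >> "$LOG_FILE" 2>&1` for the synchronous steps and `/usr/bin/mysqld_safe >> "$LOG_FILE" 2>&1 &` only for the daemon. The `$(mysql … &> /dev/null); if [ $? -eq 0 ]` construct in check_mysql_root and check_db_cleared runs the command's output as a command; `if mysql … &> /dev/null; then` is the plain form. mysqld_reboot continues outside the hunk.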


@ -1,35 +0,0 @@
#!/bin/bash
tom_version="10.1.9"
tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
CATALINA_HOME=/opt/tomcat/
CATALINA_BASE=/opt/tomcat/
# Check if tomcat already installed
if [ -d "/opt/tomcat" ]; then
echo "tomcat already installed"
else
echo "installing $tom_version"
pushd /tmp
useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
dnf install wget -y
wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
mkdir /opt/tomcat
tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
rm apache-tomcat-$tom_version.tar.gz
chown -R tomcat: /opt/tomcat
sudo sh -c 'chmod +x /opt/tomcat/bin/*.sh'
popd
fi
if [ -f /.dockerenv ]; then
echo "in a container..."
sh /opt/tomcat/bin/catalina.sh start
else
cp /opt/hirs/scripts/aca/tomcat.service /etc/systemd/system/.
systemctl daemon-reload
systemctl start tomcat
systemctl enable tomcat
fi
if [ $(pgrep -c FirewallD) == "1" ]; then
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --add-port=8443/tcp --permanent
fi


@ -3,7 +3,7 @@ plugins {
id "java" id "java"
// id "findbugs" // id "findbugs"
// id "checkstyle" // id "checkstyle"
id "nebula.ospackage" version "9.1.1" id "com.netflix.nebula.ospackage" version "11.4.0"
} }
// Get version from main project gradle // Get version from main project gradle
def packVersion = properties.get("packageVersion"); def packVersion = properties.get("packageVersion");


@ -1,6 +1,6 @@
plugins { plugins {
id "java" id "java"
id "nebula.ospackage" version "9.1.1" id 'com.netflix.nebula.ospackage' version '11.4.0'
id 'com.intershop.gradle.jaxb' version '5.1.0' id 'com.intershop.gradle.jaxb' version '5.1.0'
} }