updated with package for the ACA [no ci]

2024-12-18 20:47:58 +00:00 · 2023-04-27 19:51:22 +00:00 · 2023-04-27 19:51:22 +00:00 · 665e90b176
commit 665e90b176
parent 6763e4a87d 0f8f266569
11 changed files with 237 additions and 155 deletions
--- a/HIRS_AttestationCA/build.gradle
+++ b/HIRS_AttestationCA/build.gradle
@ -25,12 +25,15 @@ dependencies {
    implementation project(':HIRS_Utils')

    implementation 'org.springframework.boot:spring-boot-starter-data-jpa:3.0.1'
+    implementation 'com.github.darrachequesne:spring-data-jpa-datatables:6.0.1'
+    implementation 'org.springframework.retry:spring-retry:2.0.0'

    implementation libs.bouncycastle
    implementation libs.commons.codec
    implementation libs.commons.lang3
    implementation libs.jakarta.api
    implementation libs.jakarta.xml
+    implementation libs.hibernate.core
    implementation libs.guava
    implementation libs.jackson.core
    implementation libs.jackson.databind
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java
@ -152,4 +152,12 @@ public class ReferenceManifest  extends ArchivableEntity {
        }
        return null;
    }
+
+    public boolean isBase() {
+        return rimType.equals(BASE_RIM);
+    }
+
+    public boolean isSupport() {
+        return rimType.equals(SUPPORT_RIM);
+    }
 }
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@ -3,7 +3,7 @@ plugins {
    id 'java'
    id 'war'
    id "nebula.ospackage" version "9.1.1"
-    id 'org.springframework.boot' version '3.0.1'
+    id 'org.springframework.boot' version '3.0.6'
    id 'io.spring.dependency-management' version '1.1.0'
 }

@ -41,6 +41,7 @@ dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-validation'
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'com.github.darrachequesne:spring-data-jpa-datatables:6.0.1'
    implementation 'org.projectlombok:lombok'

    compileOnly 'org.projectlombok:lombok'
@ -59,4 +60,99 @@ war {
    archiveFileName = 'HIRS_AttestationCAPortal.war'
 }

+ospackage {
+    packageName = 'HIRS_AttestationCA'
+    os = LINUX
+    arch = NOARCH
+    version = "$packVersion"
+    release = '1'

+    user 'root'
+    fileMode = 0755
+
+    def tpath="/opt"
+
+    addParentDirs = true
+    createDirectoryEntry true 
+
+        preInstall "rm -rf /opt/hirs/default-properties"
+    preInstall "mkdir -p /opt/hirs/default-properties/"
+    preInstall "mkdir -p /tmp/hirs/default-properties/"
+
+    // Setup /etc/hirs
+    into ('/etc/hirs/aca/') {
+      from '../HIRS_AttestationCA/src/main/resources/defaults.properties'
+      rename {'aca.properties'}
+    }
+    into ('/etc/hirs/') {
+       from '../HIRS_Utils/src/main/resources/banner.properties'
+       from '../HIRS_Utils/src/main/resources/persistence.properties'
+       from '../HIRS_Utils/src/main/resources/logging.properties'
+    }
+    // Setup tomcat files
+    // Create and package HIRS_AttestationCA:war
+    into ("${tpath}/tomcat/webapps") {
+       from war.outputs.files
+       from '../HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war'
+       user 'root'
+       fileMode = 0755
+    }
+    into ("${tpath}/tomcat/lib") {
+      from 'libs' 
+      from configurations.runtimeClasspath 
+    }
+    into ("/opt/hirs/scripts/aca/") {
+     from '../package/conf/tomcat.service'
+     from '../package/scripts/install_tomcat.sh'
+     from '../package/scripts/aca/certificate_generate.sh'
+    }
+    into ("/opt/hirs/scripts/common") {
+     from '../package/scripts/common/'
+    }
+    into ('/opt/hirs/extras/aca/') {
+      from '../package/extras/aca/'
+    }
+
+    // Copy json files to /tmp and move into /opt/hirs in postInstall section
+    // Allows HIRS tools to be installed using the same files
+    into ('/tmp/aca/default-properties/') {
+       from '../HIRS_AttestationCA/src/main/resources/vendor-table.json'
+       from '../HIRS_AttestationCA/src/main/resources/component-class.json'
+    }
+  // Post Install
+    postInstall file('../package/scripts/common/db_create.sh')
+  //  postInstall file('../package/scripts/common/ssl_configure.sh')
+  //  postInstall 'mkdir -p /etc/hirs/aca/client_files'
+    postInstall 'mkdir -p /etc/hirs/aca/certificates'
+    postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
+    postInstall 'rm -rf /tmp/aca/'
+ //  postInstall file('../package/scripts/install_tomcat.sh')
+ //   Old post install files, to be removed...
+ // Note /etc/hirs/aca/certificates files are created by  certificate_generate.sh
+ //      /etc/hirs/aca/client-files files are created by  certificate_generate.sh
+ //      /etc/hirs/certificates/ files are created by ssl_configure.sh
+ //      /etc/hirs/certificates/mysql/  files are created by ssl_configure.sh
+ //      /etc/hirs/certificates/private/  files are created by ssl_configure.sh
+ //   postInstall file('../package/scripts/common/firewall_configure_tomcat.sh')
+ //   postInstall file('../package/scripts/common/ssl_configure.sh')
+ //   postInstall file('../package/scripts/aca/certificate_generate.sh')
+ //   postInstall 'if [ selinuxenabled ]; then semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp; fi'
+     
+    postInstall 'sh /opt/tomcat/bin/catalina.sh start'
+
+    // Post Uninstall
+    // Copy files to /tmp that package manager will be expecting them there
+    preUninstall 'mkdir -p /tmp/aca/default-properties/'
+    preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.'
+    preUninstall file('../package/scripts/common/db_drop.sh')
+
+    //buildRpm.dependsOn ':HIRS_AttestationCA:war'
+
+    buildRpm {
+        arch = X86_64
+    }
+
+    buildDeb {
+        arch = 'amd64'
+    }
+}
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java
@ -3,6 +3,7 @@ package hirs.attestationca.portal;
 import hirs.attestationca.persist.entity.userdefined.SupplyChainSettings;
 import lombok.extern.log4j.Log4j2;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
--- a/build.gradle
+++ b/build.gradle
@ -4,9 +4,6 @@ import org.gradle.api.tasks.Copy
 plugins {
    // Apply the application plugin to add support for building a CLI application in Java.
    id 'application'
-//    id 'java'
-//    id 'war'
-//    id  "nebula.ospackage" version "9.1.1"
 }

 // Global checkstyle file
@ -39,113 +36,3 @@ def gitHash = { ->
 project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}"
 project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8"

-//subprojects {
-//
-//}
-
-//plugins {
-//    id 'application'
-//    id 'java'
-//    id 'war'
-//    id "nebula.ospackage" version "9.1.1"
-//    id 'org.springframework.boot' version '3.0.1'
-//    id 'io.spring.dependency-management' version '1.1.0'
-//}
-//
-//java {
-//    toolchain {
-//        languageVersion = JavaLanguageVersion.of(17)
-//    }
-//}
-//
-//configurations {
-//    compileOnly {
-//        extendsFrom annotationProcessor
-//    }
-//    jaxb
-//}
-//
-//repositories {
-//    flatDir { dirs "lib" }
-//    mavenCentral()
-//}
-//
-//dependencies {
-//    implementation project(':HIRS_Utils')
-//    implementation project(':HIRS_AttestationCA')
-//
-//    implementation 'org.springframework.boot:spring-boot-starter-web'
-//    implementation 'org.springframework.boot:spring-boot-starter-validation'
-//    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-//    implementation 'org.projectlombok:lombok:1.18.26'
-//    implementation 'org.bouncycastle:bcmail-jdk15on:1.70'
-//    implementation 'org.springframework.plugin:spring-plugin-core:3.0.0'
-//    implementation 'org.apache.httpcomponents:httpclient:4.5.7'
-//    implementation 'com.google.guava:guava:31.1-jre'
-//    implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
-//    implementation 'com.github.marandus:pci-ids:0.3'
-//    implementation 'org.apache.httpcomponents.client5:httpclient5:5.2.1'
-//    implementation 'commons-codec:commons-codec:1.15'
-//    implementation 'org.apache.commons:commons-lang3:3.12.0'
-//    implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
-//    implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
-//    implementation 'com.eclipsesource.minimal-json:minimal-json:0.9.5'
-//    implementation 'com.fasterxml.jackson.core:jackson-core:2.14.2'
-//    implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2'
-//    implementation "org.glassfish.jaxb:jaxb-runtime:4.0.1"
-//    implementation 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0'
-////    implementation 'com.sun.xml.bind:jaxb-impl:4.0.2' //creates duplicate error
-//    compileOnly 'org.projectlombok:lombok:1.18.26'
-//    runtimeOnly 'org.mariadb.jdbc:mariadb-java-client'
-//    annotationProcessor 'org.projectlombok:lombok:1.18.26'
-//    providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat'
-//
-//    testImplementation 'org.springframework.boot:spring-boot-starter-test'
-//}
-//
-//war {
-//    from(buildDir) {
-//        include 'VERSION'
-//        into 'WEB-INF/classes'
-//    }
-//    archiveFileName = 'HIRS_AttestationCAPortal.war'
-//}
-//
-//tasks.register("spring-boot-properties") {
-//    group = 'Introspection'
-//    description = 'Print properties from all BOMs'
-//    doLast {
-//        println dependencyManagement.importedProperties
-//    }
-//}
-//
-////task generateXjcLibrary(type:Exec) {
-////    workingDir 'config'
-////
-////    commandLine './genXjcLibrary.sh'
-////}
-////compileJava.dependsOn generateXjcLibrary
-//
-////ospackage {
-////    packageName = 'HIRS_AttestationCA'
-////    os = LINUX
-////    arch = NOARCH
-////    release = '1'
-////
-////    user 'root'
-////    fileMode = 0755
-////
-////    addParentDirs = true
-////    createDirectoryEntry true
-////
-////    into ("/opt/tomcat/webapps") {
-////        from war.outputs.files
-////        from '../HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war'
-////        user 'root'
-////        fileMode = 0755
-////    }
-////
-////    buildRpm {
-////        arch = X86_64
-////    }
-////}
--- a/package/scripts/common/db_create.sh
+++ b/package/scripts/common/db_create.sh
@ -1,4 +1,37 @@
 #!/bin/bash
+#
+###############################################################################
+# HIRS DB creation
+# Environment variables used:
+# a. HIRS_MYSQL_ROOT_EXSITING_PWD: set this variable if mysql root password is already set
+# b. HIRS_MYSQL_ROOT_PWD: set this variable if mysql root password is already set
+# c. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
+# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
+################################################################################
+
+# Set Mysql root password
+if [ ! -z $HIRS_MYSQL_ROOT_EXSITING_PWD ]; then
+   HIRS_MYSQL_ROOT_PWD=$HIRS_MYSQL_ROOT_EXSITING_PWD
+elif [ ! -z $HIRS_MYSQL_ROOT_NEW_PWD ]; then
+   HIRS_MYSQL_ROOT_PWD=$HIRS_MYSQL_ROOT_NEW_PWD
+else  #assume root pasword needs to be set
+   HIRS_MYSQL_ROOT_PWD="root"
+fi
+
+if [ -z $HIRS_DB_PWD ]; then
+   HIRS_DB_PWD="hirs_db"
+fi
+
+# Set root password if not set
+if mysql -u root -e 'quit' &> /dev/null; then
+   echo "Setting root password"
+   mysqladmin -u root --silent password $HIRS_MYSQL_ROOT_PWD || true > /dev/null 2>&1
+fi
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+echo "HIRS_MYSQL_ROOT_EXSITING_PWD is $HIRS_MYSQL_ROOT_EXSITING_PWD"
+echo "HIRS_MYSQL_ROOT_NEW_PWD is $HIRS_MYSQL_ROOT_NEW_PWD"
+echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"

 # Check if we're in a Docker container
 if [ -f /.dockerenv ]; then
@ -7,35 +40,37 @@ else
    DOCKER_CONTAINER=false
 fi

-echo "Creating HIRS Database..."
-
-if [ $DOCKER_CONTAINER  = true ]; then
-    # If in Docker container, avoid services that invoke the D-Bus
-    if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
-        /usr/libexec/mariadb-prepare-db-dir
-        nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
-        MYSQLD_PID=$(pgrep -u mysql mysqld)
-        /usr/libexec/mariadb-wait-ready $MYSQLD_PID
-    fi
-else
-    SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
-    chkconfig $SQL_SERVICE on
-    service $SQL_SERVICE start
+# Check if mysql is already running, if not initialize
+if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+# Check if running in a container
+   if [ $DOCKER_CONTAINER  = true ]; then
+   # if in Docker container, avoid services that invoke the D-Bus
+       echo "ACA is running in a container..."
+       # Check if mariadb is setup
+       if [ ! -d "/var/lib/mysql/mysql/" ]; then
+           echo "Installing mariadb"
+           /usr/bin/mysql_install_db 
+           chown -R mysql:mysql /var/lib/mysql/  
+       fi
+       echo "Starting mysql...."
+       #nohup /usr/bin/mysqld_safe > /dev/null 2>&1 &
+       chown -R mysql:mysql /var/log/mariadb
+       /usr/bin/mysqld_safe &
+   else
+       SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
+       systemctl $SQL_SERVICE enable
+       systemctl $SQL_SERVICE start
+   fi
 fi

-if [[ -f /etc/redhat-release ]] ; then
-    CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
-elif [[ -f /etc/os-release ]] ; then
-    AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
-fi
-if [ $CENTOS_VER -eq "6" ] ; then
-    DB_CREATE_SCRIPT=/opt/hirs/scripts/common/db_create.sql.el6
-elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
-    DB_CREATE_SCRIPT=/opt/hirs/scripts/common/db_create.sql.el7
-else
-    echo "Unsupported Linux detected"
-    exit 1
-fi
+# Wait for mysql to start before continuing.
+echo "Checking mysqld status..."
+while ! mysqladmin ping -h "$localhost" --silent; do
+  sleep 1;
+done

-mysql -fu root < $DB_CREATE_SCRIPT
-mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
+# Create the hirs_db database
+echo "Creating HIRS Database..." 
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/secure_mysql.sql
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
--- a/package/scripts/common/db_create.sql.el7
+++ b/package/scripts/common/db_create.sql.el7
@ -1,2 +1,2 @@
 CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
-GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "hirs_db" REQUIRE SSL;
+GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
--- a/package/scripts/common/db_drop.sh
+++ b/package/scripts/common/db_drop.sh
@ -1,4 +1,20 @@
-#!/usr/bin/env bash
+#!/bin/bash

+# Get the current password from the perstence.properties file
+#file="/etc/hirs/persistence.properties"
+# Change java key/value pairs into  valid bash key/value pairs
+#function prop {
+#    grep "${1}" ${file} | cut -d'=' -f2 | xargs
+#}
+
+#user="root"
+# user=$(prop 'persistence.db.user')
+#pwd=$(prop 'persistence.db.password')
+pwd="root"
+
+# Need to update when password get written to the persitence fil
 # delete the database
-mysql -u root < /opt/hirs/scripts/common/db_drop.sql
+
+if pgrep  mysqld >/dev/null 2>&1; then  
+    mysql -u "$user" --password="$pwd" < /opt/hirs/scripts/common/db_drop.sql
+fi
--- a/package/scripts/install_tomcat.sh
+++ b/package/scripts/install_tomcat.sh
@ -0,0 +1,35 @@
+#!/bin/bash
+tom_version="10.1.1"
+tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
+CATALINA_HOME=/opt/tomcat/
+CATALINA_BASE=/opt/tomcat/
+
+# Check if tomcat already installed 
+if [ -d "/opt/tomcat" ]; then
+   echo "tomcat already installed"
+else 
+   echo "installing $tom_version"
+   pushd /tmp
+   useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
+   dnf install wget -y
+   wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
+   mkdir /opt/tomcat
+   tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
+   rm apache-tomcat-$tom_version.tar.gz
+   chown -R tomcat: /opt/tomcat
+   sudo sh -c 'chmod +x /opt/tomcat/bin/*.sh'
+   popd
+fi
+if [ -f /.dockerenv ]; then
+  echo "in a container..."
+  sh /opt/tomcat/bin/catalina.sh start
+else 
+  cp /opt/hirs/scripts/aca/tomcat.service   /etc/systemd/system/.
+  systemctl daemon-reload
+  systemctl start tomcat
+  systemctl enable tomcat
+fi
+if [ $(pgrep -c FirewallD) == "1" ]; then
+   firewall-cmd --add-port=8080/tcp --permanent
+   firewall-cmd --add-port=8443/tcp --permanent
+fi
--- a/settings.gradle
+++ b/settings.gradle
@ -5,34 +5,35 @@ include 'HIRS_Utils',
        'HIRS_AttestationCAPortal',
        ':tools:tcg_eventlog_tool',
        ':tools:tcg_rim_tool'
-        
+
 dependencyResolutionManagement {
    versionCatalogs {
        libs {
            version('springboot', '3.0.1')
            version('jackson', '2.14.2')
-            library('bouncycastle',  'org.bouncycastle:bcmail-jdk15on:1.70')
            library('commons-codec', 'commons-codec:commons-codec:1.15')
+            library('commons_io',    'commons-io:commons-io:2.11.0')
            library('commons-lang3', 'org.apache.commons:commons-lang3:3.12.0')
-            library('commons_io', 'commons-io:commons-io:2.11.0')
+            library('bouncycastle', 'org.bouncycastle:bcmail-jdk15on:1.70')
            library('glassfish_json',   'org.glassfish:javax.json:1.1.4')
            library('glassfish_jaxb_runtime',   'org.glassfish.jaxb:jaxb-runtime:2.3.1')
+            library('gson', 'com.google.code.gson:gson:2.10.1')
            library('guava', 'com.google.guava:guava:31.1-jre')
            library('minimal-json', 'com.eclipsesource.minimal-json:minimal-json:0.9.5')
            library('jakarta-servlet', 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0')
            library('jakarta-api', 'jakarta.persistence:jakarta.persistence-api:3.1.0')
            library('jakarta-xml', 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0')
+            library('jcommander',    'com.beust:jcommander:1.82')
+            library('hibernate-core', 'org.hibernate:hibernate-core:6.1.7.Final')
            library('jackson-core', 'com.fasterxml.jackson.core', 'jackson-core').versionRef('jackson')
            library('jackson-databind', 'com.fasterxml.jackson.core', 'jackson-databind').versionRef('jackson')
-            library('jcommander', 'com.beust:jcommander:1.82')
- //           library('log4j2', 'org.apache.logging.log4j:log4j-api:2.17.1')
- //           library('log4j2-core', 'org.apache.logging.log4j:log4j-core:2.17.1')
-            library('lombok', 'org.projectlombok:lombok:1.18.26')
            library('pci', 'com.github.marandus:pci-ids:0.3')
-            library('testng', 'org.testng:testng:7.4.0')
+            library('ospackage', 'com.netflix.nebula:gradle-ospackage-plugin:11.2.0')
 //            library('spring-datajpa', 'org.springframework.boot', 'spring-boot-starter-data-jpa').version('springboot')
 //            library('spring-datajpa', 'org.springframework.boot', 'spring-boot-starter-web').version('springboot')
 //            library('spring-datajpa', 'org.springframework.boot', 'spring-boot-starter-validation').version('springboot')
+            library('lombok', 'org.projectlombok:lombok:1.18.26')
+            library('testng', 'org.testng:testng:7.4.0')
        }
    }
 }
--- a/tools/tcg_eventlog_tool/build.gradle
+++ b/tools/tcg_eventlog_tool/build.gradle
@ -128,4 +128,4 @@ ospackage {
    buildDeb {
        arch = X86_64
    }
-}
+}