diff --git a/HIRS_AttestationCA/build.gradle b/HIRS_AttestationCA/build.gradle index dd39cbb5..1580bfce 100644 --- a/HIRS_AttestationCA/build.gradle +++ b/HIRS_AttestationCA/build.gradle @@ -25,12 +25,15 @@ dependencies { implementation project(':HIRS_Utils') implementation 'org.springframework.boot:spring-boot-starter-data-jpa:3.0.1' + implementation 'com.github.darrachequesne:spring-data-jpa-datatables:6.0.1' + implementation 'org.springframework.retry:spring-retry:2.0.0' implementation libs.bouncycastle implementation libs.commons.codec implementation libs.commons.lang3 implementation libs.jakarta.api implementation libs.jakarta.xml + implementation libs.hibernate.core implementation libs.guava implementation libs.jackson.core implementation libs.jackson.databind diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java index 0fda758e..4b363c59 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java @@ -152,4 +152,12 @@ public class ReferenceManifest extends ArchivableEntity { } return null; } + + public boolean isBase() { + return rimType.equals(BASE_RIM); + } + + public boolean isSupport() { + return rimType.equals(SUPPORT_RIM); + } } diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index d10f3763..6187e4d8 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -3,7 +3,7 @@ plugins { id 'java' id 'war' id "nebula.ospackage" version "9.1.1" - id 'org.springframework.boot' version '3.0.1' + id 'org.springframework.boot' version '3.0.6' id 'io.spring.dependency-management' version '1.1.0' } 
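Review bot: `rimType.equals(BASE_RIM)` in the new isBase() and isSupport() methods dereferences rimType, so an entity whose rimType field is null throws NullPointerException rather than returning false; reversing the comparison avoids that: `return BASE_RIM.equals(rimType);` and `return SUPPORT_RIM.equals(rimType);`. Whether rimType can be null is not visible in this hunk, but for a JPA entity field without a visible non-null constraint the defensive form costs nothing. Both public methods also lack Javadoc; a one-liner such as `/** Returns true when this manifest's rimType is the base-RIM type. */` (and the support-RIM counterpart) would match the convention for public members. BASE_RIM and SUPPORT_RIM are defined outside the hunk.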
@@ -41,6 +41,7 @@ dependencies { implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-validation' implementation 'org.springframework.boot:spring-boot-starter-data-jpa' + implementation 'com.github.darrachequesne:spring-data-jpa-datatables:6.0.1' implementation 'org.projectlombok:lombok' compileOnly 'org.projectlombok:lombok' 
@@ -59,4 +60,99 @@ war { archiveFileName = 'HIRS_AttestationCAPortal.war' } +ospackage { + packageName = 'HIRS_AttestationCA' + os = LINUX + arch = NOARCH + version = "$packVersion" + release = '1' + user 'root' + fileMode = 0755 + + def tpath="/opt" + + addParentDirs = true + createDirectoryEntry true + + preInstall "rm -rf /opt/hirs/default-properties" + preInstall "mkdir -p /opt/hirs/default-properties/" + preInstall "mkdir -p /tmp/hirs/default-properties/" + + // Setup /etc/hirs + into ('/etc/hirs/aca/') { + from '../HIRS_AttestationCA/src/main/resources/defaults.properties' + rename {'aca.properties'} + } + into ('/etc/hirs/') { + from '../HIRS_Utils/src/main/resources/banner.properties' + from '../HIRS_Utils/src/main/resources/persistence.properties' + from '../HIRS_Utils/src/main/resources/logging.properties' + } + // Setup tomcat files + // Create and package HIRS_AttestationCA:war + into ("${tpath}/tomcat/webapps") { + from war.outputs.files + from '../HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war' + user 'root' + fileMode = 0755 + } + into ("${tpath}/tomcat/lib") { + from 'libs' + from configurations.runtimeClasspath + } + into ("/opt/hirs/scripts/aca/") { + from '../package/conf/tomcat.service' + from '../package/scripts/install_tomcat.sh' + from '../package/scripts/aca/certificate_generate.sh' + } + into ("/opt/hirs/scripts/common") { + from '../package/scripts/common/' + } + into ('/opt/hirs/extras/aca/') { + from '../package/extras/aca/' + } + + // Copy json files to /tmp and move into /opt/hirs in postInstall section + // Allows HIRS tools to be installed using the same files + into ('/tmp/aca/default-properties/') { + from '../HIRS_AttestationCA/src/main/resources/vendor-table.json' + from '../HIRS_AttestationCA/src/main/resources/component-class.json' + } + // Post Install + postInstall file('../package/scripts/common/db_create.sh') + // postInstall file('../package/scripts/common/ssl_configure.sh') + // postInstall 'mkdir -p 
/etc/hirs/aca/client_files' + postInstall 'mkdir -p /etc/hirs/aca/certificates' + postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.' + postInstall 'rm -rf /tmp/aca/' + // postInstall file('../package/scripts/install_tomcat.sh') + // Old post install files, to be removed... + // Note /etc/hirs/aca/certificates files are created by certificate_generate.sh + // /etc/hirs/aca/client-files files are created by certificate_generate.sh + // /etc/hirs/certificates/ files are created by ssl_configure.sh + // /etc/hirs/certificates/mysql/ files are created by ssl_configure.sh + // /etc/hirs/certificates/private/ files are created by ssl_configure.sh + // postInstall file('../package/scripts/common/firewall_configure_tomcat.sh') + // postInstall file('../package/scripts/common/ssl_configure.sh') + // postInstall file('../package/scripts/aca/certificate_generate.sh') + // postInstall 'if [ selinuxenabled ]; then semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp; fi' + + postInstall 'sh /opt/tomcat/bin/catalina.sh start' + + // Post Uninstall + // Copy files to /tmp that package manager will be expecting them there + preUninstall 'mkdir -p /tmp/aca/default-properties/' + preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.' + preUninstall file('../package/scripts/common/db_drop.sh') + + //buildRpm.dependsOn ':HIRS_AttestationCA:war' + + buildRpm { + arch = X86_64 + } + + buildDeb { + arch = 'amd64' + } +} diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java index c9c14302..d03daf12 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/PersistenceJPAConfig.java 
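Review bot: the package-wide `fileMode = 0755` also applies to the `into ('/etc/hirs/')` and `into ('/etc/hirs/aca/')` blocks, so persistence.properties and aca.properties are installed world-readable; db_drop.sh in this same commit expects `/etc/hirs/persistence.properties` to carry `persistence.db.password`, which would then be readable by every local account. Adding `fileMode = 0640` inside those two `into` blocks (the webapps block already overrides the mode the same way) keeps the credential files restricted. `postInstall 'sh /opt/tomcat/bin/catalina.sh start'` is presumably executed as root by the package manager, while install_tomcat.sh in this commit creates a dedicated tomcat user; confirm which account the service is meant to run under so the two paths agree.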
@@ -3,6 +3,7 @@ package hirs.attestationca.portal; import hirs.attestationca.persist.entity.userdefined.SupplyChainSettings; import lombok.extern.log4j.Log4j2; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; diff --git a/build.gradle b/build.gradle index 00db93d6..d9ea99ac 100644 --- a/build.gradle +++ b/build.gradle @@ -4,9 +4,6 @@ import org.gradle.api.tasks.Copy plugins { // Apply the application plugin to add support for building a CLI application in Java. id 'application' -// id 'java' -// id 'war' -// id "nebula.ospackage" version "9.1.1" } // Global checkstyle file 
@@ -39,113 +36,3 @@ def gitHash = { -> project.ext["jarVersion"] = "${projectVersion}.${buildTime}.${gitHash}" project.ext["packageVersion"] = "${projectVersion}.${buildTime}.${gitHash}.el8" -//subprojects { -// -//} - -//plugins { -// id 'application' -// id 'java' -// id 'war' -// id "nebula.ospackage" version "9.1.1" -// id 'org.springframework.boot' version '3.0.1' -// id 'io.spring.dependency-management' version '1.1.0' -//} -// -//java { -// toolchain { -// languageVersion = JavaLanguageVersion.of(17) -// } -//} -// -//configurations { -// compileOnly { -// extendsFrom annotationProcessor -// } -// jaxb -//} -// -//repositories { -// flatDir { dirs "lib" } -// mavenCentral() -//} -// -//dependencies { -// implementation project(':HIRS_Utils') -// implementation project(':HIRS_AttestationCA') -// -// implementation 'org.springframework.boot:spring-boot-starter-web' -// implementation 'org.springframework.boot:spring-boot-starter-validation' -// implementation 'org.springframework.boot:spring-boot-starter-data-jpa' -// implementation 'org.projectlombok:lombok:1.18.26' -// implementation 'org.bouncycastle:bcmail-jdk15on:1.70' -// implementation 'org.springframework.plugin:spring-plugin-core:3.0.0' -// implementation 'org.apache.httpcomponents:httpclient:4.5.7' -// implementation 'com.google.guava:guava:31.1-jre' -// implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0' -// implementation 'com.github.marandus:pci-ids:0.3' -// implementation 'org.apache.httpcomponents.client5:httpclient5:5.2.1' -// implementation 'commons-codec:commons-codec:1.15' -// implementation 'org.apache.commons:commons-lang3:3.12.0' -// implementation 'org.apache.logging.log4j:log4j-core:2.19.0' -// implementation 'org.apache.logging.log4j:log4j-api:2.19.0' -// implementation 'com.eclipsesource.minimal-json:minimal-json:0.9.5' -// implementation 'com.fasterxml.jackson.core:jackson-core:2.14.2' -// implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2' -// 
implementation "org.glassfish.jaxb:jaxb-runtime:4.0.1" -// implementation 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0' -//// implementation 'com.sun.xml.bind:jaxb-impl:4.0.2' //creates duplicate error -// compileOnly 'org.projectlombok:lombok:1.18.26' -// runtimeOnly 'org.mariadb.jdbc:mariadb-java-client' -// annotationProcessor 'org.projectlombok:lombok:1.18.26' -// providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat' -// -// testImplementation 'org.springframework.boot:spring-boot-starter-test' -//} -// -//war { -// from(buildDir) { -// include 'VERSION' -// into 'WEB-INF/classes' -// } -// archiveFileName = 'HIRS_AttestationCAPortal.war' -//} -// -//tasks.register("spring-boot-properties") { -// group = 'Introspection' -// description = 'Print properties from all BOMs' -// doLast { -// println dependencyManagement.importedProperties -// } -//} -// -////task generateXjcLibrary(type:Exec) { -//// workingDir 'config' -//// -//// commandLine './genXjcLibrary.sh' -////} -////compileJava.dependsOn generateXjcLibrary -// -////ospackage { -//// packageName = 'HIRS_AttestationCA' -//// os = LINUX -//// arch = NOARCH -//// release = '1' -//// -//// user 'root' -//// fileMode = 0755 -//// -//// addParentDirs = true -//// createDirectoryEntry true -//// -//// into ("/opt/tomcat/webapps") { -//// from war.outputs.files -//// from '../HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war' -//// user 'root' -//// fileMode = 0755 -//// } -//// -//// buildRpm { -//// arch = X86_64 -//// } -////} \ No newline at end of file diff --git a/package/scripts/common/db_create.sh b/package/scripts/common/db_create.sh index 0c605775..b705d329 100644 --- a/package/scripts/common/db_create.sh +++ b/package/scripts/common/db_create.sh 
@@ -1,4 +1,37 @@
 #!/bin/bash
+#
+###############################################################################
+# HIRS DB creation
+# Environment variables used:
+# a. HIRS_MYSQL_ROOT_EXSITING_PWD: set this variable if mysql root password is already set
+# b. HIRS_MYSQL_ROOT_PWD: set this variable if mysql root password is already set
+# c. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
+# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
+################################################################################
+
+# Set Mysql root password
+if [ ! -z $HIRS_MYSQL_ROOT_EXSITING_PWD ]; then
+  HIRS_MYSQL_ROOT_PWD=$HIRS_MYSQL_ROOT_EXSITING_PWD
+elif [ ! -z $HIRS_MYSQL_ROOT_NEW_PWD ]; then
+  HIRS_MYSQL_ROOT_PWD=$HIRS_MYSQL_ROOT_NEW_PWD
+else #assume root pasword needs to be set
+  HIRS_MYSQL_ROOT_PWD="root"
+fi
+
+if [ -z $HIRS_DB_PWD ]; then
+  HIRS_DB_PWD="hirs_db"
+fi
+
+# Set root password if not set
+if mysql -u root -e 'quit' &> /dev/null; then
+  echo "Setting root password"
+  mysqladmin -u root --silent password $HIRS_MYSQL_ROOT_PWD || true > /dev/null 2>&1
+fi
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+echo "HIRS_MYSQL_ROOT_EXSITING_PWD is $HIRS_MYSQL_ROOT_EXSITING_PWD"
+echo "HIRS_MYSQL_ROOT_NEW_PWD is $HIRS_MYSQL_ROOT_NEW_PWD"
+echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
 
 # Check if we're in a Docker container
 if [ -f /.dockerenv ]; then
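Review bot: the four `echo` lines at the end of the hunk print HIRS_DB_PWD and the resolved MySQL root password to stdout, so both credentials land in the package-manager output and container logs of every install; drop them or reduce them to presence checks such as `echo "HIRS_DB_PWD is set"`. On the `mysqladmin -u root --silent password $HIRS_MYSQL_ROOT_PWD || true > /dev/null 2>&1` line the redirection binds to `true`, not to mysqladmin, so its error output is still printed, and the password passed as an argument is visible in the process list while it runs. The `[ ! -z $HIRS_MYSQL_ROOT_EXSITING_PWD ]` and `[ ! -z $HIRS_MYSQL_ROOT_NEW_PWD ]` tests are unquoted, so a value containing whitespace breaks the test; `[ -n "$HIRS_MYSQL_ROOT_EXSITING_PWD" ]` is the safe form. The fallback to `HIRS_MYSQL_ROOT_PWD="root"` when neither variable is set leaves a plain install with a guessable root password, which the header comment should at least state so operators know to set HIRS_MYSQL_ROOT_NEW_PWD.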
@@ -7,35 +40,37 @@ else
   DOCKER_CONTAINER=false
 fi
 
-echo "Creating HIRS Database..."
-
-if [ $DOCKER_CONTAINER = true ]; then
-  # If in Docker container, avoid services that invoke the D-Bus
-  if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
-    /usr/libexec/mariadb-prepare-db-dir
-    nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null &
-    MYSQLD_PID=$(pgrep -u mysql mysqld)
-    /usr/libexec/mariadb-wait-ready $MYSQLD_PID
-  fi
-else
-  SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
-  chkconfig $SQL_SERVICE on
-  service $SQL_SERVICE start
+# Check if mysql is already running, if not initialize
+if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+# Check if running in a container
+  if [ $DOCKER_CONTAINER = true ]; then
+    # if in Docker container, avoid services that invoke the D-Bus
+    echo "ACA is running in a container..."
+    # Check if mariadb is setup
+    if [ ! -d "/var/lib/mysql/mysql/" ]; then
+      echo "Installing mariadb"
+      /usr/bin/mysql_install_db
+      chown -R mysql:mysql /var/lib/mysql/
+    fi
+    echo "Starting mysql...."
+    #nohup /usr/bin/mysqld_safe > /dev/null 2>&1 &
+    chown -R mysql:mysql /var/log/mariadb
+    /usr/bin/mysqld_safe &
+  else
+    SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
+    systemctl $SQL_SERVICE enable
+    systemctl $SQL_SERVICE start
+  fi
 fi
 
-if [[ -f /etc/redhat-release ]] ; then
-  CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh`
-elif [[ -f /etc/os-release ]] ; then
-  AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh`
-fi
-if [ $CENTOS_VER -eq "6" ] ; then
-  DB_CREATE_SCRIPT=/opt/hirs/scripts/common/db_create.sql.el6
-elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then
-  DB_CREATE_SCRIPT=/opt/hirs/scripts/common/db_create.sql.el7
-else
-  echo "Unsupported Linux detected"
-  exit 1
-fi
+# Wait for mysql to start before continuing.
+echo "Checking mysqld status..."
+while ! mysqladmin ping -h "$localhost" --silent; do
+  sleep 1;
+done
 
-mysql -fu root < $DB_CREATE_SCRIPT
-mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
+# Create the hirs_db database
+echo "Creating HIRS Database..."
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/secure_mysql.sql
+mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
diff --git a/package/scripts/common/db_create.sql.el7 b/package/scripts/common/db_create.sql
similarity index 53%
rename from package/scripts/common/db_create.sql.el7
rename to package/scripts/common/db_create.sql
index 87bc581c..8d4ee212 100644
--- a/package/scripts/common/db_create.sql.el7
+++ b/package/scripts/common/db_create.sql
@@ -1,2 +1,2 @@
 CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci';
-GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "hirs_db" REQUIRE SSL;
+GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD";
diff --git a/package/scripts/common/db_drop.sh b/package/scripts/common/db_drop.sh
index 80e3868f..21514124 100644
--- a/package/scripts/common/db_drop.sh
+++ b/package/scripts/common/db_drop.sh
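Review bot: `mysqladmin ping -h "$localhost" --silent` in the wait loop expands a shell variable named localhost that nothing sets, so the host argument is an empty string; the literal was presumably intended: `while ! mysqladmin ping -h localhost --silent; do`. In the non-container branch `systemctl $SQL_SERVICE enable` and `systemctl $SQL_SERVICE start` put the unit name before the verb, which systemctl does not accept, so the service is never enabled or started and the script relies on the wait loop never returning; the lines should read `systemctl enable "$SQL_SERVICE"` and `systemctl start "$SQL_SERVICE"`. The three `--password=$HIRS_MYSQL_ROOT_PWD` invocations at the end place the root password in the process command line, where any local user can read it via ps for the duration of the call; exporting it as MYSQL_PWD for those commands, or using a `--defaults-extra-file` written with mode 0600, keeps it out of the process table.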
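Review bot: mysql does not expand shell variables in a script fed on stdin, so `IDENTIFIED BY "$HIRS_DB_PWD"` creates the hirs_db account with the literal string $HIRS_DB_PWD as its password; it only ends up correct because db_create.sh follows with an ALTER USER, and any other consumer of this file gets a constant, predictable password. A comment in the file, e.g. `-- placeholder only: db_create.sh sets the real password via ALTER USER`, would make that dependency explicit. The rewrite also drops `REQUIRE SSL` from the grant, so hirs_db connections no longer have to use TLS; if that is intentional it belongs in the commit description, otherwise keep the clause on the new line.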
@@ -1,4 +1,20 @@
-#!/usr/bin/env bash
+#!/bin/bash
+# Get the current password from the perstence.properties file
+#file="/etc/hirs/persistence.properties"
+# Change java key/value pairs into valid bash key/value pairs
+#function prop {
+#  grep "${1}" ${file} | cut -d'=' -f2 | xargs
+#}
+
+#user="root"
+# user=$(prop 'persistence.db.user')
+#pwd=$(prop 'persistence.db.password')
+pwd="root"
+
+# Need to update when password get written to the persitence fil
 
 # delete the database
-mysql -u root < /opt/hirs/scripts/common/db_drop.sql
+
+if pgrep mysqld >/dev/null 2>&1; then
+  mysql -u "$user" --password="$pwd" < /opt/hirs/scripts/common/db_drop.sql
+fi
diff --git a/package/scripts/install_tomcat.sh b/package/scripts/install_tomcat.sh
new file mode 100644
index 00000000..f47f8d66
--- /dev/null
+++ b/package/scripts/install_tomcat.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+tom_version="10.1.1"
+tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
+CATALINA_HOME=/opt/tomcat/
+CATALINA_BASE=/opt/tomcat/
+
+# Check if tomcat already installed
+if [ -d "/opt/tomcat" ]; then
+  echo "tomcat already installed"
+else
+  echo "installing $tom_version"
+  pushd /tmp
+  useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
+  dnf install wget -y
+  wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
+  mkdir /opt/tomcat
+  tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
+  rm apache-tomcat-$tom_version.tar.gz
+  chown -R tomcat: /opt/tomcat
+  sudo sh -c 'chmod +x /opt/tomcat/bin/*.sh'
+  popd
+fi
+if [ -f /.dockerenv ]; then
+  echo "in a container..."
+  sh /opt/tomcat/bin/catalina.sh start
+else
+  cp /opt/hirs/scripts/aca/tomcat.service /etc/systemd/system/.
+  systemctl daemon-reload
+  systemctl start tomcat
+  systemctl enable tomcat
+fi
+if [ $(pgrep -c FirewallD) == "1" ]; then
+  firewall-cmd --add-port=8080/tcp --permanent
+  firewall-cmd --add-port=8443/tcp --permanent
+fi
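Review bot: `mysql -u "$user" --password="$pwd"` reads $user, but its only assignment `#user="root"` is left commented out, so the client is invoked with an empty user name and the drop fails on a default install; `user="root"` needs to be active next to `pwd="root"`. The hard-coded `pwd="root"` only matches the fallback db_create.sh uses when neither HIRS_MYSQL_ROOT_NEW_PWD nor HIRS_MYSQL_ROOT_EXSITING_PWD is set, so any install that supplied a real root password will leave hirs_db behind at uninstall; the commented prop() helper that reads persistence.properties looks like the intended source and the TODO comment should say so. As in db_create.sh, `--password="$pwd"` exposes the value on the command line for the life of the mysql process.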
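Review bot: the `wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz` line hands whatever the download returns straight to `tar` with no integrity check, and `mkdir`/`tar`/`chown` still run when wget fails. Apache publishes a `.sha512` file beside each tarball, so fetching `wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz.sha512` and gating extraction on `sha512sum -c apache-tomcat-$tom_version.tar.gz.sha512 || exit 1` pins the install to a known artifact. `sudo sh -c 'chmod +x /opt/tomcat/bin/*.sh'` is the only sudo in a script that already runs useradd, dnf and chown as root; a plain `chmod +x /opt/tomcat/bin/*.sh` is consistent with the rest. The `CATALINA_HOME` and `CATALINA_BASE` assignments are not exported, so as written they do not reach catalina.sh.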
diff --git a/settings.gradle b/settings.gradle index e989f1b6..f06ebf20 100644 --- a/settings.gradle +++ b/settings.gradle 
@@ -5,34 +5,35 @@ include 'HIRS_Utils', 'HIRS_AttestationCAPortal', ':tools:tcg_eventlog_tool', ':tools:tcg_rim_tool' - + dependencyResolutionManagement { versionCatalogs { libs { version('springboot', '3.0.1') version('jackson', '2.14.2') - library('bouncycastle', 'org.bouncycastle:bcmail-jdk15on:1.70') library('commons-codec', 'commons-codec:commons-codec:1.15') + library('commons_io', 'commons-io:commons-io:2.11.0') library('commons-lang3', 'org.apache.commons:commons-lang3:3.12.0') - library('commons_io', 'commons-io:commons-io:2.11.0') + library('bouncycastle', 'org.bouncycastle:bcmail-jdk15on:1.70') library('glassfish_json', 'org.glassfish:javax.json:1.1.4') library('glassfish_jaxb_runtime', 'org.glassfish.jaxb:jaxb-runtime:2.3.1') + library('gson', 'com.google.code.gson:gson:2.10.1') library('guava', 'com.google.guava:guava:31.1-jre') library('minimal-json', 'com.eclipsesource.minimal-json:minimal-json:0.9.5') library('jakarta-servlet', 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0') library('jakarta-api', 'jakarta.persistence:jakarta.persistence-api:3.1.0') library('jakarta-xml', 'jakarta.xml.bind:jakarta.xml.bind-api:4.0.0') + library('jcommander', 'com.beust:jcommander:1.82') + library('hibernate-core', 'org.hibernate:hibernate-core:6.1.7.Final') library('jackson-core', 'com.fasterxml.jackson.core', 'jackson-core').versionRef('jackson') library('jackson-databind', 'com.fasterxml.jackson.core', 'jackson-databind').versionRef('jackson') - library('jcommander', 'com.beust:jcommander:1.82') - // library('log4j2', 'org.apache.logging.log4j:log4j-api:2.17.1') - // library('log4j2-core', 'org.apache.logging.log4j:log4j-core:2.17.1') - library('lombok', 'org.projectlombok:lombok:1.18.26') library('pci', 'com.github.marandus:pci-ids:0.3') - library('testng', 'org.testng:testng:7.4.0') + library('ospackage', 'com.netflix.nebula:gradle-ospackage-plugin:11.2.0') // library('spring-datajpa', 'org.springframework.boot', 
'spring-boot-starter-data-jpa').version('springboot') // library('spring-datajpa', 'org.springframework.boot', 'spring-boot-starter-web').version('springboot') // library('spring-datajpa', 'org.springframework.boot', 'spring-boot-starter-validation').version('springboot') + library('lombok', 'org.projectlombok:lombok:1.18.26') + library('testng', 'org.testng:testng:7.4.0') } } } diff --git a/tools/tcg_eventlog_tool/build.gradle b/tools/tcg_eventlog_tool/build.gradle index 31ac32b2..6960d4e0 100644 --- a/tools/tcg_eventlog_tool/build.gradle +++ b/tools/tcg_eventlog_tool/build.gradle @@ -128,4 +128,4 @@ ospackage { buildDeb { arch = X86_64 } -} \ No newline at end of file +}