added aca_setup.sh to support embedded tomcat [no ci]

HIRS_AttestationCAPortal/build.gradle

@@ -102,12 +102,22 @@ ospackage {
       from configurations.runtimeClasspath 
     }
     into ("/opt/hirs/scripts/aca/") {
-     from '../package/scripts/pki/pki_chain_gen.sh'
-     from '../package/scripts/pki/pki_setup.sh'
-     from '../package/scripts/aca/aca_proprty_setup.sh'
      from '../package/conf/tomcat.service'
      from '../package/scripts/install_tomcat.sh'
-     from '../package/scripts/aca/certificate_generate.sh'
+     from '../package/scripts/aca/aca_property_setup.sh'
+     from '../package/scripts/aca/aca_setup.sh'
+    }
+    into ("/opt/hirs/scripts/pki/") {
+     from '../package/scripts/pki/ca.conf'
+     from '../package/scripts/pki/pki_setup.sh'
+     from '../package/scripts/pki/pki_chain_gen.sh'
+    }
+    into ("/opt/hirs/scripts/db/") {
+     from '../package/scripts/db/db_create.sh'
+     from '../package/scripts/db/db_create.sql'
+     from '../package/scripts/db/db_drop.sh'
+     from '../package/scripts/db/db_drop.sql'
+     from '../package/scripts/db/secure_mysql.sql'
     }
     into ("/opt/hirs/scripts/common") {
      from '../package/scripts/common/'
@@ -123,35 +133,14 @@ ospackage {
        from '../HIRS_AttestationCA/src/main/resources/component-class.json'
     }
   // Post Install
-//   println "*** Checking MYSQL Configuration ...."
-//    println " Myql password is $System.env.HIRS_MYSQL_ROOT_PWD"
-//   println " Myql password is ${System.getenv('HIRS_MYSQL_ROOT_PWD')} "
 
-//   if ( "$System.env.HIRS_MYSQL_ROOT_PWD".compareTo("null") == 0 ) {
-//      println "Gradle: Mysql Root password not set"
-//   }
-//   else {
-//      println "Gradle: Mysql Root Password set to $System.env.HIRS_MYSQL_ROOT_PWD" 
- //  }
+    postInstall file('../package/scripts/db/db_create.sh')
+    postInstall file('../package/scripts/pki/pki_setup.sh')
 
-     postInstall file('../package/scripts/common/db_create.sh')
-//   postInstall file('../package/scripts/pki/pki_setup.sh')  
-//  postInstall file('../package/scripts/common/ssl_configure.sh')
-  //  postInstall 'mkdir -p /etc/hirs/aca/client_files'
     postInstall 'mkdir -p /etc/hirs/aca/certificates'
     postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
     postInstall 'rm -rf /tmp/aca/'
  //  postInstall file('../package/scripts/install_tomcat.sh')
- //   Old post install files, to be removed...
- // Note /etc/hirs/aca/certificates files are created by  certificate_generate.sh
- //      /etc/hirs/aca/client-files files are created by  certificate_generate.sh
- //      /etc/hirs/certificates/ files are created by ssl_configure.sh
- //      /etc/hirs/certificates/mysql/  files are created by ssl_configure.sh
- //      /etc/hirs/certificates/private/  files are created by ssl_configure.sh
- //   postInstall file('../package/scripts/common/firewall_configure_tomcat.sh')
- //   postInstall file('../package/scripts/common/ssl_configure.sh')
- //   postInstall file('../package/scripts/aca/certificate_generate.sh')
- //   postInstall 'if [ selinuxenabled ]; then semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp; fi'
      
     postInstall 'sh /opt/tomcat/bin/catalina.sh start'
 
@@ -159,9 +148,7 @@ ospackage {
     // Copy files to /tmp that package manager will be expecting them there
     preUninstall 'mkdir -p /tmp/aca/default-properties/'
     preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.'
-    preUninstall file('../package/scripts/common/db_drop.sh')
-
-    //buildRpm.dependsOn ':HIRS_AttestationCA:war'
+    preUninstall file('../package/scripts/db/db_drop.sh')
 
     buildRpm {
         arch = X86_64

package/scripts/aca/aca_setup.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Capture location of the script to allow from invocation from any location
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+pushd $SCRIPT_DIR
+
+sh ../db/db_create.sh
+if [ $? -eq 0 ]; then
+    echo "ACA database setup complete"
+  else
+    echo "Error setting up ACA DB"
+    exit 1
+fi
+sh ../pki/pki_setup.sh
+if [ $? -eq 0 ]; then 
+      echo "ACA PKI  setup complete"
+  else
+    echo "Error setting up ACA PKI"
+    exit 1
+fi
+ echo "ACA setup complete"
+
+popd

package/scripts/common/db_create.sql.el6

@@ -1,2 +0,0 @@
-CREATE DATABASE IF NOT EXISTS `hirs_db`;
-GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "hirs_db" REQUIRE SSL;

package/scripts/common/get_amazon_linux_major_version.sh

@@ -1 +0,0 @@
-cat /etc/os-release | grep -Eo "VERSION=\"[0-9]" | tail -c 2

package/scripts/common/my.cnf.el6

@@ -1,5 +0,0 @@
-#begin-hirs-cfg
-ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
-ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
-ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
-#end-hirs-cfg

package/scripts/common/upgrade_schema_1.0.4.sql

@@ -1,30 +0,0 @@
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_0_4;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_0_4()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='isDeltaChain')) THEN
-ALTER TABLE Certificate ADD isDeltaChain bit(1) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformBase')) THEN
-ALTER TABLE Certificate ADD platformBase bit(1) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformChainType')) THEN
-ALTER TABLE Certificate ADD platformChainType varchar(255) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='SupplyChainValidationSummary' AND COLUMN_NAME='message')) THEN
-ALTER TABLE SupplyChainValidationSummary ADD message longtext;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='TPMReport' AND COLUMN_NAME='rawQuote')) THEN
-ALTER TABLE TPMReport ADD rawQuote blob;
-END IF;
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_0_4;
-DROP PROCEDURE upgrade_schema_to_1_0_4;
-

package/scripts/common/upgrade_schema_1.1.0.sql

@@ -1,16 +0,0 @@
-#commands here if there are schema changes in 1.1.0
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_0;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_1_0()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='componentFailures')) THEN
-ALTER TABLE Certificate ADD componentFailures varchar(255) DEFAULT NULL;
-END IF;
-
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_1_0;
-DROP PROCEDURE upgrade_schema_to_1_1_0;
-

package/scripts/common/upgrade_schema_1.1.1.sql

@@ -1,23 +0,0 @@
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_1;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_1_1()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMajorVersion')) THEN
-ALTER TABLE Certificate ADD tcgCredentialMajorVersion int(11) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMinorVersion')) THEN
-ALTER TABLE Certificate ADD tcgCredentialMinorVersion int(11) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialRevisionLevel')) THEN
-ALTER TABLE Certificate ADD tcgCredentialRevisionLevel int(11) DEFAULT NULL;
-END IF;
-
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_1_1;
-DROP PROCEDURE upgrade_schema_to_1_1_1;
-

package/scripts/db/db_create.sh

@@ -8,6 +8,8 @@
 # HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
 ################################################################################
 
+# Capture location of the script to allow from invocation from any location
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 # Set Mysql HIRS DB  password
 if [ -z $HIRS_DB_PWD ]; then
    HIRS_DB_PWD="hirs_db"
@@ -40,7 +42,7 @@ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
        chown -R mysql:mysql /var/log/mariadb
        /usr/bin/mysqld_safe &
    else
-       SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
+       SQL_SERVICE="mariadb"
        systemctl $SQL_SERVICE enable
        systemctl $SQL_SERVICE start
    fi
@@ -51,9 +53,6 @@ echo "Checking mysqld status..."
 while ! mysqladmin ping -h "$localhost" --silent; do
   sleep 1;
 done
-
-# Test the root password, error if the password doesnt work
-
 if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
     echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
     mysql -fu root  -e 'quit'  &> /dev/null;
@@ -62,7 +61,7 @@ else
    $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit'  &> /dev/null);
 fi
 if [ $? -eq 0 ]; then
- echo "root password verified" 
+ echo "root password verified"
 else
  echo "MYSQL root password was not the default, not supplied,  or was incorrect"
  echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
@@ -73,16 +72,21 @@ fi
 echo "HIRS_DB_PWD is $HIRS_DB_PWD"
 echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
 
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
-    DOCKER_CONTAINER=true
+if [ -d /opt/hirs/scripts/db ]; then
+   MYSQL_DIR="/opt/hirs/scripts/db"
 else
-    DOCKER_CONTAINER=false
+
+   MYSQL_DIR="$SCRIPT_DIR/../db"
 fi
 
-# Create the hirs_db database
-echo "Creating HIRS Database..." 
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/secure_mysql.sql
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+echo "MYSQL_DIR is $MYSQL_DIR"
 
+# Check if hirs_db not created and create it if it wasn't
+mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+   echo "hirs_db exists, skipping hirs_db create"
+else
+   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
+   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
+   mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+fi

package/scripts/db/db_drop.sh

@@ -4,8 +4,8 @@ echo "dropping hirs database"
 
 if pgrep  mysqld >/dev/null 2>&1; then
   if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
-    mysql -u "root" < /opt/hirs/scripts/common/db_drop.sql
+    mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
   else
-    mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD  < /opt/hirs/scripts/common/db_drop.sq1
+    mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD  < /opt/hirs/scripts/db/db_drop.sq1
   fi
 fi

package/scripts/db/secure_mysql.sql

@@ -0,0 +1,5 @@
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+FLUSH PRIVILEGES

package/scripts/install_tomcat.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-tom_version="10.1.1"
+tom_version="10.1.9"
 tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
 CATALINA_HOME=/opt/tomcat/
 CATALINA_BASE=/opt/tomcat/
@@ -12,7 +12,7 @@ else
    pushd /tmp
    useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
    dnf install wget -y
-   wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
+   wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
    mkdir /opt/tomcat
    tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
    rm apache-tomcat-$tom_version.tar.gz

package/scripts/pki/pki_chain_gen.sh

@@ -85,7 +85,7 @@ fi
 
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
-pushd "$ACTOR_ALT"
+pushd "$ACTOR_ALT" &> /dev/null
 touch ca/db
 if [ ! -f "ca/serial.txt" ]; then
      echo "01" > ca/serial.txt

package/scripts/pki/pki_setup.sh

@@ -15,19 +15,39 @@ if [ -z $HIRS_PKI_PWD ]; then
    #PKI_PASS="xrb204k"
 fi
 
-# Create an ACA proerties file using the new password
+# Create an ACA properties file using the new password
 pushd $SCRIPT_DIR &> /dev/null
-sh ../aca/aca_property_setup.sh $PKI_PASS
+  if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
+      if [ -d /opt/hirs/scripts/aca ]; then
+            ACA_SETUP_DIR="/opt/hirs/scripts/aca"
+         else
+            ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
+      fi
+      echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
+   sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
+  else
+     echo  "aca property file exists, skipping"
+  fi
+
 popd &> /dev/null
 
 # Create Cert Chains
-rm -rf /etc/hirs/certificates
-mkdir -p /etc/hirs/certificates/
+if [ ! -d "/etc/hirs/certificates" ]; then
+  
+   if [ -d /opt/hirs/scripts/pki ]; then
+            PKI_SETUP_DIR="/opt/hirs/scripts/pki"
+         else
+            PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
+      fi
+      echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
 
-pushd  /etc/hirs/certificates/
-
-cp $SCRIPT_DIR/ca.conf .
-sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
-sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
-
-popd
+  mkdir -p /etc/hirs/certificates/
+   
+  pushd  /etc/hirs/certificates/ &> /dev/null
+  cp $PKI_SETUP_DIR/ca.conf .
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
+  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
+  popd &> /dev/null
+else 
+  echo "/etc/hirs/certificates exists, skipping"
+fi