diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle
index 151180e4..0d482ba5 100644
--- a/HIRS_AttestationCAPortal/build.gradle
+++ b/HIRS_AttestationCAPortal/build.gradle
@@ -102,12 +102,22 @@ ospackage {
 from configurations.runtimeClasspath
 }
 into ("/opt/hirs/scripts/aca/") {
- from '../package/scripts/pki/pki_chain_gen.sh'
- from '../package/scripts/pki/pki_setup.sh'
- from '../package/scripts/aca/aca_proprty_setup.sh'
 from '../package/conf/tomcat.service'
 from '../package/scripts/install_tomcat.sh'
- from '../package/scripts/aca/certificate_generate.sh'
+ from '../package/scripts/aca/aca_property_setup.sh'
+ from '../package/scripts/aca/aca_setup.sh'
+ }
+ into ("/opt/hirs/scripts/pki/") {
+ from '../package/scripts/pki/ca.conf'
+ from '../package/scripts/pki/pki_setup.sh'
+ from '../package/scripts/pki/pki_chain_gen.sh'
+ }
+ into ("/opt/hirs/scripts/db/") {
+ from '../package/scripts/db/db_create.sh'
+ from '../package/scripts/db/db_create.sql'
+ from '../package/scripts/db/db_drop.sh'
+ from '../package/scripts/db/db_drop.sql'
+ from '../package/scripts/db/secure_mysql.sql'
 }
 into ("/opt/hirs/scripts/common") {
 from '../package/scripts/common/'
@@ -123,35 +133,14 @@ ospackage {
 from '../HIRS_AttestationCA/src/main/resources/component-class.json'
 }
 // Post Install
-// println "*** Checking MYSQL Configuration ...."
-// println " Myql password is $System.env.HIRS_MYSQL_ROOT_PWD"
-// println " Myql password is ${System.getenv('HIRS_MYSQL_ROOT_PWD')} "
-// if ( "$System.env.HIRS_MYSQL_ROOT_PWD".compareTo("null") == 0 ) {
-// println "Gradle: Mysql Root password not set"
-// }
-// else {
-// println "Gradle: Mysql Root Password set to $System.env.HIRS_MYSQL_ROOT_PWD"
- // }
+ postInstall file('../package/scripts/db/db_create.sh')
+ postInstall file('../package/scripts/pki/pki_setup.sh')
- postInstall file('../package/scripts/common/db_create.sh')
-// postInstall file('../package/scripts/pki/pki_setup.sh')
-// postInstall file('../package/scripts/common/ssl_configure.sh')
- // postInstall 'mkdir -p /etc/hirs/aca/client_files'
 postInstall 'mkdir -p /etc/hirs/aca/certificates'
 postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
 postInstall 'rm -rf /tmp/aca/'
 // postInstall file('../package/scripts/install_tomcat.sh')
- // Old post install files, to be removed...
- // Note /etc/hirs/aca/certificates files are created by certificate_generate.sh
- // /etc/hirs/aca/client-files files are created by certificate_generate.sh
- // /etc/hirs/certificates/ files are created by ssl_configure.sh
- // /etc/hirs/certificates/mysql/ files are created by ssl_configure.sh
- // /etc/hirs/certificates/private/ files are created by ssl_configure.sh
- // postInstall file('../package/scripts/common/firewall_configure_tomcat.sh')
- // postInstall file('../package/scripts/common/ssl_configure.sh')
- // postInstall file('../package/scripts/aca/certificate_generate.sh')
- // postInstall 'if [ selinuxenabled ]; then semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp; fi'
 postInstall 'sh /opt/tomcat/bin/catalina.sh start'
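Review bot: The two new `postInstall file(...)` lines run db_create.sh and pki_setup.sh directly, while this same commit adds and packages aca_setup.sh, which runs the same pair and stops on the first failure; two install paths for one procedure will drift. Consider `postInstall file('../package/scripts/aca/aca_setup.sh')` in place of both lines, or a comment above them saying why the RPM bypasses the wrapper. Whether ospackage stops the remaining postInstall steps when an earlier script exits non-zero is not visible here; if it does not, a failed database create would still be followed by the `catalina.sh start` step below.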
@@ -159,9 +148,7 @@ ospackage {
 // Copy files to /tmp that package manager will be expecting them there
 preUninstall 'mkdir -p /tmp/aca/default-properties/'
 preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.'
- preUninstall file('../package/scripts/common/db_drop.sh')
-
- //buildRpm.dependsOn ':HIRS_AttestationCA:war'
+ preUninstall file('../package/scripts/db/db_drop.sh')
 buildRpm {
 arch = X86_64
diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh
new file mode 100644
index 00000000..240dd683
--- /dev/null
+++ b/package/scripts/aca/aca_setup.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Capture location of the script to allow from invocation from any location
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+
+pushd $SCRIPT_DIR
+
+sh ../db/db_create.sh
+if [ $? -eq 0 ]; then
+ echo "ACA database setup complete"
+ else
+ echo "Error setting up ACA DB"
+ exit 1
+fi
+sh ../pki/pki_setup.sh
+if [ $? -eq 0 ]; then
+ echo "ACA PKI setup complete"
+ else
+ echo "Error setting up ACA PKI"
+ exit 1
+fi
+ echo "ACA setup complete"
+
+popd
diff --git a/package/scripts/common/db_create.sql.el6 b/package/scripts/common/db_create.sql.el6
deleted file mode 100644
index d102f238..00000000
--- a/package/scripts/common/db_create.sql.el6
+++ /dev/null
@@ -1,2 +0,0 @@
-CREATE DATABASE IF NOT EXISTS `hirs_db`;
-GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "hirs_db" REQUIRE SSL;
diff --git a/package/scripts/common/get_amazon_linux_major_version.sh b/package/scripts/common/get_amazon_linux_major_version.sh
deleted file mode 100644
index 3d193c9e..00000000
--- a/package/scripts/common/get_amazon_linux_major_version.sh
+++ /dev/null
@@ -1 +0,0 @@
-cat /etc/os-release | grep -Eo "VERSION=\"[0-9]" | tail -c 2
diff --git a/package/scripts/common/my.cnf.el6 b/package/scripts/common/my.cnf.el6
deleted file mode 100644
index 7c869ded..00000000
--- a/package/scripts/common/my.cnf.el6
+++ /dev/null
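Review bot: In the new aca_setup.sh, `pushd $SCRIPT_DIR` is unquoted and its output is not suppressed, unlike the `pushd ... &> /dev/null` form used in pki_setup.sh in this same change; `pushd "$SCRIPT_DIR" &> /dev/null || exit 1` would make the relative `../db` and `../pki` paths reliable even when the script fails to change directory. Both child scripts are invoked with `sh`, but db_create.sh uses `[[ ... ]]`, which only works where `sh` is bash; `bash ../db/db_create.sh` (or marking the scripts executable and calling them directly) removes that dependency. The `echo "ACA setup complete"` line is indented as if it were inside the preceding `if`, which misreads; aligning it with `popd` would help.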
@@ -1,5 +0,0 @@
-#begin-hirs-cfg
-ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
-ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
-ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
-#end-hirs-cfg
diff --git a/package/scripts/common/upgrade_schema_1.0.4.sql b/package/scripts/common/upgrade_schema_1.0.4.sql
deleted file mode 100644
index abf8bf5f..00000000
--- a/package/scripts/common/upgrade_schema_1.0.4.sql
+++ /dev/null
@@ -1,30 +0,0 @@
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_0_4;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_0_4()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='isDeltaChain')) THEN
-ALTER TABLE Certificate ADD isDeltaChain bit(1) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformBase')) THEN
-ALTER TABLE Certificate ADD platformBase bit(1) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformChainType')) THEN
-ALTER TABLE Certificate ADD platformChainType varchar(255) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='SupplyChainValidationSummary' AND COLUMN_NAME='message')) THEN
-ALTER TABLE SupplyChainValidationSummary ADD message longtext;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='TPMReport' AND COLUMN_NAME='rawQuote')) THEN
-ALTER TABLE TPMReport ADD rawQuote blob;
-END IF;
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_0_4;
-DROP PROCEDURE upgrade_schema_to_1_0_4;
-
diff --git a/package/scripts/common/upgrade_schema_1.1.0.sql b/package/scripts/common/upgrade_schema_1.1.0.sql
deleted file mode 100644
index 57deb632..00000000
--- a/package/scripts/common/upgrade_schema_1.1.0.sql
+++ /dev/null
@@ -1,16 +0,0 @@
-#commands here if there are schema changes in 1.1.0
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_0;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_1_0()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='componentFailures')) THEN
-ALTER TABLE Certificate ADD componentFailures varchar(255) DEFAULT NULL;
-END IF;
-
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_1_0;
-DROP PROCEDURE upgrade_schema_to_1_1_0;
-
diff --git a/package/scripts/common/upgrade_schema_1.1.1.sql b/package/scripts/common/upgrade_schema_1.1.1.sql
deleted file mode 100644
index e33af0bf..00000000
--- a/package/scripts/common/upgrade_schema_1.1.1.sql
+++ /dev/null
@@ -1,23 +0,0 @@
-DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_1;
-DELIMITER '//'
-
-CREATE PROCEDURE upgrade_schema_to_1_1_1()
-BEGIN
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMajorVersion')) THEN
-ALTER TABLE Certificate ADD tcgCredentialMajorVersion int(11) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMinorVersion')) THEN
-ALTER TABLE Certificate ADD tcgCredentialMinorVersion int(11) DEFAULT NULL;
-END IF;
-
-IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialRevisionLevel')) THEN
-ALTER TABLE Certificate ADD tcgCredentialRevisionLevel int(11) DEFAULT NULL;
-END IF;
-
-END//
-DELIMITER ';'
-
-CALL upgrade_schema_to_1_1_1;
-DROP PROCEDURE upgrade_schema_to_1_1_1;
-
diff --git a/package/scripts/common/db_create.sh b/package/scripts/db/db_create.sh
similarity index 74%
rename from package/scripts/common/db_create.sh
rename to package/scripts/db/db_create.sh
index a59536bd..6dada853 100644
--- a/package/scripts/common/db_create.sh
+++ b/package/scripts/db/db_create.sh
@@ -8,6 +8,8 @@
 # HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
 ################################################################################
+# Capture location of the script to allow from invocation from any location
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 # Set Mysql HIRS DB password
 if [ -z $HIRS_DB_PWD ]; then
 HIRS_DB_PWD="hirs_db"
@@ -40,7 +42,7 @@ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
 chown -R mysql:mysql /var/log/mariadb
 /usr/bin/mysqld_safe &
 else
- SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh`
+ SQL_SERVICE="mariadb"
 systemctl $SQL_SERVICE enable
 systemctl $SQL_SERVICE start
 fi
@@ -51,9 +53,6 @@ echo "Checking mysqld status..."
 while ! mysqladmin ping -h "$localhost" --silent; do
 sleep 1;
 done
-
-# Test the root password, error if the password doesnt work
-
 if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
 echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
 mysql -fu root -e 'quit' &> /dev/null;
@@ -62,7 +61,7 @@ else
 $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null);
 fi
 if [ $? -eq 0 ]; then
- echo "root password verified"
+ echo "root password verified"
 else
 echo "MYSQL root password was not the default, not supplied, or was incorrect"
 echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
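Review bot: With `SQL_SERVICE="mariadb"` now a fixed literal, the two context lines below it expand to `systemctl mariadb enable` and `systemctl mariadb start`, which put the unit name where systemctl expects the verb; unless the replaced helper returned something other than a unit name, these should read `systemctl enable "$SQL_SERVICE"` and `systemctl start "$SQL_SERVICE"`. Hard-coding the name also drops whatever distribution detection get_db_service.sh provided, which is fine if MariaDB is now the only supported backend, but a one-line comment above the assignment stating that would save the next reader from looking for the old helper. The enclosing if/else starts outside the hunk.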
@@ -73,16 +72,21 @@ fi
 echo "HIRS_DB_PWD is $HIRS_DB_PWD"
 echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
-# Check if we're in a Docker container
-if [ -f /.dockerenv ]; then
- DOCKER_CONTAINER=true
+if [ -d /opt/hirs/scripts/db ]; then
+ MYSQL_DIR="/opt/hirs/scripts/db"
 else
- DOCKER_CONTAINER=false
+
+ MYSQL_DIR="$SCRIPT_DIR/../db"
 fi
-# Create the hirs_db database
-echo "Creating HIRS Database..."
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/secure_mysql.sql
-mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+echo "MYSQL_DIR is $MYSQL_DIR"
+# Check if hirs_db not created and create it if it wasn't
+mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+ echo "hirs_db exists, skipping hirs_db create"
+else
+ mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
+ mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
+ mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+fi
diff --git a/package/scripts/common/db_create.sql b/package/scripts/db/db_create.sql
similarity index 100%
rename from package/scripts/common/db_create.sql
rename to package/scripts/db/db_create.sql
diff --git a/package/scripts/common/db_drop.sh b/package/scripts/db/db_drop.sh
similarity index 72%
rename from package/scripts/common/db_drop.sh
rename to package/scripts/db/db_drop.sh
index 52229cbd..cb477ff8 100644
--- a/package/scripts/common/db_drop.sh
+++ b/package/scripts/db/db_drop.sh
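Review bot: The new `mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD"` line, like the three `mysql ... --password=$HIRS_MYSQL_ROOT_PWD` lines below it, passes the database root password on the command line, where any local user can read it from the process list while the client runs; and since this script is now an RPM postInstall step, the context line `echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"` above also writes it into the package-manager output and any captured install log. Exporting it as `MYSQL_PWD` for the duration of the calls, or using `--defaults-extra-file` pointing at a 0600 file with a `[client]` section, keeps it off argv, and the echo should be removed or masked. Separately, the existence check is `grep "hirs_db"` over every database name, so any name containing that substring suppresses creation, and when it matches the `secure_mysql.sql` hardening and the `ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY ...` password sync are skipped too, so a re-run with a changed `HIRS_DB_PWD` leaves the old password in place; `grep -qw "hirs_db"` tightens the match, and the two follow-up statements could run unconditionally since both are idempotent.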
@@ -4,8 +4,8 @@ echo "dropping hirs database"
 if pgrep mysqld >/dev/null 2>&1; then
 if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
- mysql -u "root" < /opt/hirs/scripts/common/db_drop.sql
+ mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
 else
- mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_drop.sq1
+ mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1
 fi
 fi
diff --git a/package/scripts/common/db_drop.sql b/package/scripts/db/db_drop.sql
similarity index 100%
rename from package/scripts/common/db_drop.sql
rename to package/scripts/db/db_drop.sql
diff --git a/package/scripts/db/secure_mysql.sql b/package/scripts/db/secure_mysql.sql
new file mode 100644
index 00000000..8589affe
--- /dev/null
+++ b/package/scripts/db/secure_mysql.sql
@@ -0,0 +1,5 @@
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+FLUSH PRIVILEGES
diff --git a/package/scripts/install_tomcat.sh b/package/scripts/install_tomcat.sh
index f47f8d66..7a487fb0 100644
--- a/package/scripts/install_tomcat.sh
+++ b/package/scripts/install_tomcat.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-tom_version="10.1.1"
+tom_version="10.1.9"
 tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
 CATALINA_HOME=/opt/tomcat/
 CATALINA_BASE=/opt/tomcat/
@@ -12,7 +12,7 @@ else
 pushd /tmp
 useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
 dnf install wget -y
- wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
+ wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
 mkdir /opt/tomcat
 tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
 rm apache-tomcat-$tom_version.tar.gz
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index 6aae0d58..bf2dd514 100644
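Review bot: The new line in the else branch still redirects from `db_drop.sq1` (digit one), so whenever `HIRS_MYSQL_ROOT_PWD` is set the shell cannot open the file, the drop never runs, and the script carries on as if it had; it should read `mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sql`, matching the line above. The same branch passes the root password as `-p$HIRS_MYSQL_ROOT_PWD` on the command line, visible in the process list; `MYSQL_PWD="$HIRS_MYSQL_ROOT_PWD" mysql -u "root" < ...` keeps it out of argv. Adding `|| echo "hirs_db drop failed"` to both mysql lines would also stop a failed drop from being silent during package removal.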
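Review bot: The two `DELETE FROM mysql.user ...` statements assume mysql.user is a base table; on MariaDB 10.4 and later it is a view over mysql.global_priv and direct deletes through it may be rejected, so with `SQL_SERVICE="mariadb"` pinned in db_create.sh the hardening can fail on newer distributions (I cannot tell from here which MariaDB release is targeted). `DROP USER IF EXISTS ...` for the anonymous and remote-root accounts works across versions and also removes the matching privilege rows, which a raw DELETE does not. Since db_create.sh only feeds this file to the client when hirs_db is absent, it is skipped on every reinstall even though all four statements are idempotent. The final `FLUSH PRIVILEGES` lacks a terminating `;`, which works when the whole file is piped to the client but breaks if the file is ever concatenated with another.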
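Review bot: The tarball fetched by the changed `wget` line is unpacked into /opt/tomcat with no integrity check; the Apache release directory the new URL points at also publishes `apache-tomcat-$tom_version.tar.gz.sha512` (and a detached `.asc` signature), so the download should be verified before `tar -xzf` and the install aborted on mismatch. The `wget` line also has no failure handling, so a failed download leaves `tar` and `rm` running against a missing file while the script continues. Verifying the signature against the project's published KEYS file would be stronger than the checksum, which comes from the same host; the checksum still catches truncation and mirror corruption. The enclosing if/else starts outside the hunk.
```shell
wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz || exit 1
wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz.sha512 || exit 1
# Refuse to unpack a tarball whose digest does not match the published one
sha512sum -c apache-tomcat-$tom_version.tar.gz.sha512 || { echo "Tomcat $tom_version checksum mismatch"; exit 1; }
mkdir /opt/tomcat
# … unchanged: tar extraction and cleanup …
```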
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -85,7 +85,7 @@ fi
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
-pushd "$ACTOR_ALT"
+pushd "$ACTOR_ALT" &> /dev/null
 touch ca/db
 if [ ! -f "ca/serial.txt" ]; then
 echo "01" > ca/serial.txt
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index 8c73e860..6a69f104 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -15,19 +15,39 @@ if [ -z $HIRS_PKI_PWD ]; then
 #PKI_PASS="xrb204k"
 fi
-# Create an ACA proerties file using the new password
+# Create an ACA properties file using the new password
 pushd $SCRIPT_DIR &> /dev/null
-sh ../aca/aca_property_setup.sh $PKI_PASS
+ if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
+ if [ -d /opt/hirs/scripts/aca ]; then
+ ACA_SETUP_DIR="/opt/hirs/scripts/aca"
+ else
+ ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
+ fi
+ echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
+ sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
+ else
+ echo "aca property file exists, skipping"
+ fi
+
 popd &> /dev/null
 # Create Cert Chains
-rm -rf /etc/hirs/certificates
-mkdir -p /etc/hirs/certificates/
+if [ ! -d "/etc/hirs/certificates" ]; then
+
+ if [ -d /opt/hirs/scripts/pki ]; then
+ PKI_SETUP_DIR="/opt/hirs/scripts/pki"
+ else
+ PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
+ fi
+ echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
-pushd /etc/hirs/certificates/
-
-cp $SCRIPT_DIR/ca.conf .
-sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
-sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
-
-popd
+ mkdir -p /etc/hirs/certificates/
+
+ pushd /etc/hirs/certificates/ &> /dev/null
+ cp $PKI_SETUP_DIR/ca.conf .
+ sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
+ sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
+ popd &> /dev/null
+else
+ echo "/etc/hirs/certificates exists, skipping"
+fi
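Review bot: Both fallback assignments carry a doubled equals sign, `ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"` and `PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"`, so the variable receives the literal text `=/.../aca` and the following `sh $ACA_SETUP_DIR/aca_property_setup.sh` and the `cp`/`sh` calls under PKI_SETUP_DIR fail exactly in the from-source case the fallback exists for; they should read `ACA_SETUP_DIR="$SCRIPT_DIR/../aca"` and `PKI_SETUP_DIR="$SCRIPT_DIR/../pki"`. Replacing `rm -rf /etc/hirs/certificates` with a skip-if-present test also means a directory left half-populated by an earlier failed run is now treated as a complete PKI, and neither `sh $PKI_SETUP_DIR/pki_chain_gen.sh` call has its exit status checked; testing for a specific expected output file, or checking each call and removing the directory on failure, would avoid serving an incomplete chain. The aca.properties skip likewise keeps an existing file even when a new `$PKI_PASS` was supplied, which deserves a comment above `if [ ! -f "/etc/hirs/aca/aca.properties" ]; then` so operators know a rotation requires removing the file first.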