added aca_setup.sh to support embedded tomcat [no ci]

iadgovuser26 2023-06-02 19:23:55 +00:00 committed by iadgovuser26 iadgovuser26@empire.eclipse.ncsc.mil
parent 0a25e4841c
commit ae93a8bced
16 changed files with 99 additions and 137 deletions


@ -102,12 +102,22 @@ ospackage {
from configurations.runtimeClasspath from configurations.runtimeClasspath
} }
into ("/opt/hirs/scripts/aca/") { into ("/opt/hirs/scripts/aca/") {
from '../package/scripts/pki/pki_chain_gen.sh'
from '../package/scripts/pki/pki_setup.sh'
from '../package/scripts/aca/aca_proprty_setup.sh'
from '../package/conf/tomcat.service' from '../package/conf/tomcat.service'
from '../package/scripts/install_tomcat.sh' from '../package/scripts/install_tomcat.sh'
from '../package/scripts/aca/certificate_generate.sh' from '../package/scripts/aca/aca_property_setup.sh'
from '../package/scripts/aca/aca_setup.sh'
}
into ("/opt/hirs/scripts/pki/") {
from '../package/scripts/pki/ca.conf'
from '../package/scripts/pki/pki_setup.sh'
from '../package/scripts/pki/pki_chain_gen.sh'
}
into ("/opt/hirs/scripts/db/") {
from '../package/scripts/db/db_create.sh'
from '../package/scripts/db/db_create.sql'
from '../package/scripts/db/db_drop.sh'
from '../package/scripts/db/db_drop.sql'
from '../package/scripts/db/secure_mysql.sql'
} }
into ("/opt/hirs/scripts/common") { into ("/opt/hirs/scripts/common") {
from '../package/scripts/common/' from '../package/scripts/common/'
@ -123,35 +133,14 @@ ospackage {
from '../HIRS_AttestationCA/src/main/resources/component-class.json' from '../HIRS_AttestationCA/src/main/resources/component-class.json'
} }
// Post Install // Post Install
// println "*** Checking MYSQL Configuration ...."
// println " Myql password is $System.env.HIRS_MYSQL_ROOT_PWD"
// println " Myql password is ${System.getenv('HIRS_MYSQL_ROOT_PWD')} "
// if ( "$System.env.HIRS_MYSQL_ROOT_PWD".compareTo("null") == 0 ) { postInstall file('../package/scripts/db/db_create.sh')
// println "Gradle: Mysql Root password not set" postInstall file('../package/scripts/pki/pki_setup.sh')
// }
// else {
// println "Gradle: Mysql Root Password set to $System.env.HIRS_MYSQL_ROOT_PWD"
// }
postInstall file('../package/scripts/common/db_create.sh')
// postInstall file('../package/scripts/pki/pki_setup.sh')
// postInstall file('../package/scripts/common/ssl_configure.sh')
// postInstall 'mkdir -p /etc/hirs/aca/client_files'
postInstall 'mkdir -p /etc/hirs/aca/certificates' postInstall 'mkdir -p /etc/hirs/aca/certificates'
postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.' postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.'
postInstall 'rm -rf /tmp/aca/' postInstall 'rm -rf /tmp/aca/'
// postInstall file('../package/scripts/install_tomcat.sh') // postInstall file('../package/scripts/install_tomcat.sh')
// Old post install files, to be removed...
// Note /etc/hirs/aca/certificates files are created by certificate_generate.sh
// /etc/hirs/aca/client-files files are created by certificate_generate.sh
// /etc/hirs/certificates/ files are created by ssl_configure.sh
// /etc/hirs/certificates/mysql/ files are created by ssl_configure.sh
// /etc/hirs/certificates/private/ files are created by ssl_configure.sh
// postInstall file('../package/scripts/common/firewall_configure_tomcat.sh')
// postInstall file('../package/scripts/common/ssl_configure.sh')
// postInstall file('../package/scripts/aca/certificate_generate.sh')
// postInstall 'if [ selinuxenabled ]; then semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp; fi'
postInstall 'sh /opt/tomcat/bin/catalina.sh start' postInstall 'sh /opt/tomcat/bin/catalina.sh start'
@ -159,9 +148,7 @@ ospackage {
// Copy files to /tmp that package manager will be expecting them there // Copy files to /tmp that package manager will be expecting them there
preUninstall 'mkdir -p /tmp/aca/default-properties/' preUninstall 'mkdir -p /tmp/aca/default-properties/'
preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.' preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.'
preUninstall file('../package/scripts/common/db_drop.sh') preUninstall file('../package/scripts/db/db_drop.sh')
//buildRpm.dependsOn ':HIRS_AttestationCA:war'
buildRpm { buildRpm {
arch = X86_64 arch = X86_64
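Review bot: The new `postInstall file('../package/scripts/db/db_create.sh')` and `postInstall file('../package/scripts/pki/pki_setup.sh')` lines run the two setup steps independently, so a failing database step stops neither the PKI step nor the `catalina.sh start` that follows, whereas the aca_setup.sh this commit adds exits on the first failure but is only copied into /opt/hirs/scripts/aca/ here and never executed. Driving the package path through the same entry point, e.g. `postInstall 'sh /opt/hirs/scripts/aca/aca_setup.sh'` in place of the two lines, would keep the RPM and manual installs from drifting, assuming the installed copy is present by the time the post-install scriptlet runs. Whether the package manager aborts the install on a non-zero scriptlet status is worth confirming before relying on it either way. The hunk also keeps the commented-out `// postInstall file('../package/scripts/install_tomcat.sh')` line, which reads as leftover rather than documentation and could go.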


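--- a/package/scripts/aca/aca_setup.sh
+++ b/package/scripts/aca/aca_setup.sh
+#!/bin/bash
+# Capture location of the script to allow from invocation from any location
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+pushd $SCRIPT_DIR
+sh ../db/db_create.sh
+if [ $? -eq 0 ]; then
+echo "ACA database setup complete"
+else
+echo "Error setting up ACA DB"
+exit 1
+fi
+sh ../pki/pki_setup.sh
+if [ $? -eq 0 ]; then
+echo "ACA PKI setup complete"
+else
+echo "Error setting up ACA PKI"
+exit 1
+fi
+echo "ACA setup complete"
+popd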
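Review bot: `pushd $SCRIPT_DIR` is unquoted although the line above goes to the trouble of quoting the readlink result, so an install path containing whitespace splits the argument; it also prints the directory stack to stdout and is not checked, so a bad directory silently runs `../db/db_create.sh` relative to the caller's cwd instead. `pushd "$SCRIPT_DIR" > /dev/null || exit 1` covers all three. The callees are invoked with `sh`, which overrides their `#!/bin/bash` shebangs; db_create.sh uses `[[ ... ]]` and pki_chain_gen.sh now uses `&> /dev/null`, both bash-only, which works only where /bin/sh is bash (as on the dnf-based targets this commit installs on) — `bash ../db/db_create.sh` and `bash ../pki/pki_setup.sh` would make that explicit. Since this script's own result is taken from each callee's exit status, it is only as reliable as db_create.sh's, which in this commit is just the status of whichever mysql call or echo happens to run last.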


@ -1,2 +0,0 @@
CREATE DATABASE IF NOT EXISTS `hirs_db`;
GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "hirs_db" REQUIRE SSL;


@ -1 +0,0 @@
cat /etc/os-release | grep -Eo "VERSION=\"[0-9]" | tail -c 2


@ -1,5 +0,0 @@
#begin-hirs-cfg
ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert
ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem
ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem
#end-hirs-cfg


@ -1,30 +0,0 @@
DROP PROCEDURE IF EXISTS upgrade_schema_to_1_0_4;
DELIMITER '//'
CREATE PROCEDURE upgrade_schema_to_1_0_4()
BEGIN
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='isDeltaChain')) THEN
ALTER TABLE Certificate ADD isDeltaChain bit(1) DEFAULT NULL;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformBase')) THEN
ALTER TABLE Certificate ADD platformBase bit(1) DEFAULT NULL;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='platformChainType')) THEN
ALTER TABLE Certificate ADD platformChainType varchar(255) DEFAULT NULL;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='SupplyChainValidationSummary' AND COLUMN_NAME='message')) THEN
ALTER TABLE SupplyChainValidationSummary ADD message longtext;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='TPMReport' AND COLUMN_NAME='rawQuote')) THEN
ALTER TABLE TPMReport ADD rawQuote blob;
END IF;
END//
DELIMITER ';'
CALL upgrade_schema_to_1_0_4;
DROP PROCEDURE upgrade_schema_to_1_0_4;


@ -1,16 +0,0 @@
#commands here if there are schema changes in 1.1.0
DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_0;
DELIMITER '//'
CREATE PROCEDURE upgrade_schema_to_1_1_0()
BEGIN
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='componentFailures')) THEN
ALTER TABLE Certificate ADD componentFailures varchar(255) DEFAULT NULL;
END IF;
END//
DELIMITER ';'
CALL upgrade_schema_to_1_1_0;
DROP PROCEDURE upgrade_schema_to_1_1_0;


@ -1,23 +0,0 @@
DROP PROCEDURE IF EXISTS upgrade_schema_to_1_1_1;
DELIMITER '//'
CREATE PROCEDURE upgrade_schema_to_1_1_1()
BEGIN
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMajorVersion')) THEN
ALTER TABLE Certificate ADD tcgCredentialMajorVersion int(11) DEFAULT NULL;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialMinorVersion')) THEN
ALTER TABLE Certificate ADD tcgCredentialMinorVersion int(11) DEFAULT NULL;
END IF;
IF(NOT EXISTS(SELECT * FROM information_schema.COLUMNS WHERE TABLE_SCHEMA='hirs_db' AND TABLE_NAME='Certificate' AND COLUMN_NAME='tcgCredentialRevisionLevel')) THEN
ALTER TABLE Certificate ADD tcgCredentialRevisionLevel int(11) DEFAULT NULL;
END IF;
END//
DELIMITER ';'
CALL upgrade_schema_to_1_1_1;
DROP PROCEDURE upgrade_schema_to_1_1_1;


@ -8,6 +8,8 @@
# HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set. # HIRS_MYSQL_ROOT_NEW_PWD wil be ignored if HIRS_MYSQL_ROOT_EXSITING_PWD is set.
################################################################################ ################################################################################
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
# Set Mysql HIRS DB password # Set Mysql HIRS DB password
if [ -z $HIRS_DB_PWD ]; then if [ -z $HIRS_DB_PWD ]; then
HIRS_DB_PWD="hirs_db" HIRS_DB_PWD="hirs_db"
@ -40,7 +42,7 @@ if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
chown -R mysql:mysql /var/log/mariadb chown -R mysql:mysql /var/log/mariadb
/usr/bin/mysqld_safe & /usr/bin/mysqld_safe &
else else
SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh` SQL_SERVICE="mariadb"
systemctl $SQL_SERVICE enable systemctl $SQL_SERVICE enable
systemctl $SQL_SERVICE start systemctl $SQL_SERVICE start
fi fi
@ -51,9 +53,6 @@ echo "Checking mysqld status..."
while ! mysqladmin ping -h "$localhost" --silent; do while ! mysqladmin ping -h "$localhost" --silent; do
sleep 1; sleep 1;
done done
# Test the root password, error if the password doesnt work
if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
echo "HIRS_MYSQL_ROOT_PWD environment variable not set" echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
mysql -fu root -e 'quit' &> /dev/null; mysql -fu root -e 'quit' &> /dev/null;
@ -62,7 +61,7 @@ else
$(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null); $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit' &> /dev/null);
fi fi
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
echo "root password verified" echo "root password verified"
else else
echo "MYSQL root password was not the default, not supplied, or was incorrect" echo "MYSQL root password was not the default, not supplied, or was incorrect"
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
@ -73,16 +72,21 @@ fi
echo "HIRS_DB_PWD is $HIRS_DB_PWD" echo "HIRS_DB_PWD is $HIRS_DB_PWD"
echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD" echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
# Check if we're in a Docker container if [ -d /opt/hirs/scripts/db ]; then
if [ -f /.dockerenv ]; then MYSQL_DIR="/opt/hirs/scripts/db"
DOCKER_CONTAINER=true
else else
DOCKER_CONTAINER=false
MYSQL_DIR="$SCRIPT_DIR/../db"
fi fi
# Create the hirs_db database echo "MYSQL_DIR is $MYSQL_DIR"
echo "Creating HIRS Database..."
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/secure_mysql.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
# Check if hirs_db not created and create it if it wasn't
mysqlshow --user=root --password="$HIRS_MYSQL_ROOT_PWD" | grep "hirs_db" > /dev/null 2>&1
if [ $? -eq 0 ]; then
echo "hirs_db exists, skipping hirs_db create"
else
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/secure_mysql.sql
mysql -u root --password=$HIRS_MYSQL_ROOT_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
fi
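Review bot: The new `mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < $MYSQL_DIR/db_create.sql` and `... < $MYSQL_DIR/secure_mysql.sql` lines are not status-checked, so only the final `ALTER USER` (or the `echo` on the skip branch) sets the exit status that aca_setup.sh tests, and a failed schema or hardening run is still reported there as "ACA database setup complete". Appending `|| exit 1` to each of the three mysql invocations makes the status honest. The root password is still passed as `--password=$HIRS_MYSQL_ROOT_PWD` on the command line, where it is visible in process listings and audit logs, and is echoed on the context lines above into whatever captures the install output; a mode-0600 option file passed through `--defaults-extra-file` would keep it out of argv and the log. Separately, this commit deletes the old db_create.sql that granted `hirs_db` with `REQUIRE SSL` together with the mysql TLS client config; the relocated db_create.sql is not shown here, so it is worth confirming that `REQUIRE SSL` survived the move.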


@ -4,8 +4,8 @@ echo "dropping hirs database"
if pgrep mysqld >/dev/null 2>&1; then if pgrep mysqld >/dev/null 2>&1; then
if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
mysql -u "root" < /opt/hirs/scripts/common/db_drop.sql mysql -u "root" < /opt/hirs/scripts/db/db_drop.sql
else else
mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_drop.sq1 mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1
fi fi
fi fi
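Review bot: The `db_drop.sq1` typo is carried over to the new path on the password branch, `mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sq1`; the package installs `db_drop.sql` (see the build-file hunk), so whenever HIRS_MYSQL_ROOT_PWD is set the redirect fails and the database is never dropped on uninstall. The line should read `mysql -u "root" -p$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/db/db_drop.sql`. As in db_create.sh, the root password goes on the command line here; a mode-0600 option file via `--defaults-extra-file` would keep it out of process listings. Both `if` blocks close within the hunk, but the script may continue beyond it.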


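--- a/package/scripts/db/secure_mysql.sql
+++ b/package/scripts/db/secure_mysql.sql
@@ -0,0 +1,5 @@
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+FLUSH PRIVILEGES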
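Review bot: The two `DELETE FROM mysql.user ...` statements assume `mysql.user` is a writable base table; on MariaDB 10.4 and later (db_create.sh in this commit hard-codes the `mariadb` service) it is a view over `mysql.global_priv` and the DELETEs are rejected, and because db_create.sh does not check the exit status of this file the anonymous-user and remote-root cleanup would silently not happen. If that is the target, `DELETE FROM mysql.global_priv WHERE User='';` and the same root/host filter against `mysql.global_priv` are the forms the distribution's own secure-installation script uses for those versions — verify against the actual server version before switching. The final `FLUSH PRIVILEGES` lacks the terminating `;` every other statement has; the client appears to accept it at end of input, but it should be `FLUSH PRIVILEGES;` for consistency. Note this file runs only on first install (the caller skips it once `hirs_db` exists), so hardening added here later is not applied to hosts that already have the database.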


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
tom_version="10.1.1" tom_version="10.1.9"
tom_maj=$(echo "$tom_version" | cut -d '.' -f 1) tom_maj=$(echo "$tom_version" | cut -d '.' -f 1)
CATALINA_HOME=/opt/tomcat/ CATALINA_HOME=/opt/tomcat/
CATALINA_BASE=/opt/tomcat/ CATALINA_BASE=/opt/tomcat/
@ -12,7 +12,7 @@ else
pushd /tmp pushd /tmp
useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
dnf install wget -y dnf install wget -y
wget https://dlcdn.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz
mkdir /opt/tomcat mkdir /opt/tomcat
tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1 tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1
rm apache-tomcat-$tom_version.tar.gz rm apache-tomcat-$tom_version.tar.gz
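Review bot: The changed `wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz` line still fetches the archive with no integrity check before it is unpacked as root into /opt/tomcat, and a failed download is not detected either, so the following `tar` runs against a missing or partial file. Apache publishes a `.sha512` next to each tarball, so adding `wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz.sha512` and `sha512sum -c apache-tomcat-$tom_version.tar.gz.sha512 || exit 1` after the download (plus `|| exit 1` on the download itself) closes both gaps; checking the `.asc` signature against the Tomcat KEYS file is the stronger option if GPG is available at install time. The `else` branch this sits in starts before the hunk.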


@ -85,7 +85,7 @@ fi
mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
cp ca.conf "$ACTOR_ALT"/. cp ca.conf "$ACTOR_ALT"/.
pushd "$ACTOR_ALT" pushd "$ACTOR_ALT" &> /dev/null
touch ca/db touch ca/db
if [ ! -f "ca/serial.txt" ]; then if [ ! -f "ca/serial.txt" ]; then
echo "01" > ca/serial.txt echo "01" > ca/serial.txt


@ -15,19 +15,39 @@ if [ -z $HIRS_PKI_PWD ]; then
#PKI_PASS="xrb204k" #PKI_PASS="xrb204k"
fi fi
# Create an ACA proerties file using the new password # Create an ACA properties file using the new password
pushd $SCRIPT_DIR &> /dev/null pushd $SCRIPT_DIR &> /dev/null
sh ../aca/aca_property_setup.sh $PKI_PASS if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
if [ -d /opt/hirs/scripts/aca ]; then
ACA_SETUP_DIR="/opt/hirs/scripts/aca"
else
ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
fi
echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
else
echo "aca property file exists, skipping"
fi
popd &> /dev/null popd &> /dev/null
# Create Cert Chains # Create Cert Chains
rm -rf /etc/hirs/certificates if [ ! -d "/etc/hirs/certificates" ]; then
mkdir -p /etc/hirs/certificates/
if [ -d /opt/hirs/scripts/pki ]; then
PKI_SETUP_DIR="/opt/hirs/scripts/pki"
else
PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
fi
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
pushd /etc/hirs/certificates/ mkdir -p /etc/hirs/certificates/
cp $SCRIPT_DIR/ca.conf . pushd /etc/hirs/certificates/ &> /dev/null
sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" cp $PKI_SETUP_DIR/ca.conf .
sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
popd popd &> /dev/null
else
echo "/etc/hirs/certificates exists, skipping"
fi
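Review bot: `ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"` and `PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"` use `==`, so on the non-packaged fallback the variable receives a value beginning with a literal `=` and the later `sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS` and `cp $PKI_SETUP_DIR/ca.conf .` resolve to paths of the form `=/.../aca/aca_property_setup.sh` that do not exist; both lines need a single `=`. Neither the property-setup call nor the two `pki_chain_gen.sh` runs are status-checked, and because the new guard skips the whole block once /etc/hirs/certificates exists, a first run that fails partway leaves a half-populated directory that every later run reports as "exists, skipping" — `|| exit 1` on each call, with the directory removed on failure, would keep the guard from masking that. The script may continue past this hunk.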