diff --git a/.ci/docker/Dockerfile.rocky b/.ci/docker/Dockerfile.rocky
index 507267d7..3743861d 100644
--- a/.ci/docker/Dockerfile.rocky
+++ b/.ci/docker/Dockerfile.rocky
@@ -1,22 +1,23 @@
 FROM rockylinux:8.6
-# Install packages for installing HIRS ACA
-#RUN yum -y update && yum clean all
+SHELL ["/bin/bash", "-c"]
+
+# Update and install OS-dependencies
 RUN dnf update -y
-# Install Java 8
-RUN dnf install java-1.8.0-openjdk-headless.x86_64 -y
+# Install Java
+RUN dnf -y install java-17-openjdk-devel -y
 # Install Tomcat
-RUN useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
-RUN dnf install wget -y
-RUN wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.1/bin/apache-tomcat-10.1.1.tar.gz
-RUN mkdir /opt/tomcat
-RUN tar -xzf apache-tomcat-10.1.1.tar.gz -C /opt/tomcat --strip-components=1
+#RUN useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat
+#RUN dnf install wget -y
+#RUN wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.1.1/bin/apache-tomcat-10.1.1.tar.gz
+#RUN mkdir /opt/tomcat
+#RUN tar -xzf apache-tomcat-10.1.1.tar.gz -C /opt/tomcat --strip-components=1
 # Install HIRS dependencies
 RUN dnf install -y mariadb-server rpmdevtools initscripts firewalld policycoreutils net-tools libtool cmake make git gcc-c++ && yum clean all
-RUN dnf install -y openssl openssl-devel protobuf tpm2-tss-devel tpm2-abrmd libcurl-devel libssh-devel && yum clean all
+RUN dnf install -y wget openssl openssl-devel protobuf tpm2-tss-devel tpm2-abrmd libcurl-devel libssh-devel && yum clean all
 # Install PACCOR for Device Info Gathering
 RUN mkdir paccor && pushd paccor && wget https://github.com/nsacyber/paccor/releases/download/v1.1.4r2/paccor-1.1.4-2.noarch.rpm && yum -y install paccor-*.rpm && popd
@@ -33,3 +34,5 @@ RUN dnf -y install packages-microsoft-prod.rpm
 RUN dnf makecache
 RUN dnf -y install dotnet-sdk-6.0
 RUN dotnet tool install --global dotnet-rpm
+
+EXPOSE 8443
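Review bot: The new `RUN dnf -y install java-17-openjdk-devel -y` line passes `-y` twice and, unlike the two `dnf install … && yum clean all` lines beneath it, leaves the package metadata cache in the layer; `RUN dnf install -y java-17-openjdk-devel && dnf clean all` follows the file's own pattern. The five `#RUN` Tomcat lines added in place of the old install are dead text, not code — with the portal now packaged as a standalone war elsewhere in this commit they should be deleted rather than kept as a commented-out, unverified download path that someone may uncomment later. `EXPOSE 8443` is documentation only: nothing in this Dockerfile starts a listener, and there is still no `USER`, so anything launched from this CI image runs as root — acceptable for a build container, but worth a one-line comment such as `# build/CI image: runs as root, 8443 is the ACA port for tests launched from here` so the next reader does not take it for a runtime image.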
diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 13b1a08f..9072f95a 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -2,7 +2,7 @@ plugins { id 'application' id 'java' id 'war' - id "nebula.ospackage" version "9.1.1" + id 'com.netflix.nebula.ospackage' version '11.4.0' id 'org.springframework.boot' version '3.0.6' id 'io.spring.dependency-management' version '1.1.0' } @@ -60,14 +60,6 @@ dependencies { testImplementation libs.testng } -war { - from(buildDir) { - include 'VERSION' - into 'WEB-INF/classes' - } - archiveFileName = 'HIRS_AttestationCAPortal.war' -} - ospackage { packageName = 'HIRS_AttestationCA' os = LINUX 
@@ -78,85 +70,27 @@ ospackage { user 'root' fileMode = 0755 - def tpath="/opt" - addParentDirs = true createDirectoryEntry true - preInstall "rm -rf /opt/hirs/default-properties" - preInstall "mkdir -p /opt/hirs/default-properties/" - preInstall "mkdir -p /tmp/hirs/default-properties/" - - // Setup /etc/hirs - into ('/etc/hirs/aca/') { - from '../HIRS_AttestationCA/src/main/resources/defaults.properties' - rename {'aca.properties'} + // copy setup scripts to /opt/hirs/aca + into ('/opt/hirs/aca/scripts/') { + from '../package/scripts/' } - into ('/etc/hirs/') { - from '../HIRS_Utils/src/main/resources/banner.properties' - from '../HIRS_Utils/src/main/resources/persistence.properties' - from '../HIRS_Utils/src/main/resources/logging.properties' - } - // Setup tomcat files - // Create and package HIRS_AttestationCA:war - into ("${tpath}/tomcat/webapps") { - from war.outputs.files - from '../HIRS_AttestationCA/build/libs/HIRS_AttestationCA.war' - user 'root' - fileMode = 0755 - } - into ("${tpath}/tomcat/lib") { - from 'libs' - from configurations.runtimeClasspath - } - into ("/opt/hirs/scripts/aca/") { - from '../package/conf/tomcat.service' - from '../package/scripts/install_tomcat.sh' - from '../package/scripts/aca/aca_property_setup.sh' - from '../package/scripts/aca/aca_setup.sh' - } - into ("/opt/hirs/scripts/pki/") { - from '../package/scripts/pki/ca.conf' - from '../package/scripts/pki/pki_setup.sh' - from '../package/scripts/pki/pki_chain_gen.sh' - } - into ("/opt/hirs/scripts/db/") { - from '../package/scripts/db/db_create.sh' - from '../package/scripts/db/db_create.sql' - from '../package/scripts/db/db_drop.sh' - from '../package/scripts/db/db_drop.sql' - from '../package/scripts/db/secure_mysql.sql' - } - into ("/opt/hirs/scripts/common") { - from '../package/scripts/common/' - } - into ('/opt/hirs/extras/aca/') { - from '../package/extras/aca/' + // copy the war file into /opt/hirs/aca + into ('/opt/hirs/aca/') { + from 
'../HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war' + user 'root' + fileMode = 0755 } - // Copy json files to /tmp and move into /opt/hirs in postInstall section - // Allows HIRS tools to be installed using the same files - into ('/tmp/aca/default-properties/') { - from '../HIRS_AttestationCA/src/main/resources/vendor-table.json' - from '../HIRS_AttestationCA/src/main/resources/component-class.json' - } - // Post Install + // Post Install + postInstall 'sh /opt/hirs/aca/scripts/aca/aca_setup.sh -u' + postInstall 'sh /opt/hirs/aca/scripts/aca/aca_bootRun.sh -p /opt/hirs/aca/HIRS_AttestationCAPortal.war' +// Note need to add service or chron job to start on system boot - postInstall file('../package/scripts/db/db_create.sh') - postInstall file('../package/scripts/pki/pki_setup.sh') - - postInstall 'mkdir -p /etc/hirs/aca/certificates' - postInstall 'cp /tmp/aca/default-properties/* /opt/hirs/default-properties/.' - postInstall 'rm -rf /tmp/aca/' - // postInstall file('../package/scripts/install_tomcat.sh') - - postInstall 'sh /opt/tomcat/bin/catalina.sh start' - - // Post Uninstall - // Copy files to /tmp that package manager will be expecting them there - preUninstall 'mkdir -p /tmp/aca/default-properties/' - preUninstall 'cp -f /opt/hirs/default-properties/* /tmp/aca/default-properties/.' - preUninstall file('../package/scripts/db/db_drop.sh') + // Uninstall + preUninstall 'sh /opt/hirs/aca/scripts/aca/aca_remove_setup.sh' buildRpm { arch = X86_64 @@ -165,5 +99,4 @@ ospackage { buildDeb { arch = 'amd64' } - } diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 13372aef..943f0cbf 100644 Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 11134f02..c30b486a 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties 
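Review bot: The new `postInstall 'sh /opt/hirs/aca/scripts/aca/aca_bootRun.sh -p /opt/hirs/aca/HIRS_AttestationCAPortal.war'` line launches the ACA from the package post-install scriptlet, which runs as root under rpm/dpkg with no supervision, and the `// Note need to add service or chron job to start on system boot` comment right after it confirms nothing restarts it; starting a JVM from a scriptlet will either block the install or leave an orphaned root process, so this belongs in a systemd unit shipped by the package and enabled in postInstall, not in a scriptlet (I cannot see `aca_bootRun.sh`, so whether it daemonizes is inferred). The hard-coded `from '../HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war'` replaces the former `from war.outputs.files`, and this same commit deletes the `war { archiveFileName = 'HIRS_AttestationCAPortal.war' }` block that pinned that filename, so the packaged path now depends on the archive task's default naming (which appends a project version when one is set); `from bootWar.outputs.files` keeps the two in sync without a relative path back into the same project. The war is also given `fileMode = 0755`, an executable bit a data file does not need — `0644` is sufficient, and the scripts copied from `../package/scripts/` are invoked via `sh` anyway.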
@@ -1,6 +1,6 @@ -#Thu Feb 15 13:18:16 EST 2018 distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip +networkTimeout=10000 zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip diff --git a/gradlew b/gradlew index 9d82f789..65dcd68d 100755 --- a/gradlew +++ b/gradlew 
@@ -1,74 +1,129 @@ -#!/usr/bin/env bash +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# ############################################################################## +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit + # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -DEFAULT_JVM_OPTS="" - -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum -warn ( ) { +warn () { echo "$*" -} +} >&2 -die ( ) { +die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). 
cygwin=false msys=false darwin=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac -# Attempt to set APP_HOME -# Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi -done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null - CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + # Determine the Java command to use to start the JVM. if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -77,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" + JAVACMD=java which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the 
@@ -85,76 +140,105 @@ location of your Java installation." fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi -fi - -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi - -# For Cygwin, switch paths to Windows format before running java -if $cygwin ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi - # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" - fi - i=$((i+1)) - done - case $i in - (0) set -- ;; - (1) set -- "$args0" ;; - (2) set -- "$args0" "$args1" ;; - (3) set -- "$args0" "$args1" "$args2" ;; - (4) set -- "$args0" "$args1" "$args2" "$args3" ;; - (5) set -- "$args0" "$args1" "$args2" "$args3" 
"$args4" ;; - (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" esac fi -# Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules -function splitJvmOpts() { - JVM_OPTS=("$@") -} -eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS -JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
-exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index aec99730..6689b85b 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -1,4 +1,20 @@ -@if "%DEBUG%" == "" @echo off +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -8,20 +24,24 @@ @rem Set local scope for the variables with windows NT shell if "%OS%"=="Windows_NT" setlocal -@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. -set DEFAULT_JVM_OPTS= - set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + @rem Find java.exe if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -35,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 
@@ -45,44 +65,26 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windowz variants - -if not "%OS%" == "Windows_NT" goto win9xME_args -if "%@eval[2+2]" == "4" goto 4NT_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* -goto execute - -:4NT_args -@rem Get arguments from the 4NT Shell from JP Software -set CMD_LINE_ARGS=%$ - :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/package/build_version_helper.sh b/package/build_version_helper.sh deleted file mode 100644 index 4be1c747..00000000 --- a/package/build_version_helper.sh +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/bash - -# script that pulls version information from git for populating the portal dispalyed version, -# RPM file names, and RPM embedded version information - -# script should be invoked with 'source' so that the variables are in the scope of the caller - -GIT_HASH=`git rev-parse HEAD | head -c6` -VERSION=`cat $SCRIPT_DIR/../VERSION` -GIT_COMMIT_UNIX_TIMESTAMP=`git show -s --format=%ct | xargs echo -n` -RELEASE="$((GIT_COMMIT_UNIX_TIMESTAMP)).$GIT_HASH" -DISPLAY_VERSION="$VERSION.$GIT_COMMIT_UNIX_TIMESTAMP.$GIT_HASH" - -echo "Building version:" -echo "VERSION: $VERSION" -echo "GIT_COMMIT_UNIX_TIMESTAMP: $GIT_COMMIT_UNIX_TIMESTAMP" -echo "RELEASE: $RELEASE" -echo "DISPLAY_VERSION: $DISPLAY_VERSION" diff --git a/package/package.centos.sh b/package/package.centos.sh deleted file mode 100755 index 0a74a5a1..00000000 --- a/package/package.centos.sh +++ /dev/null 
@@ -1,131 +0,0 @@ -#!/bin/bash - -set -e - -# Builds the centos 6/7 package for HIRS. This script can be passed a list of arguments that are relative paths to plugin script files. -# The plugin script files are provided the destination directory of where to put the plugin jar file. - -# argument $1: Extra package name addendum string -# argument $2 to end: plugin script dirs. - -# store the initial directory so this script can concatenate the relative paths specified for the plugin scripts -INITIAL_DIR=`pwd` - -# Enter package directory -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" -cd $SCRIPT_DIR/rpm - -# Set variables -RPM_BUILD_DIR=`pwd` -# assign build version vars -source $SCRIPT_DIR/build_version_helper.sh - -PLUGIN_SOURCE="$RPM_BUILD_DIR/PLUGIN_SOURCE" -PACKAGE_NAME_ADDENDUM="$1" -RPM_EXTRA_CLIENT_DEPENDENCIES="$2" -RPM_EXTRA_SERVER_DEPENDENCIES="$3" - -# prepend comma on the extra dependency lists so it can be added to spec file as is, but only if there are -# extra dependencies (not empty) -if [ ! -z "$RPM_EXTRA_CLIENT_DEPENDENCIES" ]; then - RPM_EXTRA_CLIENT_DEPENDENCIES=", $RPM_EXTRA_CLIENT_DEPENDENCIES" -fi -if [ ! -z "$RPM_EXTRA_SERVER_DEPENDENCIES" ]; then - RPM_EXTRA_SERVER_DEPENDENCIES=", $RPM_EXTRA_SERVER_DEPENDENCIES" -fi - -echo "extra client dependencies:$RPM_EXTRA_CLIENT_DEPENDENCIES" -echo "extra server dependencies:$RPM_EXTRA_SERVER_DEPENDENCIES" - -# Clear old builds -rm -rf RPMS SRPMS $PLUGIN_SOURCE - -# Create directories -mkdir -p BUILD BUILDROOT RPMS SOURCES SPECS SRPMS $PLUGIN_SOURCE - - -# build all plugins starting with fourth argument. 
-echo "Building plugins into $PLUGIN_SOURCE" -for plugin_script in "${@:4}" -do - # convert argument to absolute path if necessary - if [ "${plugin_script:0:1}" = "/" ]; then - plugin_abs_path_script=$plugin_script - else - plugin_abs_path_script="$INITIAL_DIR/$plugin_script" - fi - echo "Building Plugin: $plugin_abs_path_script" - $plugin_abs_path_script $PLUGIN_SOURCE - plugin_return_code=$? - - if [ $plugin_return_code -ne 0 ]; then - echo "Failed to build plugin $plugin_abs_path_script. Aborting" - exit -1 - fi -done - -# Move specs & sources -cp *.spec SPECS - -# Copy sources for TPM Module -tar -c -f SOURCES/tpm_module-$GIT_HASH.tar --exclude='dist' --exclude='build' ../../tpm_module/ --transform s/tpm_module/tpm_module-$GIT_HASH/ -tar --append -f SOURCES/tpm_module-$GIT_HASH.tar ../../NOTICE - -# Build RPM for TPM Module -rpmbuild --nodeps -ba SPECS/tpm-module.spec --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH || { echo 'Failed to package tpm_module'; exit 1; } -echo '************************************************************************************' -echo 'TPM Module RPM successfully built' -echo '************************************************************************************' - -# Copy sources -tar -c -f SOURCES/HIRS-$GIT_HASH.tar ../../settings.gradle ../../build.gradle ../../VERSION ../../gradle.properties ../../gradlew ../../gradle/ -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_AttestationCA -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_AttestationCAPortal -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Provisioner -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Structs -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../HIRS_Utils -tar --append -f SOURCES/HIRS-$GIT_HASH.tar --exclude='build' ../../TPM_Utils - -# copy includes directory into release TAR 
-tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../extras/ -tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../scripts/ -tar --append -f SOURCES/HIRS-$GIT_HASH.tar ../../NOTICE - -# Build HIRS CentOS6 RPMs. Provides PLUGIN_SOURCE variable to gradle task. -if [ -z "$ONLY_BUILD_EL7_RPMS" ]; then - echo "Building CentOS6 RPMs..." - rpmbuild --nodeps -ba SPECS/HIRS.spec --define 'build6 1' --define 'dist .el6' --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH --define 'DISPLAY_VERSION '$DISPLAY_VERSION --define 'PLUGIN_SOURCE '$PLUGIN_SOURCE --define 'PACKAGE_NAME_ADDENDUM '$PACKAGE_NAME_ADDENDUM --define 'RPM_EXTRA_CLIENT_DEPENDENCIES '"$RPM_EXTRA_CLIENT_DEPENDENCIES" --define 'RPM_EXTRA_SERVER_DEPENDENCIES '"$RPM_EXTRA_SERVER_DEPENDENCIES"|| { echo 'Failed to package HIRS'; exit 1; } - echo '************************************************************************************' - echo 'HIRS CentOS6 RPMs successfully built' - echo '************************************************************************************' -else - echo "Skipping building CentOS6 RPMs because of ONLY_BUILD_EL7_RPMS environment variable" -fi - - -# Cleanup before CENTOS 7 build -rm -rf BUILD BUILDROOT - -## Build HIRS CentOS7 RPMs. 
Provides PLUGIN_SOURCE variable to gradle task -if [ -z "$ONLY_BUILD_EL6_RPMS" ]; then - rpmbuild --nodeps -ba SPECS/HIRS.spec --define 'build7 1' --define 'dist .el7' --define '_topdir '$RPM_BUILD_DIR --define 'VERSION '$VERSION --define 'RELEASE '$RELEASE --define 'GIT_HASH '$GIT_HASH --define 'DISPLAY_VERSION '$DISPLAY_VERSION --define 'PLUGIN_SOURCE '$PLUGIN_SOURCE --define 'PACKAGE_NAME_ADDENDUM '$PACKAGE_NAME_ADDENDUM --define 'RPM_EXTRA_CLIENT_DEPENDENCIES '"$RPM_EXTRA_CLIENT_DEPENDENCIES" --define 'RPM_EXTRA_SERVER_DEPENDENCIES '"$RPM_EXTRA_SERVER_DEPENDENCIES"|| { echo 'Failed to package HIRS'; exit 1; } - echo '************************************************************************************' - echo 'HIRS CentOS7 RPMs successfully built' - echo '************************************************************************************' -else - echo "Skipping building CentOS7 RPMs because of ONLY_BUILD_EL6_RPMS environment variable" -fi - -# Cleanup -rm -rf BUILD BUILDROOT SOURCES SPECS $PLUGIN_SOURCE - -# Build RPM for HIRS_ProvisionerTPM2 -$SCRIPT_DIR/../HIRS_ProvisionerTPM2/package/package.tpm2.centos7.sh -if [ -f RPMS/x86_64/HIRS_Provisioner_TPM_2_0*.rpm ]; then - echo '************************************************************************************' - echo 'HIRS_ProvisionerTPM2 RPM successfully built' - echo '************************************************************************************' -else - echo 'Error: HIRS_ProvisionerTPM2 failed to package' - exit 1 -fi diff --git a/package/package.ubuntu.sh b/package/package.ubuntu.sh deleted file mode 100755 index 2308cd00..00000000 --- a/package/package.ubuntu.sh +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/bin/bash - -# Define script directory -SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" - -# Set variables -GIT_HASH=`git rev-parse HEAD | head -c6` -# assign build version vars -source $SCRIPT_DIR/build_version_helper.sh -DEBIAN_FULL_VERSION=$VERSION.$RELEASE -OS=`lsb_release -c | awk '{print $2}'` -PROVISIONER_FULL_PACKAGE_NAME="hirs-provisioner" - -# Enter package directory -mkdir -p $SCRIPT_DIR/deb -cd $SCRIPT_DIR/deb - -# Clear old builds -rm -rf DEB_SOURCES -rm -f DEBS/hirs*.deb -rm -f DEBS/tpm-module*.deb - -# Create directories -mkdir -p DEBS - -# Copy Sources for HIRS_Provisioner -cd $SCRIPT_DIR/.. - -# build HIRS items. -./gradlew -PdisplayVersion=$DISPLAY_VERSION :HIRS_Provisioner:installDist - -# Setup Provisioner directories -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/bin -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/lib -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup - -# Copy Provisioner files -cp -r HIRS_Provisioner/build/install/HIRS_Provisioner/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner -rm -rf $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/bin/*.bat -cp -r HIRS_Provisioner/debian/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian -cp -r HIRS_Provisioner/man/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian -cp -r HIRS_Provisioner/scripts/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts -cp -r HIRS_Provisioner/src/main/resources/*.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts/install - -cp -r HIRS_Provisioner/setup/* $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup -cp HIRS_Provisioner/hirs-provisioner-config.sh 
$SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts -cp HIRS_Provisioner/scripts/install/*.sh $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/scripts -cp HIRS_Provisioner/setup/hirs-provisioner.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup -cp HIRS_Provisioner/build/resources/main/defaults.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner/setup/provisioner.properties -cp HIRS_Utils/src/main/resources/logging.properties $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/install-provisioner -cp NOTICE $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/copyright - -sed -i "s/VER/$DEBIAN_FULL_VERSION/" $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/changelog -sed -i "s/RELEASE/$OS/" $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner/debian/changelog - -# Build Debian package for HIRS Provisioner -echo "Building $PROVISIONER_FULL_PACKAGE_NAME" -cd $SCRIPT_DIR/deb/DEB_SOURCES/$PROVISIONER_FULL_PACKAGE_NAME/ -debuild -i -us -uc -b -ret=$? - -if [[ $ret -ne 0 ]]; then - echo "Failed to build HIRS Provisioner deb package" - exit 1 -fi - -mv $SCRIPT_DIR/deb/DEB_SOURCES/hirs-provisioner*.deb $SCRIPT_DIR/deb/DEBS/ - -echo "HIRS Provisioner deb building complete" - -# TPM Module -cd $SCRIPT_DIR/.. - -# Compile the TPM Module -./gradlew :tpm_module:build -cd tpm_module - -# Setup build directories -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/ -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian -mkdir -p $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/src - -# Copy build files -cp tpm_module $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/src/ -cp -r debian/* $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian -cp -r man/* $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian -cp ../NOTICE $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/debian/copyright - -# Build Debian package for TPM Module -cd $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module/ -debuild -i -us -uc -b -ret=$? 
- -if [[ $ret -ne 0 ]]; then - echo "Failed to build tpm-module deb package" - exit 1 -fi - -mkdir -p $SCRIPT_DIR/deb/DEBS/ -mv $SCRIPT_DIR/deb/DEB_SOURCES/tpm-module*.deb $SCRIPT_DIR/deb/DEBS/ - -echo "TPM deb building complete" - -# HIRS Provisioner TPM 2.0 -cd $SCRIPT_DIR/deb -$SCRIPT_DIR/../HIRS_ProvisionerTPM2/package/package.tpm2.ubuntu.sh -if [ -f DEBS/HIRSProvisionerTPM2.0*.deb ]; then - echo 'HIRS Provisioner TPM 2.0 deb building complete' -else - echo 'Failed to build HIRS Provisioner TPM 2.0 deb package' - exit 1 -fi diff --git a/package/rpm/HIRS.spec b/package/rpm/HIRS.spec deleted file mode 100644 index 49d6a2ff..00000000 --- a/package/rpm/HIRS.spec +++ /dev/null 
@@ -1,337 +0,0 @@ -# need to run rpmbuild with either: -# --define 'build6 1' --define 'dist .el6' -# --define 'build7 1' --define 'dist .el7' - -# rpm runs scripts with $1 holding the number of currently installed version of the package in question: -# Install the first time: 1 -# Upgrade: 2 or higher (depending on the number of versions installed) -# Remove last version of package: 0 -# from RedHat RPM Guide by Eric Foster-Johnston - -Name : HIRS -Version : %{?VERSION} -Release : %{?RELEASE}%{?dist} -Source : %{name}-%{?GIT_HASH}.tar -Group : System Environment/Base -License : ASL 2.0 -Summary : HIRS -BuildArch : noarch -BuildRoot : %{_tmppath}/%{name}-%{version}-root -BuildRequires : java-1.8.0-openjdk-devel - -%description -Host Integrity at Runtime and Startup (HIRS) parent spec. - -%prep -%setup -q -c - -%define provisioner_package_name HIRS_Provisioner_TPM_1_2%{?PACKAGE_NAME_ADDENDUM} -%define __jar_repack 0 - -########################## -# HIRS_Provisioner_TPM_1_2 -########################## -%package -n %{provisioner_package_name} -Summary : Host Integrity at Runtime and Startup (HIRS) Provisioner -Group : System Environment/Base - -%if 0%{?build6} -Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, initscripts, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES} -%endif - -%if 0%{?build7} -Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, systemd, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES} -%endif - -%description -n %{provisioner_package_name} -Host Integrity at Runtime and Startup (HIRS) Provisioner. - -%pre -n %{provisioner_package_name} -if [[ $(find /sys/devices -name "tpm0") ]]; then - echo "TPM detected" - if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then - echo "Starting tcsd service" - systemctl start tcsd - ret=$? 
- if [[ $ret -ne 0 ]]; then - echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE" - fi - echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6" - chkconfig --level 1356 tcsd on - else - echo "Starting tcsd service" - service tcsd start - ret=$? - if [[ $ret -ne 0 ]]; then - echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE" - fi - echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6" - chkconfig --level 1356 tcsd on - fi - if [ ! -d "/sys/kernel/security/tpm0" ]; then - echo "Mounting security fs partition" - sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab - mount -a - if [ -d "/sys/kernel/security/tpm0" ]; then - echo "SUCCESS: security fs partition mounted" - fi - fi -else - echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL" -fi - -%post -n %{provisioner_package_name} -# copy default property files into /etc/hirs if not present -mkdir -p /etc/hirs/ -cp -n /opt/hirs/default-properties/provisioner/* /etc/hirs/ - -# copy common scripts into /opt/hirs/scripts/common -cp -f /opt/hirs/scripts/common/provisioner/* /opt/hirs/scripts/common/ - -echo 'Creating symlink for hirs-provisioner command' -ln -s -f /usr/share/hirs/provisioner/tpm_aca_provision /usr/sbin/tpm_aca_provision -chmod +x /usr/share/hirs/provisioner/tpm_aca_provision -ln -s -f /usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner -chmod +x /usr/share/hirs/provisioner/hirs-provisioner.sh -hirs-provisioner -c - -%postun -n %{provisioner_package_name} -# don't run these during an upgrade -if [ "$1" = "0" ]; then - rm -rf /etc/hirs/provisioner - rm -rf /etc/hirs/certificates - rm -f /usr/sbin/hirs-provisioner - rm -rf /usr/share/hirs/provisioner - - rm -rf /var/log/hirs/provisioner - - # if there are no more HIRS packages remaining, - # remove all HIRS directories - if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_Provisioner_TPM_1_2` ]]; 
then - rm -rf /etc/hirs - rm -rf /opt/hirs - rm -rf /usr/share/hirs - rm -rf /var/log/hirs - fi -fi - -%files -n %{provisioner_package_name} -%license NOTICE -/etc/hirs/provisioner -%attr(664, root, root) /opt/hirs/default-properties/provisioner/logging.properties -%attr(774, root, root) /opt/hirs/scripts/common/provisioner/ -/usr/share/hirs/provisioner -%{_mandir}/man1/hirs-provisioner.1.gz - -#################### -# HIRS_AttestationCA -#################### - -%package -n HIRS_AttestationCA -Summary : Host Integrity at Runtime and Startup (HIRS) Attestation Certificate Authority (HIRS AttestationCA) -Group : System Environment/Base - -%if 0%{?build6} -Requires : mysql-server, openssl, tomcat6, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, iptables -Prefix : /usr/share/tomcat6 -%endif - -%if 0%{?build7} -Requires : mariadb-server, openssl, tomcat, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, firewalld, policycoreutils -Prefix : /usr/share/tomcat -%endif - -%description -n HIRS_AttestationCA -Host Integrity at Runtime and Startup (HIRS) Attestation CA. Installs and creates keys for HIRS Attestation CA to support generating AIKs - -%pre -n HIRS_AttestationCA -if [ ! -d $RPM_INSTALL_PREFIX ]; then - echo "error: Tomcat directory not found. 
Re-run this rpm installation with --prefix=\"\"" - exit 1 -fi - -%post -n HIRS_AttestationCA -# copy default property files into /etc/hirs if not present -mkdir -p /etc/hirs -cp -n /opt/hirs/default-properties/attestationca/* /etc/hirs/ - -# loop over common scripts and place into /opt/hirs/scripts/common -mkdir -p /opt/hirs/scripts/common/ -cp -f /opt/hirs/scripts/common/aca/* /opt/hirs/scripts/common/ - -# run these only on a fresh install of the package -if [ $1 == 1 ]; then - # open necessary ports - sh /opt/hirs/scripts/common/firewall_configure_tomcat.sh - - # Allow Tomcat to use port 3306 to communicate with MySQL - %if 0%{?build7} - if [ selinuxenabled ]; then - semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp - fi - %endif - - # create trust stores, configure tomcat and db - sh /opt/hirs/scripts/common/ssl_configure.sh server - - # create the database - sh /opt/hirs/scripts/common/db_create.sh -fi - -# modify mysql schema accordingly on upgrade -if [ $1 -gt 1 ]; then - #update version number on portal banner - echo %{?DISPLAY_VERSION} | tee '%{prefix}/webapps/HIRS_AttestationCAPortal/WEB-INF/classes/VERSION' - - echo "Upgrading hirs_db schema!" - if [ %{version} == "1.0.4" ]; then - if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql); then - echo "Upgrade to version 1.0.4" - else - echo "Error upgrading HIRS database schema to 1.0.4!" - exit 1; - fi - elif [ %{version} == "1.1.0" ]; then - if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \ - mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql); then - echo "Upgrade to version 1.1.0" - else - echo "Error upgrading HIRS database schema to 1.1.0!" 
- exit 1; - fi - elif [ %{version} == "1.1.1" ]; then - if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \ - mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql && \ - mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.1.sql); then - echo "Upgrade to version 1.1.1" - else - echo "Error upgrading HIRS database schema to 1.1.1!" - exit 1; - fi - fi -fi - -sh /opt/hirs/scripts/aca/certificate_generate.sh - -%preun -n HIRS_AttestationCA -# don't run these during an upgrade -if [ $1 == 0 ]; then - # if the Server isn't installed, deconfigure Tomcat and MySQL SSL and drop the database - if [[ -z `rpm -qa HIRS_Server` ]]; then - echo 'Restoring Tomcat and MySQL configuration' - sh /opt/hirs/scripts/common/ssl_deconfigure.sh server - - echo 'Dropping local HIRS database' - sh /opt/hirs/scripts/common/db_drop.sh - fi -fi - -%postun -n HIRS_AttestationCA -# don't run these during an upgrade -if [ $1 == 0 ]; then - # Removes WARS from the Tomcat installation as well as ACA configuration files and certificates - # (/etc/hirs/aca), and ACA installation (/opt/hirs/attestation-ca). 
Do not run during an upgrade - rm -f %{prefix}/webapps/HIRS_AttestationCA*.war - rm -rf %{prefix}/webapps/HIRS_AttestationCA* - rm -rf /etc/hirs/aca - rm -rf /opt/hirs/attestation-ca - - # if the Server and Appraiser are not installed, remove certificates directory - if [[ -z `rpm -qa "HIRS_(Server|Appraiser)"` ]]; then - rm -rf /etc/hirs/certificates - fi - - # if there are no more HIRS packages remaining, - # remove all HIRS directories - if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_AttestationCA` ]]; then - rm -rf /etc/hirs - rm -rf /opt/hirs - rm -rf /usr/share/hirs - rm -rf /var/log/hirs - fi -fi - -%files -n HIRS_AttestationCA -%license NOTICE -%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCA.war -%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCAPortal.war -%attr(774, root, tomcat) /etc/hirs/aca/ -%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/logging.properties -%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties -%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties -%attr(664, root, tomcat) /opt/hirs/default-properties/component-class.json -%attr(664, root, tomcat) /opt/hirs/default-properties/vendor-table.json -%attr(774, root, tomcat) /opt/hirs/scripts/common/aca -%attr(774, root, tomcat) /opt/hirs/scripts/aca -%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp -%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.te - -#################### -# Build and install -#################### - -%build -./gradlew -PpluginDir=%{?PLUGIN_SOURCE} -PdisplayVersion=%{?DISPLAY_VERSION} :HIRS_Provisioner:installDist :HIRS_AttestationCA:war :HIRS_AttestationCAPortal:war - -%install -# prepare provisioner for packaging -cd HIRS_Provisioner -mkdir -p %{buildroot}/usr/share/hirs/provisioner -mkdir -p %{buildroot}/%{_mandir}/man1 -cp -r build/install/HIRS_Provisioner/* %{buildroot}/usr/share/hirs/provisioner - -sed -i '/exec "$JAVACMD" 
"$@"/i /opt/hirs/scripts/common/jvm_version_check.sh $JAVACMD' %{buildroot}/usr/share/hirs/provisioner/bin/HIRS_Provisioner - -mkdir -p %{buildroot}/etc/hirs/provisioner/certs -cp scripts/install/hirs-provisioner.sh %{buildroot}/usr/share/hirs/provisioner/ -cp scripts/install/tpm_aca_provision %{buildroot}/usr/share/hirs/provisioner/ -cp hirs-provisioner-config.sh %{buildroot}/etc/hirs/provisioner -cp create-ek-cert.sh %{buildroot}/etc/hirs/provisioner -cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/provisioner/provisioner.properties -cp -r setup %{buildroot}/etc/hirs/provisioner/ -gzip -c man/hirs-provisioner.1 > %{buildroot}/%{_mandir}/man1/hirs-provisioner.1.gz - -mkdir -p %{buildroot}/opt/hirs/scripts/common/provisioner -cp ../scripts/common/jvm_version_check.sh %{buildroot}/opt/hirs/scripts/common/provisioner/ - -# copy common scripts -mkdir -p %{buildroot}/opt/hirs/scripts/common/aca -cp ../scripts/common/* %{buildroot}/opt/hirs/scripts/common/aca/ - -# prepare ACA for packaging -cd ../HIRS_AttestationCA -mkdir -p %{buildroot}/opt/hirs/scripts/aca -cp ../scripts/aca/* %{buildroot}/opt/hirs/scripts/aca -mkdir -p %{buildroot}/opt/hirs/attestation-ca/ -mkdir -p %{buildroot}/etc/hirs/aca/certificates/ -mkdir -p %{buildroot}/etc/hirs/aca/client-files/ -mkdir -p %{buildroot}%{prefix}/webapps/ -cp build/libs/HIRS_AttestationCA.war %{buildroot}%{prefix}/webapps/ -cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/aca/aca.properties - -# prepare ACA Portal for packaging -cd ../HIRS_AttestationCAPortal -mkdir -p %{buildroot}%{prefix}/webapps/ -cp build/libs/HIRS_AttestationCAPortal.war %{buildroot}%{prefix}/webapps/ -# note: no ACA Portal specific resource files to copy yet... - -# creates the home directory for activemq user so SELinux doesn't complain -mkdir -p %{buildroot}/srv/activemq -mkdir -p %{buildroot}/etc/hirs/portal - -cd .. 
- -# copy over the properties files -mkdir -p %{buildroot}/opt/hirs/default-properties/provisioner -cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/provisioner/logging.properties - -mkdir -p %{buildroot}/opt/hirs/default-properties/attestationca -cp HIRS_Utils/src/main/resources/persistence.properties %{buildroot}/opt/hirs/default-properties/attestationca/ -cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/ -cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/ -cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/ -cp -n HIRS_Utils/src/main/resources/vendor-table.json %{buildroot}/opt/hirs/default-properties/ - -# install extras -mkdir -p %{buildroot}/opt/hirs/extras -cp -r extras/ %{buildroot}/opt/hirs/ diff --git a/package/rpm/tpm-module.spec b/package/rpm/tpm-module.spec deleted file mode 100644 index 2689503b..00000000 --- a/package/rpm/tpm-module.spec +++ /dev/null 
@@ -1,62 +0,0 @@ -Name : tpm_module -Vendor : U.S. Government -Summary : Tool used to interface with the TPM -Version : %{?VERSION} -Release : %{?RELEASE} -Source : tpm_module-%{?GIT_HASH}.tar - -Group : System Environment/Base -License : ASL 2.0 - -Requires : tpm-tools, trousers -BuildRequires : cpp -BuildRequires : gcc-c++ -BuildRequires : trousers-devel - -BuildArch : x86_64 -BuildRoot : %{_tmppath}/%{name}-%{version}-root - -%description -Trusted Platform Module (TPM) interface module. This software is designed to provide a platform-independent interface to a client's TPM. It imlpements functionality similar to and exceeding that of tpm-tools in some cases. This software is intended for use with the HIR reporting infrastructure to help clients generate integrity reports based on TPM data. - -%prep -%setup -q -n %{name}-%{?GIT_HASH} - -%build -rm -f main.d main.o tpm_module -make - -%install -rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT/usr/bin -mkdir -p $RPM_BUILD_ROOT/usr/share/man/man1 -cp tpm_module $RPM_BUILD_ROOT/usr/bin/ -gzip -c man/tpm_module.1 > $RPM_BUILD_ROOT/usr/share/man/man1/tpm_module.1.gz - -%clean -rm -rf $RPM_BUILD_ROOT - -%files -%license ../NOTICE -/usr/bin/tpm_module -/usr/share/man/man1/tpm_module.1.gz - -%changelog -* Thu Feb 5 2015 3.11 -- Modify to support new directory structure -* Mon May 5 2014 3.11 -- Set up automatic builds -* Wed Jan 8 2014 3.10 -- Added more comments, legal disclaimers, and changed behavior of error output. -* Wed Dec 4 2013 3.09 -- Tweaked toggling of TSS_CAP_VERSION_INFO. Added additional debugging messages to describe errors. -* Mon Dec 2 2013 3.08 -- TSS_CAP_VERSION_INFO is no longer required on quote2. Other tweaks for platform compatibility. 
-* Tue Oct 1 2013 3.08 -- Improved commenting and documentation, fixed help info, changed behavior of clearing function -* Tue Jul 17 2012 3.07 -- Fixed mask utility function handling of 'F' (70, not 80) -* Wed May 2 2012 3.06 -- Corrected bug in changekeyauth function -* Tue May 1 2012 3.05 -- Initial package release diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index f98b85aa..903eeae4 100755 --- a/package/scripts/aca/aca_bootRun.sh +++ b/package/scripts/aca/aca_bootRun.sh @@ -6,7 +6,6 @@ # ##################################################################################### -USE_WAR=$1 CONFIG_FILE="/etc/hirs/aca/application.properties" ALG=RSA RSA_PATH=rsa_3k_sha384_certs @@ -21,6 +20,51 @@ if [ "$EUID" -ne 0 ] exit 1 fi +help () { + echo " Setup script for the HIRS ACA" + echo " Syntax: sh aca_setup.sh [-u|h|sb|sp|--skip-db|--skip-pki]" + echo " options:" + echo " -p | --path Path to the HIRS_AttestationCAPortal.war file" + echo " -h | --help Print this Help." + echo +} + +# Process parameters Argument handling +POSITIONAL_ARGS=() +ORIGINAL_ARGS=("$@") +while [[ $# -gt 0 ]]; do + case $1 in + -p|--path) + USE_WAR=YES + shift # past argument + WAR_PATH=$@ + shift # past parameter + ;; + -h|--help) + help + exit 0 + shift # past argument + ;; + -*|--*) + echo "aca_setup.sh: Unknown option $1" + help + exit 1 + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + # shift # past argument + break + ;; + esac +done + +if [ -z "${WAR_PATH}" ]; then + WAR_PATH="HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war" + NOT_USING_RPM=true +fi + +set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters + source $SCRIPT_DIR/../db/start_mysqld.sh if [ $ALG = "RSA" ]; then 
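Review bot: `WAR_PATH=$@` in the `-p|--path` arm captures every remaining argument rather than the path, because the preceding `shift` has already dropped `-p` and `$@` is now the whole remainder; `-p foo.war -h` leaves `WAR_PATH` as `foo.war -h`, and the `java -jar $WAR_PATH` further down the file then fails. Use `WAR_PATH="$2"` followed by `shift 2` (dropping the first `shift`), and reject a missing operand first with `[ -n "$2" ] || { echo "aca_bootRun.sh: --path requires a file"; exit 1; }`. The `help` text and the unknown-option message still name `aca_setup.sh` and list its `-u|sb|sp|--skip-db|--skip-pki` options, none of which this script accepts; the usage line should read `Syntax: sh aca_bootRun.sh [-p <war>|-h]`. The `shift` after `exit 0` in the `-h` arm is unreachable and can go.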
@@ -43,9 +87,11 @@ if [ ! -d "$CERT_PATH" ]; then exit 1; fi -if [ ! -f "$GRADLE_WRAPPER" ]; then +if [ $NOT_USING_RPM = true ]; then + if [ ! -f "$GRADLE_WRAPPER" ]; then echo "This script needs to be run from the HIRS top level project directory. Exiting." exit 1; + fi fi echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" @@ -71,10 +117,11 @@ WEB_TLS_PARAMS="--server.ssl.key-store-password=$hirs_pki_password \ # uncomment to show spring boot and hibernate properties used as gradle argumanets #echo "--args=\"$CONNECTOR_PARAMS $WEB_TLS_PARAMS\"" -if [ "$USE_WAR" == "war" ]; then - echo "Booting the ACA from a $USE_WAR file..." - java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $CONNECTOR_PARAMS$WEB_TLS_PARAMS +if [ -z "$USE_WAR" ]; then + echo "Booting the ACA from local build..." + ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" else - echo "Booting the ACA from local build..." - ./gradlew bootRun --args="$CONNECTOR_PARAMS$WEB_TLS_PARAMS" + echo "Booting the ACA from a $USE_WAR file..." + java -jar $WAR_PATH $CONNECTOR_PARAMS$WEB_TLS_PARAMS & + # Note add check for ACA to get started fi diff --git a/package/scripts/aca/aca_remove_setup.sh b/package/scripts/aca/aca_remove_setup.sh index dfe800a9..2a0ae03a 100755 --- a/package/scripts/aca/aca_remove_setup.sh +++ b/package/scripts/aca/aca_remove_setup.sh @@ -28,4 +28,6 @@ popd echo "Removing certificates and config files..." rm -rf /etc/hirs +# Note add check for ACA running and stop the process if it is + echo "ACA setup removal complete." \ No newline at end of file diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh index 7d39fa79..89b01346 100644 --- a/package/scripts/db/start_mysqld.sh +++ b/package/scripts/db/start_mysqld.sh @@ -89,7 +89,7 @@ check_mysql () { echo "mariadb not running , attempting to restart" systemctl start mariadb fi - fi + fi # Wait for mysql to start before continuing. 
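Review bot: `if [ $NOT_USING_RPM = true ]` tests an unquoted variable that is only assigned when no `-p` path was given, so in the WAR case it expands to `[ = true ]` and `test` prints "unary operator expected"; the branch is skipped only because the malformed test happens to return non-zero. Quote it with a default: `if [ "${NOT_USING_RPM:-false}" = true ]; then`. Neither branch verifies that the supplied WAR exists before the `java -jar` later in the file, so a typo in `--path` surfaces only as a JVM error; add `elif [ ! -f "$WAR_PATH" ]; then echo "WAR file $WAR_PATH not found. Exiting."; exit 1` to the same `if`.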
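Review bot: `java -jar $WAR_PATH ... &` hands the ACA to the background with no pid capture and no readiness check, so the script returns success immediately even when the JVM dies on startup (wrong keystore password, port 8443 already bound), and the `# Note add check for ACA to get started` comment defers exactly the check a caller of this script needs. `$WAR_PATH` is unquoted, and the message now prints `Booting the ACA from a YES file...` because `USE_WAR` holds the literal `YES` rather than the former `war`. A bounded poll of the portal URL echoed at the top of this file section gives a real exit status, assuming `curl` is present on the host; `-k` is tolerable only because this probes localhost for liveness, not for trust. Separately, the keystore password in `WEB_TLS_PARAMS` now sits on the command line of a long-lived process, readable by any local user through `ps` or `/proc/*/cmdline`; this predates the commit, but moving it to an environment variable or a root-only properties file is worth a follow-up.
```shell
else
  echo "Booting the ACA from $WAR_PATH..."
  java -jar "$WAR_PATH" $CONNECTOR_PARAMS$WEB_TLS_PARAMS &
  ACA_PID=$!
  # Poll for up to 60s; -k only because this is a localhost liveness probe, not a trust decision.
  for _ in $(seq 1 30); do
    if ! kill -0 "$ACA_PID" 2>/dev/null; then
      echo "ACA process exited during startup. Exiting."
      exit 1
    fi
    if curl -ksf -o /dev/null "https://localhost:8443/HIRS_AttestationCAPortal/portal/index"; then
      echo "ACA is up (pid $ACA_PID)"
      exit 0
    fi
    sleep 2
  done
  echo "ACA did not respond within 60s. Exiting."
  exit 1
fi
```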
diff --git a/package/scripts/install_tomcat.sh b/package/scripts/install_tomcat.sh deleted file mode 100644 index 7a487fb0..00000000 --- a/package/scripts/install_tomcat.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash -tom_version="10.1.9" -tom_maj=$(echo "$tom_version" | cut -d '.' -f 1) -CATALINA_HOME=/opt/tomcat/ -CATALINA_BASE=/opt/tomcat/ - -# Check if tomcat already installed -if [ -d "/opt/tomcat" ]; then - echo "tomcat already installed" -else - echo "installing $tom_version" - pushd /tmp - useradd -r -d /opt/tomcat/ -s /bin/false -c "Tomcat User" tomcat - dnf install wget -y - wget https://downloads.apache.org/tomcat/tomcat-$tom_maj/v$tom_version/bin/apache-tomcat-$tom_version.tar.gz - mkdir /opt/tomcat - tar -xzf apache-tomcat-$tom_version.tar.gz -C /opt/tomcat --strip-components=1 - rm apache-tomcat-$tom_version.tar.gz - chown -R tomcat: /opt/tomcat - sudo sh -c 'chmod +x /opt/tomcat/bin/*.sh' - popd -fi -if [ -f /.dockerenv ]; then - echo "in a container..." - sh /opt/tomcat/bin/catalina.sh start -else - cp /opt/hirs/scripts/aca/tomcat.service /etc/systemd/system/. - systemctl daemon-reload - systemctl start tomcat - systemctl enable tomcat -fi -if [ $(pgrep -c FirewallD) == "1" ]; then - firewall-cmd --add-port=8080/tcp --permanent - firewall-cmd --add-port=8443/tcp --permanent -fi diff --git a/tools/tcg_eventlog_tool/build.gradle b/tools/tcg_eventlog_tool/build.gradle index 6960d4e0..a35be3d6 100644 --- a/tools/tcg_eventlog_tool/build.gradle +++ b/tools/tcg_eventlog_tool/build.gradle @@ -3,7 +3,7 @@ plugins { id "java" // id "findbugs" // id "checkstyle" - id "nebula.ospackage" version "9.1.1" + id "com.netflix.nebula.ospackage" version "11.4.0" } // Get version from main project gradle def packVersion = properties.get("packageVersion"); diff --git a/tools/tcg_rim_tool/build.gradle b/tools/tcg_rim_tool/build.gradle index cd7aefbe..4acdd4a1 100644 --- a/tools/tcg_rim_tool/build.gradle +++ b/tools/tcg_rim_tool/build.gradle 
@@ -1,6 +1,6 @@ plugins { id "java" - id "nebula.ospackage" version "9.1.1" + id 'com.netflix.nebula.ospackage' version '11.4.0' id 'com.intershop.gradle.jaxb' version '5.1.0' }