mirror of
https://github.com/nsacyber/HIRS.git
synced 2025-01-13 16:29:45 +00:00
338 lines
13 KiB
RPMSpec
338 lines
13 KiB
RPMSpec
# need to run rpmbuild with either:
|
|
# --define 'build6 1' --define 'dist .el6'
|
|
# --define 'build7 1' --define 'dist .el7'
|
|
|
|
# rpm runs scripts with $1 holding the number of currently installed version of the package in question:
|
|
# Install the first time: 1
|
|
# Upgrade: 2 or higher (depending on the number of versions installed)
|
|
# Remove last version of package: 0
|
|
# from RedHat RPM Guide by Eric Foster-Johnston
|
|
|
|
Name : HIRS
|
|
Version : %{?VERSION}
|
|
Release : %{?RELEASE}%{?dist}
|
|
Source : %{name}-%{?GIT_HASH}.tar
|
|
Group : System Environment/Base
|
|
License : ASL 2.0
|
|
Summary : HIRS
|
|
BuildArch : noarch
|
|
BuildRoot : %{_tmppath}/%{name}-%{version}-root
|
|
BuildRequires : java-1.8.0-openjdk-devel
|
|
|
|
%description
|
|
Host Integrity at Runtime and Startup (HIRS) parent spec.
|
|
|
|
%prep
|
|
%setup -q -c
|
|
|
|
%define provisioner_package_name HIRS_Provisioner_TPM_1_2%{?PACKAGE_NAME_ADDENDUM}
|
|
%define __jar_repack 0
|
|
|
|
##########################
|
|
# HIRS_Provisioner_TPM_1_2
|
|
##########################
|
|
%package -n %{provisioner_package_name}
|
|
Summary : Host Integrity at Runtime and Startup (HIRS) Provisioner
|
|
Group : System Environment/Base
|
|
|
|
%if 0%{?build6}
|
|
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, initscripts, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
|
|
%endif
|
|
|
|
%if 0%{?build7}
|
|
Requires : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, systemd, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
|
|
%endif
|
|
|
|
%description -n %{provisioner_package_name}
|
|
Host Integrity at Runtime and Startup (HIRS) Provisioner.
|
|
|
|
%pre -n %{provisioner_package_name}
|
|
if [[ $(find /sys/devices -name "tpm0") ]]; then
|
|
echo "TPM detected"
|
|
if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then
|
|
echo "Starting tcsd service"
|
|
systemctl start tcsd
|
|
ret=$?
|
|
if [[ $ret -ne 0 ]]; then
|
|
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
|
|
fi
|
|
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
|
|
chkconfig --level 1356 tcsd on
|
|
else
|
|
echo "Starting tcsd service"
|
|
service tcsd start
|
|
ret=$?
|
|
if [[ $ret -ne 0 ]]; then
|
|
echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
|
|
fi
|
|
echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
|
|
chkconfig --level 1356 tcsd on
|
|
fi
|
|
if [ ! -d "/sys/kernel/security/tpm0" ]; then
|
|
echo "Mounting security fs partition"
|
|
sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab
|
|
mount -a
|
|
if [ -d "/sys/kernel/security/tpm0" ]; then
|
|
echo "SUCCESS: security fs partition mounted"
|
|
fi
|
|
fi
|
|
else
|
|
echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL"
|
|
fi
|
|
|
|
%post -n %{provisioner_package_name}
|
|
# copy default property files into /etc/hirs if not present
|
|
mkdir -p /etc/hirs/
|
|
cp -n /opt/hirs/default-properties/provisioner/* /etc/hirs/
|
|
|
|
# copy common scripts into /opt/hirs/scripts/common
|
|
cp -f /opt/hirs/scripts/common/provisioner/* /opt/hirs/scripts/common/
|
|
|
|
echo 'Creating symlink for hirs-provisioner command'
|
|
ln -s -f /usr/share/hirs/provisioner/tpm_aca_provision /usr/sbin/tpm_aca_provision
|
|
chmod +x /usr/share/hirs/provisioner/tpm_aca_provision
|
|
ln -s -f /usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
|
|
chmod +x /usr/share/hirs/provisioner/hirs-provisioner.sh
|
|
hirs-provisioner -c
|
|
|
|
%postun -n %{provisioner_package_name}
|
|
# don't run these during an upgrade
|
|
if [ "$1" = "0" ]; then
|
|
rm -rf /etc/hirs/provisioner
|
|
rm -rf /etc/hirs/certificates
|
|
rm -f /usr/sbin/hirs-provisioner
|
|
rm -rf /usr/share/hirs/provisioner
|
|
|
|
rm -rf /var/log/hirs/provisioner
|
|
|
|
# if there are no more HIRS packages remaining,
|
|
# remove all HIRS directories
|
|
if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_Provisioner_TPM_1_2` ]]; then
|
|
rm -rf /etc/hirs
|
|
rm -rf /opt/hirs
|
|
rm -rf /usr/share/hirs
|
|
rm -rf /var/log/hirs
|
|
fi
|
|
fi
|
|
|
|
%files -n %{provisioner_package_name}
|
|
%license NOTICE
|
|
/etc/hirs/provisioner
|
|
%attr(664, root, root) /opt/hirs/default-properties/provisioner/logging.properties
|
|
%attr(774, root, root) /opt/hirs/scripts/common/provisioner/
|
|
/usr/share/hirs/provisioner
|
|
%{_mandir}/man1/hirs-provisioner.1.gz
|
|
|
|
####################
|
|
# HIRS_AttestationCA
|
|
####################
|
|
|
|
%package -n HIRS_AttestationCA
|
|
Summary : Host Integrity at Runtime and Startup (HIRS) Attestation Certificate Authority (HIRS AttestationCA)
|
|
Group : System Environment/Base
|
|
|
|
%if 0%{?build6}
|
|
Requires : mysql-server, openssl, tomcat6, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, iptables
|
|
Prefix : /opt/tomcat6
|
|
%endif
|
|
|
|
%if 0%{?build7}
|
|
Requires : mariadb-server, openssl, tomcat, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, firewalld, policycoreutils
|
|
Prefix : /opt/tomcat
|
|
%endif
|
|
|
|
%description -n HIRS_AttestationCA
|
|
Host Integrity at Runtime and Startup (HIRS) Attestation CA. Installs and creates keys for HIRS Attestation CA to support generating AIKs
|
|
|
|
%pre -n HIRS_AttestationCA
|
|
if [ ! -d $RPM_INSTALL_PREFIX ]; then
|
|
echo "error: Tomcat directory not found. Re-run this rpm installation with --prefix=\"<absolute-tomcat-directory>\""
|
|
exit 1
|
|
fi
|
|
|
|
%post -n HIRS_AttestationCA
|
|
# copy default property files into /etc/hirs if not present
|
|
mkdir -p /etc/hirs
|
|
cp -n /opt/hirs/default-properties/attestationca/* /etc/hirs/
|
|
|
|
# loop over common scripts and place into /opt/hirs/scripts/common
|
|
mkdir -p /opt/hirs/scripts/common/
|
|
cp -f /opt/hirs/scripts/common/aca/* /opt/hirs/scripts/common/
|
|
|
|
# run these only on a fresh install of the package
|
|
if [ $1 == 1 ]; then
|
|
# open necessary ports
|
|
sh /opt/hirs/scripts/common/firewall_configure_tomcat.sh
|
|
|
|
# Allow Tomcat to use port 3306 to communicate with MySQL
|
|
%if 0%{?build7}
|
|
if [ selinuxenabled ]; then
|
|
semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
|
|
fi
|
|
%endif
|
|
|
|
# create trust stores, configure tomcat and db
|
|
sh /opt/hirs/scripts/common/ssl_configure.sh server
|
|
|
|
# create the database
|
|
sh /opt/hirs/scripts/common/db_create.sh
|
|
fi
|
|
|
|
# modify mysql schema accordingly on upgrade
|
|
if [ $1 -gt 1 ]; then
|
|
#update version number on portal banner
|
|
echo %{?DISPLAY_VERSION} | tee '%{prefix}/webapps/HIRS_AttestationCAPortal/WEB-INF/classes/VERSION'
|
|
|
|
echo "Upgrading hirs_db schema!"
|
|
if [ %{version} == "1.0.4" ]; then
|
|
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql); then
|
|
echo "Upgrade to version 1.0.4"
|
|
else
|
|
echo "Error upgrading HIRS database schema to 1.0.4!"
|
|
exit 1;
|
|
fi
|
|
elif [ %{version} == "1.1.0" ]; then
|
|
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \
|
|
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql); then
|
|
echo "Upgrade to version 1.1.0"
|
|
else
|
|
echo "Error upgrading HIRS database schema to 1.1.0!"
|
|
exit 1;
|
|
fi
|
|
elif [ %{version} == "1.1.1" ]; then
|
|
if (mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.0.4.sql && \
|
|
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.0.sql && \
|
|
mysql -u root hirs_db < /opt/hirs/scripts/common/upgrade_schema_1.1.1.sql); then
|
|
echo "Upgrade to version 1.1.1"
|
|
else
|
|
echo "Error upgrading HIRS database schema to 1.1.1!"
|
|
exit 1;
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
sh /opt/hirs/scripts/aca/certificate_generate.sh
|
|
|
|
%preun -n HIRS_AttestationCA
|
|
# don't run these during an upgrade
|
|
if [ $1 == 0 ]; then
|
|
# if the Server isn't installed, deconfigure Tomcat and MySQL SSL and drop the database
|
|
if [[ -z `rpm -qa HIRS_Server` ]]; then
|
|
echo 'Restoring Tomcat and MySQL configuration'
|
|
sh /opt/hirs/scripts/common/ssl_deconfigure.sh server
|
|
|
|
echo 'Dropping local HIRS database'
|
|
sh /opt/hirs/scripts/common/db_drop.sh
|
|
fi
|
|
fi
|
|
|
|
%postun -n HIRS_AttestationCA
|
|
# don't run these during an upgrade
|
|
if [ $1 == 0 ]; then
|
|
# Removes WARS from the Tomcat installation as well as ACA configuration files and certificates
|
|
# (/etc/hirs/aca), and ACA installation (/opt/hirs/attestation-ca). Do not run during an upgrade
|
|
rm -f %{prefix}/webapps/HIRS_AttestationCA*.war
|
|
rm -rf %{prefix}/webapps/HIRS_AttestationCA*
|
|
rm -rf /etc/hirs/aca
|
|
rm -rf /opt/hirs/attestation-ca
|
|
|
|
# if the Server and Appraiser are not installed, remove certificates directory
|
|
if [[ -z `rpm -qa "HIRS_(Server|Appraiser)"` ]]; then
|
|
rm -rf /etc/hirs/certificates
|
|
fi
|
|
|
|
# if there are no more HIRS packages remaining,
|
|
# remove all HIRS directories
|
|
if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_AttestationCA` ]]; then
|
|
rm -rf /etc/hirs
|
|
rm -rf /opt/hirs
|
|
rm -rf /usr/share/hirs
|
|
rm -rf /var/log/hirs
|
|
fi
|
|
fi
|
|
|
|
%files -n HIRS_AttestationCA
|
|
%license NOTICE
|
|
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCA.war
|
|
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCAPortal.war
|
|
%attr(774, root, tomcat) /etc/hirs/aca/
|
|
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/logging.properties
|
|
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties
|
|
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties
|
|
%attr(664, root, tomcat) /opt/hirs/default-properties/component-class.json
|
|
%attr(664, root, tomcat) /opt/hirs/default-properties/vendor-table.json
|
|
%attr(774, root, tomcat) /opt/hirs/scripts/common/aca
|
|
%attr(774, root, tomcat) /opt/hirs/scripts/aca
|
|
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
|
|
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.te
|
|
|
|
####################
|
|
# Build and install
|
|
####################
|
|
|
|
%build
|
|
./gradlew -PpluginDir=%{?PLUGIN_SOURCE} -PdisplayVersion=%{?DISPLAY_VERSION} :HIRS_Provisioner:installDist :HIRS_AttestationCA:war :HIRS_AttestationCAPortal:war
|
|
|
|
%install
|
|
# prepare provisioner for packaging
|
|
cd HIRS_Provisioner
|
|
mkdir -p %{buildroot}/usr/share/hirs/provisioner
|
|
mkdir -p %{buildroot}/%{_mandir}/man1
|
|
cp -r build/install/HIRS_Provisioner/* %{buildroot}/usr/share/hirs/provisioner
|
|
|
|
sed -i '/exec "$JAVACMD" "$@"/i /opt/hirs/scripts/common/jvm_version_check.sh $JAVACMD' %{buildroot}/usr/share/hirs/provisioner/bin/HIRS_Provisioner
|
|
|
|
mkdir -p %{buildroot}/etc/hirs/provisioner/certs
|
|
cp scripts/install/hirs-provisioner.sh %{buildroot}/usr/share/hirs/provisioner/
|
|
cp scripts/install/tpm_aca_provision %{buildroot}/usr/share/hirs/provisioner/
|
|
cp hirs-provisioner-config.sh %{buildroot}/etc/hirs/provisioner
|
|
cp create-ek-cert.sh %{buildroot}/etc/hirs/provisioner
|
|
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/provisioner/provisioner.properties
|
|
cp -r setup %{buildroot}/etc/hirs/provisioner/
|
|
gzip -c man/hirs-provisioner.1 > %{buildroot}/%{_mandir}/man1/hirs-provisioner.1.gz
|
|
|
|
mkdir -p %{buildroot}/opt/hirs/scripts/common/provisioner
|
|
cp ../scripts/common/jvm_version_check.sh %{buildroot}/opt/hirs/scripts/common/provisioner/
|
|
|
|
# copy common scripts
|
|
mkdir -p %{buildroot}/opt/hirs/scripts/common/aca
|
|
cp ../scripts/common/* %{buildroot}/opt/hirs/scripts/common/aca/
|
|
|
|
# prepare ACA for packaging
|
|
cd ../HIRS_AttestationCA
|
|
mkdir -p %{buildroot}/opt/hirs/scripts/aca
|
|
cp ../scripts/aca/* %{buildroot}/opt/hirs/scripts/aca
|
|
mkdir -p %{buildroot}/opt/hirs/attestation-ca/
|
|
mkdir -p %{buildroot}/etc/hirs/aca/certificates/
|
|
mkdir -p %{buildroot}/etc/hirs/aca/client-files/
|
|
mkdir -p %{buildroot}%{prefix}/webapps/
|
|
cp build/libs/HIRS_AttestationCA.war %{buildroot}%{prefix}/webapps/
|
|
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/aca/aca.properties
|
|
|
|
# prepare ACA Portal for packaging
|
|
cd ../HIRS_AttestationCAPortal
|
|
mkdir -p %{buildroot}%{prefix}/webapps/
|
|
cp build/libs/HIRS_AttestationCAPortal.war %{buildroot}%{prefix}/webapps/
|
|
# note: no ACA Portal specific resource files to copy yet...
|
|
|
|
# creates the home directory for activemq user so SELinux doesn't complain
|
|
mkdir -p %{buildroot}/srv/activemq
|
|
mkdir -p %{buildroot}/etc/hirs/portal
|
|
|
|
cd ..
|
|
|
|
# copy over the properties files
|
|
mkdir -p %{buildroot}/opt/hirs/default-properties/provisioner
|
|
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/provisioner/logging.properties
|
|
|
|
mkdir -p %{buildroot}/opt/hirs/default-properties/attestationca
|
|
cp HIRS_AttestationCA/src/main/resources/persistence.properties %{buildroot}/opt/hirs/default-properties/attestationca/
|
|
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/
|
|
cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/
|
|
cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/
|
|
cp -n HIRS_Utils/src/main/resources/vendor-table.json %{buildroot}/opt/hirs/default-properties/
|
|
|
|
# install extras
|
|
mkdir -p %{buildroot}/opt/hirs/extras
|
|
cp -r extras/ %{buildroot}/opt/hirs/
|