ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-21 05:53:27 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
19716d5819
HIRS/package/win/db/db_create.ps1
5B96790E3664F40075A67E6ADF737EDB15B4408DBC91A81228B31537B0CE3E26 1e3c7c78b0
Dockerfiles for v3 ACA. Also Powershell Package Scripts (#628) 
* Package scripts for powershell

* Adding dockerfiles
2023-11-09 11:54:51 -05:00

189 lines
7.7 KiB
PowerShell
Raw Blame History

#!/bin/bash
#
###############################################################################
# HIRS DB creation
# Environment variables used:
# a. HIRS_MYSQL_ROOT_PWD: Set this variable if mysql root password is already set
# b. HIRS_DB_PWD: Set the pwd if default password to hirs_db user needs to be changed
################################################################################
param (
[string]$LOG_FILE = $null,
[switch]$unattended = $false
)
$APP_HOME=(Split-Path -parent $PSCommandPath)
$ACA_COMMON_SCRIPT=(Join-Path "$APP_HOME" .. aca aca_common.ps1)
# Load other scripts
. $ACA_COMMON_SCRIPT
. $global:HIRS_REL_WIN_DB_MYSQL_UTIL
# Read aca.properties
read_aca_properties $global:HIRS_DATA_ACA_PROPERTIES_FILE
# Read spring application.properties
read_spring_properties $global:HIRS_DATA_SPRING_PROP_FILE
# Parameter check
if ($LOG_FILE) {
touch $LOG_FILE
$global:LOG_FILE=$LOG_FILE
} else {
set_up_log
}
touch $global:HIRS_DATA_ACA_PROPERTIES_FILE
touch $global:DB_CONF
# Make sure required paths exist
mkdir -F -p $global:HIRS_CONF_DIR 2>&1 > $null
mkdir -F -p $global:HIRS_DATA_LOG_DIR 2>&1 > $null
Function check_mysql_root_pwd () {
# Check if DB root password needs to be obtainedS
$DB_ADMIN_PWD=""
if (!$Env:HIRS_MYSQL_ROOT_PWD) {
# Create a 32 character random password
echo "Using randomly generated password for the DB admin" | WriteAndLog
$DB_ADMIN_PWD=(create_random)
Write-Host "NOT LOGGED: DB Admin will be set to $DB_ADMIN_PWD, please make note for next mysql use."
# Check unattended flag set m if not then prompt user for permission ot store mysql root password
if (!$unattended) {
$confirm=Read-Host 'Do you wish to save this password to the aca.properties file?'
if (($confirm -eq "y") -or ($confirm -eq "yes")) { # case-insensitive
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"mysql_admin_password=$DB_ADMIN_PWD"
echo "Mysql root password saved locally" | WriteAndLog
} else {
echo "Mysql root password not saved locally" | WriteAndLog
}
} else { # unattended install
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"mysql_admin_password=$DB_ADMIN_PWD"
echo "Mysql root password has been saved locally." | WriteAndLog
}
mysqladmin --user=root password "$DB_ADMIN_PWD"
} else {
$DB_ADMIN_PWD=$Env:HIRS_MYSQL_ROOT_PWD
echo "Using system variable supplied password" | WriteAndLog
}
# Make sure root password is correct
mysql -u root -p"$DB_ADMIN_PWD" -e 'quit' 2>&1 | WriteAndLog
if ($LastExitCode -eq 0) {
echo "Mysql root password verified" | WriteAndLog
} else {
echo "MYSQL root password was not the default, not supplied, or was incorrect" | WriteAndLog
echo " please set the HIRS_MYSQL_ROOT_PWD system variable and retry." | WriteAndLog
echo " ********** ACA Mysql setup aborted ********" | WriteAndLog
exit 1
}
return $DB_ADMIN_PWD
}
Function set_mysql_tls () {
# Check DB server setup. If ssl params dont exist then we need to add them.
if (!(Get-Content $global:DB_CONF | grep "ssl")) {
# Add TLS files to my.ini- Assumes [client] section at the end, and no [server] section
echo "Updating $global:DB_CONF with ssl parameters..." | WriteAndLog
echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $global:DB_CONF
echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $global:DB_CONF
echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $global:DB_CONF
echo "[server]" >> $global:DB_CONF
echo "ssl_ca=$global:SSL_DB_SRV_CHAIN" >> $global:DB_CONF
echo "ssl_cert=$global:SSL_DB_SRV_CERT" >> $global:DB_CONF
echo "ssl_key=$global:SSL_DB_SRV_KEY" >> $global:DB_CONF
ChangeFileBackslashToForwardSlash $global:DB_CONF
} else {
echo "$global:DB_CONF contains existing entry for ssl, skipping..." | WriteAndLog
}
}
# Process HIRS DB USER
Function set_hirs_db_pwd () {
param (
[string]$DB_ADMIN_PWD = $null
)
if (!$DB_ADMIN_PWD) {
echo "set_hirs_db_pwd was called without supplying a required variable" | WriteAndLog
}
$HIRS_PASS=""
if ($Env:HIRS_DB_PWD) {
$HIRS_PASS=$Env:HIRS_DB_PWD
echo "Using hirs_db password found in the environment variable HIRS_DB_PWD" | WriteAndLog
} elseif ($global:ACA_PROPERTIES.'hirs_db_password') {
$HIRS_PASS=$global:ACA_PROPERTIES.'hirs_db_password'
echo "Using hirs_db password found in the ACA properties file $global:HIRS_DATA_ACA_PROPERTIES_FILE" | WriteAndLog
} else {
echo "Using randomly generated password for the DB key password" | WriteAndLog
$HIRS_PASS=(create_random)
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_db_username=hirs_db"
add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_db_password=$HIRS_PASS"
echo "Stored hirs_db password in the ACA properties file $global:HIRS_DATA_ACA_PROPERTIES_FILE" | WriteAndLog
}
$RESULT=(mysql -u root -p"$DB_ADMIN_PWD" -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")
if ($RESULT -eq 1) {
echo "hirs-db user exists" | WriteAndLog
}
return $HIRS_PASS
}
# Create a hirs_db with client side TLS enabled
Function create_hirs_db_with_tls () {
param (
[string]$DB_ADMIN_PWD = $null,
[string]$HIRS_PASS = $null
)
if (!$DB_ADMIN_PWD) {
echo "create_hirs_db_with_tls: DB_ADMIN_PWD not provided and is required" | WriteAndLog
}
if (!$HIRS_PASS) {
echo "create_hirs_db_with_tls: HIRS_PASS not provided and is required" | WriteAndLog
}
# Check if hirs_db not created and create it if it wasn't
mysqlshow -u root -p"$DB_ADMIN_PWD" | grep "hirs_db" 2>&1 > $null
if ($LastExitCode -eq 0) {
echo "hirs_db exists, skipping hirs_db create" | WriteAndLog
} else {
echo "Creating hirs_db database" | WriteAndLog
mysql -u root -p"$DB_ADMIN_PWD" -e "source $global:HIRS_REL_SCRIPTS_DB_CREATE_SQL"
mysql -u root -p"$DB_ADMIN_PWD" -e "source $global:HIRS_REL_SCRIPTS_DB_SECURE_MYSQL_SQL"
mysql -u root -p"$DB_ADMIN_PWD" -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '$HIRS_PASS'; FLUSH PRIVILEGES;"
}
}
Function create_hibernate_url () {
param (
[string]$ALG = $null
)
if ($ALG -eq "RSA") {
$CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_rsa_3k_sha384_Cert_Chain.pem')
$CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_db_client_rsa_3k_sha384.p12')
$ALIAS="hirs_aca_tls_rsa_3k_sha384"
} elseif ($ALG -eq "ECC") {
$CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_ecc_512_sha384_Cert_Chain.pem')
$CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_db_client_ecc_512_sha384.p12')
$ALIAS="hirs_aca_tls_ecc_512_sha384"
}
$CONNECTOR_URL="hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&user="+$global:ACA_PROPERTIES.'hirs_db_username'+"&password="+$global:ACA_PROPERTIES.'hirs_db_password'+"&sslMode=VERIFY_CA&serverSslCert=$CERT_CHAIN&keyStoreType=PKCS12&keyStorePassword="+$global:ACA_PROPERTIES.'hirs_pki_password'+"&keyStore=$CLIENT_DB_P12" | ChangeBackslashToForwardSlash
# Save connector information to the application properties file.
add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"$CONNECTOR_URL"
}
# HIRS ACA Mysqld processing ...
check_mariadb_install -p
check_for_container -p
set_mysql_tls
start_mysqlsd -p
$DB_ADMIN_PWD=check_mysql_root_pwd
$HIRS_PASS=set_hirs_db_pwd -DB_ADMIN_PWD:"$DB_ADMIN_PWD"
create_hirs_db_with_tls -DB_ADMIN_PWD:"$DB_ADMIN_PWD" -HIRS_PASS:"$HIRS_PASS"
create_hibernate_url -ALG:"RSA"
mysqld_reboot -p
Reference in New Issue View Git Blame Copy Permalink