HIRS/package/rpm/HIRS.spec

# need to run rpmbuild with either:
# --define 'build6 1' --define 'dist .el6'
# --define 'build7 1' --define 'dist .el7'

# rpm runs scripts with $1 holding the number of currently installed version of the package in question:
# Install the first time:          1
# Upgrade:                         2 or higher (depending on the number of versions installed)
# Remove last version of package:  0
# from RedHat RPM Guide by Eric Foster-Johnston

Name            : HIRS
Version         : %{?VERSION}
Release         : %{?RELEASE}%{?dist}
Source          : %{name}-%{?GIT_HASH}.tar
Group           : System Environment/Base
License         : ASL 2.0
Summary         : HIRS
BuildArch       : noarch
BuildRoot       : %{_tmppath}/%{name}-%{version}-root
BuildRequires   : java-1.8.0-openjdk-devel

%description
Host Integrity at Runtime and Startup (HIRS) parent spec.

%prep
%setup -q -c

%define provisioner_package_name HIRS_Provisioner_TPM_1_2%{?PACKAGE_NAME_ADDENDUM}
%define __jar_repack 0

##########################
# HIRS_Provisioner_TPM_1_2
##########################
%package -n %{provisioner_package_name}
Summary         : Host Integrity at Runtime and Startup (HIRS) Provisioner
Group           : System Environment/Base

%if 0%{?build6}
Requires        : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, initscripts, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif

%if 0%{?build7}
Requires        : tpm_module, java-1.8.0, wget, util-linux, chkconfig, sed, systemd, coreutils, dmidecode, paccor, bash%{?RPM_EXTRA_CLIENT_DEPENDENCIES}
%endif

%description -n %{provisioner_package_name}
Host Integrity at Runtime and Startup (HIRS) Provisioner.

%pre -n %{provisioner_package_name}
if [[ $(find /sys/devices -name "tpm0") ]]; then
    echo "TPM detected"
    if [ -f "/usr/lib/systemd/system/tcsd.service" ]; then
        echo "Starting tcsd service"
        systemctl start tcsd
        ret=$?
        if [[ $ret -ne 0 ]]; then
            echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
        fi
        echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
        chkconfig --level 1356 tcsd on
    else
        echo "Starting tcsd service"
        service tcsd start
        ret=$?
        if [[ $ret -ne 0 ]]; then
            echo "WARNING: FAILED TO START tcsd SERVICE, PROVISIONING WILL FAIL WITHOUT THIS SERVICE"
        fi
        echo "Adding tcsd (Trousers) to run levels 1,3,5, and 6"
        chkconfig --level 1356 tcsd on
    fi
    if [ ! -d "/sys/kernel/security/tpm0" ]; then
        echo "Mounting security fs partition"
        sed -i '$a securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0' /etc/fstab
        mount -a
        if [ -d "/sys/kernel/security/tpm0" ]; then
	    echo "SUCCESS: security fs partition mounted"
        fi
    fi
else
    echo "WARNING: UNABLE TO LOCATE TPM DEVICE, TPM PROVISIONING WILL FAIL"
fi

%post -n %{provisioner_package_name}
# copy default property files into /etc/hirs if not present
mkdir -p /etc/hirs/
cp -n /opt/hirs/default-properties/provisioner/* /etc/hirs/

# copy common scripts into /opt/hirs/scripts/common
cp -f /opt/hirs/scripts/common/provisioner/* /opt/hirs/scripts/common/

echo 'Creating symlink for hirs-provisioner command'
ln -s -f /usr/share/hirs/provisioner/tpm_aca_provision /usr/sbin/tpm_aca_provision
chmod +x /usr/share/hirs/provisioner/tpm_aca_provision
ln -s -f /usr/share/hirs/provisioner/hirs-provisioner.sh /usr/sbin/hirs-provisioner
chmod +x /usr/share/hirs/provisioner/hirs-provisioner.sh
hirs-provisioner -c

%postun -n %{provisioner_package_name}
# don't run these during an upgrade
if [ "$1" = "0" ]; then
    rm -rf /etc/hirs/provisioner
    rm -rf /etc/hirs/certificates
    rm -f /usr/sbin/hirs-provisioner
    rm -rf /usr/share/hirs/provisioner

    rm -rf /var/log/hirs/provisioner

    # if there are no more HIRS packages remaining,
    # remove all HIRS directories
    if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_Provisioner_TPM_1_2` ]]; then
        rm -rf /etc/hirs
        rm -rf /opt/hirs
        rm -rf /usr/share/hirs
        rm -rf /var/log/hirs
    fi
fi

%files -n %{provisioner_package_name}
%license NOTICE
/etc/hirs/provisioner
%attr(664, root, root) /opt/hirs/default-properties/provisioner/logging.properties
%attr(774, root, root) /opt/hirs/scripts/common/provisioner/
/usr/share/hirs/provisioner
%{_mandir}/man1/hirs-provisioner.1.gz

####################
# HIRS_AttestationCA
####################

%package -n HIRS_AttestationCA
Summary         : Host Integrity at Runtime and Startup (HIRS) Attestation Certificate Authority (HIRS AttestationCA)
Group           : System Environment/Base

%if 0%{?build6}
Requires        : mysql-server, openssl, tomcat6, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, iptables
Prefix          : /usr/share/tomcat6
%endif

%if 0%{?build7}
Requires        : mariadb-server, openssl, tomcat, java-1.8.0, rpmdevtools, coreutils, initscripts, chkconfig, sed, grep, firewalld, policycoreutils
Prefix          : /usr/share/tomcat
%endif

%description -n HIRS_AttestationCA
Host Integrity at Runtime and Startup (HIRS) Attestation CA. Installs and creates keys for HIRS Attestation CA to support generating AIKs

%pre -n HIRS_AttestationCA
if [ ! -d $RPM_INSTALL_PREFIX ]; then
    echo "error: Tomcat directory not found. Re-run this rpm installation with --prefix=\"<absolute-tomcat-directory>\""
    exit 1
fi

%post -n HIRS_AttestationCA
# copy default property files into /etc/hirs if not present
mkdir -p /etc/hirs
cp -n /opt/hirs/default-properties/attestationca/* /etc/hirs/

# loop over common scripts and place into /opt/hirs/scripts/common
mkdir -p /opt/hirs/scripts/common/
cp -f /opt/hirs/scripts/common/aca/* /opt/hirs/scripts/common/

# run these only on a fresh install of the package
if [ "$1" = "1" ]; then
    # open necessary ports
    sh /opt/hirs/scripts/common/firewall_configure_tomcat.sh

    # Allow Tomcat to use port 3306 to communicate with MySQL
    %if 0%{?build7}
    if [ selinuxenabled ]; then
        semodule -i /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
    fi
    %endif

    # create trust stores, configure tomcat and db
    sh /opt/hirs/scripts/common/ssl_configure.sh server

    # create the database
    sh /opt/hirs/scripts/common/db_create.sh
fi

sh /opt/hirs/scripts/aca/certificate_generate.sh

%preun -n HIRS_AttestationCA
# don't run these during an upgrade
if [ "$1" = "0" ]; then
    # if the Server isn't installed, deconfigure Tomcat and MySQL SSL and drop the database
    if [[ -z `rpm -qa HIRS_Server` ]]; then
        echo 'Restoring Tomcat and MySQL configuration'
        sh /opt/hirs/scripts/common/ssl_deconfigure.sh server

        echo 'Dropping local HIRS database'
        sh /opt/hirs/scripts/common/db_drop.sh
    fi
fi

%postun -n HIRS_AttestationCA
# don't run these during an upgrade
if [ "$1" = "0" ]; then
    # Removes WARS from the Tomcat installation as well as ACA configuration files and certificates
    # (/etc/hirs/aca), and ACA installation (/opt/hirs/attestation-ca). Do not run during an upgrade
    rm -f %{prefix}/webapps/HIRS_AttestationCA*.war
    rm -rf %{prefix}/webapps/HIRS_AttestationCA*
    rm -rf /etc/hirs/aca
    rm -rf /opt/hirs/attestation-ca

    # if the Server and Appraiser are not installed, remove certificates directory
    if [[ -z `rpm -qa "HIRS_(Server|Appraiser)"` ]]; then
        rm -rf /etc/hirs/certificates
    fi

    # if there are no more HIRS packages remaining,
    # remove all HIRS directories
    if [[ -z `rpm -qa "HIRS*" | grep -v HIRS_AttestationCA` ]]; then
        rm -rf /etc/hirs
        rm -rf /opt/hirs
        rm -rf /usr/share/hirs
        rm -rf /var/log/hirs
    fi
fi

%files -n HIRS_AttestationCA
%license NOTICE
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCA.war
%attr(664, root, tomcat) %{prefix}/webapps/HIRS_AttestationCAPortal.war
%attr(774, root, tomcat) /etc/hirs/aca/
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/logging.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/banner.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/attestationca/persistence.properties
%attr(664, root, tomcat) /opt/hirs/default-properties/component-class.json
%attr(774, root, tomcat) /opt/hirs/scripts/common/aca
%attr(774, root, tomcat) /opt/hirs/scripts/aca
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.pp
%attr(774, root, tomcat) /opt/hirs/extras/aca/tomcat-mysql-hirs.te

####################
# Build and install
####################

%build
./gradlew -PpluginDir=%{?PLUGIN_SOURCE} -PdisplayVersion=%{?DISPLAY_VERSION} :HIRS_Provisioner:installDist :HIRS_AttestationCA:war :HIRS_AttestationCAPortal:war

%install
# prepare provisioner for packaging
cd HIRS_Provisioner
mkdir -p %{buildroot}/usr/share/hirs/provisioner
mkdir -p %{buildroot}/%{_mandir}/man1
cp -r build/install/HIRS_Provisioner/* %{buildroot}/usr/share/hirs/provisioner

sed -i '/exec "$JAVACMD" "$@"/i /opt/hirs/scripts/common/jvm_version_check.sh $JAVACMD' %{buildroot}/usr/share/hirs/provisioner/bin/HIRS_Provisioner

mkdir -p %{buildroot}/etc/hirs/provisioner/certs
cp scripts/install/hirs-provisioner.sh %{buildroot}/usr/share/hirs/provisioner/
cp scripts/install/tpm_aca_provision %{buildroot}/usr/share/hirs/provisioner/
cp hirs-provisioner-config.sh %{buildroot}/etc/hirs/provisioner
cp create-ek-cert.sh %{buildroot}/etc/hirs/provisioner
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/provisioner/provisioner.properties
cp -r setup %{buildroot}/etc/hirs/provisioner/
gzip -c man/hirs-provisioner.1 > %{buildroot}/%{_mandir}/man1/hirs-provisioner.1.gz

mkdir -p %{buildroot}/opt/hirs/scripts/common/provisioner
cp ../scripts/common/jvm_version_check.sh %{buildroot}/opt/hirs/scripts/common/provisioner/

# copy common scripts
mkdir -p %{buildroot}/opt/hirs/scripts/common/aca
cp ../scripts/common/* %{buildroot}/opt/hirs/scripts/common/aca/

# prepare ACA for packaging
cd ../HIRS_AttestationCA
mkdir -p %{buildroot}/opt/hirs/scripts/aca
cp ../scripts/aca/* %{buildroot}/opt/hirs/scripts/aca
mkdir -p %{buildroot}/opt/hirs/attestation-ca/
mkdir -p %{buildroot}/etc/hirs/aca/certificates/
mkdir -p %{buildroot}/etc/hirs/aca/client-files/
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCA.war %{buildroot}%{prefix}/webapps/
cp src/main/resources/defaults.properties %{buildroot}/etc/hirs/aca/aca.properties

# prepare ACA Portal for packaging
cd ../HIRS_AttestationCAPortal
mkdir -p %{buildroot}%{prefix}/webapps/
cp build/libs/HIRS_AttestationCAPortal.war %{buildroot}%{prefix}/webapps/
# note: no ACA Portal specific resource files to copy yet...

# creates the home directory for activemq user so SELinux doesn't complain
mkdir -p %{buildroot}/srv/activemq
mkdir -p %{buildroot}/etc/hirs/portal

cd ..

# copy over the properties files
mkdir -p %{buildroot}/opt/hirs/default-properties/provisioner
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/provisioner/logging.properties

mkdir -p %{buildroot}/opt/hirs/default-properties/attestationca
cp HIRS_Utils/src/main/resources/persistence.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/logging.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/banner.properties %{buildroot}/opt/hirs/default-properties/attestationca/
cp HIRS_Utils/src/main/resources/component-class.json %{buildroot}/opt/hirs/default-properties/

# install extras
mkdir -p %{buildroot}/opt/hirs/extras
cp -r extras/ %{buildroot}/opt/hirs/