GRP-3021: dont configure ssl chain file if not there
mchyzer committed Jan 31, 2021
1 parent f43f9ee commit ee4ab51
Showing 10 changed files with 236 additions and 49 deletions.
8 changes: 4 additions & 4 deletions container_files/httpd/ssl-enabled.conf
Expand Up @@ -5,7 +5,7 @@ SSLHonorCipherOrder on
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLUseStapling __GROUPER_SSL_USE_STAPLING__
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Expand All @@ -17,11 +17,11 @@ __GROUPER_PROXY_PASS__ RewriteEngine on
__GROUPER_PROXY_PASS__ RewriteRule "^/$" "/grouper/" [R]

SSLEngine on
SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem
SSLCertificateChainFile __GROUPER_SSL_CHAIN_FILE__

SSLCertificateFile /etc/pki/tls/certs/host-cert.pem
SSLCertificateFile __GROUPER_SSL_CERT_FILE__

SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem
SSLCertificateKeyFile __GROUPER_SSL_KEY_FILE__

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
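Review bot: The contract the template now depends on is undocumented and lives in a substitution step that is not in this diff: the `SSLCertificateChainFile __GROUPER_SSL_CHAIN_FILE__` line has to be removed entirely when GROUPER_SSL_USE_CHAIN_FILE=false (the self-signed test in this commit asserts the directive is absent), and the true/false value of GROUPER_SSL_USE_STAPLING has to be rewritten as `on`/`off` for mod_ssl to accept it. I would state that at the top of the file, e.g. `# __GROUPER_SSL_*__ placeholders are filled at container start; the SSLCertificateChainFile line is dropped when GROUPER_SSL_USE_CHAIN_FILE=false, and GROUPER_SSL_USE_STAPLING true/false is written as on/off`. Note that SSLCertificateChainFile is deprecated since httpd 2.4.8 (the intermediates may be appended to the file named by SSLCertificateFile), so requiring operators to bundle the chain into the cert file would remove the need for a conditional directive altogether. A placeholder left unsubstituted makes httpd refuse to start, which is the safe failure mode here.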
22 changes: 0 additions & 22 deletions container_files/tier-support/ssl-enabled.conf

This file was deleted.

Expand Up @@ -19,8 +19,19 @@ testContainerSelfSigned() {
docker run --detach --name $containerName --publish 443:443 -e GROUPER_SELF_SIGNED_CERT=true -e GROUPER_LOG_TO_HOST=true $imageName ui
sleep $globalSleepSecondsAfterRun

assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling on"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateFile /etc/pki/tls/certs/localhost.crt"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateKeyFile /etc/pki/tls/private/localhost.key"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateChainFile"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
assertEnvVar GROUPER_SSL_USE_CHAIN_FILE "false"
assertEnvVar GROUPER_SSL_CERT_FILE "/etc/pki/tls/certs/localhost.crt"
assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/private/localhost.key"
assertEnvVar GROUPER_SSL_USE_STAPLING "true"


assertFileContains /etc/httpd/conf.d/grouper-www.conf "ProxyPass /grouper ajp://localhost:8009/grouper timeout=3600"
assertFileContains /etc/httpd/conf.d/grouper-www.conf "#ProxyPass /grouper-ws ajp://localhost:8009/grouper timeout=3600"
Expand Up @@ -20,12 +20,17 @@ testContainerSlashRoot() {
rm -rf someDir
mkdir -p someDir/tmp
echo 'whatever' > someDir/tmp/temp.txt
mkdir -p someDir/opt/grouper/grouperWebapp/WEB-INF/classes
echo 'someSettings' > someDir/opt/grouper/grouperWebapp/WEB-INF/classes/log4j_additional.properties

docker run --detach --name $containerName --mount type=bind,src=$someDir,dst=/opt/grouper/slashRoot --publish 443:443 $imageName ui
sleep $globalSleepSecondsAfterRun

assertFileExists /tmp/temp.txt

assertFileContains /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties "someSettings"


#rm -rf someDir

}
16 changes: 13 additions & 3 deletions container_files/tier-support/test/grouperContainerUnitTestUi.sh
Expand Up @@ -30,17 +30,27 @@ testContainerUi() {
assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-$grouperVersion.jar"
assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-$grouperVersion.jar"

assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
assertFileContains /etc/httpd/conf/httpd.conf "Listen 80"
assertFileContains /opt/tier-support/supervisord.conf "program:shibbolethsp"
assertFileContains /opt/tier-support/supervisord.conf "program:tomee"
assertFileContains /opt/tier-support/supervisord.conf "program:httpd"
assertFileContains /opt/tier-support/supervisord.conf "user=shibd"
assertFileNotContains /opt/tier-support/supervisord.conf "program:hsqldb"
assertFileNotContains /opt/tier-support/supervisord.conf "__"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem

assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling on"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateChainFile /etc/pki/tls/certs/cachain.pem"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateFile /etc/pki/tls/certs/host-cert.pem"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
assertEnvVar GROUPER_SSL_USE_CHAIN_FILE "false"
assertEnvVar GROUPER_SSL_CERT_FILE "/etc/pki/tls/certs/host-cert.pem"
assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/certs/cachain.pem"
assertEnvVarNot GROUPER_SSL_CHAIN_FILE "/etc/pki/tls/certs/cachain.pem"
assertEnvVar GROUPER_SSL_USE_STAPLING "true"

assertFileContains /opt/tomee/conf/Catalina/localhost/grouper.xml 'cookies="true"'

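Review bot: The new assertion `assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/certs/cachain.pem"` expects the private-key variable to hold the CA chain path, which contradicts the `SSLCertificateKeyFile /etc/pki/tls/private/host-key.pem` assertion a few lines above and the default that libraryPrep.sh exports in this same commit; it reads like a copy-paste of the chain-file value. It should be `assertEnvVar GROUPER_SSL_KEY_FILE "/etc/pki/tls/private/host-key.pem"`. As written the test either fails outright or, if assertEnvVar is lenient, passes while the container points mod_ssl's key at a certificate bundle, so it is worth confirming which before merging. testContainerUi continues outside this hunk.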
69 changes: 69 additions & 0 deletions container_files/tier-support/test/grouperContainerUnitTestUi2.sh
@@ -0,0 +1,69 @@
#!/bin/bash

testContainerUi2() {

if [ "$#" -ne 0 ]; then
echo "You must enter exactly 0 command line arguments"
exit 1
fi

dockerRemoveContainer

echo
echo '################'
echo Running container as ui
echo "docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain $imageName ui"
echo '################'
echo

docker run --detach --name $containerName --publish 443:443 -e GROUPER_SSL_USE_STAPLING=false -e GROUPER_SSL_CERT_FILE=/a/b/cert -e GROUPER_SSL_KEY_FILE=/a/b/key -e GROUPER_SSL_CHAIN_FILE=/a/b/chain $imageName ui
sleep $globalSleepSecondsAfterRun


assertFileContains /opt/tomee/conf/server.xml 'address="0.0.0.0"'
assertFileContains /opt/tomee/conf/server.xml 'allowedRequestAttributesPattern=".*"'

assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libWs/axis2-kernel-1.6.4.jar
assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/axis2-kernel-1.6.4.jar
assertFileExists /opt/grouper/grouperWebapp/WEB-INF/libScim/stax-api-1.0-2.jar
assertFileNotExists /opt/grouper/grouperWebapp/WEB-INF/lib/stax-api-1.0-2.jar
assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/lib/grouper-messaging-activemq-$grouperVersion.jar"
assertFileExists "/opt/grouper/grouperWebapp/WEB-INF/libUiAndDaemon/grouper-messaging-activemq-$grouperVersion.jar"

assertFileContains /etc/httpd/conf/httpd.conf "Listen 80"
assertFileContains /opt/tier-support/supervisord.conf "program:shibbolethsp"
assertFileContains /opt/tier-support/supervisord.conf "program:tomee"
assertFileContains /opt/tier-support/supervisord.conf "program:httpd"
assertFileContains /opt/tier-support/supervisord.conf "user=shibd"
assertFileNotContains /opt/tier-support/supervisord.conf "program:hsqldb"
assertFileNotContains /opt/tier-support/supervisord.conf "__"

assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLUseStapling off"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateFile /a/b/cert"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateKeyFile /a/b/key"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "SSLCertificateChainFile /a/b/chain"
assertFileContains /etc/httpd/conf.d/ssl-enabled.conf "Listen 443 https"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf "__"
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf cachain.pem
assertFileNotContains /etc/httpd/conf.d/ssl-enabled.conf /etc/pki/tls/certs/localhost.crt
assertEnvVar GROUPER_SSL_USE_CHAIN_FILE "true"
assertEnvVar GROUPER_SSL_CERT_FILE "/a/b/cert"
assertEnvVar GROUPER_SSL_KEY_FILE "/a/b/key"
assertEnvVar GROUPER_SSL_CHAIN_FILE "/a/b/chain"
assertEnvVar GROUPER_SSL_USE_STAPLING "false"

assertNumberOfTomcatProcesses 1
# bad cert apache wont start
assertNumberOfApacheProcesses 0
assertNumberOfShibProcesses 1

assertNotListeningOnPort 443
assertNotListeningOnPort 80
assertListeningOnPort 8009
assertNotListeningOnPort 9001
assertListeningOnPort 8080
#assertListeningOnPort 8005


}
export -f testContainerUi2
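Review bot: The assertions `address="0.0.0.0"` and `allowedRequestAttributesPattern=".*"` pin the TomEE AJP connector to listen on every interface and to accept any request attribute from the proxy, which are exactly the settings Tomcat tightened by default after CVE-2020-1938 (Ghostcat); httpd in this image proxies to `ajp://localhost:8009`, so the wildcard bind is not needed. Whether a `secret`/`secretRequired` is configured on that connector is not visible in this diff; if it is, the test should assert it as well, and if not, I would bind to 127.0.0.1 or add the secret before a test enshrines the relaxed values. Separately, the `exit 1` in the argument check will terminate the calling shell if this exported function is invoked from a sourced harness rather than as a script, so `return 1` is the safer choice for a helper like this. The "bad cert apache wont start" expectations are fine as a fail-closed check, but it is worth noting that the container keeps running with TomEE on 8080 and AJP on 8009 when httpd is down.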
6 changes: 6 additions & 0 deletions container_files/tier-support/test/rebuildTestContainer.sh
Expand Up @@ -17,6 +17,12 @@ export reldir=`dirname $0`
mkdir -p $reldir/slashRoot/usr/local/bin
rsync -avzpl $grouperContainerGitPath/container_files/usr-local-bin/* $reldir/slashRoot/usr/local/bin

mkdir -p $reldir/slashRoot/etc/httpd/conf.d
rsync -avzpl $grouperContainerGitPath/container_files/httpd/ssl-enabled.conf $reldir/slashRoot/etc/httpd/conf.d

mkdir -p $reldir/slashRoot/opt/tier-support/originalFiles
rsync -avzpl $reldir/etc/httpd/conf.d/ssl-enabled.conf $reldir/slashRoot/opt/tier-support/originalFiles

rsync -avzpl $grouperContainerGitPath/container_files/tier-support/test/grouper*.sh $reldir

#mkdir -p $reldir/slashRoot/opt/tomee/conf
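Review bot: The source of the second new rsync, `$reldir/etc/httpd/conf.d/ssl-enabled.conf`, does not match the destination the first new rsync just populated (`$reldir/slashRoot/etc/httpd/conf.d`), so unless the test tree also keeps a copy directly under `$reldir/etc`, nothing lands in originalFiles. If ssl-enabled.conf is handled the way log4j.properties is in librarySetupFiles.sh (edited only while it still matches the original), a missing or stale originalFiles copy would leave the `__GROUPER_SSL_*__` placeholders in place and httpd unable to start. I suspect the intended line is `rsync -avzpl "$reldir/slashRoot/etc/httpd/conf.d/ssl-enabled.conf" "$reldir/slashRoot/opt/tier-support/originalFiles"`. The `$reldir` and `$grouperContainerGitPath` expansions are unquoted throughout the new lines; quoting them costs nothing.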
79 changes: 77 additions & 2 deletions container_files/usr-local-bin/libraryPrep.sh
Expand Up @@ -96,6 +96,7 @@ prep_daemon() {
}

prep_scim() {

if [ -z "$GROUPER_SCIM" ]; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_scim) export GROUPER_SCIM=true"
export GROUPER_SCIM=true
Expand All @@ -111,6 +112,7 @@ prep_scim() {
}

prep_ui() {

if [ -z "$GROUPER_UI" ]; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_ui) export GROUPER_UI=true"
export GROUPER_UI=true
Expand Down Expand Up @@ -174,6 +176,7 @@ prep_runScim() {


prep_ws() {

if [ -z "$GROUPER_WS" ]; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_ws) export GROUPER_WS=true"
export GROUPER_WS=true
Expand Down Expand Up @@ -293,6 +296,80 @@ prep_finishBegin() {
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_USE_SSL=true"
export GROUPER_USE_SSL=true
fi
if [ "$GROUPER_USE_SSL" = "true" ]; then
if [ -z "$GROUPER_SELF_SIGNED_CERT" ] && [ -z "$GROUPER_SSL_CERT_FILE" ] && [ ! -f /etc/pki/tls/certs/host-cert.pem ] ; then

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_SELF_SIGNED_CERT and GROUPER_SSL_CERT_FILE are not specified and /etc/pki/tls/certs/host-cert.pem does not exist, so: export GROUPER_SELF_SIGNED_CERT=true"
export GROUPER_SELF_SIGNED_CERT=true

fi
if [ "$GROUPER_SELF_SIGNED_CERT" = "true" ]; then

# default the cert path to self signed and no chain file
if [ -z "$GROUPER_SSL_CERT_FILE" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/localhost.crt"
export GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/localhost.crt
fi
if [ -z "$GROUPER_SSL_KEY_FILE" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_KEY_FILE=/etc/pki/tls/private/localhost.key"
export GROUPER_SSL_KEY_FILE=/etc/pki/tls/private/localhost.key
fi
if [ -z "$GROUPER_SSL_CHAIN_FILE" ] && [ -z "$GROUPER_SSL_USE_CHAIN_FILE" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_CHAIN_FILE=false"
export GROUPER_SSL_USE_CHAIN_FILE=false
fi

fi
# default the cert path
if [ -z "$GROUPER_SSL_CERT_FILE" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem"
export GROUPER_SSL_CERT_FILE=/etc/pki/tls/certs/host-cert.pem
fi
if [ -z "$GROUPER_SSL_KEY_FILE" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_KEY_FILE=/etc/pki/tls/private/host-key.pem"
export GROUPER_SSL_KEY_FILE=/etc/pki/tls/private/host-key.pem
fi
if [ -z "$GROUPER_SSL_CHAIN_FILE" ] ; then

if [ -f /etc/pki/tls/certs/cachain.pem ]; then

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_CHAIN_FILE=true"
export GROUPER_SSL_USE_CHAIN_FILE=true
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_CHAIN_FILE=/etc/pki/tls/certs/cachain.pem"
export GROUPER_SSL_CHAIN_FILE=/etc/pki/tls/certs/cachain.pem
else

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_CHAIN_FILE=false"
export GROUPER_SSL_USE_CHAIN_FILE=false

fi
fi
if [ -z "$GROUPER_SSL_USE_CHAIN_FILE" ] ; then

if [ -z "$GROUPER_SSL_CHAIN_FILE" ]; then

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_CHAIN_FILE=false"
export GROUPER_SSL_USE_CHAIN_FILE=false

else

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_CHAIN_FILE=true"
export GROUPER_SSL_USE_CHAIN_FILE=true

fi

fi
if [ -z "$GROUPER_SSL_USE_STAPLING" ] ; then

echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_SSL_USE_STAPLING=true"
export GROUPER_SSL_USE_STAPLING=true

fi

fi



if [ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_RUN_PROCESSES_AS_USERS=true"
export GROUPER_RUN_PROCESSES_AS_USERS=true
Expand All @@ -315,8 +392,6 @@ prep_finishBegin() {
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_APACHE_AJP_TIMEOUT_SECONDS=3600"
export GROUPER_APACHE_AJP_TIMEOUT_SECONDS=3600
fi


if [ -z "$GROUPER_APACHE_SSL_PORT" ] ; then
echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_APACHE_SSL_PORT=443"
export GROUPER_APACHE_SSL_PORT=443
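Review bot: The `if [ -z "$GROUPER_SSL_CHAIN_FILE" ]` block unconditionally exports GROUPER_SSL_USE_CHAIN_FILE=true whenever /etc/pki/tls/certs/cachain.pem exists, which overrides an operator's explicit GROUPER_SSL_USE_CHAIN_FILE=false and also undoes the `GROUPER_SSL_USE_CHAIN_FILE=false` default set for the self-signed case a few lines earlier, so a self-signed localhost.crt would be served with an unrelated CA chain if a cachain.pem is mounted. Guarding on the explicit setting fixes both: `if [ -z "$GROUPER_SSL_CHAIN_FILE" ] && [ "$GROUPER_SSL_USE_CHAIN_FILE" != "false" ] ; then`. With that guard, USE_CHAIN_FILE=true without a chain path still falls back to cachain.pem when present and to false when absent, which matches the commit's intent. prep_finishBegin starts before this hunk and continues after it.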
8 changes: 8 additions & 0 deletions container_files/usr-local-bin/librarySetupFiles.sh
Expand Up @@ -49,6 +49,14 @@ setupFiles_localLogging() {
echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_localLogging) /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties is not the original file so will not be edited"
fi
fi
if [ -f /opt/grouper/grouperWebapp/WEB-INF/classes/log4j_additional.properties ]; then
echo >> /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
cat /opt/grouper/grouperWebapp/WEB-INF/classes/log4j_additional.properties >> /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties
returnCode=$?
echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_localLogging) cat /opt/grouper/grouperWebapp/WEB-INF/classes/log4j_additional.properties >> /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties, result: $returnCode"
if [ $returnCode != 0 ]; then exit $returnCode; fi

fi

}

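Review bot: The new append of log4j_additional.properties sits outside the guard immediately above it, which declines to edit log4j.properties once it is no longer the original file, so an operator-supplied log4j.properties still gets the extra properties appended; and nothing stops the same content being appended again if this function runs more than once against a persisted file (whether that happens is not visible here). A marker line makes it idempotent: write `# begin log4j_additional.properties` before the `cat`, and skip the whole append when `grep -qF '# begin log4j_additional.properties' /opt/grouper/grouperWebapp/WEB-INF/classes/log4j.properties` succeeds. setupFiles_localLogging starts before this hunk.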
