From f180d77b26a97eec8025112757fa5e70c01522aa Mon Sep 17 00:00:00 2001
From: Chris Hyzer <mchyzer@isc.upenn.edu>
Date: Thu, 5 May 2022 14:09:48 -0400
Subject: [PATCH] GRP-4026: ability for container to add ssl anchor cert for
 OS/java

---
 container_files/api/log4j2.xml                | 155 ++++++++++++------
 container_files/tomee/bin/setenv.sh           |   2 +-
 container_files/usr-local-bin/libraryPrep.sh  |   5 +
 .../usr-local-bin/librarySetupFilesTomcat.sh  |  34 ++++
 4 files changed, 142 insertions(+), 54 deletions(-)

diff --git a/container_files/api/log4j2.xml b/container_files/api/log4j2.xml
index c0209b0d..8f035ce8 100644
--- a/container_files/api/log4j2.xml
+++ b/container_files/api/log4j2.xml
@@ -2,125 +2,174 @@
 <Configuration status="info">
     <Properties>
         <Property name="layout">%d{ISO8601}: [%t] %-5p %C{1}.%M(%L) - %x - %m%n</Property>
+        <Property name="env">__ENV__</Property>
+        <Property name="usertoken">__USERTOKEN__</Property>
+        <Property name="grouplogprefix">__GROUPER_LOG_PREFIX__</Property>
     </Properties>
     <Appenders>
-        <File name="CATALINA" fileName="/tmp/logpipe">
-            <PatternLayout pattern="tomee;catalina.out;${env:ENV};${env:USERTOKEN};${layout}"/>
-        </File>
         <Console name="stderr" target="SYSTEM_ERR">
-          <PatternLayout pattern="__GROUPER_LOG_PREFIX__;${ENV};${USERTOKEN};${layout}"/>
+          <PatternLayout pattern="${grouplogprefix};${env}${usertoken}${layout}"/>
         </Console>
-        <File name="__LOGPIPE__grouper_error" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_error.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_error" fileName="/opt/grouper/logs/grouper.log" filePattern="/opt/grouper/logs/grouper.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_error.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_catalina" fileName="/opt/grouper/logs/catalina.out" filePattern="/opt/grouper/logs/catalina.out.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};catalina.out;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
-        <File name="__LOGPIPE__grouper_daemon" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouperDaemon.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_daemon" fileName="/opt/grouper/logs/grouperDaemon.log" filePattern="/opt/grouper/logs/grouperDaemon.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouperDaemon.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_grouper_error" fileName="/opt/grouper/logs/grouper.log" filePattern="/opt/grouper/logs/grouper.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};grouper_error.log;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
-        <File name="__LOGPIPE__grouper_pspng" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;pspng.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_pspng" fileName="/opt/grouper/logs/pspng.log" filePattern="/opt/grouper/logs/pspng.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;pspng.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_grouper_daemon" fileName="/opt/grouper/logs/grouperDaemon.log" filePattern="/opt/grouper/logs/grouperDaemon.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};grouperDaemon.log;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
-        <File name="__LOGPIPE__grouper_provisioning" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;provisioning.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_provisioning" fileName="/opt/grouper/logs/provisioning.log" filePattern="/opt/grouper/logs/provisioning.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;provisioning.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_grouper_pspng" fileName="/opt/grouper/logs/pspng.log" filePattern="/opt/grouper/logs/pspng.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};pspng.log;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
-
-        <File name="__LOGPIPE__grouper_ws" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_ws" fileName="/opt/grouper/logs/grouper_ws.log" filePattern="/opt/grouper/logs/grouper_ws.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_grouper_provisioning" fileName="/opt/grouper/logs/provisioning.log" filePattern="/opt/grouper/logs/provisioning.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};provisioning.log;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
-
-        <File name="__LOGPIPE__grouper_ws_longRunning" fileName="/tmp/logpipe">
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws_longRunning.log;${ENV};${USERTOKEN};${layout}"/>
-        </File>
-        <RollingFile name="__FILE__grouper_ws_longRunning" fileName="/opt/grouper/logs/grouper_ws_longRunning.log" filePattern="/opt/grouper/logs/grouper_ws_longRunning.log.%d{yyyy-MM-dd}" >
-            <PatternLayout pattern="__GROUPER_LOG_PREFIX__;grouper_ws_longRunning.log;${ENV};${USERTOKEN};${layout}"/>
+        <RollingFile name="file_grouper_ws" fileName="/opt/grouper/logs/grouper_ws.log" filePattern="/opt/grouper/logs/grouper_ws.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};grouper_ws.log;${env}${usertoken}${layout}"/>
+            <Policies>
+                <TimeBasedTriggeringPolicy interval="1"/>
+            </Policies>
+            <DefaultRolloverStrategy max="30" />
+        </RollingFile>
+        <RollingFile name="file_grouper_ws_longRunning" fileName="/opt/grouper/logs/grouper_ws_longRunning.log" filePattern="/opt/grouper/logs/grouper_ws_longRunning.log.%d{yyyy-MM-dd}" >
+            <PatternLayout pattern="${grouplogprefix};grouper_ws_longRunning.log;${env}${usertoken}${layout}"/>
             <Policies>
                 <TimeBasedTriggeringPolicy interval="1"/>
             </Policies>
             <DefaultRolloverStrategy max="30" />
         </RollingFile>
+        <File name="logpipe_catalina" fileName="/tmp/logpipe">
+            <PatternLayout pattern="tomee;catalina.out;${sys:ENV}${sys:USERTOKEN}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_error" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};grouper_error.log;${env}${usertoken}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_daemon" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};grouperDaemon.log;${env}${usertoken}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_pspng" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};pspng.log;${env}${usertoken}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_provisioning" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};provisioning.log;${env}${usertoken}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_ws" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};grouper_ws.log;${env}${usertoken}${layout}"/>
+        </File>
+        <File name="logpipe_grouper_ws_longRunning" fileName="/tmp/logpipe">
+            <PatternLayout pattern="${grouplogprefix};grouper_ws_longRunning.log;${env}${usertoken}${layout}"/>
+        </File>
         
          <!--MOREAPPENDERS-->
  
     </Appenders>
     <Loggers>
         <Root level="error">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Root>
         <Logger name="org.apache.catalina" level="info" additivity="false">
-            <AppenderRef ref="CATALINA"/>
+            <AppenderRef ref="logpipe_catalina" />
+            <AppenderRef ref="file_catalina"/>
         </Logger>
         <Logger name="edu.internet2.middleware" level="warn" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.app.loader.GrouperLoaderLog" level="debug" additivity="false">
-            <AppenderRef ref="grouper_daemon"/>
+            <AppenderRef ref="logpipe_grouper_daemon"/>
+            <AppenderRef ref="file_grouper_daemon"/>
         </Logger>
-        <Logger name="edu.internet2.middleware.grouper.pspng" level="info" additivity="false">
-            <AppenderRef ref="grouper_pspng"/>
+        <Logger name="edu.internet2.middleware.grouper.pspng" level="warn" additivity="false">
+            <AppenderRef ref="logpipe_grouper_pspng"/>
+            <AppenderRef ref="file_grouper_pspng"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningObjectLog" level="debug" additivity="false">
-            <AppenderRef ref="grouper_provisioning"/>
+            <AppenderRef ref="logpipe_grouper_provisioning"/>
+            <AppenderRef ref="file_grouper_provisioning"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.app.syncToGrouper.SyncToGrouperFromSqlDaemon" level="debug" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.app.provisioning.GrouperProvisioningLogCommands" level="debug" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.stem.StemViewPrivilegeEsbListener" level="debug" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.stem.StemViewPrivilegeFullDaemonLogic" level="debug" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="org.apache.tools.ant" level="warn" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.util.PerformanceLogger" level="info" additivity="false">
-            <AppenderRef ref="grouper_error"/>
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
         </Logger>
-        
         <Logger name="edu.internet2.middleware.grouper.ws.util.GrouperWsLog" level="off" additivity="false">
-            <AppenderRef ref="grouper_ws"/>
+            <AppenderRef ref="logpipe_grouper_ws"/>
+            <AppenderRef ref="file_grouper_ws"/>
         </Logger>
         <Logger name="edu.internet2.middleware.grouper.ws.util.GrouperWsLongRunningLog" level="off" additivity="false">
-            <AppenderRef ref="grouper_ws_longRunning"/>
+            <AppenderRef ref="logpipe_grouper_ws_longRunning"/>
+            <AppenderRef ref="file_grouper_ws_longRunning"/>
         </Logger>
-        
+        <Logger name="edu.internet2.middleware.grouper.ui.customUi.CustomUiEngine" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
+        </Logger>
+        <Logger name="edu.upenn.isc.pennGrouper.o365" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
+        </Logger>
+        <Logger name="edu.internet2.middleware.grouper.app.remedy.GrouperRemedyLog" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_provisioning"/>
+            <AppenderRef ref="file_grouper_provisioning"/>
+        </Logger>
+        <Logger name="edu.internet2.middleware.grouper.app.remedy.digitalMarketplace.GrouperDigitalMarketplaceLog" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_provisioning"/>
+            <AppenderRef ref="file_grouper_provisioning"/>
+        </Logger>
+        <Logger name="edu.internet2.middleware.grouperBox.GrouperBoxLog" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_provisioning"/>
+            <AppenderRef ref="file_grouper_provisioning"/>
+        </Logger>
+        <Logger name="edu.internet2.middleware.grouperClient.jdbc.tableSync.GcTableSyncLog" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_error"/>
+            <AppenderRef ref="file_grouper_error"/>
+        </Logger>
+        <Logger name="edu.internet2.middleware.grouper.app.zoom" level="debug" additivity="false">
+            <AppenderRef ref="logpipe_grouper_provisioning"/>
+            <AppenderRef ref="file_grouper_provisioning"/>
+        </Logger>
+
         <!--MORELOGGERS-->
     </Loggers>
 </Configuration>
\ No newline at end of file
diff --git a/container_files/tomee/bin/setenv.sh b/container_files/tomee/bin/setenv.sh
index 603fc570..174be1c5 100755
--- a/container_files/tomee/bin/setenv.sh
+++ b/container_files/tomee/bin/setenv.sh
@@ -1,4 +1,4 @@
 CLASSPATH=/opt/tomee/bin/*
 #JAVA_OPTS="-Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN"
-CATALINA_OPTS="-Xmx$GROUPER_MAX_MEMORY -XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN -Dfile.encoding=UTF-8 $GROUPER_EXTRA_CATALINA_OPTS"
+CATALINA_OPTS="-Xmx$GROUPER_MAX_MEMORY -XX:+UseG1GC -XX:+UseStringDeduplication -Dlog4j.configurationFile=/opt/tomee/conf/log4j2.xml -DENV=$ENV -DUSERTOKEN=$USERTOKEN -Dfile.encoding=UTF-8 -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts $GROUPER_EXTRA_CATALINA_OPTS"
 LOGGING_MANAGER=-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index 8bfbf64f..37962a5f 100644
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -441,6 +441,11 @@ prep_finishBegin() {
       echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_APACHE_STATUS_PATH=/status_grouper/status"
       export GROUPER_APACHE_STATUS_PATH=/status_grouper/status
     fi
+
+    if [ -z "$GROUPER_GSH_JVMARGS" ] ; then 
+      echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_GSH_JVMARGS=\"-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts\""
+      export GROUPER_GSH_JVMARGS="-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts"
+    fi
     
     #Replace web.xml session timeout with env variable
     if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 13263c00..d79edade 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
@@ -9,6 +9,7 @@ setupFilesTomcat() {
   setupFilesTomcat_accessLogs
   setupFilesTomcat_sessionTimeout
   setupFilesTomcat_ssl
+  setupFilesTomcat_sslCertsAnchors
 }
 
 
@@ -235,6 +236,37 @@ setupFilesTomcat_ssl() {
   fi
 }
 
+setupFilesTomcat_sslCertsAnchors() {
+
+    # the container user (we arent sure who this is) should be able to update root certs
+    # echo 'ALL ALL=NOPASSWD: /bin/update-ca-trust' | sudo EDITOR='tee -n' visudo
+
+    
+    if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then
+  
+      amiroot=`whoami`
+      if [ "$amiroot" = "root" ]; then
+    
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
+        /bin/update-ca-trust
+        returnCode=$?
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) /bin/update-ca-trust , result=$returnCode"
+        if [ $returnCode != 0 ]
+        then
+          exit $returnCode
+        fi  
+        
+      else
+        echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in subimage: /bin/update-ca-trust"
+      fi
+      
+    else
+      echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are no anchor certs in /opt/grouper/certs/anchors/ to process"
+    fi
+    
+  fi
+}
+
 
 setupFilesTomcat_unsetAll() {
 
@@ -243,6 +275,7 @@ setupFilesTomcat_unsetAll() {
   unset -f setupFilesTomcat_context
   unset -f setupFilesTomcat_ports
   unset -f setupFilesTomcat_ssl
+  unset -f setupFilesTomcat_sslCertsAnchors
   unset -f setupFilesTomcat_supervisor
   unset -f setupFilesTomcat_unsetAll
   unset -f setupFilesTomcat_accessLogs
@@ -258,6 +291,7 @@ setupFilesTomcat_exportAll() {
   export -f setupFilesTomcat_context
   export -f setupFilesTomcat_ports
   export -f setupFilesTomcat_ssl
+  export -f setupFilesTomcat_sslCertsAnchors
   export -f setupFilesTomcat_supervisor
   export -f setupFilesTomcat_unsetAll
   export -f setupFilesTomcat_accessLogs