Merge pull request #230 from Alfresco/develop

Certs fix

.kitchen.docker.yml

@@ -6,6 +6,7 @@ driver:
 
 provisioner:
   name: chef_zero
+  require_chef_omnibus: 12.19.36
 
 
 verifier:
@@ -36,6 +37,7 @@ suites:
       inspec_tests:
         - name: nginx-hardening
           git: https://github.com/Alfresco/tests-nginx-hardening
+        - path: test/integration/community-edition/inspec
     data_bags_path: "test/integration/data_bags"
     attributes: {
       "name": "chef-alfresco-community",
@@ -64,7 +66,11 @@ suites:
       "alfresco" : {
         "components" : ['haproxy','nginx','tomcat','transform','repo','share','solr','mysql','googledocs','yourkit'],
         "version" : "5.2.d",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "nginx" : {
         "use_nossl_config" : true
@@ -89,7 +95,11 @@ suites:
         "version" : "5.1.2",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos", "rm",'googledocs','yourkit'],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {
@@ -128,7 +138,11 @@ suites:
         "version" : "5.2.0",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos","rm"],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {
@@ -177,7 +191,11 @@ suites:
         "version" : "5.2.0",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr6","mysql","aos","rm"],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {

.kitchen.yml

@@ -9,6 +9,7 @@ driver:
 
 provisioner:
   name: chef_zero
+  require_chef_omnibus: 12.19.36
 
 verifier:
   name: inspec
@@ -33,6 +34,7 @@ suites:
       inspec_tests:
         - name: nginx-hardening
           git: https://github.com/Alfresco/tests-nginx-hardening
+        - path: test/integration/community-edition/inspec
     data_bags_path: "test/integration/data_bags"
     attributes: {
       "name": "chef-alfresco-community",
@@ -61,7 +63,11 @@ suites:
       "alfresco" : {
         "components" : ['haproxy','nginx','tomcat','transform','repo','share','solr','mysql','googledocs','yourkit'],
         "version" : "5.2.d",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "nginx" : {
         "use_nossl_config" : true
@@ -107,7 +113,11 @@ suites:
         "version" : "5.1.2",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos", "rm"],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {
@@ -146,7 +156,11 @@ suites:
         "version" : "5.2.0",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr","mysql","aos","rm"],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {
@@ -195,7 +209,11 @@ suites:
         "version" : "5.2.0",
         "components" : ["haproxy","nginx","tomcat","transform","repo","share","solr6","mysql","aos","rm"],
         "edition" : "enterprise",
-        "ssl_enabled" : false
+        "ssl_enabled" : false,
+        "certs" : {
+          "ssl_databag" : "ssl",
+          "ssl_databag_item" : "certs"
+        }
       },
       "artifact-deployer" : {
         "maven" : {

attributes/haproxy.rb

@@ -217,14 +217,18 @@
 # HAproxy configuration
 default['haproxy']['frontends']['internal']['acls']['alfresco'] = ['path_beg /alfresco']
 default['haproxy']['frontends']['external']['acls']['alfresco'] = ['path_beg /alfresco', 'path_reg ^/alfresco/aos/.*', 'path_reg ^/alfresco/aos$']
+default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*']
+default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND']
+
 default['haproxy']['backends']['roles']['alfresco']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
 default['haproxy']['backends']['roles']['alfresco']['port'] = 8070
 
-default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*']
+default['haproxy']['backends']['roles']['aos']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
+default['haproxy']['backends']['roles']['aos']['port'] = 8070
+
 default['haproxy']['backends']['roles']['aos_vti']['entries'] = ['option httpchk GET /_vti_inf.html', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
 default['haproxy']['backends']['roles']['aos_vti']['port'] = 8070
 
-default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND']
 default['haproxy']['backends']['roles']['aos_root']['entries'] = ['option httpchk GET /']
 default['haproxy']['backends']['roles']['aos_root']['port'] = 8070
 

attributes/java.rb

@@ -5,3 +5,7 @@
 default['java']['jdk']['8']['x86_64']['url'] = 'http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz'
 default['java']['jdk']['8']['x86_64']['checksum'] = '91972fb4e753f1b6674c2b952d974320'
 default['java']['oracle']['accept_oracle_download_terms'] = true
+
+# Java CA Certstore
+default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts"
+default['alfresco']['certstore']['pass'] = 'changeit'

recipes/_certs.rb

@@ -12,7 +12,7 @@
 begin
   ssl = data_bag_item(ssl_databag, ssl_databag_item)
   ssl.each do |ssl_item_name, ssl_item_value|
-    next unless ssl_item_name == 'id'
+    next if ssl_item_name == 'id'
     ssl_file = "#{ssl_folder}/#{filename}.#{ssl_item_name}"
     file ssl_file do
       action :create
@@ -26,7 +26,6 @@
   ssl_chain_file = "#{ssl_folder}/#{filename}.chain"
   ssl_nginxcrt_file = "#{ssl_folder}/#{filename}.nginxcrt"
   ssl_dhparam_file = "#{ssl_folder}/#{filename}.dhparam"
-
   unless node['alfresco']['skip_certificate_creation']
     execute 'create-fake-ssl-keypair' do
       command "openssl req -subj '/C=UK/ST=Berkshire/L=Maidenhead/O=Alfresco/CN=#{ssl_fqdn}' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout #{ssl_key_file} -out #{ssl_crt_file}"

recipes/db-ssl.rb

@@ -1,31 +1,41 @@
-remote_file "#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem" do
-  source 'http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem'
+pem_file = 'rds-combined-ca-bundle.pem'
+
+remote_file "#{Chef::Config[:file_cache_path]}/#{pem_file}" do
+  source "http://s3.amazonaws.com/rds-downloads/#{pem_file}"
   owner 'root'
   group 'root'
   mode '0755'
   action :create_if_missing
 end
 
-execute 'split_certs' do
-  command <<-EOF
-    cd #{Chef::Config[:file_cache_path]}
-    csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}'
-    EOF
-  only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") }
-end
-
 truststore = node['alfresco']['truststore_file']
 truststore_pass = node['alfresco']['truststore_password']
 truststore_type = node['alfresco']['truststore_type']
 
+certstore = node['alfresco']['certstore']['path']
+certstore_pass = node['alfresco']['certstore']['pass']
+
 ruby_block 'Import AWS RDS Certs' do
   block do
+    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
+    csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'"
+    shell_out(csplit)
     Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert|
-      Mixlib::ShellOut.new(
-        %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \
-        -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ]
-      ).run_command
+      alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'"
+      crt_alias = shell_out(alias_cmd).stdout.chomp.split.join
+      f = Chef::Resource::JavaCertificate.new('java_certificate', run_context)
+      f.cert_alias = crt_alias
+      f.cert_file = cert
+      f.keystore_path = certstore
+      f.keystore_passwd = certstore_pass
+      f.run_action :install
+      # Java certificate library don't have option of storetype other than JKS hence passing this way
+      tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}"
+      shell_out(tstore_cmd)
     end
   end
   action :run
 end
+
+ssl_db_conf = " -Djavax.net.ssl.keyStore=#{certstore} -Djavax.net.ssl.keyStorePassword=#{certstore_pass}"
+node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}"

recipes/tomcat.rb

@@ -38,6 +38,44 @@
 
 include_recipe 'tomcat::default'
 
+# Find openjdk version
+ruby_block 'Find openjdk version' do
+  block do
+    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
+    command = 'rpm -qa | grep openjdk | grep -v headless'
+    command_out = shell_out(command)
+    openjdk_version = command_out.stdout.chomp
+    node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre"
+  end
+  action :run
+end
+
+# Unset openjdk alternatives for java and javac commands
+java_alternatives 'un-set java alternatives' do
+  java_location lazy { node.run_state['openjdk_path'] }
+  bin_cmds %w(java javac keytool)
+  action :unset
+end
+
+# Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum
+java_ark 'jdk' do
+  url node['java']['jdk']['8']['x86_64']['url']
+  default node['java']['set_default']
+  checksum node['java']['jdk']['8']['x86_64']['checksum']
+  app_home node['java']['java_home']
+  bin_cmds node['java']['jdk']['8']['bin_cmds']
+  alternatives_priority node['java']['alternatives_priority']
+  retries node['java']['ark_retries']
+  retry_delay node['java']['ark_retry_delay']
+  connect_timeout node['java']['ark_timeout']
+  use_alt_suffix node['java']['use_alt_suffix']
+  reset_alternatives node['java']['reset_alternatives']
+  download_timeout node['java']['ark_download_timeout']
+  proxy node['java']['ark_proxy']
+  action :install
+  notifies :write, 'log[jdk-version-changed]', :immediately
+end
+
 selinux_commands = {}
 selinux_commands['semanage permissive -a tomcat_t'] = 'semanage permissive -l | grep tomcat_t'
 

resources/haproxy_config.rb

@@ -58,6 +58,10 @@
   end
 
   # Duplicate alfresco backend into aos_vti, root and alfresco_api
+  new_hash = Marshal.load(Marshal.dump(haproxy_backends))
+
+  haproxy_backends['alfresco']['az'] = new_hash['share']['az']
+  haproxy_backends['aos']['az'] = new_hash['share']['az']
   haproxy_backends['aos_vti']['az'] = haproxy_backends['alfresco']['az']
   # haproxy_backends['aos_root']['az'] = haproxy_backends['alfresco']['az']
 
@@ -77,7 +81,7 @@
     ordered_role << role['az']['local'] if role['az']['local']
     ordered_role << role['az'][current_az] if current_az && role['az'][current_az]
     role['az'].each do |az_name, az|
-      if 'local' != az_name && (current_az == nil? || current_az != azName)
+      if 'local' != az_name && (current_az == nil? || current_az != az_name)
         ordered_role << az if az
       end
     end
@@ -100,7 +104,9 @@
         if balanced
           options = "cookie #{instance['jvm_route']} check inter 5000"
         elsif index > 0
-          options = 'check inter 5000 backup'
+          if instance['haproxy_backends'] == 'solr'
+            options = 'check inter 5000 backup'
+          end
         end
         instance['options'] = options
       end

test/integration/community-52/inspec/certs_spec.rb

@@ -0,0 +1,37 @@
+require 'json'
+
+ssl_folder = '/etc/pki/tls/certs'
+filename = 'alfresco'
+
+file = File.read('test/integration/data_bags/ssl/certs.json')
+ssl_databag_test = JSON.parse(file)
+
+control 'alfresco-10' do
+  impact 0.5
+  title 'Certs files creation and value check'
+
+  describe file("#{ssl_folder}/#{filename}.key") do
+    it { should exist }
+    its('content') { should match ssl_databag_test['key'].to_s }
+  end
+
+  describe file("#{ssl_folder}/#{filename}.crt") do
+    it { should exist }
+    its('content') { should match ssl_databag_test['crt'].to_s }
+  end
+
+  describe file("#{ssl_folder}/#{filename}.chain") do
+    it { should exist }
+    its('content') { should match ssl_databag_test['chain'].to_s }
+  end
+
+  describe file("#{ssl_folder}/#{filename}.nginxcrt") do
+    it { should exist }
+    its('content') { should match ssl_databag_test['nginxcrt'].to_s }
+  end
+
+  describe file("#{ssl_folder}/#{filename}.dhparam") do
+    it { should exist }
+    its('content') { should match ssl_databag_test['dhparam'].to_s }
+  end
+end

test/integration/community-edition/inspec/java_spec.rb

@@ -0,0 +1,9 @@
+control 'Java version' do
+  impact 1.0
+  title 'Check for Oracle Java'
+  desc 'Determine if Java flavor is OracleJDK and not OpenJDK'
+  describe command("java -version 2>&1 >/dev/null | grep 'java' | awk '{print $1}'") do
+    its(:stdout) { should match(/java/) }
+    its(:stdout) { should_not match(/openjdk/) }
+  end
+end