Merge pull request #221 from Alfresco/REDD-789

Fixed Java flavor to be only Oracle & enabled inspec tests

.kitchen.yml

@@ -9,6 +9,7 @@ driver:
 
 provisioner:
   name: chef_zero
+  require_chef_omnibus: 12.19.36
 
 verifier:
   name: inspec
@@ -33,6 +34,7 @@ suites:
       inspec_tests:
         - name: nginx-hardening
           git: https://github.com/Alfresco/tests-nginx-hardening
+        - path: test/integration/community-edition/inspec
     data_bags_path: "test/integration/data_bags"
     attributes: {
       "name": "chef-alfresco-community",

attributes/haproxy.rb

@@ -217,14 +217,18 @@
 # HAproxy configuration
 default['haproxy']['frontends']['internal']['acls']['alfresco'] = ['path_beg /alfresco']
 default['haproxy']['frontends']['external']['acls']['alfresco'] = ['path_beg /alfresco', 'path_reg ^/alfresco/aos/.*', 'path_reg ^/alfresco/aos$']
+default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*']
+default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND']
+
 default['haproxy']['backends']['roles']['alfresco']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
 default['haproxy']['backends']['roles']['alfresco']['port'] = 8070
 
-default['haproxy']['frontends']['external']['acls']['aos_vti'] = ['path_reg ^/_vti_inf.html$', 'path_reg ^/_vti_bin/.*']
+default['haproxy']['backends']['roles']['aos']['entries'] = ['option httpchk GET /alfresco', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
+default['haproxy']['backends']['roles']['aos']['port'] = 8070
+
 default['haproxy']['backends']['roles']['aos_vti']['entries'] = ['option httpchk GET /_vti_inf.html', 'cookie JSESSIONID prefix', 'balance url_param JSESSIONID check_post']
 default['haproxy']['backends']['roles']['aos_vti']['port'] = 8070
 
-default['haproxy']['frontends']['external']['acls']['aos_root'] = ['path_reg ^/$ method OPTIONS', 'path_reg ^/$ method PROPFIND']
 default['haproxy']['backends']['roles']['aos_root']['entries'] = ['option httpchk GET /']
 default['haproxy']['backends']['roles']['aos_root']['port'] = 8070
 

attributes/java.rb

@@ -5,3 +5,7 @@
 default['java']['jdk']['8']['x86_64']['url'] = 'http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz'
 default['java']['jdk']['8']['x86_64']['checksum'] = '91972fb4e753f1b6674c2b952d974320'
 default['java']['oracle']['accept_oracle_download_terms'] = true
+
+# Java CA Certstore
+default['alfresco']['certstore']['path'] = "#{node['java']['java_home']}/jre/lib/security/cacerts"
+default['alfresco']['certstore']['pass'] = 'changeit'

recipes/db-ssl.rb

@@ -1,31 +1,39 @@
-remote_file "#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem" do
-  source 'http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem'
+pem_file = 'rds-combined-ca-bundle.pem'
+
+remote_file "#{Chef::Config[:file_cache_path]}/#{pem_file}" do
+  source "http://s3.amazonaws.com/rds-downloads/#{pem_file}"
   owner 'root'
   group 'root'
   mode '0755'
   action :create_if_missing
 end
 
-execute 'split_certs' do
-  command <<-EOF
-    cd #{Chef::Config[:file_cache_path]}
-    csplit -sz rds-combined-ca-bundle.pem '/-BEGIN CERTIFICATE-/' '{*}'
-    EOF
-  only_if { ::File.exist?("#{Chef::Config[:file_cache_path]}/rds-combined-ca-bundle.pem") }
-end
-
 truststore = node['alfresco']['truststore_file']
 truststore_pass = node['alfresco']['truststore_password']
 truststore_type = node['alfresco']['truststore_type']
 
+certstore = node['alfresco']['certstore']['path']
+certstore_pass = node['alfresco']['certstore']['pass']
+
 ruby_block 'Import AWS RDS Certs' do
   block do
+    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
+    csplit = "cd #{Chef::Config[:file_cache_path]} && csplit -sz #{pem_file} '/-BEGIN CERTIFICATE-/' '{*}'"
+    shell_out(csplit)
     Dir.glob("#{Chef::Config[:file_cache_path]}/xx*").each do |cert|
-      Mixlib::ShellOut.new(
-        %[ keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt \
-        -alias \"$(openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print')\" -file #{cert} ]
-      ).run_command
+      alias_cmd = "openssl x509 -noout -text -in #{cert} | perl -ne 'next unless /Subject:/; s/.*CN=//; print'"
+      crt_alias = shell_out(alias_cmd).stdout.chomp.split.join
+      f = Chef::Resource::JavaCertificate.new('java_certificate', run_context)
+      f.cert_alias = crt_alias
+      f.cert_file = cert
+      f.run_action :install
+      # Java certificate library don't have option of storetype other than JKS hence passing this way
+      tstore_cmd = "keytool -import -keystore #{truststore} -storepass #{truststore_pass} -storetype #{truststore_type} -noprompt -alias #{crt_alias} -file #{cert}"
+      shell_out(tstore_cmd)
     end
   end
   action :run
 end
+
+ssl_db_conf = " -Djavax.net.ssl.keyStore=#{certstore} -Djavax.net.ssl.keyStorePassword=#{certstore_pass}"
+node.default['alfresco']['repo_tomcat_instance']['java_options']['others'] = "#{node['alfresco']['repo_tomcat_instance']['java_options']['others']} #{ssl_db_conf}"

recipes/tomcat.rb

@@ -38,6 +38,44 @@
 
 include_recipe 'tomcat::default'
 
+# Find openjdk version
+ruby_block 'Find openjdk version' do
+  block do
+    Chef::Resource::RubyBlock.send(:include, Chef::Mixin::ShellOut)
+    command = 'rpm -qa | grep openjdk | grep -v headless'
+    command_out = shell_out(command)
+    openjdk_version = command_out.stdout.chomp
+    node.run_state['openjdk_path'] = "/usr/lib/jvm/#{openjdk_version}/jre"
+  end
+  action :run
+end
+
+# Unset openjdk alternatives for java and javac commands
+java_alternatives 'un-set java alternatives' do
+  java_location lazy { node.run_state['openjdk_path'] }
+  bin_cmds %w(java javac keytool)
+  action :unset
+end
+
+# Reset back to Oracle Java as Apache Tomcat installs OpenJDK via Yum
+java_ark 'jdk' do
+  url node['java']['jdk']['8']['x86_64']['url']
+  default node['java']['set_default']
+  checksum node['java']['jdk']['8']['x86_64']['checksum']
+  app_home node['java']['java_home']
+  bin_cmds node['java']['jdk']['8']['bin_cmds']
+  alternatives_priority node['java']['alternatives_priority']
+  retries node['java']['ark_retries']
+  retry_delay node['java']['ark_retry_delay']
+  connect_timeout node['java']['ark_timeout']
+  use_alt_suffix node['java']['use_alt_suffix']
+  reset_alternatives node['java']['reset_alternatives']
+  download_timeout node['java']['ark_download_timeout']
+  proxy node['java']['ark_proxy']
+  action :install
+  notifies :write, 'log[jdk-version-changed]', :immediately
+end
+
 selinux_commands = {}
 selinux_commands['semanage permissive -a tomcat_t'] = 'semanage permissive -l | grep tomcat_t'
 

resources/haproxy_config.rb

@@ -58,6 +58,10 @@
   end
 
   # Duplicate alfresco backend into aos_vti, root and alfresco_api
+  new_hash = Marshal.load(Marshal.dump(haproxy_backends))
+
+  haproxy_backends['alfresco']['az'] = new_hash['share']['az']
+  haproxy_backends['aos']['az'] = new_hash['share']['az']
   haproxy_backends['aos_vti']['az'] = haproxy_backends['alfresco']['az']
   # haproxy_backends['aos_root']['az'] = haproxy_backends['alfresco']['az']
 
@@ -77,7 +81,7 @@
     ordered_role << role['az']['local'] if role['az']['local']
     ordered_role << role['az'][current_az] if current_az && role['az'][current_az]
     role['az'].each do |az_name, az|
-      if 'local' != az_name && (current_az == nil? || current_az != azName)
+      if 'local' != az_name && (current_az == nil? || current_az != az_name)
         ordered_role << az if az
       end
     end
@@ -100,7 +104,9 @@
         if balanced
           options = "cookie #{instance['jvm_route']} check inter 5000"
         elsif index > 0
-          options = 'check inter 5000 backup'
+          if instance['haproxy_backends'] == 'solr'
+            options = 'check inter 5000 backup'
+          end
         end
         instance['options'] = options
       end

test/integration/community-edition/inspec/java_spec.rb

@@ -0,0 +1,9 @@
+control 'Java version' do
+  impact 1.0
+  title 'Check for Oracle Java'
+  desc 'Determine if Java flavor is OracleJDK and not OpenJDK'
+  describe command("java -version 2>&1 >/dev/null | grep 'java' | awk '{print $1}'") do
+    its(:stdout) { should match(/java/) }
+    its(:stdout) { should_not match(/openjdk/) }
+  end
+end