#!/bin/bash ##### # ESG SECURITY # This script is intended to be an adjunct to the esg-node / esg-gway scripts # (author: gavin@llnl.gov) #**************************************************************************** #* * #* Organization: Lawrence Livermore National Lab (LLNL) * #* Directorate: Computation * #* Department: Computing Applications and Research * #* Division: S&T Global Security * #* Matrix: Atmospheric, Earth and Energy Division * #* Program: PCMDI * #* Project: Earth Systems Grid (ESG) Data Node Software Stack * #* First Author: Gavin M. Bell (gavin@llnl.gov) * #* * #**************************************************************************** #* * #* Copyright (c) 2009, Lawrence Livermore National Security, LLC. * #* Produced at the Lawrence Livermore National Laboratory * #* Written by: Gavin M. Bell (gavin@llnl.gov) * #* LLNL-CODE-420962 * #* * #* All rights reserved. This file is part of the: * #* Earth System Grid (ESG) Data Node Software Stack, Version 1.0 * #* * #* For details, see http://esg-repo.llnl.gov/esg-node/ * #* Please also read this link * #* http://esg-repo.llnl.gov/LICENSE * #* * #* * Redistribution and use in source and binary forms, with or * #* without modification, are permitted provided that the following * #* conditions are met: * #* * #* * Redistributions of source code must retain the above copyright * #* notice, this list of conditions and the disclaimer below. * #* * #* * Redistributions in binary form must reproduce the above copyright * #* notice, this list of conditions and the disclaimer (as noted below) * #* in the documentation and/or other materials provided with the * #* distribution. * #* * #* Neither the name of the LLNS/LLNL nor the names of its contributors * #* may be used to endorse or promote products derived from this * #* software without specific prior written permission. * #* * #* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * #* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * #* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * #* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LAWRENCE * #* LIVERMORE NATIONAL SECURITY, LLC, THE U.S. DEPARTMENT OF ENERGY OR * #* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * #* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * #* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * #* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * #* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * #* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * #* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * #* SUCH DAMAGE. * #* * #**************************************************************************** ###### # Description: Installation of the esg-security infrastructure. This # file is meant to be sourced by the esg-node | esg-gway # scripts that has the definition of checked_get(), # stop_tomcat(), start_tomcat(), $workdir, esg_security_filters_dist_url=${esg_dist_url}/filters #arg (1) - install = 0 [default] # upgrade = 1 setup_security_saml_filters() { mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null install_security_saml_filters popd >& /dev/null #start_tomcat return 0 } #NOTE:This function will stop tomcat, it is up to the caller to restart tomcat! #Takes 2 arguments: # First - The top level directory of the webapp where filter is to be installed. # Second - The file containing the filter entry xml snippet (optional: defaulted) install_security_saml_filters() { echo echo "*******************************" echo "Installing Tomcat ESG SAML Security Filters..." echo "*******************************" echo #----- #project generated jarfiles... orp_filter_jar=esg-orp-1.1.2.2.jar saml_filter_jar=esg-saml-1.1.2.2.jar opensaml_jar=opensaml-2.3.2.jar openws_jar=openws-1.3.1.jar xmltooling_jar=xmltooling-1.2.2.jar xsgroup_role_jar=XSGroupRole-1.0.0.jar #----- local dest_dir=${1:-${tomcat_install_dir}/webapps/thredds} echo "Filter installation destination dir = ${dest_dir}" local esg_filter_entry_file=${2:-esg-security-saml-filters.xml} echo "Filter entry file = ${esg_filter_entry_file}" local esg_filter_entry_pattern="" echo "Filter entry pattern = ${esg_filter_entry_pattern}" #Installs esg filter into web application's web.xml file, by replacing a #place holder token with the contents of the filter snippet file #"esg-security-filter.xml". Copies the filter jar file to the web app's #lib dir #pre-checking... make sure the files we need in web app are there.... [ ! -e ${dest_dir}/WEB-INF ] && echo " ERROR: Could not find WEB-INF installation dir!!" && return 1 [ ! -e ${dest_dir}/WEB-INF/lib ] && echo " ERROR: Could not find WEB-INF/lib installation dir!!" && return 1 [ ! -e ${dest_dir}/WEB-INF/web.xml ] && echo " ERROR: no web.xml file found!!" && return 1 ! egrep ${esg_filter_entry_pattern} ${dest_dir}/WEB-INF/web.xml && printf " WARNING: No Pattern Found In File - exiting this filter setup\n\n" && return 1 stop_tomcat pushd ${dest_dir}/WEB-INF/lib >& /dev/null echo "Checking for / Installing required jars..." [ ! -e eske.jar ] && echo "no eske jar found locally" && checked_get ${esg_dist_url}/eske.jar; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${orp_filter_jar} ] && echo "no esg-orp jar found locally" && checked_get ${esg_security_filters_dist_url}/${orp_filter_jar}; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${saml_filter_jar} ] && echo "no esg-saml jar found locally" && checked_get ${esg_security_filters_dist_url}/${saml_filter_jar}; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${opensaml_jar} ] && echo "no opensaml jar found locally" && checked_get ${esg_security_filters_dist_url}/${opensaml_jar}; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${openws_jar} ] && echo "no openws jar found locally" && checked_get ${esg_security_filters_dist_url}/${openws_jar}; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${xmltooling_jar} ] && echo "no xmltooling jar found locally" && checked_get ${esg_security_filters_dist_url}/${xmltooling_jar}; (( $? > 1 )) && popd && checked_done 1 [ ! -e ${xsgroup_role_jar} ] && echo "no XSGroupRole jar found locally" && checked_get ${esg_security_filters_dist_url}/${xsgroup_role_jar}; (( $? > 1 )) && popd && checked_done 1 popd >& /dev/null mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null checked_get ${esg_security_filters_dist_url}/${esg_filter_entry_file}; (( $? > 1 )) && popd && checked_done 1 esg_filter_entry_file=$(readlink -f ${esg_filter_entry_file}) #going to need full path for pattern replacement below popd >& /dev/null #---------------------- #Configuration... pushd ${dest_dir}/WEB-INF >& /dev/null [ $? != 0 ] && echo " ERROR: Could not find web application (${dest_dir})" && return 1 local target_file=web.xml #Replace the filter's place holder token in web app's web.xml file with the filter entry. #Use utility function... insert_file_at_pattern $(readlink -f ${target_file}) ${esg_filter_entry_file} "${esg_filter_entry_pattern}" local openidrelyingparty_host=${openidrelyingparty_host:-$(hostname --fqdn)} #default assumes local install local authorization_service_host=${authorization_service_host:-${gateway_service_root%%/*}} #ex: pcmdi3.llnl.gov local truststore_file=${truststore_file:-"${tomcat_install_dir}/conf/jssecacerts"} local truststore_password=${truststore_password:-"changeit"} #Edit the web.xml file for the web app to include these token replacement values echo -n "Replacing tokens... " eval "perl -p -i -e 's#\\@openidrelyingparty_host\\@#${openidrelyingparty_host}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@authorization_service_host\\@#${authorization_service_host}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@truststore_file\\@#${truststore_file}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@truststore_password\\@#${truststore_password}#g' ${target_file}"; echo -n "*" echo " [OK]" popd >& /dev/null #---------------------- chown -R ${tomcat_user} ${dest_dir}/WEB-INF chgrp -R ${tomcat_group} ${dest_dir}/WEB-INF echo "security filters installed..." return 0 }