#!/bin/bash ##### # ESG SECURITY # This script is intended to be an adjunct to the esg-node / esg-gway scripts # (author: gavin@llnl.gov) #**************************************************************************** #* * #* Organization: Lawrence Livermore National Lab (LLNL) * #* Directorate: Computation * #* Department: Computing Applications and Research * #* Division: S&T Global Security * #* Matrix: Atmospheric, Earth and Energy Division * #* Program: PCMDI * #* Project: Earth Systems Grid (ESG) Data Node Software Stack * #* First Author: Gavin M. Bell (gavin@llnl.gov) * #* * #**************************************************************************** #* * #* Copyright (c) 2009, Lawrence Livermore National Security, LLC. * #* Produced at the Lawrence Livermore National Laboratory * #* Written by: Gavin M. Bell (gavin@llnl.gov) * #* LLNL-CODE-420962 * #* * #* All rights reserved. This file is part of the: * #* Earth System Grid (ESG) Data Node Software Stack, Version 1.0 * #* * #* For details, see http://esg-repo.llnl.gov/esg-node/ * #* Please also read this link * #* http://esg-repo.llnl.gov/LICENSE * #* * #* * Redistribution and use in source and binary forms, with or * #* without modification, are permitted provided that the following * #* conditions are met: * #* * #* * Redistributions of source code must retain the above copyright * #* notice, this list of conditions and the disclaimer below. * #* * #* * Redistributions in binary form must reproduce the above copyright * #* notice, this list of conditions and the disclaimer (as noted below) * #* in the documentation and/or other materials provided with the * #* distribution. * #* * #* Neither the name of the LLNS/LLNL nor the names of its contributors * #* may be used to endorse or promote products derived from this * #* software without specific prior written permission. * #* * #* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * #* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * #* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * #* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LAWRENCE * #* LIVERMORE NATIONAL SECURITY, LLC, THE U.S. DEPARTMENT OF ENERGY OR * #* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * #* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * #* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * #* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * #* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * #* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * #* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * #* SUCH DAMAGE. * #* * #**************************************************************************** ###### # Description: Installation of the esg-security infrastructure. This # file is meant to be sourced by the esg-node | esg-gway # scripts that has the definition of checked_get(), # stop_tomcat(), start_tomcat(), $workdir, service_name=${service_name:-"thredds"} esg_security_filters_dist_url=${esg_dist_url}/filters esg_orp_version=${esg_orp_version:-"1.1.4"} esgf_security_version=${esgf_security_version:-"1.3.1"} #arg (1) - install = 0 [default] # upgrade = 1 setup_security_las_ip_filter() { mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null install_security_las_ip_filter popd >& /dev/null #start_tomcat return 0 } #NOTE:This function will stop tomcat, it is up to the caller to restart tomcat! #Takes 2 arguments: # First - The top level directory of the webapp where filter is to be installed. # Second - The file containing the filter entry xml snippet (optional: defaulted) install_security_las_ip_filter() { local dest_dir=${1:-${tomcat_install_dir}/webapps/${service_name}} local esg_filter_entry_file=${2:-esg-security-las-ip-filter.xml} local esg_filter_entry_pattern="" echo echo "*******************************" echo "Installing Tomcat ESG LAS (IP) Security Filters... for ${service_name}" echo "-------------------------------" echo "ESG ORP Filter: v${esg_orp_version}" echo "ESGF Security (SAML): v${esgf_security_version}" echo "*******************************" echo echo "Filter installation destination dir = ${dest_dir}" echo "Filter entry file = ${esg_filter_entry_file}" echo "Filter entry pattern = ${esg_filter_entry_pattern}" #Installs esg filter into web application's web.xml file, by replacing a #place holder token with the contents of the filter snippet file #"esg-security-filter.xml". #pre-checking... make sure the files we need in web app are there.... [ ! -e ${dest_dir}/WEB-INF ] && echo " ERROR: Could not find WEB-INF installation dir!!" && return 1 [ ! -e ${dest_dir}/WEB-INF/lib ] && echo " ERROR: Could not find WEB-INF/lib installation dir!!" && return 1 [ ! -e ${dest_dir}/WEB-INF/web.xml ] && echo " ERROR: no web.xml file found!!" && return 1 stop_tomcat get_las_filter_support_libs ${dest_dir}/WEB-INF/lib ! egrep ${esg_filter_entry_pattern} ${dest_dir}/WEB-INF/web.xml && printf " No Pattern Found In File [${dest_dir}/WEB-INF/web.xml] - skipping this filter setup\n\n" && return 1 mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null checked_get ${esg_security_filters_dist_url}/${esg_filter_entry_file}; (( $? > 1 )) && popd && checked_done 1 esg_filter_entry_file=$(readlink -f ${esg_filter_entry_file}) #going to need full path for pattern replacement below popd >& /dev/null #---------------------- #Configuration... pushd ${dest_dir}/WEB-INF >& /dev/null [ $? != 0 ] && echo " ERROR: Could not find web application (${dest_dir})" && return 1 local target_file=web.xml #Replace the filter's place holder token in web app's web.xml file with the filter entry. #Use utility function... insert_file_at_pattern $(readlink -f ${target_file}) ${esg_filter_entry_file} "${esg_filter_entry_pattern}" echo " [OK]" popd >& /dev/null #---------------------- chown -R ${tomcat_user} ${dest_dir}/WEB-INF chgrp -R ${tomcat_group} ${dest_dir}/WEB-INF echo "security filters installed..." return 0 } #Copies the filter jar file to the web app's lib dir #arg 1 - The destination web application lib directory (default thredds) get_las_filter_support_libs() { openid_relying_party_app_home=${openid_relying_party_app_home:-"${CATALINA_HOME}/webapps/OpenidRelyingParty"} local dest_dir=${1:-${tomcat_install_dir}/webapps/${service_name}/WEB-INF/lib} local src_dir=${openid_relying_party_app_home}/WEB-INF/lib #Jar versions... openws_version=${openws_version:-"1.3.1"} xmltooling_version=${xmltooling_version:-"1.2.2"} xsgroup_role_version=${xsgroup_role_version:-"1.0.0"} #(formerly known as endorsed jars) commons_collections_version=${commons_collections_version:-"3.2.2"} serializer_version=${serializer_version:-"2.9.1"} velocity_version=${velocity_version:-"1.5"} xalan_version=${xalan_version:-"2.7.2"} xercesImpl_version=${xercesImpl_version:-"2.10.0"} xml_apis_version=${xml_apis_version:-"1.4.01"} xmlsec_version=${xmlsec_version:-"1.4.2"} #---------------------------- #Jar Libraries Needed To Be Present For ORP (tokenless) Filter Support #---------------------------- openws_jar=openws-${openws_version}.jar xmltooling_jar=xmltooling-${xmltooling_version}.jar xsgroup_role_jar=XSGroupRole-${xsgroup_role_version}.jar #(formerly known as endorsed jars) commons_collections_jar=commons-collections-${commons_collections_version}.jar serializer_jar=serializer-${serializer_version}.jar velocity_jar=velocity-${velocity_version}.jar xalan_jar=xalan-${xalan_version}.jar xercesImpl_jar=xercesImpl-${xercesImpl_version}.jar xml_apis_jar=xml-apis-${xml_apis_version}.jar xmlsec_jar=xmlsec-${xmlsec_version}.jar if [ -d ${dest_dir} ]; then #move over SAML libraries... echo "getting (copying) libary jars from the ORP to ${dest_dir}" [ ! -e ${dest_dir}/${openws_jar} ] && cp -v ${src_dir}/${openws_jar} ${dest_dir} [ ! -e ${dest_dir}/${xmltooling_jar} ] && cp -v ${src_dir}/${xmltooling_jar} ${dest_dir} [ ! -e ${dest_dir}/${xsgroup_role_jar} ] && cp -v ${src_dir}/${xsgroup_role_jar} ${dest_dir} #(formerly known as endorsed jars) [ ! -e ${dest_dir}/${commons_collections_jar} ] && cp -v ${src_dir}/${commons_collections_jar} ${dest_dir} [ ! -e ${dest_dir}/${serializer_jar} ] && cp -v ${src_dir}/${serializer_jar} ${dest_dir} [ ! -e ${dest_dir}/${velocity_jar} ] && cp -v ${src_dir}/${velocity_jar} ${dest_dir} [ ! -e ${dest_dir}/${xalan_jar} ] && cp -v ${src_dir}/${xalan_jar} ${dest_dir} [ ! -e ${dest_dir}/${xercesImpl_jar} ] && cp -v ${src_dir}/${xercesImpl_jar} ${dest_dir} [ ! -e ${dest_dir}/${xml_apis_jar} ] && cp -v ${src_dir}/${xml_apis_jar} ${dest_dir} [ ! -e ${dest_dir}/${xmlsec_jar} ] && cp -v ${src_dir}/${xmlsec_jar} ${dest_dir} #---------------------------- #Fetching ORP / Security Jars from Distribution Site... #---------------------------- #values inherited from esg-node calling script #----- #project generated jarfiles... local esg_orp_jar=esg-orp-${esg_orp_version}.jar local esgf_security_jar=esgf-security-${esgf_security_version}.jar #----- echo "getting (downloading) library jars from ESGF Distribution Server (ORP/Security) to ${dest_dir} ..." local make_backup_file=0 #Do NOT make backup file checked_get ${dest_dir}/${esg_orp_jar} ${esg_dist_url}/esg-orp/${esg_orp_jar} $((force_install)) $((make_backup_file)) checked_get ${dest_dir}/${esgf_security_jar} ${esg_dist_url}/esgf-security/${esgf_security_jar} $((force_install)) $((make_backup_file)) #remove all other node manager jars that are not what we want echo "cleaning up (removing) other, unnecessary, orp/security project jars from ${dest_dir} ..." rm -vf $(/bin/ls ${dest_dir}/${esg_orp_jar%-*}-*.jar | grep -v ${esg_orp_version}) rm -vf $(/bin/ls ${dest_dir}/${esgf_security_jar%-*}-*.jar | grep -v ${esgf_security_version}) #--- chown -R ${tomcat_user}:${tomcat_group} ${dest_dir} fi }