#!/bin/bash ##### # ESG SECURITY # This script is intended to be an adjunct to the esg-node / esg-gway scripts # (author: gavin@llnl.gov) #**************************************************************************** #* * #* Organization: Lawrence Livermore National Lab (LLNL) * #* Directorate: Computation * #* Department: Computing Applications and Research * #* Division: S&T Global Security * #* Matrix: Atmospheric, Earth and Energy Division * #* Program: PCMDI * #* Project: Earth Systems Grid (ESG) Data Node Software Stack * #* First Author: Gavin M. Bell (gavin@llnl.gov) * #* * #**************************************************************************** #* * #* Copyright (c) 2009, Lawrence Livermore National Security, LLC. * #* Produced at the Lawrence Livermore National Laboratory * #* Written by: Gavin M. Bell (gavin@llnl.gov) * #* LLNL-CODE-420962 * #* * #* All rights reserved. This file is part of the: * #* Earth System Grid (ESG) Data Node Software Stack, Version 1.0 * #* * #* For details, see http://esg-repo.llnl.gov/esg-node/ * #* Please also read this link * #* http://esg-repo.llnl.gov/LICENSE * #* * #* * Redistribution and use in source and binary forms, with or * #* without modification, are permitted provided that the following * #* conditions are met: * #* * #* * Redistributions of source code must retain the above copyright * #* notice, this list of conditions and the disclaimer below. * #* * #* * Redistributions in binary form must reproduce the above copyright * #* notice, this list of conditions and the disclaimer (as noted below) * #* in the documentation and/or other materials provided with the * #* distribution. * #* * #* Neither the name of the LLNS/LLNL nor the names of its contributors * #* may be used to endorse or promote products derived from this * #* software without specific prior written permission. * #* * #* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * #* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * #* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * #* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL LAWRENCE * #* LIVERMORE NATIONAL SECURITY, LLC, THE U.S. DEPARTMENT OF ENERGY OR * #* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * #* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * #* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * #* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * #* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * #* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * #* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * #* SUCH DAMAGE. * #* * #**************************************************************************** ###### # Description: Installation of the esg-security infrastructure. This # file is meant to be sourced by the esg-node | esg-gway # scripts that has the definition of checked_get(), # stop_tomcat(), start_tomcat(), $workdir, service_name=${service_name:-"thredds"} esg_root_dir=${esg_root_dir:-${ESGF_HOME:-"/esg"}} esg_security_filters_dist_url=${esg_dist_url}/filters esg_orp_version=${esg_orp_version:-"2.3.5"} esgf_security_version=${esgf_security_version:-"2.3.15"} #arg (1) - install = 0 [default] # upgrade = 1 setup_security_tokenless_filters() { mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null install_security_tokenless_filters popd >& /dev/null #start_tomcat return 0 } #NOTE:This function will stop tomcat, it is up to the caller to restart tomcat! #Takes 2 arguments: # First - The top level directory of the webapp where filter is to be installed. # Second - The file containing the filter entry xml snippet (optional: defaulted) install_security_tokenless_filters() { local dest_dir=${1:-${tomcat_install_dir}/webapps/${service_name}} local esg_filter_entry_file=${2:-esg-security-tokenless-$([ "${service_name}" = "thredds" ] && echo "${service_name}" || echo "generic")-filters.xml} local esg_filter_entry_pattern="" #((force_install)) && [ -e "${dest_dir}/web.xml.tmpl" ] \ # && mv -v "${dest_dir}/web.xml" "${dest_dir}/web.xml.bak" \ # && mv -v "${dest_dir}/web.xml.tmpl" "${dest_dir/}web.xml" echo echo "*******************************" echo "Installing Tomcat ESG SAML/ORP (Tokenless) Security Filters... for ${service_name}" echo "-------------------------------" echo "ESG ORP Filter: v${esg_orp_version}" echo "ESGF Security (SAML): v${esgf_security_version}" echo "*******************************" echo echo "Filter installation destination dir = ${dest_dir}" echo "Filter entry file = ${esg_filter_entry_file}" echo "Filter entry pattern = ${esg_filter_entry_pattern}" #Installs esg filter into web application's web.xml file, by replacing a #place holder token with the contents of the filter snippet file #"esg-security-filter.xml". #pre-checking... make sure the files we need in web app are there.... [ ! -e ${dest_dir}/WEB-INF ] && echo " WARNING: Could not find ${service_name}'s WEB-INF installation dir - Filter Not Applied" && return 1 [ ! -e ${dest_dir}/WEB-INF/lib ] && echo " WARNING: Could not find ${service_name}'s WEB-INF/lib installation dir - Filter Not Applied" && return 1 [ ! -e ${dest_dir}/WEB-INF/web.xml ] && echo " WARNING: no web.xml file found for ${service_name} - Filter Not Applied" && return 1 stop_tomcat get_orp_libs ${dest_dir}/WEB-INF/lib ! egrep ${esg_filter_entry_pattern} ${dest_dir}/WEB-INF/web.xml && printf " No Pattern Found In File [${dest_dir}/WEB-INF/web.xml] - skipping this filter setup\n\n" && return 1 mkdir -p $workdir [ $? != 0 ] && return 1 pushd $workdir >& /dev/null checked_get ${esg_security_filters_dist_url}/${esg_filter_entry_file}; (( $? > 1 )) && popd && checked_done 1 esg_filter_entry_file=$(readlink -f ${esg_filter_entry_file}) #going to need full path for pattern replacement below popd >& /dev/null #---------------------- #Configuration... pushd ${dest_dir}/WEB-INF >& /dev/null [ $? != 0 ] && echo " ERROR: Could not find web application (${dest_dir})" && return 1 local target_file=web.xml #Replace the filter's place holder token in web app's web.xml file with the filter entry. #Use utility function... insert_file_at_pattern $(readlink -f ${target_file}) ${esg_filter_entry_file} "${esg_filter_entry_pattern}" local orp_host=${orp_host:-${esgf_host}} #default assumes local install local authorization_service_root=${authorization_service_root:-${esgf_idp_peer}} #ex: pcmdi3.llnl.gov/esgcet[/saml/soap...] local truststore_file=${truststore_file:-"${tomcat_install_dir}/conf/jssecacerts"} local truststore_password=${truststore_password:-"changeit"} #Edit the web.xml file for the web app to include these token replacement values echo -n "Replacing tokens... " eval "perl -p -i -e 's#\\@orp_host\\@#${orp_host}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@truststore_file\\@#${truststore_file}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@truststore_password\\@#${truststore_password}#g' ${target_file}"; echo -n "*" eval "perl -p -i -e 's#\\@esg_root_dir\\@#${esg_root_dir}#g' ${target_file}"; echo -n "*" echo " [OK]" popd >& /dev/null #---------------------- chown -R ${tomcat_user} ${dest_dir}/WEB-INF chgrp -R ${tomcat_group} ${dest_dir}/WEB-INF echo "orp/security filters installed..." return 0 } #Copies the filter jar file to the web app's lib dir #arg 1 - The destination web application lib directory (default thredds) get_orp_libs() { orp_service_app_home=${orp_service_app_home:-"${CATALINA_HOME}/webapps/esg-orp"} local dest_dir=${1:-${tomcat_install_dir}/webapps/${service_name}/WEB-INF/lib} local src_dir=${orp_service_app_home}/WEB-INF/lib #Jar versions... opensaml_version=${opensaml_version:-"2.3.2"} openws_version=${openws_version:-"1.3.1"} xmltooling_version=${xmltooling_version:-"1.2.2"} xsgroup_role_version=${xsgroup_role_version:-"1.0.0"} #(formerly known as endorsed jars) commons_collections_version=${commons_collections_version:-"3.2.2"} serializer_version=${serializer_version:-"2.9.1"} velocity_version=${velocity_version:-"1.5"} xalan_version=${xalan_version:-"2.7.2"} xercesImpl_version=${xercesImpl_version:-"2.10.0"} xml_apis_version=${xml_apis_version:-"1.4.01"} xmlsec_version=${xmlsec_version:-"1.4.2"} joda_version=${joda_version:-"2.0"} commons_io_version=${commons_io_version:-"2.4"} slf4j_version="1.6.4" #------------------------------------------------------------------ #NOTE: Make sure that this version matches the version that is in #the esg-orp project!!! spring_version=${spring_version:-"4.2.3.RELEASE"} #------------------------------------------------------------------ #---------------------------- #Jar Libraries Needed To Be Present For ORP (tokenless) Filter Support #---------------------------- opensaml_jar=opensaml-${opensaml_version}.jar openws_jar=openws-${openws_version}.jar xmltooling_jar=xmltooling-${xmltooling_version}.jar xsgroup_role_jar=XSGroupRole-${xsgroup_role_version}.jar #(formerly known as endorsed jars) commons_collections_jar=commons-collections-${commons_collections_version}.jar serializer_jar=serializer-${serializer_version}.jar velocity_jar=velocity-${velocity_version}.jar xalan_jar=xalan-${xalan_version}.jar xercesImpl_jar=xercesImpl-${xercesImpl_version}.jar xml_apis_jar=xml-apis-${xml_apis_version}.jar xmlsec_jar=xmlsec-${xmlsec_version}.jar joda_time_jar=joda-time-${joda_version}.jar commons_io_jar=commons-io-${commons_io_version}.jar slf4j_api_jar=slf4j-api-${slf4j_version}.jar slf4j_log4j_jar=slf4j-log4j12-${slf4j_version}.jar spring_jar=spring-core-${spring_version}.jar spring_web_jar=spring-web-${spring_version}.jar spring_webmvc_jar=spring-webmvc-${spring_version}.jar if [ -d ${dest_dir} ]; then #move over SAML libraries... echo "getting (copying) libary jars from the ORP to ${dest_dir}" [ ! -e ${dest_dir}/${opensaml_jar} ] && cp -v ${src_dir}/${opensaml_jar} ${dest_dir} [ ! -e ${dest_dir}/${openws_jar} ] && cp -v ${src_dir}/${openws_jar} ${dest_dir} [ ! -e ${dest_dir}/${xmltooling_jar} ] && cp -v ${src_dir}/${xmltooling_jar} ${dest_dir} [ ! -e ${dest_dir}/${xsgroup_role_jar} ] && cp -v ${src_dir}/${xsgroup_role_jar} ${dest_dir} #(formerly known as endorsed jars) [ ! -e ${dest_dir}/${commons_collections_jar} ] && cp -v ${src_dir}/${commons_collections_jar} ${dest_dir} [ ! -e ${dest_dir}/${serializer_jar} ] && cp -v ${src_dir}/${serializer_jar} ${dest_dir} [ ! -e ${dest_dir}/${velocity_jar} ] && cp -v ${src_dir}/${velocity_jar} ${dest_dir} [ ! -e ${dest_dir}/${xalan_jar} ] && cp -v ${src_dir}/${xalan_jar} ${dest_dir} [ ! -e ${dest_dir}/${xercesImpl_jar} ] && cp -v ${src_dir}/${xercesImpl_jar} ${dest_dir} [ ! -e ${dest_dir}/${xml_apis_jar} ] && cp -v ${src_dir}/${xml_apis_jar} ${dest_dir} [ ! -e ${dest_dir}/${xmlsec_jar} ] && cp -v ${src_dir}/${xmlsec_jar} ${dest_dir} [ ! -e ${dest_dir}/${joda_time_jar} ] && cp -v ${src_dir}/${joda_time_jar} ${dest_dir} [ ! -e ${dest_dir}/${commons_io_jar} ] && cp -v ${src_dir}/${commons_io_jar} ${dest_dir} [ ! -e ${dest_dir}/${slf4j_api_jar} ] && cp -v ${src_dir}/${slf4j_api_jar} ${dest_dir} [ ! -e ${dest_dir}/${slf4j_log4j12_jar} ] && cp -v ${src_dir}/${slf4j_log4j12_jar} ${dest_dir} #---------------------------- #Fetching ORP / Security Jars from Distribution Site... #---------------------------- #values inherited from esg-node calling script #----- #project generated jarfiles... local esg_orp_jar=esg-orp-${esg_orp_version}.jar local esgf_security_jar=esgf-security-${esgf_security_version}.jar #----- echo "getting (downloading) library jars from ESGF Distribution Server (ORP/Security) to ${dest_dir} ..." local make_backup_file=0 #Do NOT make backup file if [ "$service_name" = "las" ]; then #Trying to avoid going on the wire to fetch files... see if the ORP has it locally first. if [[ ! -e "${dest_dir}/${spring_jar}" ]]; then if [[ -e "${src_dir}/${spring_jar}" ]]; then cp -v ${src_dir}/${spring_jar} ${dest_dir}/${spring_jar} else checked_get ${dest_dir}/${spring_jar} ${esg_dist_url}/filters/${spring_jar} $((force_install)) $((make_backup_file)) fi else ((DEBUG)) && echo "${dest_dir}/${spring_jar} - [OK]" fi if [[ ! -e "${dest_dir}/${spring_webmvc_jar}" ]]; then if [[ -e "${src_dir}/${spring_webmvc_jar}" ]]; then cp -v ${src_dir}/${spring_webmvc_jar} ${dest_dir}/${spring_webmvc_jar} else checked_get ${dest_dir}/${spring_webmvc_jar} ${esg_dist_url}/filters/${spring_webmvc_jar} $((force_install)) $((make_backup_file)) fi else ((DEBUG)) && echo "${dest_dir}/${spring_webmvc_jar} - [OK]" fi if [[ ! -e "${dest_dir}/${spring_web_jar}" ]]; then if [[ -e "${src_dir}/${spring_web_jar}" ]]; then cp -v ${src_dir}/${spring_web_jar} ${dest_dir}/${spring_web_jar} else checked_get ${dest_dir}/${spring_web_jar} ${esg_dist_url}/filters/${spring_web_jar} $((force_install)) $((make_backup_file)) fi else ((DEBUG)) && echo "${dest_dir}/${spring_web_jar} - [OK]" fi fi #end of las-only block for the spring jars. if [[ ! -e "${dest_dir}/${esgf_security_jar}" ]]; then if [[ -e "${src_dir}/${esgf_security_jar}" ]]; then cp -v ${src_dir}/${esgf_security_jar} ${dest_dir}/${esgf_security_jar} else checked_get ${dest_dir}/${esgf_security_jar} ${esg_dist_url}/esgf-security/${esgf_security_jar} $((force_install)) $((make_backup_file)) fi else ((DEBUG)) && echo "${dest_dir}/${esgf_security_jar} - [OK]" fi if [[ ! -e "${dest_dir}/${esg_orp_jar}" ]]; then checked_get ${dest_dir}/${esg_orp_jar} ${esg_dist_url}/esg-orp/${esg_orp_jar} $((force_install)) $((make_backup_file)) fi #remove all other orp / security jar versions that we don't want echo "cleaning up (removing) other, unnecessary, orp/security project jars from ${dest_dir} ..." rm -vf $(/bin/ls ${dest_dir}/${esg_orp_jar%-*}-*.jar | grep -v ${esg_orp_version}) rm -vf $(/bin/ls ${dest_dir}/${esgf_security_jar%-*}-*.jar | grep -v ${esgf_security_version}) #--- chown -R ${tomcat_user}:${tomcat_group} ${dest_dir} fi }