Rasenmaeher integration

.pre-commit-config.yaml

@@ -11,7 +11,9 @@ repos:
     -   id: check-ast
     -   id: check-toml
     -   id: trailing-whitespace
+        exclude: ".*.sql"
     -   id: end-of-file-fixer
+        exclude: ".*.sql"
     -   id: check-yaml
     -   id: check-added-large-files
     -   id: check-case-conflict
@@ -31,9 +33,13 @@ repos:
     rev: v1.1.13
     hooks:
     -   id: forbid-crlf
+        exclude: ".*.sql"
     -   id: remove-crlf
+        exclude: ".*.sql"
     -   id: forbid-tabs
+        exclude: ".*.sql"
     -   id: remove-tabs
+        exclude: ".*.sql"
 -   repo: https://github.com/Lucas-C/pre-commit-hooks-markup
     rev: v1.0.1
     hooks:

Dockerfile

@@ -10,7 +10,6 @@ RUN mv /zips/takserver-docker-*.zip /tmp/takserver.zip
 FROM eclipse-temurin:${TEMURIN_VERSION}-jammy as deps
 ENV \
   LC_ALL=C.UTF-8
-COPY --from=tak-files /tmp/takserver.zip /tmp/takserver.zip
 RUN apt-get update && apt-get install -y \
       emacs-nox \
       net-tools \
@@ -24,6 +23,8 @@ RUN apt-get update && apt-get install -y \
       pwgen \
       zip \
       openssh-client \
+      postgresql-client \
+      jq \
     && apt-get autoremove -y \
     && rm -rf /var/lib/apt/lists/* \
     && curl https://raw.githubusercontent.com/vishnubob/wait-for-it/master/wait-for-it.sh -o /usr/bin/wait-for-it.sh \
@@ -36,6 +37,7 @@ SHELL ["/bin/bash", "-lc"]
 
 FROM deps as install
 COPY docker/entrypoint.sh /entrypoint.sh
+COPY --from=tak-files /tmp/takserver.zip /tmp/takserver.zip
 RUN cd /tmp \
     && unzip takserver.zip \
     && rm takserver.zip \

scripts/delete_user.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env -S /bin/bash
+set -e
+TR=/opt/tak
+CONFIG=${TR}/data/CoreConfig.xml
+
+cd ${TR}
+. ./setenv.sh
+TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -D "/opt/tak/data/certs/files/${USER_CERT_NAME}.pem"

scripts/enable_admin.sh

@@ -12,4 +12,4 @@ WAITFORIT_TIMEOUT=60 /usr/bin/wait-for-it.sh localhost:8089 -- true
 echo "enable_admin: Making sure ${ADMIN_CERT_NAME} user is in place"
 cd ${TR}
 . ./setenv.sh
-TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -A "/opt/tak/certs/files/${ADMIN_CERT_NAME}.pem"
+TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod -A "/opt/tak/data/certs/files/${ADMIN_CERT_NAME}.pem"

scripts/enable_user.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env -S /bin/bash
+set -e
+TR=/opt/tak
+CONFIG=${TR}/data/CoreConfig.xml
+
+cd ${TR}
+. ./setenv.sh
+TAKCL_CORECONFIG_PATH="${CONFIG}" java -jar /opt/tak/utils/UserManager.jar certmod "/opt/tak/data/certs/files/${USER_CERT_NAME}.pem"

scripts/firstrun.sh

@@ -1,4 +1,10 @@
 #!/usr/bin/env -S /bin/bash
+if [ -f /opt/tak/data/firstrun.done ]
+then
+  echo "First run already done"
+  exit 0
+fi
+
 TR=/opt/tak
 CR=${TR}/certs
 CONFIG=${TR}/data/CoreConfig.xml
@@ -62,3 +68,5 @@ echo "Wait for postgres"
 WAITFORIT_TIMEOUT=60 /usr/bin/wait-for-it.sh ${POSTGRES_ADDRESS}:5432 -- true
 echo "Init db"
 java -jar ${TR}/db-utils/SchemaManager.jar -url jdbc:postgresql://${POSTGRES_ADDRESS}:5432/${POSTGRES_DB} -user ${POSTGRES_SUPERUSER} -password ${POSTGRES_SUPER_PASSWORD} upgrade
+
+date -u +"%Y%m%dT%H%M" >/opt/tak/data/firstrun.done

scripts/firstrun_rm.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env -S /bin/bash
+if [ -f /opt/tak/data/firstrun.done ]
+then
+  echo "First run already done"
+  exit 0
+fi
+
+TR=/opt/tak
+CR=${TR}/certs
+
+TAK_SERVER_KEY_FILENAME="${TAK_SERVER_KEY_FILENAME:-/le_certs/rasenmaeher/privkey.pem}"
+TAK_SERVER_CERT_FILENAME="${TAK_SERVER_CERT_FILENAME:-/le_certs/rasenmaeher/fullchain.pem}"
+TAKSERVER_KEYSTORE_PASS="${TAKSERVER_KEYSTORE_PASS:-takservercertpass}"
+
+RM_CERT_CHAIN_FILENAME="${RM_CERT_CHAIN_FILENAME:-/ca_public/ca_chain.pem}"
+
+# Secret to trusted certs java keystore
+KEYSTORE_PASS="${KEYSTORE_PASS:-takcacertpw}"
+
+# Symlink the log directory under data dir
+if [[ ! -d "${TR}/data/logs" ]];then
+  mkdir -p "${TR}/data/logs"
+fi
+if [[ ! -L "${TR}/logs"  ]];then
+  ln -f -s "${TR}/data/logs/" "${TR}/logs"
+fi
+
+# Seed initial certificate data if necessary
+if [[ ! -d "${TR}/data/certs" ]];then
+  mkdir -p "${TR}/data/certs"
+fi
+# Move original certificate data and symlink to certificate data in data dir
+if [[ ! -L "${TR}/certs"  ]];then
+  mv ${TR}/certs ${TR}/certs.orig
+  ln -f -s "${TR}/data/certs/" "${TR}/certs"
+fi
+
+set -x
+
+TAK_SERVER_HOSTNAME="$(cat /pvarki/kraftwerk-init.json | jq -r  .product.dns)"
+
+
+mkdir -p /opt/tak/data/certs/files
+pushd /opt/tak/data/certs/files >> /dev/null
+
+openssl list -providers 2>&1 | grep "\(invalid command\|unknown option\)" >/dev/null
+if [ $? -ne 0 ] ; then
+  echo "Using legacy provider"
+  LEGACY_PROVIDER="-legacy"
+fi
+
+# FIXME: We need to update these when the LE cert gets updated so these can't be inside of the firstrun.done -check
+#        But they also seem get hissy if you try to add the same cert multiple times
+
+# We have to do this pkcs12 song and dance because keytool can't import private keys directly
+# Create takserver.p12 using certificates from RM
+openssl pkcs12 ${LEGACY_PROVIDER} -export -out takserver.p12 \
+  -inkey "${TAK_SERVER_KEY_FILENAME}" \
+  -in "${TAK_SERVER_CERT_FILENAME}" \
+  -name "${TAK_SERVER_HOSTNAME}" \
+  -passout pass:${TAKSERVER_KEYSTORE_PASS}
+
+# Create the Java keystore and import takserver.p12
+keytool -importkeystore -srcstoretype PKCS12 \
+  -destkeystore takserver.jks \
+  -srckeystore takserver.p12 \
+  -alias "${TAK_SERVER_HOSTNAME}" \
+  -srcstorepass "${TAKSERVER_KEYSTORE_PASS}" \
+  -deststorepass "${TAKSERVER_KEYSTORE_PASS}" \
+  -destkeypass "${TAKSERVER_KEYSTORE_PASS}"
+
+# Put the CA certs one-by-one (can't import full chains in one go) to the truststore
+keytool -noprompt -import -trustcacerts \
+  -file "/ca_public/root_ca.pem" \
+  -alias "RM_Root" \
+  -keystore takserver-truststore.jks \
+  -storepass ${KEYSTORE_PASS}
+
+keytool -noprompt -import -trustcacerts \
+  -file "/ca_public/intermediate_ca.pem" \
+  -alias "RM_Intermediate" \
+  -keystore takserver-truststore.jks \
+  -storepass ${KEYSTORE_PASS}
+
+if [[ -f "/ca_public/miniwerk_ca.pem" ]];then
+  ALIAS=$(openssl x509 -noout -subject -in "/ca_public/miniwerk_ca.pem" |md5sum | cut -d" " -f1)
+  keytool -noprompt -import -trustcacerts \
+    -file /ca_public/miniwerk_ca.pem \
+    -alias "MW_Root" \
+    -keystore takserver-truststore.jks \
+    -storepass ${KEYSTORE_PASS}
+fi
+
+# fed-truststore.jks is needed, copy takserver-truststore.jks
+# TODO what are the names of truststores that we actually need???
+cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/files/fed-truststore.jks
+cp -v /opt/tak/data/certs/files/takserver-truststore.jks /opt/tak/data/certs/files/truststore-root.jks
+
+popd >> /dev/null
+
+
+
+
+set -e
+echo "Wait for postgres"
+WAITFORIT_TIMEOUT=60 /usr/bin/wait-for-it.sh ${POSTGRES_ADDRESS}:5432 -- true
+echo "Init db"
+# This requires postgres superuser privileges which we do not want to actually give to tak containers
+# java -jar ${TR}/db-utils/SchemaManager.jar -url jdbc:postgresql://${POSTGRES_ADDRESS}:5432/${POSTGRES_DB} -user ${POSTGRES_SUPERUSER} -password ${POSTGRES_SUPER_PASSWORD} upgrade
+# First import base SQL file to get base migration state
+PGPASSWORD=${POSTGRES_PASSWORD} psql -v ON_ERROR_STOP=1 -h ${POSTGRES_ADDRESS} -U ${POSTGRES_USER} ${POSTGRES_DB} --single-transaction --file /opt/scripts/takdb_base.sql
+# Then if there are any un-applied migrations apply them.
+java -jar ${TR}/db-utils/SchemaManager.jar -url jdbc:postgresql://${POSTGRES_ADDRESS}:5432/${POSTGRES_DB} -user ${POSTGRES_USER} -password ${POSTGRES_PASSWORD} upgrade
+
+date -u +"%Y%m%dT%H%M" >/opt/tak/data/firstrun.done

scripts/start-tak.sh

@@ -36,11 +36,11 @@ elif [ $1 = "api" ]; then
     echo "Starting TAK API"
     java -jar -Xmx${API_MAX_HEAP}m -Dspring.profiles.active=api,consolelog -Dkeystore.pkcs12.legacy takserver.war
 elif [ $1 = "retention" ]; then
-    echo "Starting TAK API"
+    echo "Starting TAK Retention"
     java -jar -Xmx${RETENTION_MAX_HEAP}m takserver-retention.jar
 elif [ $1 = "pm" ]; then
     echo "Starting TAK Plugin Manager"
     java -jar -Xmx${PLUGIN_MANAGER_MAX_HEAP}m -Dloader.path=WEB-INF/lib-provided,WEB-INF/lib,WEB-INF/classes,file:lib/ takserver-pm.jar
 else
-  echo "Please provide right TAK component: messaging, api or pm"
+  echo "Please provide right TAK component: messaging, api, retention or pm"
 fi