Handling expired certificate and AAD script space based arguments #187

Merged
merged 4 commits into from
Aug 4, 2022
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,7 @@
}
},
"variables": {
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ', variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'),' ', base64(parameters('wlsLDAPUserBaseDN')),' ', base64(parameters('wlsLDAPGroupBaseDN')),' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'),' ', parameters('aadsPublicIP'),' ',variables('const_adminServerName'),' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_adminServerName": "admin",
"const_wlsAdminPort": "7005",
"const_wlsDomainPath": "[concat('/u01/domains/', parameters('wlsDomainName'))]",
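Review bot: With the switch to `base64(...)` for wlsLDAPPrincipal, wlsLDAPUserBaseDN and wlsLDAPGroupBaseDN in `const_aadParameters`, an empty parameter value now contributes an empty token, whereas the old `concat('\"', ..., '\"')` form always emitted at least a two-character `""` placeholder; the consuming scripts split this string with a plain `read`, which collapses adjacent spaces, so an empty value would shift every later positional (oracleHome, wlsAdminHost, the custom trust keystore passphrase and type, ...) one field to the left and pass the wrong secret into the wrong variable. If any of these three parameters can legitimately be empty, reject that at template level (a `minLength` on the parameter or an explicit guard) or encode a non-empty sentinel, and document the contract next to the variable, e.g. a comment in the script: `# adPrincipal/adUserBaseDN/adGroupBaseDN arrive base64-encoded and must be non-empty; an empty field would shift all later positionals`. The same applies to the second template's `const_aadParameters` hunk (`@@ -154,7 +154,7 @@`) later in this PR. As far as I can tell the remaining free-text fields on this line (wlsPassword, wlsLDAPPrincipalPassword) are still passed unencoded, so the same whitespace problem this change fixes for the DNs persists for them; that is pre-existing, but worth a follow-up.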
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,48 @@ function mapLDAPHostWithPublicIP()
sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{

CERT_FILE=$1
CURRENT_DATE=$2
MIN_CERT_VALIDITY=$3
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

. $oracleHome/oracle_common/common/bin/setWlstEnv.sh

echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time"
if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether CERT_FILE supplied can be opened for reading
# Redirecting as no need to display the contents
sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1

if [ $? != 0 ];
then
echo_stderr "Error opening the certificate : $CERT_FILE"
exit 1
fi

VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid`
echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
echo "$CERT_FILE validation is successful"
}

function parseLDAPCertificate()
{
echo "create key store"
Expand All @@ -216,6 +258,9 @@ function parseLDAPCertificate()

openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer
addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer

# Verify certificate validity period more than MIN_CERT_VALIDITY
verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY
}

function importAADCertificate()
Expand Down Expand Up @@ -369,7 +414,12 @@ function createTempFolder()

#main

read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType

# Passing these values as base64 as values has space embedded
adPrincipal=$(echo "$adPrincipal" | base64 --decode)
adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode)
adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode)

isCustomSSLEnabled="${isCustomSSLEnabled,,}"

Expand All @@ -390,7 +440,17 @@ USER_ORACLE="oracle"
GROUP_ORACLE="oracle"
DOMAIN_PATH="/u01/domains"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"

validateInput

# Executing parse and validate certificates to ensure there are no certificates issues
# If any certificates issues then it will be cuaght earlier
parseLDAPCertificate

createTempFolder
echo "check status of admin server"
wait_for_admin
Expand All @@ -400,7 +460,6 @@ enableTLSv12onJDK8
createAADProvider_model
createSSL_model
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
configureSSL
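Review bot: In the new `verifyCertValidity` (`@@ -199,6 +199,48 @@`) the expiry is taken from a single `grep Valid` match: if AzureADTrust.cer holds more than one certificate, `echo $VALIDITY_PERIOD` joins the matches onto one line, `awk -F'until:|\r' '{print $2}'` returns the first until-date with the next certificate's `Valid from:` text appended, and `date -d` rejects it; `CERT_UNTIL_SECONDS` is then empty, the `expr` line errors, and as far as I can tell the empty `VALIDITY_REMIANS_SECONDS` compares as 0 so the function exits with the misleading "expired" message rather than a parse error. The `date` result deserves an explicit check, e.g. `CERT_UNTIL_SECONDS=$(date -d "$CERT_UNTIL_DATE" +%s) || { echo_stderr "Error : cannot parse validity date \"$CERT_UNTIL_DATE\" from $CERT_FILE"; exit 1; }`, and a file that yields several `Valid` lines should be iterated line by line (`while IFS= read -r`) rather than joined. The parsing also depends on keytool printing its English `Valid from: ... until:` wording; presumably the deployment VM's locale is fixed, but a comment such as `# Relies on keytool's English "Valid from: ... until:" output format` would make that assumption visible. The same function is duplicated verbatim in the cluster script later in this PR (`@@ -236,6 +236,48 @@`); a shared helper would keep the two copies from drifting.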
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,57 @@ function cleanup()
echo "Cleanup completed."
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{
KEYSTORE=$1
PASSWORD=$2
CURRENT_DATE=$3
MIN_CERT_VALIDITY=$4
KEY_STORE_TYPE=$5
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

echo "Verifying $KEYSTORE is valid at least $MIN_CERT_VALIDITY day from the deployment time"

if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether KEYSTORE supplied can be opened for reading
# Redirecting as no need to display the contents
runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE > /dev/null 2>&1"
if [ $? != 0 ];
then
echo_stderr "Error opening the keystore : $KEYSTORE"
exit 1
fi

aliasList=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE | grep Alias" |awk '{print $3}'`
if [[ -z $aliasList ]];
then
echo_stderr "Error : No alias found in supplied certificate $KEYSTORE"
exit 1
fi

for alias in $aliasList
do
VALIDITY_PERIOD=`runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE -alias $alias | grep Valid"`
echo "$KEYSTORE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$KEYSTORE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $KEYSTORE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
done
echo "$KEYSTORE validation is successful"
}

#Creates weblogic deployment model for admin domain
function create_admin_model()
{
Expand Down Expand Up @@ -378,6 +429,9 @@ function validateSSLKeyStores()
exit 1
fi

# Verify Identity keystore validity period more than MIN_CERT_VALIDITY
verifyCertValidity $customIdentityKeyStoreFileName $customIdentityKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customIdentityKeyStoreType

#validate Trust keystore
runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $customTrustKeyStoreFileName -storepass $customTrustKeyStorePassPhrase -storetype $customTrustKeyStoreType | grep 'Entry type:' | grep 'trustedCertEntry'"

Expand All @@ -386,6 +440,9 @@ function validateSSLKeyStores()
exit 1
fi

# Verify Identity keystore validity period more than MIN_CERT_VALIDITY
verifyCertValidity $customTrustKeyStoreFileName $customTrustKeyStorePassPhrase $CURRENT_DATE $MIN_CERT_VALIDITY $customTrustKeyStoreType

echo "ValidateSSLKeyStores Successfull !!"
}

Expand Down Expand Up @@ -571,6 +628,12 @@ SCRIPT_PWD=`pwd`
CURR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
BASE_DIR="$(readlink -f ${CURR_DIR})"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"


#read arguments from stdin
read wlsDomainName wlsUserName wlsPassword wlsAdminHost oracleHome storageAccountName storageAccountKey mountpointPath isHTTPAdminListenPortEnabled adminPublicHostName dnsLabelPrefix location virtualNetworkNewOrExisting storageAccountPrivateIp isCustomSSLEnabled customIdentityKeyStoreData customIdentityKeyStorePassPhrase customIdentityKeyStoreType customTrustKeyStoreData customTrustKeyStorePassPhrase customTrustKeyStoreType serverPrivateKeyAlias serverPrivateKeyPassPhrase
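Review bot: The keystore variant of `verifyCertValidity` (`@@ -75,6 +75,57 @@`) expands `$PASSWORD` into the `runuser -c` command string on three lines, so the keystore passphrase is shell-evaluated by the oracle login shell (a passphrase containing `'`, `"`, `$` or `;` breaks or changes the command) and appears in keytool's argv once per alias, where `ps` and any `set -x` trace can read it; the pre-existing `validateSSLKeyStores` line does the same, but this function multiplies the exposure by the number of entries. Running `keytool -list -v` once, checking its exit status, and parsing both the aliases and the `Valid from ... until` lines out of the captured listing removes the per-alias re-invocations and also avoids the date-parsing problem where an entry with a certificate chain yields several `Valid` lines that `echo $VALIDITY_PERIOD` joins before `awk` picks field 2; if the installed JDK's keytool supports the `-storepass:file` form, a root-only temporary file would keep the passphrase out of argv entirely (not shown below). Separately, the comment above the trust-keystore call reads `# Verify Identity keystore validity period more than MIN_CERT_VALIDITY`; it should say `# Verify Trust keystore validity period more than MIN_CERT_VALIDITY`. The function body is wholly inside the hunk; `validateSSLKeyStores` starts outside it.
```shell
# one keytool invocation; aliases and validity lines are parsed from the captured listing
storeListing=$(runuser -l oracle -c ". $oracleHome/oracle_common/common/bin/setWlstEnv.sh; keytool -list -v -keystore $KEYSTORE -storepass $PASSWORD -storetype $KEY_STORE_TYPE" 2>/dev/null)
if [ $? != 0 ];
then
    echo_stderr "Error opening the keystore : $KEYSTORE"
    exit 1
fi

aliasList=$(printf '%s\n' "$storeListing" | awk -F': ' '/^Alias name:/ {print $2}')
# … unchanged: empty-alias check and error exit …

# one "Valid from: ... until: ..." line per certificate, chain members included
while IFS= read -r VALIDITY_PERIOD
do
    echo "$KEYSTORE is \"$VALIDITY_PERIOD\""
    CERT_UNTIL_DATE=$(printf '%s\n' "$VALIDITY_PERIOD" | awk -F'until:|\r' '{print $2}')
    CERT_UNTIL_SECONDS=$(date -d "$CERT_UNTIL_DATE" +%s)
    if [ $? != 0 ] || [ -z "$CERT_UNTIL_SECONDS" ];
    then
        echo_stderr "Error : cannot parse validity date \"$CERT_UNTIL_DATE\" from $KEYSTORE"
        exit 1
    fi
    # … unchanged: remaining-seconds comparison and expiry error exit …
done < <(printf '%s\n' "$storeListing" | grep 'Valid from:')
```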

Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@
}
},
"variables": {
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', concat('\"',parameters('wlsLDAPPrincipal'),'\"'), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', concat('\"',parameters('wlsLDAPUserBaseDN'),'\"'), ' ', concat('\"',parameters('wlsLDAPGroupBaseDN'),'\"'), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_aadParameters": "[concat(parameters('wlsUserName'),' ',parameters('wlsPassword'),' ',parameters('wlsDomainName'),' ',parameters('wlsLDAPProviderName'), ' ', parameters('aadsServerHost'), ' ', parameters('aadsPortNumber'), ' ', base64(parameters('wlsLDAPPrincipal')), ' ', parameters('wlsLDAPPrincipalPassword'), ' ', base64(parameters('wlsLDAPUserBaseDN')), ' ', base64(parameters('wlsLDAPGroupBaseDN')), ' ', variables('const_wlsHome'),' ',parameters('adminVMName'),' ',variables('const_wlsAdminPort'),' ',parameters('wlsLDAPSSLCertificate'), ' ', parameters('aadsPublicIP'), ' ',variables('const_adminServerName'), ' ', variables('const_wlsDomainPath'),' ',parameters('enableCustomSSL'),' ',base64(parameters('keyVaultCustomTrustKeyStorePassPhrase')),' ',base64(parameters('keyVaultCustomTrustKeyStoreType')))]",
"const_adminServerName": "admin",
"const_managedVMPrefix": "[concat(parameters('managedServerPrefix'),'VM')]",
"const_wlsAdminPort": "7005",
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,48 @@ function mapLDAPHostWithPublicIP()
sudo echo "${wlsLDAPPublicIP} ${adServerHost}" >> /etc/hosts
}

# This function verifies whether certificate is valid and not expired
function verifyCertValidity()
{

CERT_FILE=$1
CURRENT_DATE=$2
MIN_CERT_VALIDITY=$3
VALIDITY=$(($CURRENT_DATE + ($MIN_CERT_VALIDITY*24*60*60)))

. $oracleHome/oracle_common/common/bin/setWlstEnv.sh

echo "Verifying $CERT_FILE is valid at least $MIN_CERT_VALIDITY day from the deployment time"
if [ $VALIDITY -le $CURRENT_DATE ];
then
echo_stderr "Error : Invalid minimum validity days supplied"
exit 1
fi

# Check whether CERT_FILE supplied can be opened for reading
# Redirecting as no need to display the contents
sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE > /dev/null 2>&1

if [ $? != 0 ];
then
echo_stderr "Error opening the certificate : $CERT_FILE"
exit 1
fi

VALIDITY_PERIOD=`sudo ${JAVA_HOME}/bin/keytool -printcert -file $CERT_FILE | grep Valid`
echo "Certificate $CERT_FILE is \"$VALIDITY_PERIOD\""
CERT_UNTIL_DATE=`echo $VALIDITY_PERIOD | awk -F'until:|\r' '{print $2}'`
CERT_UNTIL_SECONDS=`date -d "$CERT_UNTIL_DATE" +%s`
VALIDITY_REMIANS_SECONDS=`expr $CERT_UNTIL_SECONDS - $VALIDITY`
if [[ $VALIDITY_REMIANS_SECONDS -le 0 ]];
then
echo_stderr "$CERT_FILE is \"$VALIDITY_PERIOD\""
echo_stderr "Error : Supplied certificate $CERT_FILE is either expired or expiring soon within $MIN_CERT_VALIDITY day"
exit 1
fi
echo "$CERT_FILE validation is successful"
}

function parseLDAPCertificate()
{
echo "create key store"
Expand All @@ -253,6 +295,9 @@ function parseLDAPCertificate()

openssl base64 -d -in ${SCRIPT_PWD}/security/AzureADLDAPCerBase64String.txt -out ${SCRIPT_PWD}/security/AzureADTrust.cer
addsCertificate=${SCRIPT_PWD}/security/AzureADTrust.cer

# Verify certificate validity period more than MIN_CERT_VALIDITY
verifyCertValidity $addsCertificate $CURRENT_DATE $MIN_CERT_VALIDITY
}

function importAADCertificate()
Expand Down Expand Up @@ -438,7 +483,12 @@ function createTempFolder()
#main

#read arguments from stdin
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adGroupBaseDN adUserBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex
read wlsUserName wlsPassword wlsDomainName adProviderName adServerHost adServerPort adPrincipal adPassword adUserBaseDN adGroupBaseDN oracleHome wlsAdminHost wlsAdminPort wlsADSSLCer wlsLDAPPublicIP wlsAdminServerName wlsDomainPath isCustomSSLEnabled customTrustKeyStorePassPhrase customTrustKeyStoreType vmIndex

# Passing these values as base64 as values has space embedded
adPrincipal=$(echo "$adPrincipal" | base64 --decode)
adUserBaseDN=$(echo "$adUserBaseDN" | base64 --decode)
adGroupBaseDN=$(echo "$adGroupBaseDN" | base64 --decode)

isCustomSSLEnabled="${isCustomSSLEnabled,,}"

Expand All @@ -459,6 +509,16 @@ USER_ORACLE="oracle"
GROUP_ORACLE="oracle"
DOMAIN_PATH="/u01/domains"

# Used for certificate expiry validation
CURRENT_DATE=`date +%s`
# Supplied certificate to have minimum days validity for the deployment
MIN_CERT_VALIDITY="1"

validateInput

# Executing parse and validate certificates to ensure there are no certificates issues
# If any certificates issues then it will be cuaght earlier
parseLDAPCertificate

if [ $vmIndex -eq 0 ];
then
Expand All @@ -471,7 +531,6 @@ then
createAADProvider_model
createSSL_model
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
configureSSL
Expand All @@ -487,7 +546,6 @@ then
else
cleanup
mapLDAPHostWithPublicIP
parseLDAPCertificate
importAADCertificate
importAADCertificateIntoWLSCustomTrustKeyStore
cleanup
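Review bot: The three `base64 --decode` assignments after the `read` (`@@ -438,7 +483,12 @@` here, and the same lines in the admin script's `@@ -369,7 +414,12 @@`) discard the decoder's exit status: on malformed input GNU base64 reports an error on stderr and exits non-zero, but `$(...)` still assigns whatever partial output was produced, so a corrupted value can reach `validateInput` and the downstream provider configuration looking like a plausible DN. Checking each decode, `adPrincipal=$(echo "$adPrincipal" | base64 --decode) || { echo_stderr "Error : adPrincipal is not valid base64"; exit 1; }`, and likewise for `adUserBaseDN` and `adGroupBaseDN`, fails the deployment at the point the data is known to be bad instead of later with a less specific error. One wording point: the comment `# If any certificates issues then it will be cuaght earlier` has a typo; `# Any certificate issue is caught here, before the domain is modified` reads better (same comment in the admin script). The `read` line these values come from is inside the hunk; the `if [ $vmIndex -eq 0 ]` block that follows continues outside it.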