
Commit 987dfae

Story #15673: Fully rewriting generate_stores scripts.
1 parent e09fb27 commit 987dfae


50 files changed

+401
-700
lines changed

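--- a/deployment/ansible-vitamui/app_api_gateway.yml
+++ b/deployment/ansible-vitamui/app_api_gateway.yml
@@ -6,8 +6,3 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.api_gateway }}"
-vitamui_certificate_type: external
-password_keystore_server: "{{ keystores_server_vitamui_services_api_gateway }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_api_gateway }}"
-password_truststore: "{{ truststores_client_external }}"
-vitam_cert: "{{ vitam_certs.vitamui }}"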

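--- a/deployment/ansible-vitamui/app_archive_search.yml
+++ b/deployment/ansible-vitamui/app_archive_search.yml
@@ -6,6 +6,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.archive_search }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_archive_search }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_archive_search }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"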

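--- a/deployment/ansible-vitamui/app_collect.yml
+++ b/deployment/ansible-vitamui/app_collect.yml
@@ -6,6 +6,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.collect }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_collect }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_collect }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"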

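--- a/deployment/ansible-vitamui/app_ingest.yml
+++ b/deployment/ansible-vitamui/app_ingest.yml
@@ -6,6 +6,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.ingest }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_ingest }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_ingest }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"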

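--- a/deployment/ansible-vitamui/app_pastis.yml
+++ b/deployment/ansible-vitamui/app_pastis.yml
@@ -6,6 +6,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.pastis }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_pastis }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_pastis }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"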

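--- a/deployment/ansible-vitamui/app_referential.yml
+++ b/deployment/ansible-vitamui/app_referential.yml
@@ -6,6 +6,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.referential }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_referential }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_referential }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"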

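--- a/deployment/ansible-vitamui/vitamui_apps.yml
+++ b/deployment/ansible-vitamui/vitamui_apps.yml
@@ -8,7 +8,6 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.security }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_security }}"
 tags: security
 
 # External apps
@@ -19,8 +18,6 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.iam }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_iam }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_iam }}"
 vitam_cert: "{{ vitam_certs.vitamui }}"
 tags: iam
 
@@ -32,6 +29,4 @@
 - vitamui
 vars:
 vitamui_struct: "{{ vitamui.cas_server }}"
-password_keystore_server: "{{ keystores_server_vitamui_services_cas_server }}"
-password_keystore_client: "{{ keystores_client_vitamui_services_cas_server }}"
 tags: cas-server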

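--- a/deployment/environments/group_vars/all/vitam_vars.yml
+++ b/deployment/environments/group_vars/all/vitam_vars.yml
@@ -44,10 +44,10 @@ vitam_vars:
 
 vitam_certs:
 vitamui:
-filename: keystore_vitamui.p12
-password: "{{ keystores_client_vitam_vitamui }}"
-truststore_filename: truststore_vitam.p12
-password_truststore: "{{ truststores_client_vitam }}"
+keystore_filename: keystore_vitamui.p12
+keystore_password: "{{ keystore_client_vitam_clients_vitamui }}"
+truststore_filename: truststore_client-vitam.p12
+truststore_password: "{{ truststore_client_vitam }}"
 
 
 # Define connection settings for external / third-party Vitam instances (for COLLECT)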
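Review bot: The new lines 47-50 rename every key of `vitam_certs.vitamui` (`filename` → `keystore_filename`, `password` → `keystore_password`, `password_truststore` → `truststore_password`) and switch the password lookups to `keystore_client_vitam_clients_vitamui` and `truststore_client_vitam`, so any template or role that still reads `vitam_certs.vitamui.password` or the old variable names will fail at deploy time on an undefined variable; only 12 of the 50 changed files are visible here, so that may be handled elsewhere in this commit. The truststore file also changes from `truststore_vitam.p12` to `truststore_client-vitam.p12`, which has to match the name the PKI scripts actually emit. A one-line comment above the block, `# read as vitam_certs.vitamui.*; the referenced variables must match the entries written by deployment/pki/scripts`, would document that coupling for the next change.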

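--- a/deployment/pki/scripts/lib/ca.sh
+++ b/deployment/pki/scripts/lib/ca.sh
@@ -162,7 +162,7 @@ function main() {
 pki_logger "Creation of CA-root for ${AUTHORITY}..."
 # Generate CA_ROOT_PASS & store it in the vault-ca
 CA_ROOT_PASS=$(generatePassphrase)
-setComponentPassphrase ca "ca_root_${AUTHORITY}" "${CA_ROOT_PASS}"
+setPassphrase ca "ca_root_${AUTHORITY}" "${CA_ROOT_PASS}"
 generate_ca_root ${CA_ROOT_PASS} ${AUTHORITY}
 else
 pki_logger "CA-root for ${AUTHORITY} already exists, it will not be recreated..."
@@ -171,7 +171,7 @@ function main() {
 pki_logger "Creation of CA-intermediate for ${AUTHORITY}..."
 # Generate CA_INTERMEDIATE_PASS & store it in the vault-ca
 CA_INTERMEDIATE_PASS=$(generatePassphrase)
-setComponentPassphrase ca "ca_intermediate_${AUTHORITY}" "${CA_INTERMEDIATE_PASS}"
+setPassphrase ca "ca_intermediate_${AUTHORITY}" "${CA_INTERMEDIATE_PASS}"
 generate_ca_intermediate ${CA_INTERMEDIATE_PASS} ${CA_ROOT_PASS} ${AUTHORITY}
 
 purge_directory "${CONFIG_DIR}/${AUTHORITY}"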

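--- a/deployment/pki/scripts/lib/certs.sh
+++ b/deployment/pki/scripts/lib/certs.sh
@@ -15,7 +15,7 @@ set -e
 function getServerCertificatePath {
 local TYPE_CERTIFICAT="${1}"
 local COMPONENT="${2}"
-echo "${CERTIFICATE_DIR}/${TYPE_CERTIFICAT}/server/${COMPONENT}"
+echo "${CERTIFICATE_DIR}/${TYPE_CERTIFICAT}/servers/${COMPONENT}"
 }
 
 # Generate the Subject Alternate Name for a server certificate
@@ -43,7 +43,7 @@ function generateServerCertificate {
 local KEY_PASS="${2}"
 local INTERMEDIATE_CA_KEY="${3}"
 local TYPE_CERTIFICAT="${4}"
-local PKI_CONTEXT="${5}"
+local AUTHORITY="${5}"
 local SERVICE_HOSTNAME="${6}"
 local SERVICE_DC_HOSTNAME="${7}"
 local REVERSE_SAN="${8}"
@@ -53,10 +53,10 @@ function generateServerCertificate {
 # Correctly set certificate CN (env var is read inside the openssl configuration file)
 export OPENSSL_CN="$(getComponentCertificateCn $SERVICE_HOSTNAME)"
 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
-export OPENSSL_CRT_DIR=${PKI_CONTEXT}
+export OPENSSL_CRT_DIR=${AUTHORITY}
 
-pki_logger "Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${PKI_CONTEXT} for ${COMPOSANT}..."
-local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${PKI_CONTEXT} ${COMPOSANT})
+pki_logger "Starting process to generate ${TYPE_CERTIFICAT} certificate signed with CA ${AUTHORITY} for ${COMPOSANT}..."
+local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${AUTHORITY} ${COMPOSANT})
 mkdir -p "${SERVER_CERTIFICATE_PATH}"
 pki_logger "Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT}..."
 openssl req -newkey "${CRYPTO_SPEC}" \
@@ -75,14 +75,14 @@ function generateServerCertificate {
 -extensions extension_${TYPE_CERTIFICAT} -batch
 
 purge_directory "${SERVER_CERTIFICATE_PATH}"
-purge_directory "${CONFIG_DIR}/${PKI_CONTEXT}"
+purge_directory "${CONFIG_DIR}/${AUTHORITY}"
 }
 
 # Generate the path of a client certificate
 function getClientCertificatePath {
-local PKI_CONTEXT="${1}"
+local AUTHORITY="${1}"
 local COMPOSANT="${2}"
-echo "${CERTIFICATE_DIR}/${PKI_CONTEXT}/clients/${COMPOSANT}"
+echo "${CERTIFICATE_DIR}/${AUTHORITY}/clients/${COMPOSANT}"
 }
 
 # Generate a client certificate
@@ -91,15 +91,15 @@ function generateClientCertificate {
 local KEY_PASS="${2}"
 local CA_INTERMEDIATE_PASS="${3}"
 local TYPE_CERTIFICAT="${4}"
-local PKI_CONTEXT="${5}"
+local AUTHORITY="${5}"
 
 # Correctly set certificate CN (env var is read inside the openssl configuration file)
 export OPENSSL_CN="${COMPOSANT}"
 # Correctly set certificate DIRECTORY (env var is read inside the openssl configuration file)
-export OPENSSL_CRT_DIR=${PKI_CONTEXT}
+export OPENSSL_CRT_DIR=${AUTHORITY}
 
 pki_logger "Starting process to generate ${TYPE_CERTIFICAT} certificate for ${COMPOSANT}..."
-local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${PKI_CONTEXT} ${COMPOSANT})
+local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${AUTHORITY} ${COMPOSANT})
 mkdir -p "${CLIENT_CERTIFICATE_PATH}"
 pki_logger "Generating ${TYPE_CERTIFICAT} key for ${COMPOSANT}..."
 # TODO: Workaround with -nodes parameter to avoid passphrase.
@@ -112,7 +112,7 @@ function generateClientCertificate {
 -config "${CONFIG_DIR}/crt-config" \
 -batch
 
-pki_logger "Generating ${TYPE_CERTIFICAT} crt signed with ${PKI_CONTEXT} for ${COMPOSANT}..."
+pki_logger "Generating ${TYPE_CERTIFICAT} crt signed with ${AUTHORITY} for ${COMPOSANT}..."
 openssl ca -config "${CONFIG_DIR}/crt-config" \
 -passin pass:"${CA_INTERMEDIATE_PASS}" \
 -out "${CLIENT_CERTIFICATE_PATH}/${COMPOSANT}.crt" \
@@ -129,29 +129,29 @@ function generateClientCertificate {
 fi
 
 purge_directory "${CLIENT_CERTIFICATE_PATH}"
-purge_directory "${CONFIG_DIR}/${PKI_CONTEXT}"
+purge_directory "${CONFIG_DIR}/${AUTHORITY}"
 }
 
 # Generate a server and a client certificate and store passphrase
 function generateServerAndClientCertAndStorePassphrase {
 local COMPONENT="${1}"
-local PKI_CONTEXT="${2}"
-generateServerCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}"
-generateClientCertAndStorePassphrase "${COMPONENT}" "${PKI_CONTEXT}"
+local AUTHORITY="${2}"
+generateServerCertAndStorePassphrase "${COMPONENT}" "${AUTHORITY}"
+generateClientCertAndStorePassphrase "${COMPONENT}" "${AUTHORITY}"
 }
 
 # Generate a server certificate and store passphrase
 function generateServerCertAndStorePassphrase {
 local COMPONENT="${1}"
-local PKI_CONTEXT="${2}"
+local AUTHORITY="${2}"
 
-pki_logger "DEBUG" "generateServerCertAndStorePassphrase called with $# args: COMPONENT=$1, PKI_CONTEXT=$2"
+pki_logger "DEBUG" "generateServerCertAndStorePassphrase called with $# args: COMPONENT=$1, AUTHORITY=$2"
 
 local TYPE_CERTIFICAT="server"
 local REVERSE_SAN=""
 
 # Retrieve the passphrase of the CA_INTERMEDIATE from the vault-ca
-CA_INTERMEDIATE_PASS=$(getComponentPassphrase ca "ca_intermediate_${PKI_CONTEXT}")
+CA_INTERMEDIATE_PASS=$(getPassphrase ca "ca_intermediate_${AUTHORITY}")
 DC_NAME=$(getDcName)
 
 if [ "${COMPONENT}" == "reverse" ]; then
@@ -161,7 +161,7 @@ function generateServerCertAndStorePassphrase {
 
 pki_logger "DEBUG" "DC_NAME=${DC_NAME}, CONSUL_DOMAIN=${CONSUL_DOMAIN}"
 
-local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${PKI_CONTEXT} ${COMPONENT})
+local SERVER_CERTIFICATE_PATH=$(getServerCertificatePath ${AUTHORITY} ${COMPONENT})
 if [ ! -f "${SERVER_CERTIFICATE_PATH}/${COMPONENT}.crt" ]; then
 # Generate the passphrase
 local KEY_PASS=$(generatePassphrase)
@@ -170,30 +170,30 @@ function generateServerCertAndStorePassphrase {
 ${KEY_PASS} \
 ${CA_INTERMEDIATE_PASS} \
 ${TYPE_CERTIFICAT} \
-${PKI_CONTEXT} \
+${AUTHORITY} \
 "vitamui-${COMPONENT}.service.${CONSUL_DOMAIN}" \
 "vitamui-${COMPONENT}.service.${DC_NAME}.${CONSUL_DOMAIN}" \
 "${REVERSE_SAN}"
 # Store the key to the vault
-setComponentPassphrase certs "server_${PKI_CONTEXT}_${COMPONENT}_key" "${KEY_PASS}"
+setPassphrase certs "${TYPE_CERTIFICAT}_${AUTHORITY}_${COMPONENT}" "${KEY_PASS}"
 else
-pki_logger "Le certificat SERVER - ${PKI_CONTEXT} - ${COMPONENT}.crt existe déjà, il ne sera pas recréé..."
+pki_logger "Le certificat ${TYPE_CERTIFICAT} - ${AUTHORITY} - ${COMPONENT}.crt existe déjà, il ne sera pas recréé..."
 fi
 }
 
 # Generate client certificate and store the passphrase
 function generateClientCertAndStorePassphrase {
 local COMPONENT="${1}"
-local PKI_CONTEXT="${2}"
+local AUTHORITY="${2}"
 
-pki_logger "DEBUG" "generateClientCertAndStorePassphrase called with $# args: COMPONENT=$1, PKI_CONTEXT=$2"
+pki_logger "DEBUG" "generateClientCertAndStorePassphrase called with $# args: COMPONENT=$1, AUTHORITY=$2"
 
 local TYPE_CERTIFICAT="client"
 
-local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${PKI_CONTEXT} ${COMPONENT})
+local CLIENT_CERTIFICATE_PATH=$(getClientCertificatePath ${AUTHORITY} ${COMPONENT})
 if [ ! -f "${CLIENT_CERTIFICATE_PATH}/${COMPONENT}.crt" ]; then
 # Get the CA_INTERMEDIATE passphrase from the vault-ca
-local CA_INTERMEDIATE_PASS=$(getComponentPassphrase ca "ca_intermediate_${PKI_CONTEXT}")
+local CA_INTERMEDIATE_PASS=$(getPassphrase ca "ca_intermediate_${AUTHORITY}")
 
 # Generate the key
 local KEY_PASS=$(generatePassphrase)
@@ -202,22 +202,22 @@ function generateClientCertAndStorePassphrase {
 ${KEY_PASS} \
 ${CA_INTERMEDIATE_PASS} \
 ${TYPE_CERTIFICAT} \
-${PKI_CONTEXT}
+${AUTHORITY}
 # Store the key to the vault
-setComponentPassphrase certs "client_${PKI_CONTEXT}_${COMPONENT}_key" "${KEY_PASS}"
+setPassphrase certs "${TYPE_CERTIFICAT}_${AUTHORITY}_${COMPONENT}" "${KEY_PASS}"
 else
-pki_logger "Le certificat CLIENT - ${PKI_CONTEXT} - ${COMPONENT} existe déjà, il ne sera pas recréé..."
+pki_logger "Le certificat ${TYPE_CERTIFICAT} - ${AUTHORITY} - ${COMPONENT} existe déjà, il ne sera pas recréé..."
 fi
 }
 
-# Copy the CA from pki/<PKI_CONTEXT>/ca to environments/certs/<PKI_CONTEXT>/ca
+# Copy the CA from pki/<AUTHORITY>/ca to environments/certs/<AUTHORITY>/ca
 function copyCAFromPki {
-local PKI_CONTEXT="${1}"
+local AUTHORITY="${1}"
 
-mkdir -p "${CERTIFICATE_DIR}/${PKI_CONTEXT}/ca"
-pki_logger "Copying CA of ${PKI_CONTEXT}"
-for CA in $(ls ${CA_DIR}/${PKI_CONTEXT}/*.crt); do
-cp -vf "${CA}" "${CERTIFICATE_DIR}/${PKI_CONTEXT}/ca/$(basename ${CA})"
+mkdir -p "${CERTIFICATE_DIR}/${AUTHORITY}/ca"
+pki_logger "Copying CA of ${AUTHORITY}"
+for CA in $(ls ${CA_DIR}/${AUTHORITY}/*.crt); do
+cp -vf "${CA}" "${CERTIFICATE_DIR}/${AUTHORITY}/ca/$(basename ${CA})"
 done
 }
 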
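Review bot: The vault entry written at the new line 178, `setPassphrase certs "${TYPE_CERTIFICAT}_${AUTHORITY}_${COMPONENT}" "${KEY_PASS}"`, renames the key from `server_<authority>_<component>_key` to `server_<authority>_<component>` (the client entry at line 207 does the same), and line 18 moves server certificates from `server/` to `servers/`; a consumer still reading the old vault name or the old path gets nothing, and on an existing deployment the `! -f` check at line 165 no longer finds the certificate and generates a new one with a fresh key instead of reusing it. Only 12 of the 50 changed files are visible here, so the readers may well be updated in this commit; a comment at the store call, `# vault key: <type>_<authority>_<component> — must match the Ansible keystore lookups`, would keep the two sides from drifting again. In copyCAFromPki (lines 219-220) the rewritten loop still parses `ls` with unquoted expansions; `for CA in "${CA_DIR}/${AUTHORITY}"/*.crt; do` together with `cp -vf -- "${CA}" "${CERTIFICATE_DIR}/${AUTHORITY}/ca/$(basename -- "${CA}")"` copies the same files without word-splitting on the paths.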
