Story #15673: Updating PKI to use get_authorities function as reference for generating expected authorities.

GiooDev · GiooDev · commit bd21f5eba734 · 2026-02-15T16:53:28.000+01:00
diff --git a/deployment/pki/scripts/generate_certs.sh b/deployment/pki/scripts/generate_certs.sh
@@ -13,18 +13,16 @@ set -e
 
 function generateCerts {
 
-    # Copy CA
-    pki_logger "Recopie des clés publiques des CA"
-    copyCAFromPki client-external
-    copyCAFromPki client-vitam
-    copyCAFromPki vitamui-services
-
-    # Generate hosts certificates
-    pki_logger "Génération des certificats serveurs"
-    # Zone interne
+    pki_logger "Copying CA certificates"
+    for AUTHORITY_NAME in $(get_autorities); do
+        copyCAFromPki "${AUTHORITY_NAME}"
+    done
+
+    # VitamUI Services
+    # Server Only for https
     generateServerCertAndStorePassphrase            security            vitamui-services
 
-    #Zone externe
+    # Server and Client for https or mTLS
     generateServerAndClientCertAndStorePassphrase   iam                 vitamui-services
     generateServerAndClientCertAndStorePassphrase   referential         vitamui-services
     generateServerAndClientCertAndStorePassphrase   cas-server          vitamui-services
@@ -34,7 +32,7 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   pastis              vitamui-services
     generateServerAndClientCertAndStorePassphrase   api-gateway         vitamui-services
 
-    #Zone UI
+    # Zone UI - Client Only for mTLS
     generateClientCertAndStorePassphrase            ui-portal           vitamui-services
     generateClientCertAndStorePassphrase            ui-identity         vitamui-services
     generateClientCertAndStorePassphrase            ui-identity-admin   vitamui-services
@@ -44,7 +42,7 @@ function generateCerts {
     generateClientCertAndStorePassphrase            ui-collect          vitamui-services
     generateClientCertAndStorePassphrase            ui-pastis           vitamui-services
 
-    #Reverse
+    # Reverse - Server Only for https
     generateServerCertAndStorePassphrase            reverse             vitamui-services
 
     # Example of generated client cert for a customer allowing to perform request on external APIs
diff --git a/deployment/pki/scripts/generate_certs_dev.sh b/deployment/pki/scripts/generate_certs_dev.sh
@@ -23,18 +23,16 @@ function getComponentCertificateSan {
 
 function generateCerts {
 
-    # Copy CA
-    pki_logger "Recopie des clés publiques des CA"
-    copyCAFromPki client-external
-    copyCAFromPki client-vitam
-    copyCAFromPki vitamui-services
-
-    # Generate hosts certificates
-    pki_logger "Génération des certificats serveurs"
-    # Zone interne
+    pki_logger "Copying CA certificates"
+    for AUTHORITY_NAME in $(get_autorities); do
+        copyCAFromPki "${AUTHORITY_NAME}"
+    done
+
+    # VitamUI Services
+    # Server Only for https
     generateServerCertAndStorePassphrase            security            vitamui-services
 
-    #Zone externe
+    # Server and Client for https or mTLS
     generateServerAndClientCertAndStorePassphrase   iam                 vitamui-services
     generateServerAndClientCertAndStorePassphrase   cas-server          vitamui-services
     generateServerAndClientCertAndStorePassphrase   referential         vitamui-services
@@ -44,7 +42,7 @@ function generateCerts {
     generateServerAndClientCertAndStorePassphrase   pastis              vitamui-services
     generateServerAndClientCertAndStorePassphrase   api-gateway         vitamui-services
 
-    #Zone UI
+    # Zone UI - Client Only for mTLS
     generateClientCertAndStorePassphrase            ui-portal           vitamui-services
     generateClientCertAndStorePassphrase            ui-identity         vitamui-services
     generateClientCertAndStorePassphrase            ui-identity-admin   vitamui-services
@@ -54,7 +52,7 @@ function generateCerts {
     generateClientCertAndStorePassphrase            ui-pastis           vitamui-services
     generateClientCertAndStorePassphrase            ui-collect          vitamui-services
 
-    #Reverse
+    # Reverse proxy - Server Only for https
     generateServerCertAndStorePassphrase            reverse             vitamui-services
 
     # Example of generated client cert for a customer allowing to perform request on external APIs
diff --git a/deployment/pki/scripts/lib/ca.sh b/deployment/pki/scripts/lib/ca.sh
@@ -25,11 +25,11 @@ function generate_ca_root {
 
     local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR}
     if [ ! -d ${CA_DIR} ]; then
-        pki_logger "Create directory ${CA_DIR}"
+        pki_logger "Creating directory ${CA_DIR}"
         mkdir -p ${CA_DIR};
     fi
 
-    pki_logger "Create CA-root request..."
+    pki_logger "Creating CA-root request..."
     openssl req \
         -config ${CONFIG_DIR}/ca-config \
         -new \
@@ -38,7 +38,7 @@ function generate_ca_root {
         -passout pass:${CA_ROOT_PASS} \
         -batch
 
-    pki_logger "Sign CA-root certificate..."
+    pki_logger "Signing CA-root certificate..."
     openssl ca \
         -config ${CONFIG_DIR}/ca-config \
         -selfsign \
@@ -64,11 +64,11 @@ function generate_ca_intermediate {
 
     local CA_DIR=${CA_DIR}/${OPENSSL_CA_DIR}
     if [ ! -d ${CA_DIR} ]; then
-        pki_logger "Create directory ${OPENSSL_CA_DIR}"
+        pki_logger "Creating directory ${OPENSSL_CA_DIR}"
         mkdir -p ${CA_DIR};
     fi
 
-    pki_logger "Create CA-intermediate request..."
+    pki_logger "Creating CA-intermediate request..."
     openssl req \
         -config ${CONFIG_DIR}/ca-config \
         -new \
@@ -78,7 +78,7 @@ function generate_ca_intermediate {
         -passout pass:${CA_INTERMEDIATE_PASS} \
         -batch
 
-    pki_logger "Sign CA-intermediate certificate..."
+    pki_logger "Signing CA-intermediate certificate..."
     openssl ca \
         -config ${CONFIG_DIR}/ca-config \
         -extensions extension_ca_intermediate \
@@ -153,7 +153,7 @@ function main() {
 
     # Create CA per authorities
     AUTHORITIES="$(get_autorities)"
-    for AUTHORITY in ${AUTHORITIES[@]}
+    for AUTHORITY in $AUTHORITIES; do
     do
         mkdir -p ${CA_DIR}/${AUTHORITY}
         init_config_ca ${AUTHORITY}
diff --git a/deployment/pki/scripts/lib/stores.sh b/deployment/pki/scripts/lib/stores.sh
@@ -53,7 +53,7 @@ function generateKeystore {
         rm -vf ${KEYSTORE_PATH:?}
     fi
 
-    pki_logger "Generate keystore: ${KEYSTORE_PATH}"
+    pki_logger "Generating keystore: ${KEYSTORE_PATH}"
 
     mkdir -p "$(dirname "${KEYSTORE_PATH}")"
     openssl pkcs12 -export \
@@ -97,41 +97,47 @@ function main() {
     # Remove old keystores clients & server directories
     find ${KEYSTORES_DIRECTORY:?} -mindepth 1 -maxdepth 1 -type d -exec rm -vrf {} \; #TODO: pk on supprime tout si on a pas mis le erase à true ?
 
-    # For each authorities under environments/certs directory (client-external, client-vitam, vitamui-services)
-    for AUTHORITY_PATH in $( ls -d ${CERTIFICATE_DIR}/{client-external,client-vitam,vitamui-services} ); do
-        pki_logger "-------------------------------------------"
-        local AUTHORITY_NAME=$(basename ${AUTHORITY_PATH})
-        pki_logger "Creating keystores for AUTHORITY: ${AUTHORITY_NAME}"
+    # Generate stores for each authorities
+    for AUTHORITY_NAME in $(get_autorities); do
+        AUTHORITY_PATH="${CERTIFICATE_DIR}/${AUTHORITY_NAME}"
 
-        # Could be clients or servers
-        for TYPE_PATH in $( ls -d ${AUTHORITY_PATH}/{ca,clients,servers} 2>/dev/null || true ); do
-            local TYPE_NAME=$(basename ${TYPE_PATH})
+        # Verify the directory exists before processing
+        if [ -d "$AUTHORITY_PATH" ]; then
+            pki_logger "-------------------------------------------"
+            pki_logger "Creating keystores or truststore for AUTHORITY: ${AUTHORITY_NAME}"
 
-            if [ "${TYPE_NAME}" == "ca" ]; then
-                # Generate truststore for CA certificates
-                pki_logger "Generating truststore for CA certificates: ${AUTHORITY_NAME}"
-                generateTruststore "${TYPE_PATH}" "${AUTHORITY_NAME}"
-                continue
-            fi
+            # Could be ca, clients or servers
+            for TYPE_PATH in $( ls -d ${AUTHORITY_PATH}/{ca,clients,servers} 2>/dev/null || true ); do
+                local TYPE_NAME=$(basename ${TYPE_PATH})
 
-            pki_logger "Creating keystores for TYPE: ${AUTHORITY_NAME}/${TYPE_NAME}"
+                if [ "${TYPE_NAME}" == "ca" ]; then
+                    # Generate truststore for CA certificates
+                    pki_logger "Creating truststore for CA certificates: ${AUTHORITY_NAME}"
+                    generateTruststore "${TYPE_PATH}" "${AUTHORITY_NAME}"
+                    continue
+                fi
 
-            # Generate keystore for each components except for ui-
-            for COMPONENT in $( ls ${TYPE_PATH} | grep -v -e "README" -e "^ui-" ); do
-                pki_logger "Creating keystore for COMPONENT: ${AUTHORITY_NAME}/${TYPE_NAME}/${COMPONENT}"
+                pki_logger "Creating keystores for TYPE: ${AUTHORITY_NAME}/${TYPE_NAME}"
 
-                local COMPONENT_CRT_DIR=${CERTIFICATE_DIR}/${AUTHORITY_NAME}/${TYPE_NAME}/${COMPONENT}
-                local TARGET_KEYSTORE=${KEYSTORES_DIRECTORY}/${AUTHORITY_NAME}/${TYPE_NAME}/keystore_${COMPONENT}.p12
-                local CRT_KEY_PASSWORD=$(getPassphrase certs "${AUTHORITY_NAME}_${TYPE_NAME}_${COMPONENT}")
-                local KEYSTORE_PASSWORD=$(setPassphrase keystores "${AUTHORITY_NAME}_${TYPE_NAME}_${COMPONENT}")
+                # Generate keystore for each components except for ui-
+                for COMPONENT in $( ls ${TYPE_PATH} | grep -v -e "README" -e "^ui-" ); do
+                    pki_logger "Creating keystore for COMPONENT: ${AUTHORITY_NAME}/${TYPE_NAME}/${COMPONENT}"
 
-                generateKeystore    "${COMPONENT_CRT_DIR}" \
-                                    "${CRT_KEY_PASSWORD}" \
-                                    "${TARGET_KEYSTORE}" \
-                                    "${KEYSTORE_PASSWORD}"
+                    local COMPONENT_CRT_DIR=${CERTIFICATE_DIR}/${AUTHORITY_NAME}/${TYPE_NAME}/${COMPONENT}
+                    local TARGET_KEYSTORE=${KEYSTORES_DIRECTORY}/${AUTHORITY_NAME}/${TYPE_NAME}/keystore_${COMPONENT}.p12
+                    local CRT_KEY_PASSWORD=$(getPassphrase certs "${AUTHORITY_NAME}_${TYPE_NAME}_${COMPONENT}")
+                    local KEYSTORE_PASSWORD=$(setPassphrase keystores "${AUTHORITY_NAME}_${TYPE_NAME}_${COMPONENT}")
 
+                    generateKeystore    "${COMPONENT_CRT_DIR}" \
+                                        "${CRT_KEY_PASSWORD}" \
+                                        "${TARGET_KEYSTORE}" \
+                                        "${KEYSTORE_PASSWORD}"
+
+                done
             done
-        done
+        else
+            pki_logger "Skipping: $AUTHORITY_PATH not found"
+        fi
     done
 
     pki_logger "-------------------------------------------"
