Merge CIP code

cmd/runmqdevserver/keystore.go

@@ -1,179 +0,0 @@
-/*
-© Copyright IBM Corporation 2018
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package main
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-
-	"github.com/ibm-messaging/mq-container/internal/command"
-)
-
-// KeyStore describes information about a keystore file
-type KeyStore struct {
-	Filename     string
-	Password     string
-	keyStoreType string
-	command      string
-}
-
-// NewJKSKeyStore creates a new Java Key Store, managed by the runmqckm command
-func NewJKSKeyStore(filename, password string) *KeyStore {
-	return &KeyStore{
-		Filename:     filename,
-		Password:     password,
-		keyStoreType: "jks",
-		command:      "/opt/mqm/bin/runmqckm",
-	}
-}
-
-// NewCMSKeyStore creates a new MQ CMS Key Store, managed by the runmqakm command
-func NewCMSKeyStore(filename, password string) *KeyStore {
-	return &KeyStore{
-		Filename:     filename,
-		Password:     password,
-		keyStoreType: "cms",
-		command:      "/opt/mqm/bin/runmqakm",
-	}
-}
-
-// Create a key store, if it doesn't already exist
-func (ks *KeyStore) Create() error {
-	_, err := os.Stat(ks.Filename)
-	if err == nil {
-		// Keystore already exists so we should refresh it by deleting it.
-		extension := filepath.Ext(ks.Filename)
-		log.Debugf("Refreshing keystore: %v", ks.Filename)
-		if ks.keyStoreType == "cms" {
-			// Only delete these when we are refreshing the kdb keystore
-			stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
-			rdbFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".rdb"
-			crlFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".crl"
-			err = os.Remove(stashFile)
-			if err != nil {
-				log.Errorf("Error removing %s: %v", stashFile, err)
-				return err
-			}
-			err = os.Remove(rdbFile)
-			if err != nil {
-				log.Errorf("Error removing %s: %v", rdbFile, err)
-				return err
-			}
-			err = os.Remove(crlFile)
-			if err != nil {
-				log.Errorf("Error removing %s: %v", crlFile, err)
-				return err
-			}
-		}
-		err = os.Remove(ks.Filename)
-		if err != nil {
-			log.Errorf("Error removing %s: %v", ks.Filename, err)
-			return err
-		}
-	} else if !os.IsNotExist(err) {
-		// If the keystore exists but cannot be accessed then return the error
-		return err
-	}
-
-	// Create the keystore now we're sure it doesn't exist
-	out, _, err := command.Run(ks.command, "-keydb", "-create", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password, "-stash")
-	if err != nil {
-		return fmt.Errorf("error running \"%v -keydb -create\": %v %s", ks.command, err, out)
-	}
-
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	err = os.Chown(ks.Filename, mqmUID, mqmGID)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	return nil
-}
-
-// CreateStash creates a key stash, if it doesn't already exist
-func (ks *KeyStore) CreateStash() error {
-	extension := filepath.Ext(ks.Filename)
-	stashFile := ks.Filename[0:len(ks.Filename)-len(extension)] + ".sth"
-	log.Debugf("TLS stash file: %v", stashFile)
-	_, err := os.Stat(stashFile)
-	if err != nil {
-		if os.IsNotExist(err) {
-			out, _, err := command.Run(ks.command, "-keydb", "-stashpw", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
-			if err != nil {
-				return fmt.Errorf("error running \"%v -keydb -stashpw\": %v %s", ks.command, err, out)
-			}
-		}
-		return err
-	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	err = os.Chown(stashFile, mqmUID, mqmGID)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	return nil
-}
-
-// Import imports a certificate file in the keystore
-func (ks *KeyStore) Import(inputFile, password string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-import", "-file", inputFile, "-pw", password, "-target", ks.Filename, "-target_pw", ks.Password, "-target_type", ks.keyStoreType)
-	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -import\": %v %s", ks.command, err, out)
-	}
-	return nil
-}
-
-// GetCertificateLabels returns the labels of all certificates in the key store
-func (ks *KeyStore) GetCertificateLabels() ([]string, error) {
-	out, _, err := command.Run(ks.command, "-cert", "-list", "-type", ks.keyStoreType, "-db", ks.Filename, "-pw", ks.Password)
-	if err != nil {
-		return nil, fmt.Errorf("error running \"%v -cert -list\": %v %s", ks.command, err, out)
-	}
-	scanner := bufio.NewScanner(strings.NewReader(out))
-	var labels []string
-	for scanner.Scan() {
-		s := scanner.Text()
-		if strings.HasPrefix(s, "-") || strings.HasPrefix(s, "*-") {
-			s := strings.TrimLeft(s, "-*")
-			labels = append(labels, strings.TrimSpace(s))
-		}
-	}
-	err = scanner.Err()
-	if err != nil {
-		return nil, err
-	}
-	return labels, nil
-}
-
-// RenameCertificate renames the specified certificate
-func (ks *KeyStore) RenameCertificate(from, to string) error {
-	out, _, err := command.Run(ks.command, "-cert", "-rename", "-db", ks.Filename, "-pw", ks.Password, "-label", from, "-new_label", to)
-	if err != nil {
-		return fmt.Errorf("error running \"%v -cert -rename\": %v %s", ks.command, err, out)
-	}
-	return nil
-}

cmd/runmqdevserver/main.go

@@ -25,6 +25,7 @@ import (
 	"github.com/ibm-messaging/mq-container/internal/command"
 	containerruntimelogger "github.com/ibm-messaging/mq-container/internal/containerruntimelogger"
 	"github.com/ibm-messaging/mq-container/internal/logger"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 	"github.com/ibm-messaging/mq-container/internal/name"
 )
 
@@ -91,7 +92,7 @@ func configureLogger() error {
 
 func configureWeb(qmName string) error {
 	out := "/etc/mqm/web/installations/Installation1/angular.persistence/admin.json"
-	return processTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName})
+	return mqtemplate.ProcessTemplateFile("/etc/mqm/admin.json.tpl", out, map[string]string{"QueueManagerName": qmName}, log)
 }
 
 func logTerminationf(format string, args ...interface{}) {

cmd/runmqdevserver/mqsc.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@ package main
 
 import (
 	"os"
+
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func updateMQSC(appPasswordRequired bool) error {
@@ -30,7 +32,7 @@ func updateMQSC(appPasswordRequired bool) error {
 	if os.Getenv("MQ_DEV") == "true" {
 		const mqscTemplate string = mqsc + ".tpl"
 		// Re-configure channel if app password not set
-		err := processTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient})
+		err := mqtemplate.ProcessTemplateFile(mqsc+".tpl", mqsc, map[string]string{"ChckClnt": checkClient}, log)
 		if err != nil {
 			return err
 		}

cmd/runmqdevserver/template.go

@@ -1,78 +0,0 @@
-/*
-© Copyright IBM Corporation 2018, 2019
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package main
-
-import (
-	"os"
-	"path"
-	"text/template"
-
-	"github.com/ibm-messaging/mq-container/internal/command"
-)
-
-// processTemplateFile takes a Go templateFile, and processes it with the
-// supplied data, writing to destFile
-func processTemplateFile(templateFile, destFile string, data interface{}) error {
-	// Re-configure channel if app password not set
-	t, err := template.ParseFiles(templateFile)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	dir := path.Dir(destFile)
-	_, err = os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// #nosec G301
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-	// #nosec G302
-	f, err := os.OpenFile(destFile, os.O_CREATE|os.O_WRONLY, 0660)
-	defer f.Close()
-	err = t.Execute(f, data)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	err = os.Chown(destFile, mqmUID, mqmGID)
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	return nil
-}

cmd/runmqdevserver/tls.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2018
+© Copyright IBM Corporation 2018, 2019
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -21,20 +21,22 @@ import (
 	"path/filepath"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
-func configureWebTLS(cms *KeyStore) error {
+func configureWebTLS(cms *keystore.KeyStore) error {
 	dir := "/run/runmqdevserver/tls"
-	ks := NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
-	ts := NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
+	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), cms.Password)
+	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), cms.Password)
 
 	log.Debug("Creating key store")
-	err := ks.Create()
+	err := ks.Create(log)
 	if err != nil {
 		return err
 	}
 	log.Debug("Creating trust store")
-	err = ts.Create()
+	err = ts.Create(log)
 	if err != nil {
 		return err
 	}
@@ -105,14 +107,14 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 		}
 	}
 
-	cms := NewCMSKeyStore(keyFile, passPhrase)
+	cms := keystore.NewCMSKeyStore(keyFile, passPhrase)
 
-	err = cms.Create()
+	err = cms.Create(log)
 	if err != nil {
 		return err
 	}
 
-	err = cms.CreateStash()
+	err = cms.CreateStash(log)
 	if err != nil {
 		return err
 	}
@@ -146,11 +148,11 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	const mqsc string = "/etc/mqm/20-dev-tls.mqsc"
 	const mqscTemplate string = mqsc + ".tpl"
 
-	err = processTemplateFile(mqscTemplate, mqsc, map[string]string{
+	err = mqtemplate.ProcessTemplateFile(mqscTemplate, mqsc, map[string]string{
 		"SSLKeyR":          filepath.Join(dir, "key"),
 		"CertificateLabel": newLabel,
 		"SSLCipherSpec":    sslCipherSpec,
-	})
+	}, log)
 	if err != nil {
 		return err
 	}

cmd/runmqserver/logging.go

@@ -167,11 +167,20 @@ func logDiagnostics() {
 	out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
 	log.Debugf("/mnt/mqm/data:\n%s", out)
 	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-log/log")
+	log.Debugf("/mnt/mqm-log/log:\n%s", out)
+	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/mnt/mqm-data/qmgrs")
+	log.Debugf("/mnt/mqm-data/qmgrs:\n%s", out)
+	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm")
 	log.Debugf("/var/mqm:\n%s", out)
 	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm/errors")
 	log.Debugf("/var/mqm/errors:\n%s", out)
+	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/etc/mqm")
+	log.Debugf("/etc/mqm:\n%s", out)
 
 	// Print out summary of any FDCs
 	// #nosec G204

cmd/runmqserver/post_init.go

@@ -21,9 +21,19 @@ import (
 
 // postInit is run after /var/mqm is set up
 func postInit(name string) error {
-	web := os.Getenv("MQ_BETA_ENABLE_WEB_SERVER")
-	if web == "true" || web == "1" {
-		// Configure the web server (if installed)
+	enableWebServer := os.Getenv("MQ_ENABLE_EMBEDDED_WEB_SERVER")
+	if enableWebServer == "true" || enableWebServer == "1" {
+
+		// Configure Single-Sign-On for the web server (if enabled)
+		enableSSO := os.Getenv("MQ_BETA_ENABLE_SSO")
+		if enableSSO == "true" || enableSSO == "1" {
+			err := configureSSO()
+			if err != nil {
+				return err
+			}
+		}
+
+		// Configure the web server (if enabled)
 		err := configureWebServer()
 		if err != nil {
 			return err

cmd/runmqserver/webserver.go

@@ -23,9 +23,12 @@ import (
 	"os/user"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"
 
 	"github.com/ibm-messaging/mq-container/internal/command"
+	"github.com/ibm-messaging/mq-container/internal/keystore"
+	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
 
 func startWebServer() error {
@@ -88,6 +91,103 @@ func CopyFile(src, dest string) error {
 	return err
 }
 
+func configureSSO() error {
+
+	// Ensure all required environment variables are set for SSO
+	requiredEnvVars := []string{
+		"MQ_WEB_ADMIN_USERS",
+		"MQ_OIDC_CLIENT_ID",
+		"MQ_OIDC_CLIENT_SECRET",
+		"MQ_OIDC_UNIQUE_USER_IDENTIFIER",
+		"MQ_OIDC_AUTHORIZATION_ENDPOINT",
+		"MQ_OIDC_TOKEN_ENDPOINT",
+		"MQ_OIDC_JWK_ENDPOINT",
+		"MQ_OIDC_ISSUER_IDENTIFIER",
+		"MQ_OIDC_CERTIFICATE",
+	}
+	for _, envVar := range requiredEnvVars {
+		if len(os.Getenv(envVar)) == 0 {
+			return fmt.Errorf("%v must be set when MQ_BETA_ENABLE_SSO=true", envVar)
+		}
+	}
+
+	// Check mqweb directory exists
+	const mqwebDir string = "/etc/mqm/web/installations/Installation1/servers/mqweb"
+	_, err := os.Stat(mqwebDir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil
+		}
+		return err
+	}
+
+	// Process SSO template for generating file mqwebuser.xml
+	adminUsers := strings.Split(os.Getenv("MQ_WEB_ADMIN_USERS"), "\n")
+	err = mqtemplate.ProcessTemplateFile(mqwebDir+"/mqwebuser.xml.tpl", mqwebDir+"/mqwebuser.xml", map[string][]string{"AdminUser": adminUsers}, log)
+	if err != nil {
+		return err
+	}
+
+	// Configure SSO TLS
+	return configureSSO_TLS()
+}
+
+func configureSSO_TLS() error {
+
+	// Create tls directory
+	dir := "/run/tls"
+	mntdir := "/mnt/tls/"
+	_, err := os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+
+	// Setup key store & trust store
+	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
+	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")
+
+	log.Debug("Creating key store")
+	err = ks.Create(log)
+	if err != nil {
+		return err
+	}
+	log.Debug("Creating trust store")
+	err = ts.Create(log)
+	if err != nil {
+		return err
+	}
+	log.Debug("Generating PKCS12 file")
+	err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
+	if err != nil {
+		return err
+	}
+	log.Debug("Importing certificate into key store")
+	err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
+	if err != nil {
+		return err
+	}
+	log.Debug("Adding OIDC certificate to trust store")
+	err = ts.Add(os.Getenv("MQ_OIDC_CERTIFICATE"), "OIDC")
+	return err
+}
+
 func configureWebServer() error {
 	_, err := os.Stat("/opt/mqm/bin/strmqweb")
 	if err != nil {