Extra changes to support non-root in CIP

2019-03-19 11:29:33 +00:00
parent 350b8318ee
commit c3f40c84a7
10 changed files with 88 additions and 111 deletions
--- a/cmd/runmqdevserver/tls.go
+++ b/cmd/runmqdevserver/tls.go
@@ -20,7 +20,6 @@ import (
 	"os"
 	"path/filepath"

-	"github.com/ibm-messaging/mq-container/internal/command"
 	"github.com/ibm-messaging/mq-container/internal/keystore"
 	"github.com/ibm-messaging/mq-container/internal/mqtemplate"
 )
@@ -58,16 +57,6 @@ func configureWebTLS(cms *keystore.KeyStore) error {
 	if err != nil {
 		return err
 	}
-	mqmUID, mqmGID, err := command.LookupMQM()
-	if err != nil {
-		log.Error(err)
-		return err
-	}
-	err = os.Chown(tlsConfig, mqmUID, mqmGID)
-	if err != nil {
-		log.Error(err)
-		return err
-	}

 	return nil
 }
@@ -84,29 +73,6 @@ func configureTLS(qmName string, inputFile string, passPhrase string) error {
 	dir := "/run/runmqdevserver/tls"
 	keyFile := filepath.Join(dir, "key.kdb")

-	_, err = os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			// #nosec G301
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
-
 	cms := keystore.NewCMSKeyStore(keyFile, passPhrase)

 	err = cms.Create(log)
--- a/cmd/runmqserver/crtmqvol.go
+++ b/cmd/runmqserver/crtmqvol.go
@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2018
+© Copyright IBM Corporation 2017, 2019

 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -60,3 +60,67 @@ func createVolume(path string) error {
 	}
 	return nil
 }
+
+func createWebConsoleTLSDirStructure() error {
+	// Create tls directory
+	dir := "/run/tls"
+	_, err := os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+		} else {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func createDevTLSDir() error {
+	// TODO: Use a persisted file (on the volume) instead?
+	par := "/run/runmqdevserver"
+	dir := filepath.Join(par, "tls")
+
+	_, err := os.Stat(dir)
+	if err != nil {
+		if os.IsNotExist(err) {
+			// #nosec G301
+			err = os.MkdirAll(dir, 0770)
+			if err != nil {
+				return err
+			}
+			mqmUID, mqmGID, err := command.LookupMQM()
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(dir, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+			err = os.Chown(par, mqmUID, mqmGID)
+			if err != nil {
+				log.Error(err)
+				return err
+			}
+
+		} else {
+			return err
+		}
+	}
+	return nil
+}
--- a/cmd/runmqserver/logging.go
+++ b/cmd/runmqserver/logging.go
@@ -138,6 +138,9 @@ func logDiagnostics() {
 	out, _, _ = command.Run("ls", "-l", "/mnt/mqm/data")
 	log.Debugf("/mnt/mqm/data:\n%s", out)
 	// #nosec G104
+	out, _, _ = command.Run("ls", "-l", "/etc/mqm")
+	log.Debugf("/etc/mqm:\n%s", out)
+	// #nosec G104
 	out, _, _ = command.Run("ls", "-l", "/var/mqm")
 	log.Debugf("/var/mqm:\n%s", out)
 	// #nosec G104
--- a/cmd/runmqserver/main.go
+++ b/cmd/runmqserver/main.go
@@ -104,6 +104,20 @@ func doMain() error {
 		return err
 	}

+	err = createWebConsoleTLSDirStructure()
+	if err != nil {
+		logTermination(err)
+		return err
+	}
+
+	if *devFlag == true {
+		err = createDevTLSDir()
+		if err != nil {
+			logTermination(err)
+			return err
+		}
+	}
+
 	// If init flag is set, exit now
 	if *initFlag {
 		return nil
--- a/cmd/runmqserver/qmgr.go
+++ b/cmd/runmqserver/qmgr.go
@@ -34,6 +34,7 @@ func createDirStructure() error {
 		return err
 	}
 	log.Println("Created directory structure under /var/mqm")
+
 	return nil
 }

--- a/cmd/runmqserver/webserver.go
+++ b/cmd/runmqserver/webserver.go
@@ -136,34 +136,14 @@ func configureSSO_TLS() error {

 	// Create tls directory
 	dir := "/run/tls"
-	_, err := os.Stat(dir)
-	if err != nil {
-		if os.IsNotExist(err) {
-			err = os.MkdirAll(dir, 0770)
-			if err != nil {
-				return err
-			}
-			mqmUID, mqmGID, err := command.LookupMQM()
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-			err = os.Chown(dir, mqmUID, mqmGID)
-			if err != nil {
-				log.Error(err)
-				return err
-			}
-		} else {
-			return err
-		}
-	}
+	mntdir := "/mnt/tls/"

 	// Setup key store & trust store
 	ks := keystore.NewJKSKeyStore(filepath.Join(dir, "key.jks"), "password")
 	ts := keystore.NewJKSKeyStore(filepath.Join(dir, "trust.jks"), "password")

 	log.Debug("Creating key store")
-	err = ks.Create(log)
+	err := ks.Create(log)
 	if err != nil {
 		return err
 	}
@@ -173,12 +153,12 @@ func configureSSO_TLS() error {
 		return err
 	}
 	log.Debug("Generating PKCS12 file")
-	err = ks.GeneratePKCS12("/mnt/tls/tls.key", "/mnt/tls/tls.crt", "/run/tls/tls.p12", "default", "password")
+	err = ks.GeneratePKCS12(filepath.Join(mntdir, "tls.key"), filepath.Join(mntdir, "tls.crt"), filepath.Join(dir, "tls.p12"), "default", "password")
 	if err != nil {
 		return err
 	}
 	log.Debug("Importing certificate into key store")
-	err = ks.Import("/run/tls/tls.p12", "password")
+	err = ks.Import(filepath.Join(dir, "tls.p12"), "password")
 	if err != nil {
 		return err
 	}
@@ -203,10 +183,6 @@ func configureWebServer() error {
 		}
 		return err
 	}
-	uid, gid, err := command.LookupMQM()
-	if err != nil {
-		return err
-	}
 	const prefix string = "/etc/mqm/web"
 	err = filepath.Walk(prefix, func(from string, info os.FileInfo, err error) error {
 		if err != nil {
@@ -242,10 +218,6 @@ func configureWebServer() error {
 				return err
 			}
 		}
-		err = os.Chown(to, uid, gid)
-		if err != nil {
-			return err
-		}
 		return nil
 	})
 	return err