Luigi Santivetti | b52d6d2 | 2020-05-18 00:56:27 +0100 | [diff] [blame] | 1 | #!/bin/bash |
| 2 | # |
| 3 | # module.sh - mysql |
| 4 | # |
| 5 | # Copyright 2019 Luigi Santivetti <luigi.santivetti@gmail.com> |
| 6 | |
| 7 | # Permission is hereby granted, free of charge, to any person obtaining a |
| 8 | # copy of this software and associated documentation files (the "Software"), |
| 9 | # to deal in the Software without restriction, including without limitation |
| 10 | # the rights to use, copy, modify, merge, publish, distribute, sublicense, |
| 11 | # and/or sell copies of the Software, and to permit persons to whom the |
| 12 | # Software is furnished to do so, subject to the following conditions: |
| 13 | |
| 14 | # The above copyright notice and this permission notice (including the next |
| 15 | # paragraph) shall be included in all copies or substantial portions of the |
| 16 | # Software. |
| 17 | |
| 18 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 19 | # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 20 | # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
| 21 | # ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER |
| 22 | # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN |
| 23 | # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| 24 | |
| 25 | declare -r module="mysql" |
| 26 | source $common_sh |
| 27 | |
| 28 | module_enable $module |
| 29 | |
| 30 | declare -r etc_d="$mod_rootfs_d/etc" |
| 31 | declare -r initdb_d="$mod_docker_d" |
| 32 | declare -r var_d="$mod_rootfs_d/var" |
| 33 | |
| 34 | declare -r mycnf_d="$etc_d/mysql" |
| 35 | declare -r mysql_d="$var_d/lib/mysql" |
| 36 | declare -r log_d="$var_d/log/mysql" |
| 37 | |
| 38 | declare -ir mysql_uid="999" |
| 39 | |
| 40 | declare -ir mysql_has_dummy_certs=1 |
| 41 | if [ $mysql_has_dummy_certs -eq 1 ]; then |
| 42 | declare -r certificates_d="$mod_staging_d/${module}_dummy_cert" |
| 43 | declare -r ca_key_f="$certificates_d/${module}_dummy-ca-key.pem" |
| 44 | declare -r ca_f="$certificates_d/${module}_dummy-ca.pem" |
| 45 | |
| 46 | declare -r server_key_f="$certificates_d/${module}_dummy-server-key.pem" |
| 47 | declare -r server_req_f="$certificates_d/${module}_dummy-server-req.pem" |
| 48 | declare -r server_cert_f="$certificates_d/${module}_dummy-server-cert.pem" |
| 49 | |
| 50 | declare -r client_key_f="$certificates_d/${module}_dummy-client-key.pem" |
| 51 | declare -r client_req_f="$certificates_d/${module}_dummy-client-req.pem" |
| 52 | declare -r client_cert_f="$certificates_d/${module}_dummy-client-cert.pem" |
| 53 | |
| 54 | # Dup ca to avoid bind mounting the same file twice |
| 55 | declare -r ca_dup_f="$certificates_d/${module}_dummy-ca-dup.pem" |
| 56 | else |
| 57 | lets -l -e "official CA certificates not supported" |
| 58 | exit 1 |
| 59 | fi |
| 60 | declare -r certificates_l="$etc_d/mysql_ssl" |
| 61 | |
| 62 | # Output files |
| 63 | declare -r dockerfile="Dockerfile" |
| 64 | declare -r dockerfile_f="$mod_docker_d/$dockerfile" |
| 65 | declare -r initdb_f="$initdb_d/initdb.sql" |
| 66 | declare -r mycnf_f="$mycnf_d/my.cnf" |
| 67 | declare -r log_error_f="$log_d/error.txt" |
| 68 | declare -r log_general_f="$log_d/general.txt" |
| 69 | declare -r log_query_f="$log_d/query.txt" |
| 70 | declare -r mysql_cli_bang_f="$mod_docker_d/mysql-cli.sh" |
| 71 | |
| 72 | declare -ar mod_more_dirs=( \ |
| 73 | $etc_d $initdb_d $var_d $mycnf_d $log_d $mysql_d \ |
| 74 | ) |
| 75 | |
| 76 | declare -ar mod_more_files=( $mycnf_f $initdb_f $dockerfile_f $mysql_cli_bang_f ) |
| 77 | declare -ar mod_more_trefs=( mycnf_t initdb_t dockerfile_t mysql_cli_bang_t ) |
| 78 | |
| 79 | function tod_watch |
| 80 | { |
| 81 | __watch_module_common || return $s_err |
| 82 | } |
| 83 | |
| 84 | function tod_doins |
| 85 | { |
| 86 | __doins_module_common || return $s_err |
| 87 | __mysql_do_log_files || return $s_err |
| 88 | |
| 89 | # Use certificates provided by Apache |
| 90 | __mysql_do_dummy_cert || return $s_err |
| 91 | __mysql_do_links || return $s_err |
| 92 | } |
| 93 | |
| 94 | function tod_clins |
| 95 | { |
| 96 | __clins_module_common || return $s_err |
| 97 | __mysql_undo_log_files || return $s_err |
| 98 | } |
| 99 | |
| 100 | function tod_upins |
| 101 | { |
| 102 | __upins_module_common || return $s_err |
| 103 | |
| 104 | # Use ceritificates provided by Apache |
| 105 | __mysql_do_dummy_cert || return $s_err |
| 106 | } |
| 107 | |
| 108 | function tod_doall |
| 109 | { |
| 110 | tod_doins |
| 111 | } |
| 112 | |
| 113 | function tod_upall |
| 114 | { |
| 115 | tod_upins |
| 116 | } |
| 117 | |
| 118 | function __mysql_do_dummy_cert_helper |
| 119 | { |
| 120 | # Credits: |
| 121 | # https://techsparx.com/software-development/docker/damp/mysql-ssl-connection.html |
| 122 | |
| 123 | local -r OPENSSL_SUBJ="/C=US/ST=Utopia/L=Neverland" |
| 124 | local -r OPENSSL_CA="${OPENSSL_SUBJ}/CN=dummy-CA" |
| 125 | local -r OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=dummy-server" |
| 126 | local -r OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=dummy-client" |
| 127 | |
| 128 | # Generate new CA certificate ca.pem file. |
| 129 | openssl genrsa 2048 > $ca_key_f |
| 130 | |
| 131 | # TODO This has interaction that must be automated |
| 132 | openssl req -new -x509 -nodes -days 3600 \ |
| 133 | -subj "${OPENSSL_CA}" \ |
| 134 | -key $ca_key_f -out $ca_f |
| 135 | |
| 136 | # Create the server-side certificates |
| 137 | # This has more interaction that must be automated |
| 138 | |
| 139 | openssl req -newkey rsa:2048 -days 3600 -nodes \ |
| 140 | -subj "${OPENSSL_SERVER}" \ |
| 141 | -keyout $server_key_f -out $server_req_f |
| 142 | openssl rsa -in $server_key_f -out $server_key_f |
| 143 | |
| 144 | openssl x509 -req -in $server_req_f -days 3600 \ |
| 145 | -CA $ca_f -CAkey $ca_key_f -set_serial 01 -out $server_cert_f |
| 146 | |
| 147 | # Create the client-side certificates |
| 148 | openssl req -newkey rsa:2048 -days 3600 -nodes \ |
| 149 | -subj "${OPENSSL_CLIENT}" \ |
| 150 | -keyout $client_key_f -out $client_req_f |
| 151 | openssl rsa -in $client_key_f -out $client_key_f |
| 152 | |
| 153 | openssl x509 -req -in $client_req_f -days 3600 \ |
| 154 | -CA $ca_f -CAkey $ca_key_f -set_serial 01 -out $client_cert_f |
| 155 | |
| 156 | # Verify the certificates are correct |
| 157 | openssl verify -CAfile \ |
| 158 | $ca_f $server_cert_f $client_cert_f || return $s_err |
| 159 | |
| 160 | # Duplicate ca as it needs to be mounted client side |
| 161 | cp -ar $ca_f $ca_dup_f |
| 162 | |
Luigi Santivetti | e30b4c9 | 2020-10-25 21:22:19 +0000 | [diff] [blame^] | 163 | set_mode "0644" $mysql_uid $ca_f \ |
| 164 | $server_key_f $server_req_f $server_cert_f || return $s_err |
| 165 | |
| 166 | # WARNING! The only client expected is apache. This can break other clients |
| 167 | set_mode "0644" "www-data" \ |
| 168 | $ca_dup_f $client_key_f $client_cert_f || return $s_err |
Luigi Santivetti | b52d6d2 | 2020-05-18 00:56:27 +0100 | [diff] [blame] | 169 | |
| 170 | set_mode "0600" $mysql_uid $ca_key_f || return $s_err |
Luigi Santivetti | e30b4c9 | 2020-10-25 21:22:19 +0000 | [diff] [blame^] | 171 | set_mode "0755" root $certificates_d || return $s_err |
Luigi Santivetti | b52d6d2 | 2020-05-18 00:56:27 +0100 | [diff] [blame] | 172 | } |
| 173 | |
| 174 | function __mysql_do_dummy_cert |
| 175 | { |
| 176 | if [ $mysql_has_dummy_certs -eq 1 ]; then |
| 177 | if [ ! -d $certificates_d ]; then |
| 178 | mkdir -p $certificates_d && \ |
| 179 | pushd $certificates_d >/dev/null || return $s_err |
| 180 | __mysql_do_dummy_cert_helper 2>&1 | lets -l -x "openssl" |
| 181 | case "${PIPESTATUS[0]}" in |
| 182 | $s_err ) lets -l -e "failed to make dummy certificates" |
| 183 | popd >/dev/null; return $s_err ;; |
| 184 | esac |
| 185 | popd >/dev/null |
| 186 | fi |
| 187 | fi; |
| 188 | |
| 189 | lets -l -i "$module SSL cert from: ${certificates_d#$script_dir/}" |
| 190 | return $s_ok |
| 191 | } |
| 192 | |
| 193 | function __mysql_do_links |
| 194 | { |
| 195 | # NOTE: container path must match localhost path |
| 196 | # |
| 197 | # i.e. |
| 198 | # localhost:/etc container:/etc OK |
| 199 | # localhost:/home/luigi container:/home/??? NOT OK |
| 200 | # |
| 201 | ln -sf "${certificates_d}" "${certificates_l}" |
| 202 | } |
| 203 | |
| 204 | function __mysql_do_log_files |
| 205 | { |
| 206 | sudo touch $log_error_f $log_general_f $log_query_f || { |
| 207 | lets -l -e "failed to touch log files"; return $s_err |
| 208 | } |
| 209 | |
| 210 | set_mode "0755" $mysql_uid $log_d || { |
| 211 | lets -l -e "failed to set mode $log_d"; return $s_err |
| 212 | } |
| 213 | |
| 214 | set_mode "0644" $mysql_uid $log_error_f $log_general_f $log_query_f || { |
| 215 | lets -l -e "failed to set mode log files"; return $s_err |
| 216 | } |
| 217 | } |
| 218 | |
| 219 | function __mysql_undo_log_files |
| 220 | { |
| 221 | sudo rm -f $log_error_f $log_general_f $log_query_f || { |
| 222 | lets -l -e "failed remove log files"; return $s_err |
| 223 | } |
| 224 | |
| 225 | __mysql_do_log_files |
| 226 | } |