Merge pull request 'Crear certificados durante la instalación de OG' (#4) from tls into main

Reviewed-on: #4

.gitignore

@@ -4,4 +4,5 @@
 __pycache__/
 installer/post-update
 *.swp
+.vagrant
 *.o

admin/WebConsole/includes/restfunctions.php

@@ -1,7 +1,7 @@
 
 <?php
 
-define('OG_REST_URL', 'http://127.0.0.1:8888/');
+include_once (__DIR__ . '/../../etc/php-vars.php');
 
 define('GET', 1);
 define('POST', 2);
@@ -74,6 +74,8 @@ function common_request($command, $type, $data = null) {
 	curl_setopt($curl, CURLOPT_HTTPHEADER, array(
 		OG_REST_API_TOKEN,
 	));
+	curl_setopt ($curl, CURLOPT_SSLCERT, __DIR__ . '/../../etc/ssl/WebConsole.crt.pem');
+	curl_setopt ($curl, CURLOPT_SSLKEY,  __DIR__ . '/../../etc/ssl/WebConsole.key.pem');
 
 	switch ($type) {
 		default:

installer/opengnsys_installer.sh

@@ -128,8 +128,10 @@ function globalSetup ()
 	OPENGNSYS_SERVER="opengnsys.es"
 	DOWNLOADURL="https://$OPENGNSYS_SERVER/trac/downloads"
 	if [ -d "$PROGRAMDIR/../installer" ]; then
+		echo REMOTE=0
 		REMOTE=0
 	else
+		echo REMOTE=1
 		REMOTE=1
 	fi
 	BRANCH="main"
@@ -189,7 +191,7 @@ OSVERSION="${OSVERSION%%.*}"
 # Configuración según la distribución GNU/Linux (usar minúsculas).
 case "$OSDISTRIB" in
 	ubuntu|debian|linuxmint)
-		DEPENDENCIES=( subversion apache2 php php-ldap php-fpm mysql-server php-mysql isc-dhcp-server bittorrent tftp-hpa tftpd-hpa xinetd build-essential g++-multilib libmysqlclient-dev wget curl doxygen graphviz bittornado ctorrent samba rsync unzip netpipes debootstrap schroot squashfs-tools btrfs-tools procps arp-scan realpath php-curl gettext moreutils jq wakeonlan udpcast libev-dev libjansson-dev libssl-dev shim-signed grub-efi-amd64-signed gawk libdbi-dev libdbi1 libdbd-mysql liblz4-tool )
+		DEPENDENCIES=( subversion apache2 php php-ldap php-fpm mysql-server php-mysql isc-dhcp-server bittorrent tftp-hpa tftpd-hpa xinetd build-essential g++-multilib libmysqlclient-dev wget curl doxygen graphviz bittornado ctorrent samba rsync unzip netpipes debootstrap schroot squashfs-tools btrfs-tools procps arp-scan realpath php-curl gettext moreutils jq wakeonlan udpcast libev-dev libjansson-dev libssl-dev shim-signed grub-efi-amd64-signed gawk libdbi-dev libdbi1 libdbd-mysql liblz4-tool git stunnel4 )
 		UPDATEPKGLIST="apt-get update"
 		INSTALLPKG="apt-get -y install --force-yes"
 		CHECKPKG="dpkg -s \$package 2>/dev/null | grep Status | grep -qw install"
@@ -225,6 +227,9 @@ case "$OSDISTRIB" in
 		SAMBASERV=smbd
 		SAMBACFGDIR=/etc/samba
 		TFTPCFGDIR=/var/lib/tftpboot
+		LOCAL_CERTS_DIR=/usr/local/share/ca-certificates
+		UPDATE_CA_CMD=update-ca-certificates
+		STUNNEL_CAPATH=/etc/ssl/certs
 		;;
 	fedora|centos)
 		DEPENDENCIES=( subversion httpd mod_ssl php-ldap php-fpm mysql-server mysql-devel mysql-devel.i686 php-mysql dhcp tftp-server tftp xinetd binutils gcc gcc-c++ glibc-devel glibc-devel.i686 glibc-static glibc-static.i686 libstdc++-devel.i686 make wget curl doxygen graphviz ctorrent samba samba-client rsync unzip debootstrap schroot squashfs-tools python-crypto arp-scan procps-ng gettext moreutils jq net-tools udpcast libev-devel jansson-devel openssl-devel shim-x64 grub2-efi-x64 grub2-efi-x64-modules gawk libdbi-devel libdbi libdbi-dbd-mysql http://ftp.altlinux.org/pub/distributions/ALTLinux/5.1/branch/$(arch)/RPMS.classic/netpipes-4.2-alt1.$(arch).rpm )
@@ -264,6 +269,9 @@ case "$OSDISTRIB" in
 		SAMBACFGDIR=/etc/samba
 		TFTPSERV=tftp
 		TFTPCFGDIR=/var/lib/tftpboot
+		LOCAL_CERTS_DIR=/etc/pki/ca-trust/source/anchors
+		UPDATE_CA_CMD=update-ca-trust
+		STUNNEL_CAPATH=/etc/pki/tls/certs
 		;;
 	"") 	echo "ERROR: Unknown Linux distribution, please install \"lsb_release\" command."
 		exit 1 ;;
@@ -1102,6 +1110,13 @@ function installWebFiles()
 	echoAndLog "${FUNCNAME}(): Web files installed successfully."
 }
 
+function configurePHPvars()
+{
+    OGADMSRV_HOSTNAME=$1
+    OGADMSRV_PORT=$2
+    sed "s/__OGADMSRV_HOSTNAME__/$OGADMSRV_HOSTNAME/; s/__OGADMSRV_PORT__/$OGADMSRV_PORT/" <$WORKDIR/opengnsys/server/etc/php-vars.php.tmpl >$INSTALL_TARGET/etc/php-vars.php
+}
+
 # Copiar ficheros en la zona de descargas de OpenGnsys Web Console.
 function installDownloadableFiles()
 {
@@ -1325,6 +1340,251 @@ function copyServerFiles ()
 	popd
 }
 
+####################################################################
+### Funciones de TLS
+####################################################################
+
+CA_DIR=/root/CA
+OG_BASEDIR=/opt/opengnsys
+
+function gatherCertsInfo()
+{
+    ERRORS=0
+    ## BUG cuando REMOTE=1, $WORKDIR/opengnsys es el contenido del zip (producido al vuelo con 'git archive'), y naturalmente no contiene ./user-certs
+    ##     este código debe buscar los certificados en otro sitio adicional
+    if [ -f $WORKDIR/opengnsys/user-certs/ca.crt.pem ]; then
+        echoAndLog "CA provided by the user, checking presence of all certificates"
+
+        TLS_DATA_CA_CERTFILE=$WORKDIR/opengnsys/user-certs/ca.crt.pem
+        TLS_DATA_OGADMSRV_CERTFILE=$WORKDIR/opengnsys/user-certs/ogAdmSrv.crt.pem
+        TLS_DATA_OGADMSRV_KEYFILE=$WORKDIR/opengnsys/user-certs/ogAdmSrv.key.pem
+        TLS_DATA_WEBCONSOLE_CERTFILE=$WORKDIR/opengnsys/user-certs/WebConsole.crt.pem
+        TLS_DATA_WEBCONSOLE_KEYFILE=$WORKDIR/opengnsys/user-certs/WebConsole.key.pem
+
+        ## el usuario tiene que facilitar todos los certificados
+        ## si falta alguno, no podemos generarlo aquí porque habría que tener la privkey de la CA, y el usuario no nos la debe dar
+        if [ ! -f $TLS_DATA_OGADMSRV_CERTFILE   ]; then errorAndLog "ogAdmSrv certificate not found";   ERRORS=1; fi
+        if [ ! -f $TLS_DATA_OGADMSRV_KEYFILE    ]; then errorAndLog "ogAdmSrv privkey not found";       ERRORS=1; fi
+        if [ ! -f $TLS_DATA_WEBCONSOLE_CERTFILE ]; then errorAndLog "WebConsole certificate not found"; ERRORS=1; fi
+        if [ ! -f $TLS_DATA_WEBCONSOLE_KEYFILE  ]; then errorAndLog "WebConsole privkey not found";     ERRORS=1; fi
+
+        if [ $ERRORS -eq 0 ]; then
+            ## validar que las privkeys no tengan contraseña para que opengnsys pueda arrancar de forma desatendida
+            if ! openssl rsa -in $TLS_DATA_OGADMSRV_KEYFILE   -passin pass:42 -noout; then errorAndLog "ogAdmSrv privkey is encrypted";   ERRORS=1; fi
+            if ! openssl rsa -in $TLS_DATA_WEBCONSOLE_KEYFILE -passin pass:42 -noout; then errorAndLog "WebConsole privkey is encrypted"; ERRORS=1; fi
+
+            if [ $ERRORS -eq 0 ]; then
+                # obtener los subject de cada certificado
+                # la salida de openssl es tal que "subject=C = ES, ST = Madrid, L = Madrid, CN = test.example.org"
+                # con el sed cocinamos la salida
+                # además añadimos un / al principio para que el CN final sea correcto: "/C=ES/ST=Madrid/L=Madrid/CN=test.opengnsys.local"
+                TLS_DATA_CA_SUBJ=/$(        openssl x509 -in $TLS_DATA_CA_CERTFILE         -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+                TLS_DATA_OGADMSRV_SUBJ=/$(  openssl x509 -in $TLS_DATA_OGADMSRV_CERTFILE   -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+                TLS_DATA_WEBCONSOLE_SUBJ=/$(openssl x509 -in $TLS_DATA_WEBCONSOLE_CERTFILE -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+
+                # obtener CN a partir del subject
+                TLS_DATA_CA_CN=$(         echo $TLS_DATA_CA_SUBJ         |sed 's/.*CN=\([^/$]*\).*/\1/')
+                TLS_DATA_OGADMSRV_CN=$(   echo $TLS_DATA_OGADMSRV_SUBJ   |sed 's/.*CN=\([^/$]*\).*/\1/')
+                TLS_DATA_WEBCONSOLE_CN=$( echo $TLS_DATA_WEBCONSOLE_SUBJ |sed 's/.*CN=\([^/$]*\).*/\1/')
+
+                # los CN de los componentes que aceptan conexiones deberían resolver a una IP
+                if ! nslookup $TLS_DATA_OGADMSRV_CN &>/dev/null; then errorAndLog "ogAdmSrv CN doesn't resolve to an IP"; ERRORS=1; fi
+
+                if [ $ERRORS -eq 0 ]; then
+                    echoAndLog "Provided CA and certs are ok"
+                fi
+            fi
+        fi
+    fi
+
+    ## aquí también hay que tener en cuenta el sitio adicional para los user-certs
+    if [ ! -f $WORKDIR/opengnsys/user-certs/ca.crt.pem -o $ERRORS -eq 1 ]; then
+        echoAndLog "CA and certs not provided by the user or issues found, we will generate a new CA and all certs"
+
+        TLS_DATA_CA_CN=ca.opengnsys.local
+        TLS_DATA_CA_SUBJ=/CN=ca.opengnsys.local
+        TLS_DATA_CA_CERTFILE=$CA_DIR/certs/ca.crt.pem
+        TLS_DATA_CA_EXPIRY=7300           # this variable is used later to make some decisions
+
+        TLS_DATA_OGADMSRV_CN=ogAdmSrv.opengnsys.local
+        TLS_DATA_OGADMSRV_SUBJ=/CN=ogAdmSrv.opengnsys.local
+        TLS_DATA_OGADMSRV_CERTFILE=$CA_DIR/certs/ogAdmSrv.crt.pem
+        TLS_DATA_OGADMSRV_KEYFILE=$CA_DIR/private/ogAdmSrv.key.pem
+        TLS_DATA_OGADMSRV_EXPIRY=375
+
+        TLS_DATA_WEBCONSOLE_CN=WebConsole.opengnsys.local
+        TLS_DATA_WEBCONSOLE_SUBJ=/CN=WebConsole.opengnsys.local
+        TLS_DATA_WEBCONSOLE_CERTFILE=$CA_DIR/certs/WebConsole.crt.pem
+        TLS_DATA_WEBCONSOLE_KEYFILE=$CA_DIR/private/WebConsole.key.pem
+        TLS_DATA_WEBCONSOLE_EXPIRY=375
+    fi
+
+    # otras cosas de TLS no cubiertas arriba por no estar relacionadas con los certificados
+    TLS_DATA_OGADMSRV_LISTEN_PORT=48888
+
+    return 0
+}
+
+function _genCA ()
+{
+    SUBJ=$1
+    EXPIRY_DAYS=$2
+    openssl genrsa -out private/ca.key.pem 4096
+    openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days $EXPIRY_DAYS -sha256 -subj $SUBJ -out certs/ca.crt.pem
+
+    return 0
+}
+
+function _genCert ()
+{
+    COMPONENT=$1
+    SUBJ=$2
+    EXPIRY_DAYS=$3
+
+    openssl genrsa -out private/$COMPONENT.key.pem 2048
+    openssl req -config openssl.cnf -key private/$COMPONENT.key.pem -new -sha256 -subj $SUBJ -out csr/$COMPONENT.csr.pem
+    openssl ca -config openssl.cnf -batch -days $EXPIRY_DAYS -notext -md sha256 -in csr/$COMPONENT.csr.pem -out certs/$COMPONENT.crt.pem
+
+    return 0
+}
+
+function genAllCerts ()
+{
+    mkdir -p $CA_DIR
+    pushd $CA_DIR
+    cat >openssl.cnf <<EOF
+[ca]
+default_ca = CA_default
+
+[CA_default]
+dir                    = $CA_DIR
+certs                  = $CA_DIR/certs
+new_certs_dir          = $CA_DIR/newcerts
+database               = $CA_DIR/index.txt
+serial                 = $CA_DIR/serial
+default_md             = sha256
+policy                 = policy_loose
+
+private_key            = $CA_DIR/private/ca.key.pem
+certificate            = $CA_DIR/certs/ca.crt.pem
+
+[policy_loose]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+[req]
+default_bits           = 2048
+distinguished_name     = req_distinguished_name
+default_md             = sha256
+
+[req_distinguished_name]
+countryName            = Country Name (2 letter code)
+EOF
+    mkdir certs csr newcerts private
+    chmod 0700 private
+    touch index.txt index.txt.attr
+    echo 1000 >serial
+
+    _genCA              $TLS_DATA_CA_SUBJ         $TLS_DATA_CA_EXPIRY
+    _genCert ogAdmSrv   $TLS_DATA_OGADMSRV_SUBJ   $TLS_DATA_OGADMSRV_EXPIRY
+    _genCert WebConsole $TLS_DATA_WEBCONSOLE_SUBJ $TLS_DATA_WEBCONSOLE_EXPIRY
+
+    popd
+    return 0
+}
+
+function installAllCerts ()
+{
+    mkdir -p $OG_BASEDIR/etc/ssl
+
+    ## CA cert goes to the OS store
+    cp $TLS_DATA_CA_CERTFILE $LOCAL_CERTS_DIR/opengnsys-ca.crt
+
+    ## ogAdmSrv cert & key go to the application store
+    cp $TLS_DATA_OGADMSRV_CERTFILE $TLS_DATA_OGADMSRV_KEYFILE $OG_BASEDIR/etc/ssl/
+    ## certs of ogAdmSrv clients go to the OS store (stunnel seems to require this)
+    cp $TLS_DATA_WEBCONSOLE_CERTFILE $LOCAL_CERTS_DIR/opengnsys-WebConsole.crt
+
+    ## WebConsole cert & key go to the application store
+    cp $TLS_DATA_WEBCONSOLE_CERTFILE $TLS_DATA_WEBCONSOLE_KEYFILE $OG_BASEDIR/etc/ssl/
+
+    $UPDATE_CA_CMD
+    chgrp stunnel4 $OG_BASEDIR/etc/ssl/*
+
+    return 0
+}
+
+# si generamos nuestros propios certificados, los CNs tienen que resolver a alguna IP
+# no podemos dar por hecho que algún servidor DNS por ahí fuera resuelva los CNs que hemos generado al instalar
+function makeCommonNamesResolvable ()
+{
+    # ogAdmSrv
+	local i=0
+	for dev in ${DEVICE[*]}; do
+	    echoAndLog "${FUNCNAME}(): evaluating dev (${DEVICE[i]}) against defaultdev ($DEFAULTDEV)"
+		if [ "${DEVICE[i]}" == "$DEFAULTDEV" ]; then
+            ETC_HOSTS_IP=${SERVERIP[i]}
+	        echoAndLog "${FUNCNAME}(): will use dev (${DEVICE[i]}) IP ($ETC_HOSTS_IP)"
+            break
+		fi
+		let i++
+	done
+
+    if [ -z $ETC_HOSTS_IP ]; then
+	    echoAndLog "${FUNCNAME}(): Don't know what IP address to add to /etc/hosts for ogAdmSrv"
+    else
+        echo "$ETC_HOSTS_IP  $TLS_DATA_OGADMSRV_CN" >>/etc/hosts
+    fi
+
+    return 0
+}
+
+function configureStunnel ()
+{
+	local i=0
+	for dev in ${DEVICE[*]}; do
+	    echoAndLog "${FUNCNAME}(): evaluating dev (${DEVICE[i]}) against defaultdev ($DEFAULTDEV)"
+		if [ "${DEVICE[i]}" == "$DEFAULTDEV" ]; then
+            LISTEN_IP=${SERVERIP[i]}
+	        echoAndLog "${FUNCNAME}(): will use dev (${DEVICE[i]}) IP ($LISTEN_IP)"
+            break
+		fi
+		let i++
+	done
+
+    if [ -z $LISTEN_IP ]; then
+	    echoAndLog "${FUNCNAME}(): Don't know what IP address to listen on"
+        return 1
+    fi
+
+    cat >/etc/stunnel/ogAdmSrv.conf <<EOF
+setuid = stunnel4
+setgid = stunnel4
+pid = /var/run/stunnel4/ogAdmSrv.pid
+
+[ogAdmSrv]
+accept = $LISTEN_IP:$TLS_DATA_OGADMSRV_LISTEN_PORT
+connect = 127.0.0.1:8888
+cert = $OG_BASEDIR/etc/ssl/ogAdmSrv.crt.pem
+key = $OG_BASEDIR/etc/ssl/ogAdmSrv.key.pem
+capath = $STUNNEL_CAPATH
+requireCert = yes
+verifyPeer = yes
+verifyChain = yes
+EOF
+
+    sed -i -e '/^ENABLED=/s/0/1/' /etc/default/stunnel4
+    service=stunnel4
+    $STARTSERVICE
+    return 0
+}
+
+
 ####################################################################
 ### Funciones de compilación de código fuente de servicios
 ####################################################################
@@ -1707,6 +1967,21 @@ else
 	ln -fs "$(dirname $PROGRAMDIR)" opengnsys
 fi
 
+# TLS
+gatherCertsInfo
+if [ $? -ne 0 ]; then
+	errorAndLog 'Not all required certificates have been provided, or privkey or DNS issues'
+	exit 1
+fi
+[ $TLS_DATA_CA_EXPIRY ] && genAllCerts                  ## el usuario no nos ha dado sus certificados: generamos unos
+installAllCerts
+[ $TLS_DATA_CA_EXPIRY ] && makeCommonNamesResolvable    ## el usuario no nos ha dado sus certificados: configuramos resolución de nombres en /etc/hosts
+configureStunnel
+if [ $? -ne 0 ]; then
+	errorAndLog 'Error while setting stunnel up'
+	exit 1
+fi
+
 # Compilar código fuente de los servicios de OpenGnsys.
 servicesCompilation
 if [ $? -ne 0 ]; then
@@ -1826,6 +2101,8 @@ rm -f $TMPMYCNF
 
 # Copiando páqinas web.
 installWebFiles
+# Configurar variables de PHP
+configurePHPvars $TLS_DATA_OGADMSRV_CN $TLS_DATA_OGADMSRV_LISTEN_PORT
 # Descargar/descomprimir archivos descargables.
 installDownloadableFiles
 # Generar páqinas web de documentación de la API

installer/opengnsys_installer_devel_esxi.sh

@@ -130,17 +130,18 @@ function globalSetup ()
 	OPENGNSYS_SERVER="opengnsys.es"
 	DOWNLOADURL="https://$OPENGNSYS_SERVER/trac/downloads"
 	if [ -d "$PROGRAMDIR/../installer" ]; then
+		echo REMOTE=0
 		REMOTE=0
 	else
+		echo REMOTE=1
 		REMOTE=1
 	fi
 	BRANCH=$1 
 	if [[ -z $BRANCH ]]; then 
 		BRANCH="main"
 	fi 
-	CODE_URL="https://codeload.github.com/opengnsys/OpenGnsys/zip/$BRANCH"
 	API_URL="https://api.github.com/repos/opengnsys/OpenGnsys"
-	GIT_REPO="ssh://git@ognproject.evlt.uma.es:222/unizar/opengnsys.git"
+	GIT_REPO="ssh://git@ognproject.evlt.uma.es:21987/opengnsys/opengnsys.git"
 
 	# Directorios de instalación y destino de OpenGnsys.
 	WORKDIR=/tmp/opengnsys_installer
@@ -199,7 +200,7 @@ OSVERSION="${OSVERSION%%.*}"
 # Configuración según la distribución GNU/Linux (usar minúsculas).
 case "$OSDISTRIB" in
 	ubuntu|debian|linuxmint)
-		DEPENDENCIES=( subversion apache2 php php-ldap php-fpm mysql-server php-mysql isc-dhcp-server bittorrent tftp-hpa tftpd-hpa xinetd build-essential g++-multilib libmysqlclient-dev wget curl doxygen graphviz bittornado ctorrent samba rsync unzip netpipes debootstrap schroot squashfs-tools btrfs-tools procps arp-scan realpath php-curl gettext moreutils jq wakeonlan udpcast libev-dev libjansson-dev libssl-dev shim-signed grub-efi-amd64-signed gawk libdbi-dev libdbi1 libdbd-mysql liblz4-tool )
+		DEPENDENCIES=( subversion apache2 php php-ldap php-fpm mysql-server php-mysql isc-dhcp-server bittorrent tftp-hpa tftpd-hpa xinetd build-essential g++-multilib libmysqlclient-dev wget curl doxygen graphviz bittornado ctorrent samba rsync unzip netpipes debootstrap schroot squashfs-tools btrfs-tools procps arp-scan realpath php-curl gettext moreutils jq wakeonlan udpcast libev-dev libjansson-dev libssl-dev shim-signed grub-efi-amd64-signed gawk libdbi-dev libdbi1 libdbd-mysql liblz4-tool git stunnel4 )
 		UPDATEPKGLIST="apt-get update"
 		INSTALLPKG="apt-get -y install --force-yes"
 		CHECKPKG="dpkg -s \$package 2>/dev/null | grep Status | grep -qw install"
@@ -235,6 +236,9 @@ case "$OSDISTRIB" in
 		SAMBASERV=smbd
 		SAMBACFGDIR=/etc/samba
 		TFTPCFGDIR=/var/lib/tftpboot
+		LOCAL_CERTS_DIR=/usr/local/share/ca-certificates
+		UPDATE_CA_CMD=update-ca-certificates
+		STUNNEL_CAPATH=/etc/ssl/certs
 		;;
 	fedora|centos)
 		DEPENDENCIES=( subversion httpd mod_ssl php-ldap php-fpm mysql-server mysql-devel mysql-devel.i686 php-mysql dhcp tftp-server tftp xinetd binutils gcc gcc-c++ glibc-devel glibc-devel.i686 glibc-static glibc-static.i686 libstdc++-devel.i686 make wget curl doxygen graphviz ctorrent samba samba-client rsync unzip debootstrap schroot squashfs-tools python-crypto arp-scan procps-ng gettext moreutils jq net-tools udpcast libev-devel jansson-devel openssl-devel shim-x64 grub2-efi-x64 grub2-efi-x64-modules gawk libdbi-devel libdbi libdbi-dbd-mysql http://ftp.altlinux.org/pub/distributions/ALTLinux/5.1/branch/$(arch)/RPMS.classic/netpipes-4.2-alt1.$(arch).rpm )
@@ -274,6 +278,9 @@ case "$OSDISTRIB" in
 		SAMBACFGDIR=/etc/samba
 		TFTPSERV=tftp
 		TFTPCFGDIR=/var/lib/tftpboot
+		LOCAL_CERTS_DIR=/etc/pki/ca-trust/source/anchors
+		UPDATE_CA_CMD=update-ca-trust
+		STUNNEL_CAPATH=/etc/pki/tls/certs
 		;;
 	"") 	echo "ERROR: Unknown Linux distribution, please install \"lsb_release\" command."
 		exit 1 ;;
@@ -829,8 +836,7 @@ function downloadCode()
 
 	echoAndLog "${FUNCNAME}(): downloading code..."
 
-	# curl "${url}" -o opengnsys.zip && unzip opengnsys.zip && mv "OpenGnsys-$BRANCH" opengnsys
-	git archive --remote=$url --format zip --output opengnsys.zip --prefix=opengnsys/ $BRANCH && unzip opengnsys.zip
+	GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" git archive --remote=$url --format zip --output opengnsys.zip --prefix=opengnsys/ $BRANCH && unzip opengnsys.zip
 	if [ $? -ne 0 ]; then
 		errorAndLog "${FUNCNAME}(): error getting OpenGnsys code from $url"
 		return 1
@@ -887,8 +893,9 @@ function getNetworkSettings()
 
 	local i=0
 	local dev=""
+
 	echoAndLog "${FUNCNAME}(): Detecting network parameters."
-	DEVICE=( $(ip -o link show up | awk '!/loopback/ {sub(/[:@].*/,"",$2); print $2}') ) 
+	DEVICE=( $(ip -o link show up | awk '!/loopback/ {sub(/[:@].*/,"",$2); print $2}') )
 	if [ -z "$DEVICE" ]; then
 		errorAndLog "${FUNCNAME}(): Network devices not detected."
 		exit 1
@@ -1116,6 +1123,13 @@ function installWebFiles()
 	echoAndLog "${FUNCNAME}(): Web files installed successfully."
 }
 
+function configurePHPvars()
+{
+    OGADMSRV_HOSTNAME=$1
+    OGADMSRV_PORT=$2
+    sed "s/__OGADMSRV_HOSTNAME__/$OGADMSRV_HOSTNAME/; s/__OGADMSRV_PORT__/$OGADMSRV_PORT/" <$WORKDIR/opengnsys/server/etc/php-vars.php.tmpl >$INSTALL_TARGET/etc/php-vars.php
+}
+
 # Copiar ficheros en la zona de descargas de OpenGnsys Web Console.
 function installDownloadableFiles()
 {
@@ -1339,6 +1353,251 @@ function copyServerFiles ()
 	popd
 }
 
+####################################################################
+### Funciones de TLS
+####################################################################
+
+CA_DIR=/root/CA
+OG_BASEDIR=/opt/opengnsys
+
+function gatherCertsInfo()
+{
+    ERRORS=0
+    ## BUG cuando REMOTE=1, $WORKDIR/opengnsys es el contenido del zip (producido al vuelo con 'git archive'), y naturalmente no contiene ./user-certs
+    ##     este código debe buscar los certificados en otro sitio adicional
+    if [ -f $WORKDIR/opengnsys/user-certs/ca.crt.pem ]; then
+        echoAndLog "CA provided by the user, checking presence of all certificates"
+
+        TLS_DATA_CA_CERTFILE=$WORKDIR/opengnsys/user-certs/ca.crt.pem
+        TLS_DATA_OGADMSRV_CERTFILE=$WORKDIR/opengnsys/user-certs/ogAdmSrv.crt.pem
+        TLS_DATA_OGADMSRV_KEYFILE=$WORKDIR/opengnsys/user-certs/ogAdmSrv.key.pem
+        TLS_DATA_WEBCONSOLE_CERTFILE=$WORKDIR/opengnsys/user-certs/WebConsole.crt.pem
+        TLS_DATA_WEBCONSOLE_KEYFILE=$WORKDIR/opengnsys/user-certs/WebConsole.key.pem
+
+        ## el usuario tiene que facilitar todos los certificados
+        ## si falta alguno, no podemos generarlo aquí porque habría que tener la privkey de la CA, y el usuario no nos la debe dar
+        if [ ! -f $TLS_DATA_OGADMSRV_CERTFILE   ]; then errorAndLog "ogAdmSrv certificate not found";   ERRORS=1; fi
+        if [ ! -f $TLS_DATA_OGADMSRV_KEYFILE    ]; then errorAndLog "ogAdmSrv privkey not found";       ERRORS=1; fi
+        if [ ! -f $TLS_DATA_WEBCONSOLE_CERTFILE ]; then errorAndLog "WebConsole certificate not found"; ERRORS=1; fi
+        if [ ! -f $TLS_DATA_WEBCONSOLE_KEYFILE  ]; then errorAndLog "WebConsole privkey not found";     ERRORS=1; fi
+
+        if [ $ERRORS -eq 0 ]; then
+            ## validar que las privkeys no tengan contraseña para que opengnsys pueda arrancar de forma desatendida
+            if ! openssl rsa -in $TLS_DATA_OGADMSRV_KEYFILE   -passin pass:42 -noout; then errorAndLog "ogAdmSrv privkey is encrypted";   ERRORS=1; fi
+            if ! openssl rsa -in $TLS_DATA_WEBCONSOLE_KEYFILE -passin pass:42 -noout; then errorAndLog "WebConsole privkey is encrypted"; ERRORS=1; fi
+
+            if [ $ERRORS -eq 0 ]; then
+                # obtener los subject de cada certificado
+                # la salida de openssl es tal que "subject=C = ES, ST = Madrid, L = Madrid, CN = test.example.org"
+                # con el sed cocinamos la salida
+                # además añadimos un / al principio para que el CN final sea correcto: "/C=ES/ST=Madrid/L=Madrid/CN=test.opengnsys.local"
+                TLS_DATA_CA_SUBJ=/$(        openssl x509 -in $TLS_DATA_CA_CERTFILE         -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+                TLS_DATA_OGADMSRV_SUBJ=/$(  openssl x509 -in $TLS_DATA_OGADMSRV_CERTFILE   -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+                TLS_DATA_WEBCONSOLE_SUBJ=/$(openssl x509 -in $TLS_DATA_WEBCONSOLE_CERTFILE -subject -noout |sed 's/^subject=//; s/ *//g; s/,/\//g')
+
+                # obtener CN a partir del subject
+                TLS_DATA_CA_CN=$(         echo $TLS_DATA_CA_SUBJ         |sed 's/.*CN=\([^/$]*\).*/\1/')
+                TLS_DATA_OGADMSRV_CN=$(   echo $TLS_DATA_OGADMSRV_SUBJ   |sed 's/.*CN=\([^/$]*\).*/\1/')
+                TLS_DATA_WEBCONSOLE_CN=$( echo $TLS_DATA_WEBCONSOLE_SUBJ |sed 's/.*CN=\([^/$]*\).*/\1/')
+
+                # los CN de los componentes que aceptan conexiones deberían resolver a una IP
+                if ! nslookup $TLS_DATA_OGADMSRV_CN &>/dev/null; then errorAndLog "ogAdmSrv CN doesn't resolve to an IP"; ERRORS=1; fi
+
+                if [ $ERRORS -eq 0 ]; then
+                    echoAndLog "Provided CA and certs are ok"
+                fi
+            fi
+        fi
+    fi
+
+    ## aquí también hay que tener en cuenta el sitio adicional para los user-certs
+    if [ ! -f $WORKDIR/opengnsys/user-certs/ca.crt.pem -o $ERRORS -eq 1 ]; then
+        echoAndLog "CA and certs not provided by the user or issues found, we will generate a new CA and all certs"
+
+        TLS_DATA_CA_CN=ca.opengnsys.local
+        TLS_DATA_CA_SUBJ=/CN=ca.opengnsys.local
+        TLS_DATA_CA_CERTFILE=$CA_DIR/certs/ca.crt.pem
+        TLS_DATA_CA_EXPIRY=7300           # this variable is used later to make some decisions
+
+        TLS_DATA_OGADMSRV_CN=ogAdmSrv.opengnsys.local
+        TLS_DATA_OGADMSRV_SUBJ=/CN=ogAdmSrv.opengnsys.local
+        TLS_DATA_OGADMSRV_CERTFILE=$CA_DIR/certs/ogAdmSrv.crt.pem
+        TLS_DATA_OGADMSRV_KEYFILE=$CA_DIR/private/ogAdmSrv.key.pem
+        TLS_DATA_OGADMSRV_EXPIRY=375
+
+        TLS_DATA_WEBCONSOLE_CN=WebConsole.opengnsys.local
+        TLS_DATA_WEBCONSOLE_SUBJ=/CN=WebConsole.opengnsys.local
+        TLS_DATA_WEBCONSOLE_CERTFILE=$CA_DIR/certs/WebConsole.crt.pem
+        TLS_DATA_WEBCONSOLE_KEYFILE=$CA_DIR/private/WebConsole.key.pem
+        TLS_DATA_WEBCONSOLE_EXPIRY=375
+    fi
+
+    # otras cosas de TLS no cubiertas arriba por no estar relacionadas con los certificados
+    TLS_DATA_OGADMSRV_LISTEN_PORT=48888
+
+    return 0
+}
+
+function _genCA ()
+{
+    SUBJ=$1
+    EXPIRY_DAYS=$2
+    openssl genrsa -out private/ca.key.pem 4096
+    openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days $EXPIRY_DAYS -sha256 -subj $SUBJ -out certs/ca.crt.pem
+
+    return 0
+}
+
+function _genCert ()
+{
+    COMPONENT=$1
+    SUBJ=$2
+    EXPIRY_DAYS=$3
+
+    openssl genrsa -out private/$COMPONENT.key.pem 2048
+    openssl req -config openssl.cnf -key private/$COMPONENT.key.pem -new -sha256 -subj $SUBJ -out csr/$COMPONENT.csr.pem
+    openssl ca -config openssl.cnf -batch -days $EXPIRY_DAYS -notext -md sha256 -in csr/$COMPONENT.csr.pem -out certs/$COMPONENT.crt.pem
+
+    return 0
+}
+
+function genAllCerts ()
+{
+    mkdir -p $CA_DIR
+    pushd $CA_DIR
+    cat >openssl.cnf <<EOF
+[ca]
+default_ca = CA_default
+
+[CA_default]
+dir                    = $CA_DIR
+certs                  = $CA_DIR/certs
+new_certs_dir          = $CA_DIR/newcerts
+database               = $CA_DIR/index.txt
+serial                 = $CA_DIR/serial
+default_md             = sha256
+policy                 = policy_loose
+
+private_key            = $CA_DIR/private/ca.key.pem
+certificate            = $CA_DIR/certs/ca.crt.pem
+
+[policy_loose]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied
+emailAddress           = optional
+
+[req]
+default_bits           = 2048
+distinguished_name     = req_distinguished_name
+default_md             = sha256
+
+[req_distinguished_name]
+countryName            = Country Name (2 letter code)
+EOF
+    mkdir certs csr newcerts private
+    chmod 0700 private
+    touch index.txt index.txt.attr
+    echo 1000 >serial
+
+    _genCA              $TLS_DATA_CA_SUBJ         $TLS_DATA_CA_EXPIRY
+    _genCert ogAdmSrv   $TLS_DATA_OGADMSRV_SUBJ   $TLS_DATA_OGADMSRV_EXPIRY
+    _genCert WebConsole $TLS_DATA_WEBCONSOLE_SUBJ $TLS_DATA_WEBCONSOLE_EXPIRY
+
+    popd
+    return 0
+}
+
+function installAllCerts ()
+{
+    mkdir -p $OG_BASEDIR/etc/ssl
+
+    ## CA cert goes to the OS store
+    cp $TLS_DATA_CA_CERTFILE $LOCAL_CERTS_DIR/opengnsys-ca.crt
+
+    ## ogAdmSrv cert & key go to the application store
+    cp $TLS_DATA_OGADMSRV_CERTFILE $TLS_DATA_OGADMSRV_KEYFILE $OG_BASEDIR/etc/ssl/
+    ## certs of ogAdmSrv clients go to the OS store (stunnel seems to require this)
+    cp $TLS_DATA_WEBCONSOLE_CERTFILE $LOCAL_CERTS_DIR/opengnsys-WebConsole.crt
+
+    ## WebConsole cert & key go to the application store
+    cp $TLS_DATA_WEBCONSOLE_CERTFILE $TLS_DATA_WEBCONSOLE_KEYFILE $OG_BASEDIR/etc/ssl/
+
+    $UPDATE_CA_CMD
+    chgrp stunnel4 $OG_BASEDIR/etc/ssl/*
+
+    return 0
+}
+
+# si generamos nuestros propios certificados, los CNs tienen que resolver a alguna IP
+# no podemos dar por hecho que algún servidor DNS por ahí fuera resuelva los CNs que hemos generado al instalar
+function makeCommonNamesResolvable ()
+{
+    # ogAdmSrv
+	local i=0
+	for dev in ${DEVICE[*]}; do
+	    echoAndLog "${FUNCNAME}(): evaluating dev (${DEVICE[i]}) against defaultdev ($DEFAULTDEV)"
+		if [ "${DEVICE[i]}" == "$DEFAULTDEV" ]; then
+            ETC_HOSTS_IP=${SERVERIP[i]}
+	        echoAndLog "${FUNCNAME}(): will use dev (${DEVICE[i]}) IP ($ETC_HOSTS_IP)"
+            break
+		fi
+		let i++
+	done
+
+    if [ -z $ETC_HOSTS_IP ]; then
+	    echoAndLog "${FUNCNAME}(): Don't know what IP address to add to /etc/hosts for ogAdmSrv"
+    else
+        echo "$ETC_HOSTS_IP  $TLS_DATA_OGADMSRV_CN" >>/etc/hosts
+    fi
+
+    return 0
+}
+
+function configureStunnel ()
+{
+	local i=0
+	for dev in ${DEVICE[*]}; do
+	    echoAndLog "${FUNCNAME}(): evaluating dev (${DEVICE[i]}) against defaultdev ($DEFAULTDEV)"
+		if [ "${DEVICE[i]}" == "$DEFAULTDEV" ]; then
+            LISTEN_IP=${SERVERIP[i]}
+	        echoAndLog "${FUNCNAME}(): will use dev (${DEVICE[i]}) IP ($LISTEN_IP)"
+            break
+		fi
+		let i++
+	done
+
+    if [ -z $LISTEN_IP ]; then
+	    echoAndLog "${FUNCNAME}(): Don't know what IP address to listen on"
+        return 1
+    fi
+
+    cat >/etc/stunnel/ogAdmSrv.conf <<EOF
+setuid = stunnel4
+setgid = stunnel4
+pid = /var/run/stunnel4/ogAdmSrv.pid
+
+[ogAdmSrv]
+accept = $LISTEN_IP:$TLS_DATA_OGADMSRV_LISTEN_PORT
+connect = 127.0.0.1:8888
+cert = $OG_BASEDIR/etc/ssl/ogAdmSrv.crt.pem
+key = $OG_BASEDIR/etc/ssl/ogAdmSrv.key.pem
+capath = $STUNNEL_CAPATH
+requireCert = yes
+verifyPeer = yes
+verifyChain = yes
+EOF
+
+    sed -i -e '/^ENABLED=/s/0/1/' /etc/default/stunnel4
+    service=stunnel4
+    $STARTSERVICE
+    return 0
+}
+
+
 ####################################################################
 ### Funciones de compilación de código fuente de servicios
 ####################################################################
@@ -1721,6 +1980,21 @@ else
 	ln -fs "$(dirname $PROGRAMDIR)" opengnsys
 fi
 
+# TLS
+gatherCertsInfo
+if [ $? -ne 0 ]; then
+	errorAndLog 'Not all required certificates have been provided, or privkey or DNS issues'
+	exit 1
+fi
+[ $TLS_DATA_CA_EXPIRY ] && genAllCerts                  ## el usuario no nos ha dado sus certificados: generamos unos
+installAllCerts
+[ $TLS_DATA_CA_EXPIRY ] && makeCommonNamesResolvable    ## el usuario no nos ha dado sus certificados: configuramos resolución de nombres en /etc/hosts
+configureStunnel
+if [ $? -ne 0 ]; then
+	errorAndLog 'Error while setting stunnel up'
+	exit 1
+fi
+
 # Compilar código fuente de los servicios de OpenGnsys.
 servicesCompilation
 if [ $? -ne 0 ]; then
@@ -1840,6 +2114,8 @@ rm -f $TMPMYCNF
 
 # Copiando páqinas web.
 installWebFiles
+# Configurar variables de PHP
+configurePHPvars $TLS_DATA_OGADMSRV_CN $TLS_DATA_OGADMSRV_LISTEN_PORT
 # Descargar/descomprimir archivos descargables.
 installDownloadableFiles
 # Generar páqinas web de documentación de la API

installer/terraform/main.tf

@@ -20,7 +20,7 @@ provider "esxi" {
 
 resource "esxi_guest" "vmtest-tf" {
   count                   = var.num_clients
-  guest_name              = format("%s-%s","pc11-vagrant-esxi", count.index)
+  guest_name              = format("og-%s-pc%02d", var.ogversion, count.index)
   disk_store              = "almacen.00"
   boot_disk_size          = 50
   memsize		              = 1024
@@ -32,7 +32,7 @@ resource "esxi_guest" "vmtest-tf" {
   nested_esxi        = "y"
 
   network_interfaces {
-    virtual_network = var.virtual_netowrk
+    virtual_network = var.virtual_network
     nic_type        = "e1000"
     mac_address	    =  format("%s:%s",var.mac_prefix, sum([11 , count.index]))
   }

installer/terraform/variables.tf

@@ -1,4 +1,4 @@
-variable "virtual_netowrk" {
+variable "virtual_network" {
     type = string
     default = "test"
 }
@@ -18,3 +18,8 @@ variable "vi_password" {
     sensitive    = true
     default      = "" 
 }
+
+variable "ogversion" {
+    type         = string
+    default      = "test"
+}

installer/vagrant/Vagrantfile-1.1.1d-vbox

@@ -47,8 +47,12 @@ if which curl &>/dev/null; then
 elif which wget &>/dev/null; then
     DOWNLOAD="wget -q -O -"
 fi
-if [[ -f /install-from-repo/installer/opengnsys_installer.sh ]]; then
-    /install-from-repo/installer/opengnsys_installer.sh || exit $?
+if [[ -f /install-from-repo/opengnsys_installer_devel_esxi.sh ]]; then
+    ## installer will have REMOTE=1. Usage: cp installer/opengnsys_installer_devel_esxi.sh .; VAGRANT_VAGRANTFILE=installer/vagrant/Vagrantfile-1.1.1d-vbox INSTALL_FROM_REPO=. vagrant up ogAdministrator; rm -f opengnsys_installer_devel_esxi.sh
+    /install-from-repo/opengnsys_installer_devel_esxi.sh || exit $?
+elif [[ -f /install-from-repo/installer/opengnsys_installer_devel_esxi.sh ]]; then
+    ## installer will have REMOTE=0. Usage:                                                   VAGRANT_VAGRANTFILE=installer/vagrant/Vagrantfile-1.1.1d-vbox INSTALL_FROM_REPO=. vagrant up ogAdministrator
+    /install-from-repo/installer/opengnsys_installer_devel_esxi.sh || exit $?
 else
     BRANCH="opengnsys-#{OGVERSION}"
     $DOWNLOAD "https://raw.githubusercontent.com/opengnsys/OpenGnsys/$BRANCH/installer/opengnsys_installer.sh" | bash || exit $?

installer/vagrant/Vagrantfile-esxi

@@ -99,7 +99,7 @@ fi
 # Download installer 
 BRANCH="$OGVERSION"
 
-curl --show-error --fail -k -L -o opengnsys_installer_devel_esxi.sh https://$GITEA_USER:$GITEA_TOKEN@ognproject.evlt.uma.es/gitea/unizar/opengnsys/raw/branch/${BRANCH}/installer/opengnsys_installer_devel_esxi.sh 
+curl --show-error --fail -k -L -o opengnsys_installer_devel_esxi.sh https://$GITEA_USER:$GITEA_TOKEN@ognproject.evlt.uma.es/gitea/opengnsys/opengnsys/raw/branch/${BRANCH}/installer/opengnsys_installer_devel_esxi.sh
 chmod 755 opengnsys_installer_devel_esxi.sh && ./opengnsys_installer_devel_esxi.sh $BRANCH
 mv /opt/opengnsys/log/bash.log /opt/opengnsys/log/opengnsys_installer.log
 
@@ -130,11 +130,11 @@ EOT
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   # OpenGnsys Server VM definition.
-  config.vm.define "ogAdministrator-#{OGVERSION}", primary: true do |og|
+  config.vm.define "og-#{OGVERSION}-admin", primary: true do |og|
     # Specific VirtualBox configuration.
     og.vm.provider :vmware_esxi do |esxi|
       # VM name, memory and CPUs.
-      esxi.guest_name = "ogAdministrator-#{OGVERSION}"
+      esxi.guest_name = "og-#{OGVERSION}-admin"
       esxi.guest_memsize = SERVERMEM
       esxi.esxi_username = 'root'
       esxi.esxi_password = ESXIPASSWORD
@@ -150,7 +150,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     end
     # VM base and host name.
     og.vm.box = "esxi_clone/dummy"
-    og.vm.hostname = "ogAdministrator-#{OGVERSION}"
+    og.vm.hostname = "og-#{OGVERSION}-admin"
     # Launch provisioning script.
     og.vm.provision "file", source: "config/01-eth1.yaml" , destination: "/tmp/"
     og.vm.provision "shell", inline: OGSERVERSCRIPT , env: {"NETPREFIX" => NETPREFIX , "OGVERSION" => OGVERSION , "GITEA_TOKEN" => GITEA_TOKEN , "GITEA_USER" => GITEA_USER , "DHCPNET" => DHCPNET , "SSH_GIT_KEY_PASS" => SSH_GIT_KEY_PASS }

installer/vagrant/provision_esxi_net.sh

@@ -19,7 +19,7 @@ function checkIfPortgroupExists () {
         if [ $portgroup == $BRANCH ] ; then
                 echo "Portgroup $BRANCH is not going to be created, already exists" 
                 echo "Please Check ESXI configuration" 
-                exit 1  
+                exit 0
         fi 
     done  
 }

server/etc/php-vars.php.tmpl

@@ -0,0 +1,5 @@
+<?php
+// hostname: Common Name of the ogAdmSrv certificate
+// port: the port stunnel4 is listening on
+define('OG_REST_URL', 'https://__OGADMSRV_HOSTNAME__:__OGADMSRV_PORT__/');
+?>