feedback

0c8d43a0 · Scott Stroud · af839488 · 0c8d43a0 · 0c8d43a0 · 0c8d43a0
Commit 0c8d43a0 authored Jun 07, 2021 by Scott Stroud
6 changed files
--- a/.dockerignore
+++ b/.dockerignore
+scripts/build-image.sh
+scripts/genManifestTemplate.sh
+scripts/importArtifacts.sh
\ No newline at end of file
--- a/.gitignore
+++ b/.gitignore
+*.whl
+*.tar.gz
+*.rpm
+jsonnet
\ No newline at end of file
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,8 +14,8 @@
 # limitations under the License.
 ARG BASE_REGISTRY=registry1.dso.mil
-ARG BASE_IMAGE=redhat/ubi/ubi8
+ARG BASE_IMAGE=redhat/openjdk/openjdk11
-ARG BASE_TAG=8.3
+ARG BASE_TAG=1.11
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
@@ -27,11 +27,11 @@ USER root
 ########################################
 ## Install Python
-RUN dnf update -y && \
+RUN dnf update -y && dnf install -y python38.x86_64 python38-pip-wheel.noarch \
-    dnf install -y python38.x86_64 && \
+    && ln -s /usr/bin/python3 /usr/bin/python \
-    dnf install -y python38-pip-wheel.noarch && \
+    && ln -s /usr/bin/pip3 /usr/bin/pip \
-    dnf clean all && \
+    && dnf clean all \
-    rm -rf /var/cache/dnf
+    && rm -rf /var/cache/dnf
 ## Python Installed
 ########################################

--- a/build-image.sh
+++ b/build-image.sh
@@ -22,6 +22,8 @@ fi
 BASE_REGISTRY=${BASE_REGISTRY:-'registry1.dso.mil'}
 MANI='hardening_manifest.yaml'
+cd ../
 ## parse manifest with yq (https://github.com/mikefarah/yq)
 name=$(yq e '.name' $MANI)
 tags=( $(yq e '.tags.[]' $MANI) )
@@ -55,6 +57,8 @@ for tag in "${tags[@]}";do
  echo "🏷 Tagged build with $BASE_REGISTRY/$name:$tag" 
 done
+cd scripts
 end=`date +%s`
 duration=$((end-start))
 echo "🏁 Finished $CONTAINER build (${duration} seconds)"
\ No newline at end of file
--- a/scripts/genManifestTemplate.sh
+++ b/scripts/genManifestTemplate.sh
+if [[ -f .env ]]; then
+    echo "Loading in '.env' for values ..."
+    export $(grep -v '^#' .env | xargs)
+    echo " "
+fi
+VERSION=${VERSION:-'6.1.1.0'}
+SCRIPTS_HOME="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_HOME=${PROJECT_HOME:-'../'}
+PROJECT_HOME=$(realpath $PROJECT_HOME)
+myShaRona () {  
+    myfile=$(basename $1)
+    mydir=$(dirname $1)
+    mkdir -p $mydir
+    if [ ! -e "$mydir/filelist.txt" ] ; then
+        touch "$mydir/filelist.txt"
+    fi
+    if [[ "$OSTYPE" == "darwin"* ]] ; then
+        mySha=$(shasum -a 256 $1 | cut -d " " -f 1)
+    else
+        mySha=$(sha256sum $1 | cut -d " " -f 1)
+    fi
+    echo -e "$myfile | $mySha" >> $mydir/filelist.txt
+}
+filelist () {
+    rm -f $1/filelist.txt
+    for filename in $1/*; do
+        myShaRona $filename
+    done
+}
+if [ $# -eq 0 ]; then
+    echo "filelist.txt or dir path argument required "
+    exit 1
+fi
+# if there is not a filelist.txt, generate one
+if [ -f "$1" ]; then
+    filefile=$(realpath $1)
+elif [ -f "$1/filelist.txt" ]; then
+    filefile=$(realpath $1)/filelist.txt
+elif [ -d "$1" ]; then
+    filefile=$(realpath $1)/filelist.txt
+fi
+filelist $1
+basedir=$(dirname $filefile)
+cd $basedir
+if [[ $filefile == *"ironbank-files"* ]]; then
+    urlPrefix="https://ironbank-files.s3.amazonaws.com"
+elif [[ $filefile == *"confluent"* ]]; then
+    urlPrefix="https://packages.confluent.io/rpm/${VERSION:0:3}"
+elif [[ $filefile == *"pythonhosted"* ]]; then
+    echo "unsupported cause of the weird guid in the path"
+    exit 0
+fi
+echo "resources:" > $basedir/hardened_manifest_template.yaml
+while IFS= read -r line
+do
+IFS=" | " read -a parts <<< $line
+cat >> $basedir/hardened_manifest_template.yaml << EOL
+- filename: ${parts[0]}
+  url: ${urlPrefix}/${parts[0]}
+  validation:
+    type: sha256
+    value: ${parts[1]}
+EOL
+done < "$filefile"
\ No newline at end of file
--- a/scripts/importArtifacts.sh
+++ b/scripts/importArtifacts.sh
+#!/bin/bash
+start=`date +%s`
+if [[ -f .env ]]; then
+    echo "Loading in '.env' for values ..."
+    export $(grep -v '^#' .env | xargs)
+    echo " "
+fi
+SCRIPTS_HOME="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_HOME=${PROJECT_HOME:-'../'}
+PROJECT_HOME=$(realpath $PROJECT_HOME)
+RESOURCE_HOME=${RESOURCE_HOME:-'../../resources'}
+RESOURCE_HOME=$(realpath $RESOURCE_HOME)
+importArtifacts() {
+    manifestPath=$1
+    httpdomain=$2
+    resourceDir=$3
+    echo -e "\nImporting ${httpdomain} artifacts ..."
+    maniDir=$(dirname "$manifestPath")
+    if [[ ! -f "$maniDir/build-image.sh" ]]; then
+        cp build-image.sh $maniDir/
+    fi
+    # (re)set the filelist.txt
+    mkdir -p $resourceDir    
+    prefix="url: "
+    pushd $resourceDir
+        grep $httpdomain $manifestPath | while read -r line ; do
+            url=${line##*$prefix}
+            filename=$(basename "$url")
+            if [[ ! -f "$filename" ]]; then
+                echo "downloading ${url} ..."
+                wget $url            
+            else
+                echo "Using existing $filename. Run ./clean.sh if thats not desired."
+            fi
+            if [[ ! -f "$maniDir/$filename" ]]; then
+                echo "copying ${filename} into ${maniDir} ..."
+                cp $filename $maniDir/
+            fi
+        done
+    popd
+}
+mani=$(realpath "../hardening_manifest.yaml")
+importArtifacts $mani 'ironbank-files.s3.amazonaws.com' "$RESOURCE_HOME/ironbank-files"
+importArtifacts $mani 'packages.confluent.io' "$RESOURCE_HOME/confluent"
+importArtifacts $mani 'files.pythonhosted.org' "$RESOURCE_HOME/pythonhosted"
+echo "Generating hardening_manifest_template.yaml ..."
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/ironbank-files"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/confluent"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/pythonhosted"
+end=`date +%s`
+duration=$((end-start))
+echo "#########################"
+echo "All done (${duration} seconds)"
+echo "#########################"