From 39c09798707072699d548080d458e41168e8e7f3 Mon Sep 17 00:00:00 2001
From: Scott Stroud
Date: Thu, 10 Jun 2021 11:18:24 -0600
Subject: [PATCH 1/2] meh
---
 .gitignore | 5 +++
 Dockerfile | 7 +++-
 hardening_manifest.yaml | 12 ++++++-
 scripts/build-image.sh | 4 +++
 scripts/importArtifacts.sh | 68 ++++++++++++++++++++++++++++++++++++++
 5 files changed, 94 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
 create mode 100755 scripts/importArtifacts.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..58ce6e7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+archive.key
+*.whl
+*.jar
+*.tar.gz
+*.rpm
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index ca0892a..a20da8c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,6 +48,7 @@ RUN chown appuser:appuser -R /usr/logs
 # Copy required RPMs
 COPY *.rpm /tmp/
+COPY archive.key /tmp/
 ########################################
 # confluentinc/kafka-images/server
@@ -67,7 +68,8 @@ ENV DOCKER_SCRIPT_DIR=/opt/caas/bin
 EXPOSE 8088
 RUN echo "===> Installing ${COMPONENT}" \
- && dnf install --nogpgcheck -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
+ && rpm --import /tmp/archive.key \
+ && dnf install -y /tmp/confluent-common-${RPM_VERSION}.noarch.rpm \
 /tmp/confluent-security-${RPM_VERSION}.noarch.rpm \
 /tmp/confluent-telemetry-${RPM_VERSION}.noarch.rpm \
 /tmp/confluent-hub-client-${RPM_VERSION}.noarch.rpm \
@@ -87,6 +89,7 @@ COPY cp-${COMPONENT}-operator-*_UsrBin.tar.gz /usr/bin/
 ## For auditing & debugging
 COPY Dockerfile /etc/confluent/ironbank/
 COPY hardening_manifest.yaml /etc/confluent/ironbank/
+COPY maven-artifact-3.8.1.jar /tmp/
 RUN echo "===> Installing operator stuff" \
 && cd /usr/share && tar -xvf *_UsrShareJava.tar.gz && rm *_UsrShareJava.tar.gz \
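Review bot: The switch from `--nogpgcheck` to `rpm --import /tmp/archive.key` is the security-relevant part of this commit, but the Dockerfile does not say where the key's trust comes from, so the next maintainer has no guard against quietly reverting to `--nogpgcheck`; add `# Confluent RPM signing key, pinned by sha256 in hardening_manifest.yaml (archive.key)` above the `rpm --import` line. The key file is also left in `/tmp` after the import; if the RUN chain, which continues past the hunk, does not already clean `/tmp`, append `&& rm -f /tmp/archive.key` to it so the staging copy does not persist in the layer.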
@@ -95,6 +98,8 @@ RUN echo "===> Installing operator stuff" \
 && cd /etc && tar -xvf *_EtcKsqldb.tar.gz && rm *_EtcKsqldb.tar.gz \
 && cd /opt/confluent/ksql && tar -xvf *_OptConfluentKsqlLibs.tar.gz && rm *_OptConfluentKsqlLibs.tar.gz \
 && cd /usr/bin && tar -xvf *_UsrBin.tar.gz && rm *_UsrBin.tar.gz \
+ && find /usr/share/java /opt/confluent/ksql -name "maven-artifact-3.6.3.jar" -execdir cp /tmp/maven-artifact-3.8.1.jar . \; -exec rm {} \; \
+ && chown appuser:appuser /opt/confluent/ksql/libs/maven-artifact-3.8.1.jar && chmod 755 /opt/confluent/ksql/libs/maven-artifact-3.8.1.jar \
 && chown -R appuser:appuser /etc/confluent /etc/${COMPONENT} /usr/logs /usr/bin/ksql /usr/share/java \
 && mkdir -p "${KSQL_LOG4J_DIR}" "${KSQL_SECRETS_DIR}" "${KSQL_CONFIG_DIR}" "${KSQL_DATA_DIR}" "${COMPONENT_SCRIPT_DIR}/${COMPONENT}" \
 && chmod -R ag+w "${KSQL_LOG4J_DIR}" "${KSQL_SECRETS_DIR}" "${KSQL_CONFIG_DIR}" "${KSQL_DATA_DIR}" "/opt" \
diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml
index 074fc2a..7408dc9 100644
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
@@ -217,6 +217,11 @@ resources:
 validation:
 type: sha256
 value: 7e2622a934f04a2e5b23a355f920473ccf0144e946b433bc619a9802c1e3785c
+- filename: archive.key
+ url: https://packages.confluent.io/rpm/6.1/archive.key
+ validation:
+ type: sha256
+ value: b569e9d80bc08b65d342491f8b94e47eb7032701ce17b091f212e1072672a4d5
 - filename: confluent-common-6.1.1-1.noarch.rpm
 url: https://packages.confluent.io/rpm/6.1/confluent-common-6.1.1-1.noarch.rpm
 validation:
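Review bot: `chmod 755` on the swapped-in `/opt/confluent/ksql/libs/maven-artifact-3.8.1.jar` grants an executable bit that a library archive does not need; `chmod 644` is sufficient and matches the least-privilege intent of a hardened image. The jar is copied from `/tmp/maven-artifact-3.8.1.jar` but that staging copy is never removed, so it stays in the final layer; append `&& rm -f /tmp/maven-artifact-3.8.1.jar \` to the same RUN chain. Note also that the explicit `chown`/`chmod` covers only the ksql libs path although `find` also searches `/usr/share/java`; a copy placed there gets its ownership only from the later `chown -R`, and the hard-coded path means the build fails with an unrelated-looking error if no 3.6.3 jar was found under ksql. The RUN command continues beyond the hunk.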
@@ -271,7 +276,12 @@ resources:
 url: https://ironbank-files.s3.amazonaws.com/cp-ksqldb-server-operator-6.1.1.0_UsrBin.tar.gz
 validation:
 type: sha256
- value: d76da0002ea5b36cf3ea788aaeacc55eafc5f8ab4e5807e9d6e3ecc4794066b4
+ value: d76da0002ea5b36cf3ea788aaeacc55eafc5f8ab4e5807e9d6e3ecc4794066b4
+- filename: maven-artifact-3.8.1.jar
+ url: https://repo1.maven.org/maven2/org/apache/maven/maven-artifact/3.8.1/maven-artifact-3.8.1.jar
+ validation:
+ type: sha256
+ value: 9dbd3db15ac4816471e72981cb06ef90f3ffa8be6628dddf7135f7bd69bee0c0
 # List of project maintainers
 maintainers:
diff --git a/scripts/build-image.sh b/scripts/build-image.sh
index ab22f39..4826cb6 100755
--- a/scripts/build-image.sh
+++ b/scripts/build-image.sh
@@ -22,6 +22,8 @@ fi
 BASE_REGISTRY=${BASE_REGISTRY:-'registry1.dso.mil'}
 MANI='hardening_manifest.yaml'
+cd ../
+
 ## parse manifest with yq (https://github.com/mikefarah/yq)
 name=$(yq e '.name' $MANI)
 tags=( $(yq e '.tags.[]' $MANI) )
@@ -55,6 +57,8 @@ for tag in "${tags[@]}";do
 echo "🏷 Tagged build with $BASE_REGISTRY/$name:$tag"
 done
+cd scripts
+
 end=`date +%s`
 duration=$((end-start))
 echo "🏁 Finished $CONTAINER build (${duration} seconds)"
\ No newline at end of file
diff --git a/scripts/importArtifacts.sh b/scripts/importArtifacts.sh
new file mode 100755
index 0000000..3f2b73d
--- /dev/null
+++ b/scripts/importArtifacts.sh
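Review bot: The removed and added `value:` lines for the cp-ksqldb-server-operator UsrBin entry are textually identical here, so this is presumably a whitespace-only edit (indentation or trailing space); if the indentation of `value` changed, confirm it is still nested under `validation:` rather than promoted to a sibling key, since a detached `value` would leave that artifact with no hash for the pipeline to check. The new `maven-artifact-3.8.1.jar` entry itself follows the same url-plus-sha256 shape as the surrounding resources.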
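Review bot: The new unconditional `cd ../` assumes the script is always launched from `scripts/`; run from the repository root it moves to the parent of the checkout, `yq e '.name' $MANI` then reads a missing (or a different) hardening_manifest.yaml, and nothing visible checks the `cd` status. Anchor on the script's own location instead, `cd "$(dirname "${BASH_SOURCE[0]}")/.." || exit 1`, and drop the `cd scripts` added in the second hunk, which does nothing for the caller (a script's working directory does not propagate back) and only masks a failed earlier `cd`. The same cwd assumption recurs in the new importArtifacts.sh, where `mani=$(realpath "../hardening_manifest.yaml")` ignores the PROJECT_HOME the script computes.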
@@ -0,0 +1,68 @@
+
+#!/bin/bash
+
+start=`date +%s`
+
+if [[ -f .env ]]; then
+ echo "Loading in '.env' for values ..."
+ export $(grep -v '^#' .env | xargs)
+ echo " "
+fi
+
+SCRIPTS_HOME="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+PROJECT_HOME=${PROJECT_HOME:-'../'}
+PROJECT_HOME=$(realpath $PROJECT_HOME)
+RESOURCE_HOME=${RESOURCE_HOME:-'../../resources'}
+RESOURCE_HOME=$(realpath $RESOURCE_HOME)
+
+importArtifacts() {
+
+ manifestPath=$1
+ httpdomain=$2
+ resourceDir=$3
+
+ echo -e "\nImporting ${httpdomain} artifacts ..."
+
+ maniDir=$(dirname "$manifestPath")
+
+ # (re)set the filelist.txt
+ mkdir -p $resourceDir
+ prefix="url: "
+ pushd $resourceDir
+ grep $httpdomain $manifestPath | while read -r line ; do
+ url=${line##*$prefix}
+ filename=$(basename "$url")
+
+ if [[ ! -f "$filename" ]]; then
+ echo "downloading ${url} ..."
+ wget $url
+ else
+ echo "Using existing $filename. Run ./clean.sh if thats not desired."
+ fi
+
+ if [[ ! -f "$maniDir/$filename" ]]; then
+ echo "copying $(unknown) into ${maniDir} ..."
+ cp $filename $maniDir/
+ fi
+ done
+ popd
+}
+
+mani=$(realpath "../hardening_manifest.yaml")
+
+importArtifacts $mani 'ironbank-files.s3.amazonaws.com' "$RESOURCE_HOME/ironbank-files"
+importArtifacts $mani 'packages.confluent.io' "$RESOURCE_HOME/confluent"
+importArtifacts $mani 'files.pythonhosted.org' "$RESOURCE_HOME/pythonhosted"
+importArtifacts $mani 'repo1.maven.org' "$RESOURCE_HOME/maven"
+
+echo "Generating hardening_manifest_template.yaml ..."
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/ironbank-files"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/confluent"
+$SCRIPTS_HOME/genManifestTemplate.sh "$RESOURCE_HOME/pythonhosted"
+
+end=`date +%s`
+duration=$((end-start))
+echo "#########################"
+echo "All done (${duration} seconds)"
+echo "#########################"
+
-- 
GitLab
From c2e83154e4fc5effe8bf8c928d04d7072276f20d Mon Sep 17 00:00:00 2001
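Review bot: Nothing in importArtifacts() checks what `wget $url` fetched against the sha256 the same manifest records for that filename, so a tampered, truncated or mirrored-elsewhere download is copied next to hardening_manifest.yaml and built into the image; compare the file with the manifest's `value:` before the copy step, which also means moving the loop off the `grep | while` pipeline so a failure can `return 1` from the function instead of from a subshell. Separately, `echo "copying $(unknown) into ${maniDir} ..."` executes a command named `unknown` (presumably `$filename` was meant), and the blank first line leaves `#!/bin/bash` on line 2 where the kernel ignores it, so the `[[` and `&>` syntax only works if whoever invokes the script picks bash. The unquoted `grep $httpdomain $manifestPath` also treats the domain as a regex; `grep -F --` is the safer form.
```shell
    while read -r line ; do
        url=${line##*$prefix}
        filename=$(basename "$url")
        # … unchanged: download-or-reuse branch …
        # Compare the download with the sha256 the manifest records for this
        # filename (entries are filename / url / validation / type / value).
        expected=$(grep -A4 -F -- "filename: $filename" "$manifestPath" | awk '$1 == "value:" {print $2; exit}')
        if [[ -z "$expected" ]] || ! printf '%s  %s\n' "$expected" "$filename" | sha256sum -c --quiet - ; then
            echo "sha256 check failed for $filename" >&2
            rm -f -- "$filename"
            popd
            return 1
        fi
        # … unchanged: copy into maniDir …
    done < <(grep -F -- "$httpdomain" "$manifestPath")
    popd
```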
From: Scott Stroud
Date: Fri, 11 Jun 2021 10:22:26 -0600
Subject: [PATCH 2/2] update
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index a20da8c..2c3aae0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN pip3 install --no-index --prefix=/usr/local --upgrade --find-links /tmp/pyth
 RUN mkdir -p /usr/logs /licenses \
 && useradd --no-log-init --create-home --shell /bin/bash appuser
-COPY license.txt /licenses
+COPY LICENSE /licenses
 RUN chown appuser:appuser -R /usr/logs
-- 
GitLab