From: Adam Bishop Date: Wed, 3 Sep 2014 12:35:04 +0000 (+0100) Subject: Adding files for running trust_router on rhel6-ish distributions nicely X-Git-Tag: 1.4~14 X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=7d3e90c80b95645f658a4fc79e1e309327c5966b;hp=c6463173cd418a9aa95d7a0aacf4ca2e93cf02fc;p=trust_router.git Adding files for running trust_router on rhel6-ish distributions nicely
---
diff --git a/redhat/default-main.cfg b/redhat/default-main.cfg
new file mode 100644
index 0000000..51324b4
--- /dev/null
+++ b/redhat/default-main.cfg
@@ -0,0 +1,5 @@
+{"tr_internal":{"max_tree_depth": 4,
+ "hostname":"tr.moonshot.local",
+ "tids_port" : 12309
+ }
+}
diff --git a/redhat/init b/redhat/init
new file mode 100755
index 0000000..7c5900e
--- /dev/null
+++ b/redhat/init
@@ -0,0 +1,308 @@
+#!/bin/bash
+#
+# ntpd This shell script takes care of starting and stopping
+# trust_router.
+#
+# chkconfig: - 58 74
+# description: trust_router is the GSS-EAP trust routing daemon. \
+# GSS-EAP is an IETF standard for providing authentication across \
+# an insecure WAN. \
+
+### BEGIN INIT INFO
+# Provides: trust_router
+# Required-Start: $network $local_fs $remote_fs
+# Required-Stop: $network $local_fs $remote_fs
+# Should-Start: $syslog $named ntpdate
+# Should-Stop: $syslog $named
+# Short-Description: start and stop trust_router
+# Description: trust_router is the GSS-EAP trust routing daemon.
+# GSS-EAP is an IETF standard for providing authentication
+# across an insecure WAN.
+### END INIT INFO
+
+# Source function library.
+. /etc/init.d/functions
+
+# Source networking configuration.
+. /etc/sysconfig/network
+
+# Load the instance configuration
+[ -f /etc/sysconfig/trust_router ] || exit 6
+. /etc/sysconfig/trust_router
+
+# Create the pidfile directory
+mkdir -p /var/run/trust_router
+chown trustrouter:trustrouter /var/run/trust_router
+
+# Does the trust router and wrapper exist
+[ -x /usr/bin/trust_router ] || exit 5
+[ -x /usr/bin/trust_router-wrapper ] || exit 5
+
+# Does the tidc client exist
+[ -x /usr/bin/tidc ] || exit 5
+[ -x /usr/bin/tidc-wrapper ] || exit 5
+
+prog="trust_router-wrapper"
+
+array_contains() {
+ local i
+
+ for i in "${@:2}" ;
+ do
+ [ "${i}" == "${1}" ] && return 0
+ done
+
+ return 1
+}
+
+execute-tidc() {
+ echo -n "Attempting to authenticate to instance ${current_instance}:${current_port}"
+
+ daemon --user="${current_user}" /usr/bin/tidc-wrapper "${current_test_acceptor}" "${current_test_rprealm}" "${current_test_community}" "${current_test_realm}" "${current_port}"
+ tidc_ret=$?
+ + echo + + return ${tidc_ret} +} + +get-config() { + current_instance=${1} + + if [ "${TR_CONFIG_USER[${current_instance}]+abc}" ] ; + then + current_user=${TR_CONFIG_USER[${current_instance}]} + else + current_user=${TR_DEFAULT_USER} + fi + + if [ "${TR_CONFIG_PIDDIR[${current_instance}]+abc}" ] ; + then + current_piddir=${TR_CONFIG_PIDDIR[${current_instance}]} + else + current_piddir=${TR_DEFAULT_PIDDIR} + fi + + if [ "${TR_CONFIG_CFGDIR[${current_instance}]+abc}" ] ; + then + current_cfgdir=${TR_CONFIG_CFGDIR[${current_instance}]} + else + current_cfgdir=${TR_DEFAULT_CFGDIR} + fi + + if [ "${TR_CONFIG_LOGDIR[${current_instance}]+abc}" ] ; + then + current_logdir=${TR_CONFIG_LOGDIR[${current_instance}]} + else + current_logdir=${TR_DEFAULT_LOGDIR} + fi + + if [ "${TR_CONFIG_PORT[${current_instance}]+abc}" ] ; + then + current_port=${TR_CONFIG_PORT[${current_instance}]} + else + current_port=${TR_DEFAULT_PORT} + fi + + if [ "${TR_CONFIG_AUTOSTART[${current_instance}]+abc}" ] ; + then + current_autostart=${TR_CONFIG_AUTOSTART[${current_instance}]} + else + current_autostart=${TR_DEFAULT_AUTOSTART} + fi + + if [ "${TR_CONFIG_ACCEPTOR[${current_instance}]+abc}" ] ; + then + current_test_acceptor=${TR_CONFIG_TEST_ACCEPTOR[${current_instance}]} + else + current_test_acceptor=${TR_DEFAULT_TEST_ACCEPTOR} + fi + + if [ "${TR_CONFIG_RPREALM[${current_instance}]+abc}" ] ; + then + current_test_rprealm=${TR_CONFIG_TEST_RPREALM[${current_instance}]} + else + current_test_rprealm=${TR_DEFAULT_TEST_RPREALM} + fi + + if [ "${TR_CONFIG_TEST_COMMUNITY[${current_instance}]+abc}" ] ; + then + current_test_community=${TR_CONFIG_TEST_COMMUNITY[${current_instance}]} + else + current_test_community=${TR_DEFAULT_TEST_COMMUNITY} + fi + + if [ "${TR_CONFIG_TEST_REALM[${current_instance}]+abc}" ] ; + then + current_test_realm=${TR_CONFIG_TEST_REALM[${current_instance}]} + else + current_test_realm=${TR_DEFAULT_TEST_REALM} + fi +} + +get-pidfile() { + echo 
"${current_piddir}/${current_instance}.pid" +} + +start() { + [ "${EUID}" != "0" ] && exit 4 + [ "${NETWORKING}" = "no" ] && exit 1 + + start_ret=0 + + for i in "${TR_INSTANCES[@]}" + do + get-config "${i}" + + if ${current_autostart} ; + then + start-instance + let "start_ret+=$?" + else + echo "Skipping instance ${current_instance}" + fi + done + + return "${start_ret}" +} + +start-single() { + if array_contains "${1}" "${TR_INSTANCES[@]}" ; + then + get-config "${1}" + + start-instance + return $? + else + echo "Instance ${1} not found..." + + return 1 + fi +} + +start-instance() { + pidfile=$(get-pidfile) + logfile="${current_logdir}/${current_instance}.log" + cfgdir="${current_cfgdir}/${current_instance}/" + + OPTIONS="${pidfile} ${cfgdir} ${logfile}" + + if [ -f "${pidfile}" ] ; + then + local OLD_PID=$(cat "${pidfile}") + + if [ -d "/proc/${OLD_PID}" ] ; + then + echo "Instance ${current_instance} is already running..." + else + echo "Removing stale PID file..." + rm "${pidfile}" + + start-instance + return $? + fi + else + echo -n "Starting instance ${current_instance}..." + daemon --user="${current_user}" --pidfile="${pidfile}" "${prog}" "${OPTIONS}" + echo + fi + + # Give it a few seconds for things to settle + sleep 2 + + execute-tidc + return $? +} + +stop() { + [ "${EUID}" != "0" ] && exit 4 + [ "${NETWORKING}" = "no" ] && exit 1 + + for i in "${TR_INSTANCES[@]}" + do + get-config "${i}" + + pidfile=$(get-pidfile) + + if [ -f "${pidfile}" ] ; + then + stop-instance + else + echo "Instance ${i} does not appear to be running..." + fi + done +} + +stop-single() { + if array_contains "${1}" "${TR_INSTANCES[@]}" ; + then + get-config "${1}" + + stop-instance + else + echo "Instance ${1} not found..." + + return 1 + fi + + return 0 +} + +stop-instance() { + if [ -f "$(get-pidfile)" ] ; + then + echo -n "Stopping instance ${current_instance}..." 
+
+ killproc -p "$(get-pidfile)" "${prog}"
+ echo
+ else
+ echo "Instance ${current_instance} does not appear to be running..."
+ fi
+}
+
+status() {
+ [ "${EUID}" != "0" ] && exit 4
+ [ "${NETWORKING}" = "no" ] && exit 1
+
+ start_ret=0
+
+ for i in "${TR_INSTANCES[@]}"
+ do
+ get-config "${i}"
+
+ execute-tidc
+ let "exec_ret+=$?"
+ done
+
+ return "${exec_ret}"
+}
+
+
+# See how we were called.
+case "${1}" in
+ start)
+ start
+ ;;
+ start-single)
+ start-single "${2}"
+ ;;
+ stop)
+ stop
+ ;;
+ stop-single)
+ stop-single "${2}"
+ ;;
+ status)
+ status "${prog}"
+ ;;
+ restart|force-reload)
+ stop
+ start
+ ;;
+ reload)
+ exit 3
+ ;;
+ *)
+ echo "Usage: ${0} {start|start-single|stop|stop-single|status|restart|force-reload}"
+ exit 2
+esac
diff --git a/redhat/sysconfig b/redhat/sysconfig
new file mode 100644
index 0000000..4530de5
--- /dev/null
+++ b/redhat/sysconfig
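Review bot: In get-config the presence tests for the per-instance test acceptor and RP realm index `TR_CONFIG_ACCEPTOR` and `TR_CONFIG_RPREALM`, while the assignments on the following lines read `TR_CONFIG_TEST_ACCEPTOR` and `TR_CONFIG_TEST_RPREALM` (the names redhat/sysconfig declares), so those two overrides are never applied; the tests should be `if [ "${TR_CONFIG_TEST_ACCEPTOR[${current_instance}]+abc}" ] ;` and `if [ "${TR_CONFIG_TEST_RPREALM[${current_instance}]+abc}" ] ;`. In status() the counter that is initialised is `start_ret=0`, but the loop accumulates into and returns `exec_ret`, which is otherwise unset, so `return "${exec_ret}"` errors when TR_INSTANCES is empty; make that first assignment `exec_ret=0`. /var/run/trust_router is chowned to the unprivileged trustrouter account and trust_router-wrapper writes the pidfile as that account, yet stop-instance runs as root and hands the file to `killproc -p`, and start-instance tests `/proc/${OLD_PID}` with its raw content, so root is acting on data the service account controls; keep the pid directory root-owned (write the pid from the init script, or have the daemon drop privileges only after writing it) and reject non-numeric content with `[[ "${OLD_PID}" =~ ^[0-9]+$ ]]` before use. start-instance also passes `"${OPTIONS}"` as one argument that daemon() from /etc/init.d/functions appears to re-split through the shell, so the three paths it carries break on whitespace; pass pidfile, cfgdir and logfile as separate arguments instead.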
@@ -0,0 +1,44 @@
+##
+## Declare an id tag for each trust router instance
+##
+
+TR_INSTANCES[0]="default"
+TR_INSTANCES[1]="tr-test"
+
+##
+## Declare the default configuration
+##
+
+TR_DEFAULT_USER="trustrouter" # Username to execute the trust router as
+TR_DEFAULT_PIDDIR="/var/run/trust_router" # Directory to store PIDFile in
+TR_DEFAULT_CFGDIR="/etc/trust_router/conf.d" # Config directory
+TR_DEFAULT_LOGDIR="/var/log/trust_router" # Trust router log directories
+TR_DEFAULT_AUTOSTART=true # Default autostart state
+TR_DEFAULT_PORT=12309 # Port instance should be running on
+TR_DEFAULT_TEST_ACCEPTOR="tr.moonshot.local" # Acceptor name to expect when testing
+TR_DEFAULT_TEST_RPREALM="apc.moonshot.local" # RP Realm to assert when testing
+TR_DEFAULT_TEST_COMMUNITY="apc.moonshot.local" # Community to query when testing
+TR_DEFAULT_TEST_REALM="apc.moonshot.local" # Realm to request when testing
+
+##
+## Declare the configuration arrays
+##
+
+declare -A TR_CONFIG_USER
+declare -A TR_CONFIG_PIDDIR
+declare -A TR_CONFIG_CFGDIR
+declare -A TR_CONFIG_LOGDIR
+declare -A TR_CONFIG_PORT
+declare -A TR_CONFIG_AUTOSTART
+declare -A TR_CONFIG_TEST_ACCEPTOR
+declare -A TR_CONFIG_TEST_RPREALM
+declare -A TR_CONFIG_TEST_COMMUNITY
+declare -A TR_CONFIG_TEST_REALM
+
+##
+## Override the default configuation for each instance as required
+##
+
+TR_CONFIG_PORT[tr-test]=12345
+TR_CONFIG_AUTOSTART[tr-test]=false
+
diff --git a/redhat/tidc-wrapper b/redhat/tidc-wrapper
new file mode 100755
index 0000000..20eb974
--- /dev/null
+++ b/redhat/tidc-wrapper
@@ -0,0 +1,4 @@
+#! /usr/bin/env bash
+
+tidc "$@" > /dev/null 2>&1
+exit "${?}"
diff --git a/redhat/tr-test-main.cfg b/redhat/tr-test-main.cfg
new file mode 100644
index 0000000..45f845e
--- /dev/null
+++ b/redhat/tr-test-main.cfg
@@ -0,0 +1,5 @@
+{"tr_internal":{"max_tree_depth": 4,
+ "hostname":"tr.moonshot.local",
+ "tids_port" : 12345
+ }
+}
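Review bot: The autostart values in this file are executed, not just read: redhat/init does `if ${current_autostart}`, so `TR_DEFAULT_AUTOSTART=true` and `TR_CONFIG_AUTOSTART[tr-test]=false` only work because true and false are commands, and any other value an administrator types here would be run as a command by the init script. Say so on the line: `TR_DEFAULT_AUTOSTART=true # Default autostart state (literally true or false; the init script executes it)`, and the same on the tr-test override. The heading `## Override the default configuation for each instance as required` also has a typo (configuration).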
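Review bot: `tidc "$@" > /dev/null 2>&1` discards tidc's stderr along with its stdout, so when the post-start authentication check in the init script fails the operator sees only a non-zero status and no reason. Keep stderr with `tidc "$@" > /dev/null`, or append it to a log file; the following `exit "${?}"` can stay as it is.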
diff --git a/redhat/trust_router-wrapper b/redhat/trust_router-wrapper
new file mode 100755
index 0000000..81bf47e
--- /dev/null
+++ b/redhat/trust_router-wrapper
@@ -0,0 +1,11 @@
+#! /usr/bin/env bash
+
+cd "${2}"
+
+/usr/bin/trust_router > "${3}.$(date +'%Y%m%d%H%M')" 2>&1 &
+BGPID=$!
+RET=$?
+
+echo "${BGPID}" > "${1}"
+
+exit "${RET}"
diff --git a/redhat/trusts.cfg b/redhat/trusts.cfg
new file mode 100644
index 0000000..0998e1f
--- /dev/null
+++ b/redhat/trusts.cfg
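Review bot: `RET=$?` is read immediately after `BGPID=$!`, an assignment that always succeeds, so `exit "${RET}"` is always 0 and never reflects whether trust_router actually started; `cd "${2}"` two lines earlier is likewise unchecked, so a missing config directory leaves the daemon running from whatever directory the caller was in. Change `cd "${2}"` to `cd "${2}" || exit 1` and replace `RET=$?` with `kill -0 "${BGPID}" || exit 1`, so the pidfile is only written for a process that is still alive and the init script's daemon() call sees a failure otherwise. A short header comment should also state that the init script invokes this wrapper with the pidfile, config directory and log-file prefix as `$1`, `$2` and `$3`, since nothing in the file says so.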
@@ -0,0 +1,128 @@ +{ + "communities": [ + { + "apcs": [ + "pci-community.ja.net" + ], + "community_id": "comm.offcenter.org", + "idp_realms": [ + "idr2.offcenter.org" + ], + "rp_realms": [ + "sr3.offcenter.org" + ], + "type": "coi" + }, + { + "apcs": [ + + ], + "community_id": "pci-community.ja.net", + "idp_realms": [ + "idr1.offcenter.org", + "idr2.offcenter.org", + "ja.net", + "no-longer-untitled.offcenter.org" + ], + "rp_realms": [ + "exchange.ja.net", + "sr3.offcenter.org" + ], + "type": "apc" + } + ], + "idp_realms": [ + { + "aaa_servers": [ + "127.0.0.1" + ], + "apcs": [ + "pci-community.ja.net" + ], + "realm_id": "idr1.offcenter.org", + "shared_config": "yes" + }, + { + "aaa_servers": [ + "127.0.0.1" + ], + "apcs": [ + "pci-community.ja.net" + ], + "realm_id": "idr2.offcenter.org", + "shared_config": "no" + }, + { + "aaa_servers": [ + "10.1.10.90" + ], + "apcs": [ + "pci-community.ja.net" + ], + "realm_id": "ja.net", + "shared_config": "no" + }, + { + "aaa_servers": [ + "127.0.0.1" + ], + "apcs": [ + "pci-community.ja.net" + ], + "realm_id": "no-longer-untitled.offcenter.org", + "shared_config": "yes" + } + ], + "rp_clients": [ + { + "filter": { + "filter_lines": [ + { + "action": "accept", + "domain_constraints": ["*.exchange.ja.net"], + "filter_specs": [ + { + "field": "rp_realm", + "match": "exchange.ja.net" + }, + { + "field": "rp_realm", + "match": "*.exchange.ja.net" + } + ], + "realm_constraints": ["*.exchange.ja.net", "a.com"] + } + ], + "type": "rp_permitted" + }, + "gss_names": [ + "01b80aa9-8753-4691-8f8a-f49f7793546f@portal-realm.ja.net" + ] + }, + { + "filter": { + "filter_lines": [ + { + "action": "accept", + "domain_constraints": ["*.bob.sr3.offcenter.org"], + "filter_specs": [ + { + "field": "rp_realm", + "match": "sr3.offcenter.org" + }, + { + "field": "rp_realm", + "match": "*.sr3.offcenter.org" + } + ], + "realm_constraints": ["*.sr3.offcenter.org" ] + } + ], + "type": "rp_permitted" + }, + "gss_names": [ + 
"895c308a-5624-4055-bb4f-ea24b77e6637@portal-realm.ja.net" + ] + } + ] +}
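Review bot: This file reads as example data rather than a neutral default: the aaa_servers are 127.0.0.1 and 10.1.10.90, realm_constraints includes `"a.com"`, and the gss_names entries are specific UUIDs at portal-realm.ja.net. Whether the packaging installs it as the live trust configuration is not visible in this commit; if it does, a fresh install would start with these trust relationships active, so consider naming it trusts.cfg.example or documenting in the spec that it is sample content to be replaced before use.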