From a4cd1ddbb5036d46109f0136b9c3e68d74be6430 Mon Sep 17 00:00:00 2001
From: "work@jacobthomas.net"
Date: Tue, 10 Aug 2021 11:07:56 -0700
Subject: [PATCH 1/2] Security Review Changes to aks files
---
 .../main/arm/scripts/buildWLSDockerImage.sh | 11 ++--
 .../main/arm/scripts/invokeSetupWLSDomain.sh | 47 ++++++++++-------
 .../src/main/arm/scripts/setupWLSDomain.sh | 52 +++++++++----------
 3 files changed, 61 insertions(+), 49 deletions(-)
diff --git a/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh b/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
index ffaafdcdf..2a4ff4f8d 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
@@ -1,4 +1,4 @@
-# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #Function to output message to StdErr
@@ -6,13 +6,14 @@ function echo_stderr() {
 echo "$@" >&2
 }
-# PENDING(edburns): load and from filesystem, from a file that is guaranteed to be secured as required
-function load_parameters_from_file() {
+# read and from stdin
+function read_sensitive_parameters_from_stdin() {
+ read azureACRPassword ocrSSOPSW
 }
 #Function to display usage message
 function usage() {
- echo_stdout "./buildWLSDockerImage.sh "
+ echo_stdout " ./buildWLSDockerImage.sh "
 if [ $1 -eq 1 ]; then
 exit 1
 fi
@@ -243,7 +244,7 @@ export ocrLoginServer="container-registry.oracle.com"
 export wdtDownloadURL="https://github.com/oracle/weblogic-deploy-tooling/releases/download/release-1.9.7/weblogic-deploy.zip"
 export witDownloadURL="https://github.com/oracle/weblogic-image-tool/releases/download/release-1.9.11/imagetool.zip"
-load_parameters_from_file
+read_sensitive_parameters_from_stdin
 validate_inputs
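Review bot: `read azureACRPassword ocrSSOPSW` in the new read_sensitive_parameters_from_stdin reads without `-r` and splits on IFS, so a password containing a backslash is mangled and a password containing whitespace is split across both variables (ocrSSOPSW absorbs the rest of the line). Read one secret per line and fail when either is missing: `IFS= read -r azureACRPassword && IFS= read -r ocrSSOPSW || { echo_stderr "expected two secrets on stdin"; exit 1; }`, paired with a newline-separated writer on the producer side in setupWLSDomain.sh. The usage string in the same hunk no longer names the stdin inputs; a comment such as `# stdin: line 1 = ACR password, line 2 = OCR SSO password` above the function would document the contract.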
diff --git a/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
index efa265a48..ababb154f 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
@@ -1,24 +1,16 @@
-# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
-echo "Script starts"
-
-#Function to output message to stdout
 function echo_stderr() {
- echo "$@" >&2
+ >&2 echo "$@"
 echo "$@" >>stdout
 }
 function echo_stdout() {
- echo "$@" >&2
+ echo "$@"
 echo "$@" >>stdout
 }
-# PENDING(edburns): write some of the parameters to file. Others are passed directly to the script.
-function write_parameters_to_file() {
-}
-
-
 #Function to display usage message
 function usage() {
 echo_stdout "./invokeSetupWLSDomain.sh ..."
@@ -27,13 +19,32 @@ function usage() {
 fi
 }
-#Function to validate input
-function validate_input() {
-
-}
-
-validate_input
+# Main script
+export script="${BASH_SOURCE[0]}"
+export scriptDir="$(cd "$(dirname "${script}")" && pwd)"
+
+export ocrSSOUser=${1}
+ocrSSOPSW=${2}
+export aksClusterRGName=${3}
+export aksClusterName=${4}
+export wlsImageTag=${5}
+export acrName=${6}
+export wlsDomainName=${7}
+export wlsDomainUID=${8}
+export wlsUserName=${9}
+wlsPassword=${10}
+wdtRuntimePassword=${11}
+export wlsCPU=${12}
+export wlsMemory=${13}
+export managedServerPrefix=${14}
+export appReplicas=${15}
+export appPackageUrls=${16}
+export currentResourceGroup=${17}
+export scriptURL=${18}
+export storageAccountName=${19}
+export wlsClusterSize=${20}
+
+echo ${ocrSSOPSW} ${wlsPassword} ${wdtRuntimePassword} | bash ./setupWLSDomain.sh ${ocrSSOUser} ${aksClusterRGName} ${aksClusterName} ${wlsImageTag} ${acrName} ${wlsDomainName} ${wlsDomainUID} ${wlsUserName} ${wlsCPU} ${wlsMemory} ${managedServerPrefix} ${appReplicas} ${appPackageUrls} ${currentResourceGroup} ${scriptURL} ${storageAccountName} ${wlsClusterSize}
-# invoke the setupWLSDomain passing the parameters and the file
 exit $exitCode
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
index 0406b46b7..1dde4c0c9 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
@@ -1,4 +1,4 @@
-# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 echo "Script starts"
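Review bot: The three secrets still enter this wrapper as positional arguments (`${2}`, `${10}`, `${11}`), so they remain readable in /proc/PID/cmdline for the whole run of invokeSetupWLSDomain.sh; piping them onward only removes them from setupWLSDomain.sh's command line, and a comment stating that residual exposure (or moving the values out of argv at the template level) would make the boundary explicit. Every expansion in the `echo ... | bash ./setupWLSDomain.sh ...` line is unquoted, so a password or an `appPackageUrls` value containing spaces or glob characters is split or expanded before the child's `read` sees it; prefer `printf '%s\n' "${ocrSSOPSW}" "${wlsPassword}" "${wdtRuntimePassword}" | bash ./setupWLSDomain.sh "${ocrSSOUser}" ... "${wlsClusterSize}"` with one secret per line and matching per-line reads in the child, and quote the remaining arguments. `exit $exitCode` only propagates the pipeline's status because exitCode appears never to be assigned in the visible parts of this file, so the bare `exit` inherits the last status; capture it deliberately with `exitCode=$?` immediately after the pipeline.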
@@ -14,14 +14,15 @@ function echo_stdout() {
 echo "$@" >>stdout
 }
-# PENDING(edburns): load from filesystem, from a file that is guaranteed to be secured as required
-function load_parameters_from_file() {
+# read from stdin
+function read_sensitive_parameters_from_stdin() {
+ read ocrSSOPSW wlsPassword wdtRuntimePassword
 }
 #Function to display usage message
 function usage() {
- echo_stdout "./setupWLSDomain.sh "
+ echo_stdout " ./setupWLSDomain.sh "
 if [ $1 -eq 1 ]; then
 exit 1
 fi
@@ -250,7 +251,7 @@ function build_docker_image() {
 --publisher Microsoft.Azure.Extensions \
 --version 2.0 \
 --settings "{ \"fileUris\": [\"${scriptURL}model.yaml\",\"${scriptURL}model.properties\",\"${scriptURL}buildWLSDockerImage.sh\"]}" \
- --protected-settings "{\"commandToExecute\":\"bash buildWLSDockerImage.sh ${wlsImagePath} ${azureACRServer} ${azureACRUserName} ${newImageTag} \\\"${appPackageUrls}\\\" ${ocrSSOUser} ${wlsClusterSize}\"}"
+ --protected-settings "{\"commandToExecute\":\"echo ${azureACRPassword} ${ocrSSOPSW} | bash ./buildWLSDockerImage.sh ${wlsImagePath} ${azureACRServer} ${azureACRUserName} ${newImageTag} \\\"${appPackageUrls}\\\" ${ocrSSOUser} ${ocrSSOPSW} \"}"
 # If error fires, keep vm resource and exit.
 validate_status "Check status of buiding WLS domain image."
@@ -312,7 +313,7 @@ function setup_wls_domain() {
 # * Create PV using Azure file share
 # * Create PVC
 function create_pv() {
- export storageAccountKey=$(az storage account keys list --resource-group $currentResourceGroup --account-name $storageAccountName --query "[0].value" -o tsv)
+ storageAccountKey=$(az storage account keys list --resource-group $currentResourceGroup --account-name $storageAccountName --query "[0].value" -o tsv)
 export azureSecretName="azure-secret"
 kubectl -n ${wlsDomainNS} create secret generic ${azureSecretName} \
 --from-literal=azurestorageaccountname=${storageAccountName} \
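Review bot: `read ocrSSOPSW wlsPassword wdtRuntimePassword` has the same weakness as the producer in invokeSetupWLSDomain.sh: without `-r` backslashes are consumed, and IFS splitting means a WebLogic admin password containing a space lands partly in wdtRuntimePassword, which absorbs the remainder of the line. Prefer one value per line and fail closed: `IFS= read -r ocrSSOPSW && IFS= read -r wlsPassword && IFS= read -r wdtRuntimePassword || { echo_stderr "expected three secrets on stdin"; exit 1; }`, matched by a newline-separated writer in the caller. A header comment naming the expected order of the three stdin values would document the contract that the usage string in this hunk no longer spells out.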
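Review bot: The new commandToExecute still passes `${ocrSSOPSW}` as the last positional argument (where the old command passed `${wlsClusterSize}`), so the OCR password is both piped on stdin and exposed on the build VM's command line, and wlsClusterSize is no longer handed to buildWLSDockerImage.sh at all. The trailing argument should be restored: `... \\\"${appPackageUrls}\\\" ${ocrSSOUser} ${wlsClusterSize}\"}"`. Both passwords are also interpolated unquoted into a JSON string that the extension evaluates as shell, so a value containing `"`, `\`, `$`, `|` or whitespace breaks either the JSON or the pipeline; at minimum reject those characters in validate_input (its body is not visible here) or escape the values before embedding them. build_docker_image starts and ends outside this hunk.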
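Review bot: Dropping `export` on `storageAccountKey` keeps the key out of child processes' environments, but create_pv presumably still passes it to kubectl on the `--from-literal` line that follows this hunk, where it is visible in the process list for the duration of the call. If the intent is to keep the key off argv, feed it through a descriptor instead, e.g. `--from-file=azurestorageaccountkey=<(printf '%s' "${storageAccountKey}")`, and quote `$currentResourceGroup` and `$storageAccountName` in the `az` call while touching the line. A one-line comment `# not exported: only kubectl below needs the key` would record why this assignment differs from the surrounding exports. create_pv continues outside this hunk.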
@@ -446,30 +447,29 @@ function cleanup_vm() {
 export script="${BASH_SOURCE[0]}"
 export scriptDir="$(cd "$(dirname "${script}")" && pwd)"
-export ocrSSOUser=$1
-export ocrSSOPSW=$2
-export aksClusterRGName=$3
-export aksClusterName=$4
-export wlsImageTag=$5
-export acrName=$6
-export wlsDomainName=$7
-export wlsDomainUID=$8
-export wlsUserName=$9
-export wlsCPU=${10}
-export wlsMemory=${11}
-export managedServerPrefix=${12}
-export appReplicas=${13}
-export appPackageUrls=${14}
-export currentResourceGroup=${15}
-export scriptURL=${16}
-export storageAccountName=${17}
-export wlsClusterSize=${18}
+export ocrSSOUser=${1}
+export aksClusterRGName=${2}
+export aksClusterName=${3}
+export wlsImageTag=${4}
+export acrName=${5}
+export wlsDomainName=${6}
+export wlsDomainUID=${7}
+export wlsUserName=${8}
+export wlsCPU=${9}
+export wlsMemory=${10}
+export managedServerPrefix=${11}
+export appReplicas=${12}
+export appPackageUrls=${13}
+export currentResourceGroup=${14}
+export scriptURL=${15}
+export storageAccountName=${16}
+export wlsClusterSize=${17}
 export adminServerName="admin-server"
 export exitCode=0
 export ocrLoginServer="container-registry.oracle.com"
 export kubectlSecretForACR="regsecret"
-export kubectlWLSCredentials="${wlsDomainUID}-weblogic-credentials"
+kubectlWLSCredentials="${wlsDomainUID}-weblogic-credentials"
 export newImageTag=$(date +%s)
 export storageFileShareName="weblogic"
 export wlsDomainNS="${wlsDomainUID}-ns"
@@ -478,7 +478,7 @@ export wlsOptNameSpace="weblogic-operator-ns"
 export wlsOptRelease="weblogic-operator"
 export wlsOptSA="weblogic-operator-sa"
-load_parameters_from_file
+read_sensitive_parameters_from_stdin
 validate_input
From b305741b578680b6fce9c9a081236fc3bab063a0 Mon Sep 17 00:00:00 2001
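Review bot: Removing `export` from `kubectlWLSCredentials` has no confidentiality effect, because the value is the Kubernetes secret's name (`${wlsDomainUID}-weblogic-credentials`), not the credential itself; if the change is deliberate, a comment such as `# secret name only; the credentials themselves arrive on stdin and are never exported` would stop the next reader from mistaking it for hardening. The hunk renumbers the positional parameters down to 17 but nothing here checks the count, so a caller still using the old 18-argument form shifts every value by one without an error; a guard such as `[ $# -eq 17 ] || { usage 1; exit 1; }` before the assignments would catch that. validate_input, invoked at the end of the hunk, is defined outside it.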
From: "work@jacobthomas.net"
Date: Tue, 10 Aug 2021 13:34:44 -0700
Subject: [PATCH 2/2] Modified usage function and Copyright
---
 .../src/main/arm/scripts/buildWLSDockerImage.sh | 2 +-
 .../src/main/arm/scripts/invokeSetupWLSDomain.sh | 2 +-
 weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh | 7 ++-----
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh b/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
index 2a4ff4f8d..ff512e6bf 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/buildWLSDockerImage.sh
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #Function to output message to StdErr
diff --git a/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
index ababb154f..48ab4ce9c 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/invokeSetupWLSDomain.sh
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 function echo_stderr() {
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
index 1dde4c0c9..7d36a3239 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020, Oracle Corporation and/or its affiliates.
+# Copyright (c) 2021 Oracle Corporation and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 echo "Script starts"
@@ -22,10 +22,7 @@ function read_sensitive_parameters_from_stdin() {
 #Function to display usage message
 function usage() {
- echo_stdout " ./setupWLSDomain.sh "
- if [ $1 -eq 1 ]; then
- exit 1
- fi
+ echo "Configure WLS Domain"
 }
 #Function to validate input
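Review bot: The rewritten usage() drops the `exit 1` branch, so `usage 1` no longer terminates the script; if validate_input (outside this hunk) still relies on it to abort on bad arguments, setupWLSDomain.sh now proceeds with missing parameters while holding the secrets it read from stdin. Keep the exit and state the contract, e.g. `echo_stdout "Usage: ./setupWLSDomain.sh ocrSSOUser aksClusterRGName ... wlsClusterSize (17 args); ocrSSOPSW, wlsPassword and wdtRuntimePassword are read from stdin, one per line"` followed by `if [ "${1:-0}" -eq 1 ]; then exit 1; fi`. Using plain `echo` here instead of the file's echo_stdout also skips the `stdout` log file that every other message in this script is appended to.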