From 0bbd0b7fafb9fa57f469a86ea486ff8086f5d339 Mon Sep 17 00:00:00 2001
From: Leif Johansson
Date: Fri, 12 Jul 2019 11:31:41 +0200
Subject: [PATCH] demw deploy - attempt 1
---
.../configuration/credentials/enc.crt | 30 +++++++++++++++
.../metadata-signature-certificate.crt | Bin
.../configuration/credentials/sign.crt | 30 +++++++++++++++
.../eidasmiddleware.properties.sh | 2 +-
.../configuration/hsm/pkcs11.properties | 15 --------
.../configuration/hsm/pkcs11.properties.sh | 11 ++++++
global/overlay/etc/puppet/cosmos-rules.yaml | 17 +++++++--
.../etc/puppet/manifests/cosmos-site.pp | 35 ++++++++++++++++++
8 files changed, 121 insertions(+), 19 deletions(-)
create mode 100644 demw-common/overlay/opt/eidas-middleware/configuration/credentials/enc.crt
rename demw-common/overlay/opt/eidas-middleware/configuration/{ => credentials}/metadata-signature-certificate.crt (100%)
create mode 100644 demw-common/overlay/opt/eidas-middleware/configuration/credentials/sign.crt
delete mode 100644 demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties
create mode 100644 demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties.sh
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/credentials/enc.crt b/demw-common/overlay/opt/eidas-middleware/configuration/credentials/enc.crt
new file mode 100644
index 00000000..d6e3657c
--- /dev/null
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/credentials/enc.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFLjCCAxagAwIBAgIEBEA5gTANBgkqhkiG9w0BAQsFADBPMQswCQYDVQQGEwJT
+RTEXMBUGA1UEChMOU3dlZGVuIENvbm5lY3QxDjAMBgNVBAsTBWVJREFTMRcwFQYD
+VQQDEw5TQU1MIEVuY3J5cHRlcjAeFw0xODA5MDEwMDAwMDBaFw0yODA5MDEwMDAw
+MDBaME8xCzAJBgNVBAYTAlNFMRcwFQYDVQQKEw5Td2VkZW4gQ29ubmVjdDEOMAwG
+A1UECxMFZUlEQVMxFzAVBgNVBAMTDlNBTUwgRW5jcnlwdGVyMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAncnQs7F6x3l7WDWfzWQ1YI3nRPRAmou/6wfu
+t/Q/0Lrk2qC1t0cKXVcwgjYjond7mNgTl8rUBIheI4KLOzX48diUOs+aNz21EjPP
+qGpgq3HzS9AAs7yw8ZEG5Y/G2KTLrxG9DO/zhy+mXcRle+zGJh8jc5MBqz2xnSMj
+drRNWlIuAQ+hrlEiJw70+ezZIB3Y0KWwAKSN+CMNXzNoxuCd4hiSocga74guoLu7
+borpf6Z+i9Iry+L1+jTRPzPdeoEdVI45a2Oy3x9up5Oag9ehIeqJqEQZOtrJj45Q
+FiQgYEEVOB7YAFKSwf426eSOyDNfcYlZGC9+p/hAxsJAptOlfiW5OFhKvsdc4t6l
+t43U4GqKT+gDGvk8WOMCTkcJBfDkRMbSHA7ZnmF3xmkfROUjh5/OiypVUpjQDxTi
+wd2F7lc0w5qMiWbLTUIGYtbsVdLcsZ3npkxxYSV/b4GnR1QDQgktDol2ksQUFYaW
+a301l7zLoKHVXbXIZu569VFVtgB8SeJwaqIEsOqyLpLUzCL+27cpPhenW1hZ4ZAY
+R0kEWu8tUL8IEplG96NGSuKF0KM3hrRGC80wW8epHKHcjVlPnAALWSrXh86N+6kw
+cf9vKETYCZAWo8QUC0MWNB9yH+JR6whsrmBcywNTnyAtPc00gYY4DbzaWgbjCJNx
+cI9rHKUCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgUgMA0GCSqGSIb3DQEBCwUAA4IC
+AQBvu+YkEyb6JBIVaRfDGk04ggJEZcBMjfP8JH4bCDTkHJW8vTGIADLuONd/LR0z
+hmjWILQ/kZWtqmgm7RTduMQfLm1Pl/s2Zj4dRM4KfYGHSuqDOUhOqP8BcvXesx8e
+YoD3ui8V5Uo2mnbajJOTSTd5AXEMheujBaMzVQ1G8sT6FPVBPP2jXuQyOS+sSOr3
+vRRN+hEMkI2D6b6h20Nu2CFdDP+q9QSbbRf9Igx+h9lJ+VhWgsytHsRIIzq5Watg
+rx2cfXOvhgagMomgDmOFD0YrRRjqPH7wYDwcc4W7si3TilP54lfnl6pEG9HCK31t
+cVwdMc06lSh3LLpfiYQUBi7Q68p5F9T6oNL71Ii+v99ouDqiDsrcP3ouS5OK5RrY
+4w2nw9993xU0Dp3s307OY/5FAUc7PGagTbx464FTXNDXA9nNKW/Z6Fy+c3IwA0fb
+ZtqsCoet9DiJr9OG5awC33KeNB95a6WVym/My4WgNeZUHUoI4SnmtELUr4h1IO/2
+y6nm2r4haoS5OUw+cxBYYP/LXTDaF759AYJEcOYOqad2IBFChMcC3Sk45XPXwfE9
++AyNq6gwRzqtqsCnDB65g7zSGYZUsTJSAMlEzcrTpksBAgirZmCMsJVLEAJgqCwn
+j00m1WNvgK2Fj71hjOONvhwP5gj0bwy+1b8GY0+A/RObSw==
+-----END CERTIFICATE-----
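Review bot: Nothing alongside these committed certificates records what they are for, when they lapse, or where the matching private key is provisioned, and a .crt file cannot carry a comment. Decoding the DER in this hunk and in sign.crt (the hunk after the next diff header) shows both are self-signed RSA certificates under O=Sweden Connect, OU=eIDAS — CN=SAML Encrypter with keyUsage keyEncipherment here, CN=SAML Signer with keyUsage digitalSignature there — both valid 2018-09-01 to 2028-09-01, and both carrying the same serial number 0x04403981. A short README in configuration/credentials/ stating subject, key usage, expiry and the keystore each one pairs with (the signature keystore appears to be provisioned as a sunet::snippets::secret_file in cosmos-site.pp later in this patch) would let whoever rotates them in 2028 locate the corresponding private key; the shared serial is legal because the issuer DNs differ, but a line saying so would stop a future reader from taking it for a copy-paste mistake.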
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/metadata-signature-certificate.crt b/demw-common/overlay/opt/eidas-middleware/configuration/credentials/metadata-signature-certificate.crt
similarity index 100%
rename from demw-common/overlay/opt/eidas-middleware/configuration/metadata-signature-certificate.crt
rename to demw-common/overlay/opt/eidas-middleware/configuration/credentials/metadata-signature-certificate.crt
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/credentials/sign.crt b/demw-common/overlay/opt/eidas-middleware/configuration/credentials/sign.crt
new file mode 100644
index 00000000..cc2d612d
--- /dev/null
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/credentials/sign.crt
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFKDCCAxCgAwIBAgIEBEA5gTANBgkqhkiG9w0BAQsFADBMMQswCQYDVQQGEwJT
+RTEXMBUGA1UEChMOU3dlZGVuIENvbm5lY3QxDjAMBgNVBAsTBWVJREFTMRQwEgYD
+VQQDEwtTQU1MIFNpZ25lcjAeFw0xODA5MDEwMDAwMDBaFw0yODA5MDEwMDAwMDBa
+MEwxCzAJBgNVBAYTAlNFMRcwFQYDVQQKEw5Td2VkZW4gQ29ubmVjdDEOMAwGA1UE
+CxMFZUlEQVMxFDASBgNVBAMTC1NBTUwgU2lnbmVyMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAoDCg0aSB43LoPFwh0gB9ZyQ6c5MRHddSDfdyZW2Z20bo
+EML62j3spRnBXG83orL40w3CzbXVu3j4gaCSx+Qt8sGKW9mk2PY8S+h6Xieg18Rw
+SP0eZRoAfacxufejvKHUg4nSLdT8k8RjiVkLjPMyTwqHlhusFU/OiGdT82B9aYJa
+ekiKVqLorv6VBIFu2j3KJ7mKJN3xxjeSWyHlKVvVmJ7slarp69ndGV5AJNtnDK5Y
+KbEzgKslIUicP3rmnqgCSKBUlA3ppYxArUy6IJLGiKmv74/Sc2tRpsCXwVgFouC/
+sj2Mpksab0wTzXomZ7oXMb35M12duiltPXgnLhMuH4GjEYlPBaaQl1ilAAvk/e29
+xpT2jIR5tl0RF9rUqYlpJqyLq5/jRjyUXOTWwVQ5/oQ65iYXuoA9EYxkAE1bYCf9
+rKMPUcczqiThzHzaYUs/mkAoLgBMtLSf2K84ztWZrbUzDa4RBTfeXmZhHyjenTSC
+KgBqnN2s89VOgy/+hB8EmTeSHg4BOoJ56zjOr/EOifUQCey2PetA9rMUd7MkMv49
+hdVWKdk9fIrAmmEaVtU5uMajmCTiZItMbtEbmBtYfFOZmE0BoI1/g3wu393tY/oF
+vMrGrGf2gFUc/o63IrlSDpZLv/hmKfmpmreZpY6yi3pAVs9wiuDRZsaQcV8dpIMC
+AwEAAaMSMBAwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQBt3yH5
+jXx63IFWA+jWdLdAn/MSJNT19vwuC5KVgDdlnv/bWj6u3uCmBvHUVsNMcTuOJXN2
+KOverRvdzStwW2yHmNn8PX4Yn4IVLSYdYNlrxp4DvL97WwnpxV2tASaRZ3eUMrh5
+sQaG/IqdJ1lCS78PyiE+kVzF0oNUbk1ba0N2Hvlc6LeA5Sy0lbaqT0PTU6xF5lec
+9azRPc3S2GiGl5BLRBcJvMjJzBBQ6yD4dXPY4nFQSWdgp7VW6FnvY6jnj2mmLVn8
+HYLB7hSxev3vCqt5vOEWXCi/zDM/YU5/SwbvZQ/vdkFGIEaJNSBGLq8As3uljmPd
+byLHu2wpW7/hVZpD6fYVG+0nghu23lwZ+l0KQKU4AleHulMJUaYkprP4LhC3mRAO
+jaJwlMn4hdGEV38zauukvwspxEmZ52UAEAhS1+NPLIm0gjR/s3S+U4HNpJjvqm+T
+BI3VAH8TV9bJ0FGf1jPZ5ZM0AsLearM5AO9peQ2xRvC9tLrpCnfk84HZF6KvZCzo
+egUxh55BXfCs5n/xhKU5ZLzbetkNLHXFsd3F2KAg3ny+vTxaTpY/rBCvsOKI98Fo
+ybRdsPn1zskNyGXdZi3yxVYa0lvEWf7VyG9svLSfF7xjN/pc7vj/nspCZK6B/q5+
+wAO+aJg4t0V8ZXu8gI23LFpiMNhjqkSQ6ZuIGA==
+-----END CERTIFICATE-----
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/eidasmiddleware.properties.sh b/demw-common/overlay/opt/eidas-middleware/configuration/eidasmiddleware.properties.sh
index 0a2ad070..db1cc43a 100644
--- a/demw-common/overlay/opt/eidas-middleware/configuration/eidasmiddleware.properties.sh
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/eidasmiddleware.properties.sh
@@ -19,7 +19,7 @@ ORGANIZATION_LANG=sv ORGANIZATION_NAME=Sweden Connect ORGANIZATION_URL=https\://swedenconnect.se SERVICE_PROVIDER_CONFIG_FOLDER=/opt/eidas-middleware/configuration/serviceprovider-metadata -SERVICE_PROVIDER_METADATA_SIGNATURE_CERT=/opt/eidas-middleware/configuration/metadata-signature-certificate.crt +SERVICE_PROVIDER_METADATA_SIGNATURE_CERT=/opt/eidas-middleware/configuration/credentials/metadata-signature-certificate.crt #metadata validity #METADATA_VALIDITY=2063-04-30
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties b/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties
deleted file mode 100644
index 81f1b699..00000000
--- a/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties
+++ /dev/null
@@ -1,15 +0,0 @@
-hsmExternalCfgLocations=/opt/eidas-middleware/configuration/hsm/demw-sunpkcs11-config
-#hsmPin=
-#hsmLib=
-#hsmProviderName=
-#hsmSlot=0
-#hsmSlotListIndex=0
-#hsmSlotListIndexMaxRange=0
-#keySourcePass=
-#keySourceAlias=
-#keySourceKeyLocation=
-#keySourceCertLocation=
-#keySourcePassEnc=
-#keySourceAliasEnc=
-#keySourceKeyLocationEnc=
-#keySourceCertLocationEnc=ß
\ No newline at end of file
diff --git a/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties.sh b/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties.sh
new file mode 100644
index 00000000..cf1257dc
--- /dev/null
+++ b/demw-common/overlay/opt/eidas-middleware/configuration/hsm/pkcs11.properties.sh
@@ -0,0 +1,11 @@ +cat< directory } -> + sunet::docker_run {'eidas-demw': + image => 'docker.sunet.se/eidas-demw', + imagetag => $_version, + hostname => "${::fqdn}", + ports => ['443:8443'], + volumes => ['/var/log/eidas-middleware:/var/log/eidas-middleware', + '/opt/eidas-middleware/configuration:/opt/eidas-middleware/configuration', + '/opt/eidas-middleware/database:/opt/eidas-middleware/database', + '/dev/log:/dev/log', + '/etc/ssl:/etc/ssl'], + env => ["CERTNAME=${::fqdn}_infra", + "EIDAS_SIGNER_DEFAULT_HASH_ALGORITHM=SHA256", + "PUBLIC_HOSTNAME=$_hostname", + "PKCS11_PIN=$pkcs11_pin", + "POSEIDAS_ADMIN_HASHED_PASSWORD=$poseidas_admin_hashed_password", + "DEMW_TLS_CLIENT_KEY=$demw_tls_client_key", + "DEMW_TLS_CLIENT_CERT=$demw_tls_client_cert", + "DEMW_TLS_SERVER_CERT=$demw_tls_server_cert", + "SPRING_DATASOURCE_PASSWORD=$spring_datasource_password"], + extra_parameters => ["--log-driver=syslog"] + } +} + class eidas_de_middleware($version="106-rs",$hostname='localhost') { $_version = safe_hiera('eidas_demw_version',$version) $_hostname = safe_hiera('eidas_demw_hostname',$hostname) @@ -299,6 +333,7 @@ class eidas_de_middleware($version="106-rs",$hostname='localhost') { $demw_tls_client_key = safe_hiera('demw_tls_client_key') $demw_tls_client_cert = safe_hiera('demw_tls_client_cert') $demw_tls_server_cert = safe_hiera('demw_tls_server_cert') + file {['/opt/eidas-middleware','/opt/eidas-middleware/configuration','/opt/eidas-middleware/database']: ensure => directory } -> sunet::snippets::secret_file {"/opt/eidas-middleware/configuration/eidasmw-signature-keystore.jks": hiera_key => 'eidasmw-signature-keystore',