From 9f6fc26c734a259284b5cfc35e7d895b6b604da7 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Mon, 9 Dec 2024 15:45:49 -0600
Subject: [PATCH 1/2] Modified hub package install scriptlet to use hostname -s and fail if that is longer than 64 characters
We create a self-signed certificate and the CN must be 64 characters or less so use hostname -s instead of hostname -f and fail if even the short name is longer than 64 characters. This check is added to the preinstall scriptlet so that the package will not even be unpacked if hostname -s is longer than 64 characters long. This check is only activated if there is no current cert present such as during an upgrade.
Ticket: CFE-4469
Changelog: title libre
(cherry picked from commit decaa42e22d325de244480028889aef2804a5c36)
---
 packaging/common/cfengine-hub/postinstall.sh | 7 ++++++-
 packaging/common/cfengine-hub/preinstall.sh | 17 +++++++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
index 8ed070f4d..567946b4c 100644
--- a/packaging/common/cfengine-hub/postinstall.sh
+++ b/packaging/common/cfengine-hub/postinstall.sh
@@ -308,6 +308,11 @@ mkdir -p $CFENGINE_MP_DEFAULT_KEY_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CSR_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_CERT_LINK_LOCATION
 mkdir -p $CFENGINE_MP_DEFAULT_SSLCONF_LOCATION
+CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+ cf_console echo "Short hostname, $CFENGINE_SHORTNAME, is longer than 64 bytes so cannot be used for a self-signed cert CN."
+ exit 1
+fi
 CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
 CFENGINE_SSL_KEY_SIZE="4096"
 CFENGINE_SSL_DAYS_VALID="3650"
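Review bot: The new length check at the top of the hunk runs unconditionally, before the `if [ ! -f $CFENGINE_MP_CERT ]` block that actually consumes `$CFENGINE_SHORTNAME`, so an upgrade on a hub that already has a cert and a short name over 64 characters now fails in postinstall, after the package has been unpacked, while the matching preinstall check is gated on the cert being absent. Moving the assignment and the test inside that `if` block (or gating them on the same `-f` test) keeps the two scriptlets consistent; where `$CFENGINE_MP_CERT` is assigned is not visible in this hunk, so confirm it is set before this point. Two smaller points: the `$(… | wc -m)` substitution is unquoted, and `wc -m` counts characters while the message says "bytes" (the preinstall message says "characters"); `if [ "${#CFENGINE_SHORTNAME}" -gt 64 ]; then` is POSIX, needs no pipeline, and lets the message say characters.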
@@ -327,7 +332,7 @@ if [ ! -f $CFENGINE_MP_CERT ]; then
 ${CFENGINE_OPENSSL} rsa -passin pass:x -in ${CFENGINE_MP_PASS_KEY} -out ${CFENGINE_MP_KEY}
 # Generate a CSR in ${CFENGINE_MP_CSR} with key ${CFENGINE_MP_KEY}
- ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_LOCALHOST" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
+ ${CFENGINE_OPENSSL} req -utf8 -sha256 -nodes -new -subj "/CN=$CFENGINE_SHORTNAME" -key ${CFENGINE_MP_KEY} -out ${CFENGINE_MP_CSR} ${OPENSSL_CNF}
 # Build configuration with reasonable default subjectAltName entries
 rm -f "$CFENGINE_MP_SSLCONF"
diff --git a/packaging/common/cfengine-hub/preinstall.sh b/packaging/common/cfengine-hub/preinstall.sh
index a2ee761ac..dcb7bb175 100644
--- a/packaging/common/cfengine-hub/preinstall.sh
+++ b/packaging/common/cfengine-hub/preinstall.sh
@@ -105,9 +105,10 @@ if [ "`package_type`" = "rpm" ]; then
 fi
 #
+# If an existing cert is not in place then:
 # Before starting the installation process we need to check that
-# hostname -f returns a valid name. If that is not the case then
-# we just abort the installation.
+# hostname -f returns a valid name and hostname -s is shorter
+# than 64 characters. If not we abort the installation.
 #
 NAME=$(hostname -f) || true
 if [ -z "$NAME" ];
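Review bot: With the CSR subject changed to `/CN=$CFENGINE_SHORTNAME`, the CN no longer matches the FQDN (`$CFENGINE_LOCALHOST`) that clients connect to and that names the cert file in the preinstall hunk further down; TLS clients following RFC 6125 match the host name against subjectAltName and ignore the CN when a SAN is present, so the FQDN must be in the SAN list for this change to be transparent to them. The SAN configuration is built from the `rm -f "$CFENGINE_MP_SSLCONF"` line onward and continues outside the hunk, so I cannot confirm from here that it still carries `$CFENGINE_LOCALHOST`; a comment on the `req` line such as `# CN is the short name (64-char ub-common-name limit); the FQDN must be carried in subjectAltName below` would record the dependency. The enclosing `if [ ! -f $CFENGINE_MP_CERT ]` block starts and ends outside the hunk.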
@@ -119,6 +120,18 @@ then
 exit 1
 fi
+CFENGINE_MP_DEFAULT_CERT_LOCATION="$PREFIX/httpd/ssl/certs"
+CFENGINE_LOCALHOST=$(hostname -f | tr '[:upper:]' '[:lower:]')
+CFENGINE_MP_CERT=$CFENGINE_MP_DEFAULT_CERT_LOCATION/$CFENGINE_LOCALHOST.cert
+if [ ! -f "$CFENGINE_MP_CERT" ]; then
+ CFENGINE_SHORTNAME=$(hostname -s | tr '[:upper:]' '[:lower:]')
+ if [ $(echo -n "$CFENGINE_SHORTNAME" | wc -m) -gt 64 ]; then
+ cf_console echo "hostname -s returned '$CFENGINE_SHORTNAME' which is longer than 64 characters and cannot be used to generate a self-signed cert common name (CN)."
+ cf_console echo "Please make sure that hostname -s returns a name less than 64 characters long."
+ exit 1
+ fi
+fi
+
 #stop the remaining services on upgrade
 if is_upgrade; then
 cf_console platform_service cfengine3 stop
From 714cb5c891262143e53f5756df00d8bd6847d4d3 Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Wed, 11 Dec 2024 13:43:37 -0600
Subject: [PATCH 2/2] Update actions/upload-artifact from v3 to v4 and remove packages from deployment-tests workflow artifacts
No need to duplicate the saving of packages. Almost always we will build the package and save it as an artifact during the build_cfengine_hub_package workflow.
Ticket: none
Changelog: none
(cherry picked from commit a1f5d3584518d73d8f12fbdca8ec3407131df9a7)
---
 .github/workflows/build-using-buildscripts.yml | 2 +-
 .github/workflows/deployment-tests.yml | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-using-buildscripts.yml b/.github/workflows/build-using-buildscripts.yml
index 7226ad5e2..4a3cd9da6 100644
--- a/.github/workflows/build-using-buildscripts.yml
+++ b/.github/workflows/build-using-buildscripts.yml
@@ -128,7 +128,7 @@ jobs:
 - name: Save artifacts
 if: success() || failure()
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
 name: artifacts
 path: |
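Review bot: The new block aborts only when the short name is longer than 64 characters, not when it is empty: if `hostname -s` fails inside the pipeline, `$CFENGINE_SHORTNAME` is empty (the pipeline's status is that of `tr`), the `-gt 64` test passes, and postinstall would later request a CSR with an empty CN; the `hostname -f` check just above already guards the empty case, so mirror it here with `if [ -z "$CFENGINE_SHORTNAME" ] || [ "${#CFENGINE_SHORTNAME}" -gt 64 ]; then`, which also removes the unquoted `$(… | wc -m)` substitution. The block also re-derives `CFENGINE_MP_DEFAULT_CERT_LOCATION` and `CFENGINE_MP_CERT` from `$PREFIX` instead of sharing the definitions with postinstall, so the two can silently drift; a comment such as `# Must match CFENGINE_MP_CERT in postinstall.sh, which decides whether a cert is generated` would flag that. Whether `$PREFIX` is set before this point in preinstall is not visible in the hunk.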
diff --git a/.github/workflows/deployment-tests.yml b/.github/workflows/deployment-tests.yml
index f6c56095e..ceeabc51b 100644
--- a/.github/workflows/deployment-tests.yml
+++ b/.github/workflows/deployment-tests.yml
@@ -134,9 +134,8 @@ jobs:
 - name: Save artifacts
 if: success() || failure()
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@v4
 with:
- name: artifacts
+ name: deployment-test-artifacts
 path: |
 artifacts
- packages
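Review bot: The rename to `deployment-test-artifacts` is what makes the v4 bump work, because upload-artifact v4 rejects a second upload under a name already used in the same workflow run and `build-using-buildscripts.yml` keeps `name: artifacts`; if either `Save artifacts` step runs inside a matrix job (not visible in these hunks), each matrix leg also needs its own name, e.g. `name: deployment-test-artifacts-${{ matrix.<matrix-key> }}`. v4 artifacts are also immutable rather than merged, so any downstream job that downloaded this workflow's `artifacts` by name has to be updated to the new name, and a short comment above `name:` recording the v4 uniqueness rule would save the next person the same discovery.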