Merge branch 'main' into DBA-598

ministryofjustice · Feb 16, 2024 · 78119ae · 78119ae
2 parents 6577239 + f059527
commit 78119ae
Show file tree

Hide file tree

Showing 25 changed files with 1,322 additions and 13 deletions.
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -38,7 +38,7 @@ jobs:
         run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
         with:
           sarif_file: tflint.sarif
   tfsec:
@@ -60,7 +60,7 @@ jobs:
           additional_args: '--format sarif --out tfsec.sarif --exclude aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits'
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
         with:
           sarif_file: tfsec.sarif
   checkov:
@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@4fc35972a43e0622149fadb328d3a5123bfca03e # v12.2671.0
+        uses: bridgecrewio/checkov-action@1eb50fe1e99799c470516068f2540867f80bbb80 # v12.2673.0
         with:
           directory: ./
           framework: terraform
@@ -87,6 +87,6 @@ jobs:
           skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
         with:
           sarif_file: ./checkov.sarif
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
+        uses: github/codeql-action/upload-sarif@379614612a29c9e28f31f39a59013eb8012a51f0 # v3.24.3
         with:
           sarif_file: results.sarif
diff --git a/ansible/roles/oracle-oms-setup/defaults/main.yml b/ansible/roles/oracle-oms-setup/defaults/main.yml
@@ -32,19 +32,20 @@ emcli: "{{ oem_mw_home }}/bin/emcli"
 # as defined in modernisation-platform/environments/<application>.json as
 # this is used to create the application tag on the instances running Oracle.
 application_groups: ["delius", "nomis", "oasys", "corporate-staff-rostering", "hmpps-oem"]
+emctl: "{{ oem_agent_base }}/agent_inst/bin/emctl"
 
 # Variables for OMS RU patching
-oms_ru_patch: p35437906_135000_Generic.zip
-oms_ru_patch_number: 35437906
+oms_ru_patch: p35861059_135000_Generic.zip
+oms_ru_patch_number: 35861059
 omspatcher_patch: p19999993_135000_Generic.zip
-oms_opatch_patch: p28186730_1394212_Generic.zip
-oms_opatch_version: 13.9.4.2.12
-omspatcher_version: 13.9.5.14.0
+oms_opatch_patch: p28186730_1394214_Generic.zip
+oms_opatch_version: 13.9.4.2.14
+omspatcher_version: 13.9.5.17.0
 omspatcher_stage: "{{ stage }}/omspatcher_stage"
-agent_ru_patch: p35437910_135000_Generic.zip
-agent_ru_patch_number: 35437910
+agent_ru_patch: p35861076_135000_Generic.zip
+agent_ru_patch_number: 35861076
 agentpatcher_patch: p33355570_135000_Generic.zip
-agentpatcher_version: 13.9.5.5.0
+agentpatcher_version: 13.9.5.6.0
 agent_home: "{{ oem_agent_base }}/agent_13.5.0.0.0"
 
 oms_env:

diff --git a/ansible/roles/oracle-oms-setup/tasks/configure_ssh.yml b/ansible/roles/oracle-oms-setup/tasks/configure_ssh.yml
@@ -0,0 +1,108 @@
+---
+# Create a named Credential OEM_HOST_SSH which may be used by the Central Agent
+# for local authentication to the host where OMS is running.  This uses an SSH
+# key rather than a password.
+
+# SSSD needs to be installed as OEM uses the pam_sss.so library provided.
+# The daemon itself does not need to be enabled or started.
+- name: Install SSSD
+  yum:
+    name: sssd
+    state: present
+    disable_gpg_check: true
+
+# By default ssh-rsa is not an accepted authentication method in the OpenSSH
+# server which is installed by default in OL/RH7.4 and above.
+# Add it to the list of accepted methods.
+- name: Allow ssh-rsa Authentication in OpenSSH
+  lineinfile:
+    path: /etc/crypto-policies/back-ends/opensshserver.config
+    regexp: "^(.*-oPubkeyAcceptedKeyTypes=)(?!ssh-rsa,)(.+)$"
+    line: '\1ssh-rsa,\2'
+    backrefs: true
+  register: add_ssh_rsa
+
+# A restart if require to pick up the OpenSSH Config changes
+- name: Restart SSHD service
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+  when: add_ssh_rsa.changed
+
+- name: Create SSH Directory for Oracle
+  file:
+    path: "/home/{{ oracle_install_user }}/.ssh"
+    owner: "{{ oracle_install_user }}"
+    group: "{{ oracle_install_group }}"
+    state: directory
+    mode: "0700"
+
+- name: Generate an RSA private key
+  community.crypto.openssh_keypair:
+    path: "/home/{{ oracle_install_user }}/.ssh/oem_ssh_key"
+    comment: For use by OEM Central Agent for local authentication
+    size: 4096
+    type: rsa
+  become: true
+  become_user: oracle
+
+- name: Read Public key
+  slurp:
+    src: "/home/{{ oracle_install_user }}/.ssh/oem_ssh_key.pub"
+  register: read_public_key
+
+- name: Authorize the Public Key for Agent Connections
+  authorized_key:
+    user: "{{ oracle_install_user }}"
+    state: present
+    key: "{{ read_public_key.content | b64decode }}"
+
+- name: Create HostSSHCreds
+  block:
+    # EMCLI Login script contains a password so ensure it is not readable by other users
+    - name: Copy EMCLI Login Script
+      ansible.builtin.template:
+        src: emcli_login.sh.j2
+        dest: "{{ stage }}/emcli_login.sh"
+        mode: "0700"
+        owner: oracle
+        group: oinstall
+
+    # If the credential already exists then do not treat that as an error
+    - name: Run HostSSHCreds Creation
+      become_user: oracle
+      ansible.builtin.shell: |
+        echo "running emcli_login.sh"
+        {{ stage }}/emcli_login.sh
+        # Get Hostname as it is known to the Central Agent
+        HOST_TARGET=$({{ emctl }} config agent listtargets | grep -E "^.*, host]$" | cut -d, -f1 | tr -d ' []')
+        echo "Adding OEM_HOST_SSH CREDENTIALS for the ${HOST_TARGET} host"
+        function create_credential()
+        {
+           {{ emcli }} create_named_credential -cred_name=OEM_HOST_SSH -auth_target_type=host -cred_type=HostSSHCreds -attributes="USERNAME:{{ oracle_install_user }};SSH_PVT_KEY:pvtkey" -target_name="${HOST_TARGET}" -input_file="pvtkey:/home/{{ oracle_install_user }}/.ssh/oem_ssh_key" -target_type=host -cred_scope=instance
+           RC=$?
+        }
+        CREATE_CREDENTIAL=$(create_credential)
+        ALREADY_EXISTS_MESSAGE="Error occurred: Credential name OEM_HOST_SSH exists."
+        if [[ ${CREATE_CREDENTIAL} =~ ${ALREADY_EXISTS_MESSAGE} ]]; then
+           # If the credential already exists then drop and replace it since the key may have been changed
+           {{ emcli }} delete_named_credential -cred_owner=SYSMAN -cred_name=OEM_HOST_SSH
+           create_credential
+        fi
+        exit $RC
+      register: run_hostsshcreds_creation
+      changed_when: run_hostsshcreds_creation.stdout is search('.*Credential OEM_HOST_SSH created.*')
+
+    - name: Set Preferred Host Credentials for the OEM Database
+      become_user: oracle
+      ansible.builtin.shell: |
+        echo "running emcli_login.sh"
+        {{ stage }}/emcli_login.sh
+        {{ emcli }} set_preferred_credential -set_name=DBHostCreds -target_name=EMREP -target_type=oracle_database -credential_name=OEM_HOST_SSH
+      register: set_preferred_credentials
+
+  always:
+    - name: Remove EMCLI login scripts from Staging Area
+      ansible.builtin.file:
+        path: emcli_login.sh
+        state: absent
diff --git a/ansible/roles/oracle-oms-setup/tasks/main.yml b/ansible/roles/oracle-oms-setup/tasks/main.yml
@@ -73,3 +73,9 @@
     - amibuild
     - ec2provision
     - create_slack_notification_package
+
+- import_tasks: configure_ssh.yml
+  tags:
+    - amibuild
+    - ec2provision
+    - configure_ssh
diff --git a/powershell/Modules/Create-ModPlatformModuleManifest.ps1 b/powershell/Modules/Create-ModPlatformModuleManifest.ps1
@@ -0,0 +1,87 @@
+<#
+.SYNOPSIS
+    Wrapper script for creating module manifest 
+
+.DESCRIPTION
+    Automatically detect files and exported functions and create
+    associated manifest file.
+
+.PARAMETER ModuleName
+    String
+
+.PARAMETER ModuleVersion
+    String
+
+.PARAMETER Description
+    String
+
+.EXAMPLE
+    Create-ModPlatformModuleManifest.ps1 "ModPlatformAD" 
+#>
+
+param (
+  [Parameter(Mandatory=$true)][string]$ModuleName,
+  $ModuleVersion,
+  $Description,
+  $PowerShellVersion
+)
+
+$ManifestParameters = @{
+  "GUID" = New-Guid
+  "ModuleVersion" = "1.0.0.0"
+  "Author" = "Ministry of Justice"
+  "CompanyName" = "Ministry of Justice"
+  "Copyright" = "(c) 2024 Crown Copyright (Ministry of Justice)"
+  "Description" = "Modernisation Platform ${ModuleName} module"
+  "PowerShellVersion" = $PSVersionTable.PSVersion.ToString()
+}
+
+$ErrorActionPreference = "Stop"
+
+$ManifestPath = "${ModuleName}/${ModuleName}.psd1"
+
+# Overwrite default manifest parameters with existing values with incremented version
+if (Get-ChildItem $ManifestPath -ErrorAction SilentlyContinue) {
+  $ManifestParameters.Keys.Clone() | ForEach-Object {
+    $ExistingValue = (Select-String -Path $ManifestPath -Pattern "${_} = '" -Raw).Split("'")[1]
+    if ($ExistingValue) {
+      if ($_ -eq "ModuleVersion") {
+        # increment existing version number 
+        $Version = [version]$ExistingValue
+        $Number = $Version.Major*1000+$Version.Minor*100+$Version.Build*10+$Version.Revision+1
+        $Revision = $Number % 10
+        $Build = (($Number-$Revision)/10)%10
+        $Minor = (($Number-$Revision-$Build*10)/100)%10
+        $Major = ($Number-$Revision-$Build*10-$Minor*100)/1000
+        $ManifestParameters[$_] = "${Major}.${Minor}.${Build}.${Revision}"    
+      } else {
+        $ManifestParameters[$_] = $ExistingValue
+      }
+    }
+  } 
+}
+
+if ($ModuleVersion) {
+  $Version = [version]$ModuleVersion
+  if ($Version.Revision -gt 9 -or $Version.Build -gt 9 -or $Version.Minor -gt 9) {
+    Write-Error "Invalid version - revision/build/minor must not exceed 9"
+  }
+  $ManifestParameters["ModuleVersion"] = $ModuleVersion
+} 
+if ($Description) {
+  $ManifestParameters["Description"] = $Description
+}
+if ($PowerShellVersion) {
+  $ManifestParameters["PowerShellVersion"] = $PowerShellVersion
+}
+
+# Automatically detect functions to export
+$ModuleFiles = Get-ChildItem "${ModuleName}/*.psm1" -Name
+$FunctionsToExport = Select-String -Path "${ModuleName}/*.psm1" -Pattern 'Export-ModuleMember' | Select-String -Pattern "Function \w" -Raw | foreach { $_.Split(" ")[-1] }
+
+$ManifestParameters["Path"] = $ManifestPath
+$ManifestParameters["NestedModules"] = $ModuleFiles
+$ManifestParameters["FunctionsToExport"] = $FunctionsToExport
+
+Write-Output $ManifestParameters
+New-ModuleManifest @ManifestParameters