diff --git a/ansible/deploy-tier2.yml b/ansible/deploy-tier2.yml
index ae76ab04..87b9decb 100644
--- a/ansible/deploy-tier2.yml
+++ b/ansible/deploy-tier2.yml
@@ -13,9 +13,10 @@
 ansible.builtin.import_playbook: deploy-testlists.yml
 # commented out due to the fact it requires manual config of ~/.ssh/config
-#- name: Setup codesign box
-# hosts: codesign-box
-# become: true
-# remote_user: ubuntu
-# roles:
-# - codesign_box
+- name: Setup codesign box
+ hosts: codesign-box
+ become: true
+ remote_user: ubuntu
+ roles:
+ - codesign_box
+ tags: codesign
diff --git a/ansible/inventory b/ansible/inventory
index 8998eba4..e48af402 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -52,3 +52,4 @@ jumphost.dev.ooni.io
 jumphost.prod.ooni.io
 testlist-ec2.dev.ooni.io
 testlist-ec2.prod.ooni.io
+codesign-box
diff --git a/ansible/roles/codesign_box/defaults/main.yml b/ansible/roles/codesign_box/defaults/main.yml
index 985d214f..25c3090a 100644
--- a/ansible/roles/codesign_box/defaults/main.yml
+++ b/ansible/roles/codesign_box/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
 cluster_id: cluster-qsvghm4oqok
 hsm_token_name: OONI_2024-04-26_1
-codesign_usernames: [ art, majakomel, mehul ]
+codesign_usernames: [ art, majakomel, mehul, norbel ]
+aws_secret_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/cloudhsm_secret_access_key', profile='oonidevops_user_prod') }}"
+aws_access_key_id: "AKIAW3MEBT7WLINUBPU2"
diff --git a/ansible/roles/codesign_box/tasks/main.yml b/ansible/roles/codesign_box/tasks/main.yml
index aa12e810..4b106a1f 100644
--- a/ansible/roles/codesign_box/tasks/main.yml
+++ b/ansible/roles/codesign_box/tasks/main.yml
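Review bot: The context line `# commented out due to the fact it requires manual config of ~/.ssh/config` now sits directly above a play that this hunk enables, so the comment is stale and contradicts the code below it. Either remove it or reword it to what still holds, e.g. `# Reaching codesign-box may require an entry in ~/.ssh/config; see the inventory`. The inventory hunk that follows adds `codesign-box` with no `ansible_host`, so whether that ssh config requirement still applies cannot be told from this diff.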
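Review bot: `aws_secret_access_key` is resolved via the SSM lookup on the controller and then rendered to disk by the `Write ~/.aws/credentials` task in tasks/main.yml, so unless that task sets `no_log: true` the secret is printed in verbose, check and diff output; add `no_log: true` to that task. A long-lived IAM user key (`aws_access_key_id: "AKIAW3MEBT7WLINUBPU2"`) stored on the signing host is a more attractive target than an instance profile attached to the `ooni_codesign_box` instance; if the ec2 module can attach an IAM role, prefer that and drop both keys from the role defaults. Whatever the mechanism, the policy behind this key should be limited to the `cloudhsmv2` describe/create/delete actions the templated scripts call — that scope cannot be verified from the diff.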
@@ -5,21 +5,116 @@
 dest: "/home/ubuntu/.ssh/authorized_keys"
 owner: "ubuntu"
 mode: "0400"
+ tags: codesign
 - name: Install cloudhsm-cli
 ansible.builtin.apt:
 deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb
 update_cache: true
+ tags: codesign
 - name: Install cloudhsm-pkcs11
 ansible.builtin.apt:
 deb: https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-pkcs11_latest_u22.04_amd64.deb
+ tags: codesign
 - name: Install cloudhsm-pkcs11
 ansible.builtin.apt:
 name:
 - libengine-pkcs11-openssl
 - awscli
+ tags: codesign
+
+- name: Check if osslsigncode is already installed
+ ansible.builtin.command: which osslsigncode
+ register: osslsigncode_check
+ failed_when: false
+ changed_when: false
+ tags: codesign
+- name: Build and install osslsigncode from source
+ when: osslsigncode_check.rc != 0
+ tags: codesign
+ vars:
+ ossl_version: 2.13
+ block:
+ - name: Install osslsigncode build dependencies
+ ansible.builtin.apt:
+ name:
+ - cmake
+ - libssl-dev
+ - libcurl4-openssl-dev
+ - zlib1g-dev
+ - python3
+ - git
+ state: present
+ update_cache: true
+ tags: codesign
+
+ - name: Download osslsigncode release tarball
+ ansible.builtin.get_url:
+ url: "https://github.com/mtrojnar/osslsigncode/archive/refs/tags/{{ ossl_version }}.tar.gz"
+ dest: /tmp/osslsigncode.tar.gz
+ mode: "0644"
+ tags: codesign
+
+ - name: Extract osslsigncode tarball
+ ansible.builtin.unarchive:
+ src: /tmp/osslsigncode.tar.gz
+ dest: /tmp/
+ remote_src: true
+ tags: codesign
+
+ - name: Create build directory
+ ansible.builtin.file:
+ path: "/tmp/osslsigncode-{{ ossl_version }}/build"
+ state: directory
+ mode: "0755"
+ tags: codesign
+
+ - name: Configure osslsigncode with CMake
+ ansible.builtin.command:
+ cmd: cmake -S .. -DCMAKE_BUILD_TYPE=Release
+ chdir: "/tmp/osslsigncode-{{ ossl_version }}/build"
+ changed_when: true
+ tags: codesign
+
+ - name: Build osslsigncode
+ ansible.builtin.command:
+ cmd: cmake --build . --parallel
+ chdir: "/tmp/osslsigncode-{{ ossl_version }}/build"
+ changed_when: true
+ tags: codesign
+
+ - name: Install osslsigncode
+ ansible.builtin.command:
+ cmd: cmake --install .
+ chdir: "/tmp/osslsigncode-{{ossl_version}}/build"
+ changed_when: true
+ tags: codesign
+
+ - name: Clean up build directory
+ ansible.builtin.file:
+ path: "/tmp/osslsigncode-{{ossl_version}}"
+ state: absent
+ tags: codesign
+
+- name: Create aws directory
+ ansible.builtin.file:
+ path: "/home/ubuntu/.aws"
+ owner: ubuntu
+ group: adm
+ state: directory
+ mode: "0750"
+ tags: codesign
+
+- name: Write ~/.aws/credentials
+ ansible.builtin.template:
+ src: aws_credentials
+ dest: /home/ubuntu/.aws/credentials
+ owner: ubuntu
+ group: adm
+ mode: "u=rwx,g=r,o="
+ tags: codesign
 - name: Write customerCA.crt
 ansible.builtin.template:
@@ -28,6 +123,7 @@
 owner: root
 group: adm
 mode: "u=rwx,g=rx"
+ tags: codesign
 - name: Write Cert_bundle.pem
 ansible.builtin.template:
@@ -36,6 +132,7 @@
 owner: root
 group: adm
 mode: "u=rwx,g=rx"
+ tags: codesign
 - name: Write delete-hsms.sh command
 ansible.builtin.template:
@@ -44,6 +141,7 @@
 owner: root
 group: adm
 mode: "u=rwx,g=rx"
+ tags: codesign
 - name: Write create-hsms.sh command
 ansible.builtin.template:
@@ -52,16 +150,18 @@
 owner: root
 group: adm
 mode: "u=rwx,g=rx"
+ tags: codesign
 - name: Ensure .hsmcredentials file exists
 ansible.builtin.copy:
 dest: /home/ubuntu/.hsmcredentials
 content: |
- HSM_PASSWORD=
+ HSM_CREDENTIALS=
 owner: ubuntu
 group: adm
 mode: "u=rw,g=,o="
 force: false
+ tags: codesign
 - name: Write sign-windows-exe.sh command
 ansible.builtin.template:
@@ -70,3 +170,4 @@
 owner: root
 group: adm
 mode: "u=rwx,g=rx"
+ tags: codesign
diff --git a/ansible/roles/codesign_box/templates/Cert_bundle.pem b/ansible/roles/codesign_box/templates/Cert_bundle.pem
index 074bee46..28b1657b 100644
--- a/ansible/roles/codesign_box/templates/Cert_bundle.pem
+++ b/ansible/roles/codesign_box/templates/Cert_bundle.pem
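Review bot: The `Write ~/.aws/credentials` task installs a secret with `mode: "u=rwx,g=r,o="`, which makes the credentials file executable and readable by every member of `adm`; the `.hsmcredentials` task later in this file uses `mode: "u=rw,g=,o="`, and this file should match it, and because the task renders the secret it also needs `no_log: true` so the key does not show up in check/diff output. The `Download osslsigncode release tarball` task fetches the source that is then compiled and installed as the tool that signs the Windows binaries, with no integrity check on the download; `ansible.builtin.get_url` takes `checksum: "sha256:<digest of the 2.13 tarball>"`, and pinning it both detects a tampered or truncated download and makes the build reproducible. `ossl_version: 2.13` is a YAML float that happens to round-trip, but a release such as `2.10` would render as `2.1` in the URL and paths; quote it as `ossl_version: "2.13"`. The `Install osslsigncode` and `Clean up build directory` tasks write `{{ossl_version}}` while the earlier tasks write `{{ ossl_version }}`; harmless, but worth making uniform while touching it.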
@@ -1,107 +1,73 @@ subject=jurisdictionCountryName=IT, businessCategory=Business Entity, CN=Open Observatory of Network Interference (OONI), SERIALNUMBER=96568220584, O=Open Observatory of Network Interference (OONI), L=Rome, C=IT -issuer=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR +issuer=CN=HARICA EV Code Signing RSA, O=Hellenic Academic and Research Institutions CA, C=GR -----BEGIN CERTIFICATE----- -MIIHeDCCBWCgAwIBAgIQeP20SJFLrwNNrScDbdnSeDANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UE -BhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl -c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoGA1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBS -U0EgU3ViQ0EgUjEwHhcNMjQwNDI5MTEwNjU2WhcNMjYwNDI5MTEwNjU2WjCB1TELMAkGA1UEBhMC -SVQxDTALBgNVBAcMBFJvbWUxODA2BgNVBAoML09wZW4gT2JzZXJ2YXRvcnkgb2YgTmV0d29yayBJ -bnRlcmZlcmVuY2UgKE9PTkkpMRQwEgYDVQQFEws5NjU2ODIyMDU4NDE4MDYGA1UEAwwvT3BlbiBP -YnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVyZmVyZW5jZSAoT09OSSkxGDAWBgNVBA8MD0J1c2lu -ZXNzIEVudGl0eTETMBEGCysGAQQBgjc8AgEDEwJJVDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC -AgoCggIBALs3gSrsYiuFwdffvSPMKI/yGYk6R2cX2nAsFB8fHFElGdsUbHNoBOdBsRUe2yCSHLwA -kMyuNsGvOxbykiNaCGnNjEg3bI7rE7YyKwSH6aR5B/TTpI9CESnFROxltWEfbBSr+SY/MlF+5bA2 -JWs9SMzl0BXMBoOVbLBczoAN38cX4Wwe7hsXpXwhbub8FIwSLMbMUcrqhLIsJQL7ywz/8cnxZqKD -Y9MsM+sIstCKrK2w6b8B9AAY0lmPpR+p4ZaBHzU1vsTX8wPoYA/QDz+TwlczuosNdyaWZcgAUZag -eMhjUOuT7Z92Yzu4PoWIPCOCu6LvYaC+M2mIRCZV476E+KlvSjqElDhYEBkkKueP+1/paiq4ibf3 -MUILTGg+/bhGF+5GVLGEhdimNYGVzzoqPh8ngPo37g+mKjMN8oguejN6/W5Ts/nedvNog4txeaYL -2M8PG5Jv0pyXf82lOaHpXVQ8qfHqWJr4RvI02kcNHGFrNvOCBao4DdLrehOCwFsxlcb7FG2lzjua -Zxg5TfBTNHDby8RGPDo6iq9zlEK2ciSN1lI1viGFRmM9ZYo75jj7OgFsSq9TwLj30WXLqxZdm7CN -f8OPFRc2NWNMTXhjCU9nAYYo8e8ZCnJ5bNVUMHpgx8eW9zrHVdQBKet3irOhDTdcl8DCj2/51S2z -wt69AB3HAgMBAAGjggGQMIIBjDAJBgNVHRMEAjAAMB8GA1UdIwQYMBaAFJTvT2NZT7wQp8iHqRdp -AhJiR+F1MHIGCCsGAQUFBwEBBGYwZDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC5oYXJpY2EuZ3Iv 
-SGFyaWNhRVZDb2RlU2lnbmluZ1N1YkNBUjEuY2VyMCEGCCsGAQUFBzABhhVodHRwOi8vb2NzcC5o -YXJpY2EuZ3IwYAYDVR0gBFkwVzAHBgVngQwBAzAIBgYEAI96AQIwQgYMKwYBBAGBzxEBAQMDMDIw -MAYIKwYBBQUHAgEWJGh0dHBzOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUzATBgNVHSUE -DDAKBggrBgEFBQcDAzBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLmhhcmljYS5nci9IYXJp -Y2FFVkNvZGVTaWduaW5nU3ViQ0FSMS5jcmwwHQYDVR0OBBYEFMA9FXuU36eaZpHrxlphS5vn/I9v -MA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAgEAlEj7BT3SRaAL0uZWs4VJ3zKxMQKL -JOMR5fl7DKO5N/ynRDH8ktjLJZyt4wfNXBR71l0hvTeE+ZqnWXn0Pz0tEVR4qdjzf/JuO2G0GXfb -ATnZrUsTgm8utogtzb3BwDQVRgh5X6/BN8Ip/5C80zAGg2pGdySho2D4kJVeoNu/Gr0xYodFZirV -fcT6zT82eh+MEM2I19gONJ9soJsM9qNxeV94nA8Rct9ZVtv6/CuEg2zPz+JYjmAttp1cEqUchUsg -yUuwLzA4Bk7xnO8giTVFs71z8GET9WeQnohYO2PE/+ytA8wyjELctVOBj1MHVcTcQb/pc+CKenTP -sbeq29RG2WYOsdvAQlhRLJDFB6UoHlqtvQCMfda9HEemI/wHRMD7zKYYc3F1ik6VgGQ8ekEyjuzJ -V6xnELvWpbpm/GvdeXTUqrQpfA4ZowQaQr3ZdNGmpuxaWXByfAzcN9tVYHlcPnh4lTd5j40Sy2OL -Az0MxeukIvBTZEQaYxjxqSHglrVs9c9Gc7DJdpNy48zAefRUK2CfpoY1396DmKmpmYFTWkBvSESm -oQt2IPMnskBgrrNKMvas+W6Grybp9Y0k7c0m4VlW7IkvNR3D3dh+cwdMVxXHmwktIzAE2QdoWlNM -PiaCEKcXPYdBJ9Q2LrxyH2QaqbppvZ/n36y4SCQ//ZvZOUM= +MIIHYTCCBUmgAwIBAgIQU5g4Rhqhf5FxM7exqL0LCzANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQG +EwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9u +cyBDQTEjMCEGA1UEAwwaSEFSSUNBIEVWIENvZGUgU2lnbmluZyBSU0EwHhcNMjYwMzMwMDYyMTI4 +WhcNMjcwMzMwMDYyMTI4WjCB1TELMAkGA1UEBhMCSVQxDTALBgNVBAcMBFJvbWUxODA2BgNVBAoM +L09wZW4gT2JzZXJ2YXRvcnkgb2YgTmV0d29yayBJbnRlcmZlcmVuY2UgKE9PTkkpMRQwEgYDVQQF +Ews5NjU2ODIyMDU4NDE4MDYGA1UEAwwvT3BlbiBPYnNlcnZhdG9yeSBvZiBOZXR3b3JrIEludGVy +ZmVyZW5jZSAoT09OSSkxGDAWBgNVBA8MD0J1c2luZXNzIEVudGl0eTETMBEGCysGAQQBgjc8AgED +EwJJVDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALs3gSrsYiuFwdffvSPMKI/yGYk6 +R2cX2nAsFB8fHFElGdsUbHNoBOdBsRUe2yCSHLwAkMyuNsGvOxbykiNaCGnNjEg3bI7rE7YyKwSH +6aR5B/TTpI9CESnFROxltWEfbBSr+SY/MlF+5bA2JWs9SMzl0BXMBoOVbLBczoAN38cX4Wwe7hsX +pXwhbub8FIwSLMbMUcrqhLIsJQL7ywz/8cnxZqKDY9MsM+sIstCKrK2w6b8B9AAY0lmPpR+p4ZaB 
+HzU1vsTX8wPoYA/QDz+TwlczuosNdyaWZcgAUZageMhjUOuT7Z92Yzu4PoWIPCOCu6LvYaC+M2mI +RCZV476E+KlvSjqElDhYEBkkKueP+1/paiq4ibf3MUILTGg+/bhGF+5GVLGEhdimNYGVzzoqPh8n +gPo37g+mKjMN8oguejN6/W5Ts/nedvNog4txeaYL2M8PG5Jv0pyXf82lOaHpXVQ8qfHqWJr4RvI0 +2kcNHGFrNvOCBao4DdLrehOCwFsxlcb7FG2lzjuaZxg5TfBTNHDby8RGPDo6iq9zlEK2ciSN1lI1 +viGFRmM9ZYo75jj7OgFsSq9TwLj30WXLqxZdm7CNf8OPFRc2NWNMTXhjCU9nAYYo8e8ZCnJ5bNVU +MHpgx8eW9zrHVdQBKet3irOhDTdcl8DCj2/51S2zwt69AB3HAgMBAAGjggGUMIIBkDAJBgNVHRME +AjAAMB8GA1UdIwQYMBaAFAdZmPK1dYDLNtHERsqzQ+RVARsGMHQGCCsGAQUFBwEBBGgwZjBBBggr +BgEFBQcwAoY1aHR0cDovL2NydC5oYXJpY2EuZ3IvSEFSSUNBLUVWLUNvZGVTaWduaW5nLVN1Yi1S +MS5jZXIwIQYIKwYBBQUHMAGGFWh0dHA6Ly9vY3NwLmhhcmljYS5ncjBgBgNVHSAEWTBXMAcGBWeB +DAEDMAgGBgQAj3oBAjBCBgwrBgEEAYHPEQEBAwMwMjAwBggrBgEFBQcCARYkaHR0cHM6Ly9yZXBv +LmhhcmljYS5nci9kb2N1bWVudHMvQ1BTMBMGA1UdJQQMMAoGCCsGAQUFBwMDMEYGA1UdHwQ/MD0w +O6A5oDeGNWh0dHA6Ly9jcmwuaGFyaWNhLmdyL0hBUklDQS1FVi1Db2RlU2lnbmluZy1TdWItUjEu +Y3JsMB0GA1UdDgQWBBTAPRV7lN+nmmaR68ZaYUub5/yPbzAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZI +hvcNAQELBQADggIBABlfxAj7woG8DGFpEWen5lzF9C8oVSm6Q+QoKQ/nUdHisxVJ1/V1IpQbSNMC +PHgywt7jrOv2Gcnx8d9CnClChDrD1dtI7MP62XtK/wEkZmvrvaIzyLiNo5rKqQWlV1IR4KZNszXY +M/r6/l3uJ+MYpakNV0n9YLogX/NTWA3NJMb6HKQ+Sz7pquIEq7q2nstB9igz1xo6ICwCe7J1SVkX +pbkLdKA6Mjt5Pvlg6RwkgM2sDfVDSZifxOAyxs7tdlZZIhJ+NV8YKz4nsTJ+jHCoTNdgahwcp8om +xYSg7MHfWnWXvGdWOFgkuLYNdykurOzU3dM6xu2PYjEPLnVMo3MlWucnxcLIwDNyH3Hxt+R4SBoC +jIkq9JaU6O16ha5kf0BbTcofZ1FIqLNIUbsltUzOYidRY7gNvd7AbVC3lVqqGDFvL9ivWy45eOQm +YxSO+vT6gsLrxFa2um78z94f5+6Go49wK0xRURxx6FsLTmQD33Zv0x67wTlHk5rIOF93bvVdo3+x +XYRHzVMe3ej6qfVeXzY2d8s4sZlEzjCPFAxa0/+e9ZbnFsK8gY3LDyoRUtw5U24exxVxtSRii7j8 +ywEpVV7nmL+6WikaSbEbcgTBqfDLrLkLBEYlCTgkkKFt6mV+AZ+mBMbqdTrgWrYJgCXtgU6YSbs1 +dE0xrQbKvIRWPKQQ -----END CERTIFICATE----- -subject=CN=HARICA EV Code Signing RSA SubCA R1, O=Hellenic Academic and Research Institutions CA, L=Athens, C=GR -issuer=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. 
Authority, L=Athens, C=GR +subject=CN=HARICA EV Code Signing RSA, O=Hellenic Academic and Research Institutions CA, C=GR +issuer=CN=HARICA Code Signing RSA Root CA 2021, O=Hellenic Academic and Research Institutions CA, C=GR -----BEGIN CERTIFICATE----- -MIIG9jCCBN6gAwIBAgIQRBc8w77BDn0wQDhwYp8kwDANBgkqhkiG9w0BAQsFADCBpjELMAkGA1UE -BhMCR1IxDzANBgNVBAcTBkF0aGVuczFEMEIGA1UEChM7SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl -c2VhcmNoIEluc3RpdHV0aW9ucyBDZXJ0LiBBdXRob3JpdHkxQDA+BgNVBAMTN0hlbGxlbmljIEFj -YWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgUm9vdENBIDIwMTUwHhcNMjAwMjI3MTIw -NTIyWhcNMzUwMjIzMTIwNTIyWjCBhTELMAkGA1UEBhMCR1IxDzANBgNVBAcMBkF0aGVuczE3MDUG -A1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBDQTEsMCoG -A1UEAwwjSEFSSUNBIEVWIENvZGUgU2lnbmluZyBSU0EgU3ViQ0EgUjEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCYS0S4Qp3qUC9OZ6t2FGCQBPTWXTEg081FblEgW/x41zwNJtFtQg3U -s+eKDgL0fB0lu64q2/A3uT8PzXr5YKgRcXswYztRFGbvd4zVKcOmNn1QXYB20RE7hHMSzFCc0LVz -CAnJE5+l+s60P+7HqIA/5aX/bKfI76xL2CiuTCZkgpXQFDdBIneIBMRXzpjQ2MM3qJg90yN6lt5S -ZH2+H+zV3OCLBYsAxsfuK4x1dH4EBD/6gF0DA8J38SU5g3nitEVlGMdl50Fvkuv0la5YUemSi+s/ -fE5QlRV39y3csRG5/L/irbZr39jTHDUK9mSli5KQvlzAvZ+Mw3byNKmlAeYrR+TYc0Tl8tVHWqoY -4e+shW4FTJlzpRWT550TD1QG8NqL+M4P7ZQD+X7W2bDedLBLDV1Oh1qVLcfPi7uzhqKFRG9Qv48b -CNXmiPkRlsUB3417sHaupqhNV487vxLKJSeu885SyehgFVv7ajJAxUSeIaguuxJ70ooCrXQDprN3 -a3qNhq/tNBzBByw2OMFj06tazhI66hrBhSnGHqwheT41mU3kz2fgwEyxe+9ZHbTgoSSGdPNp7Sga -ZBl4HXpIg8ofFFbBFGfmwoj12Nt75wGbY3gGec95VLqVqmF/fNZOqhj0V5kizzbtx4aEmiTG4ozn -zXfFrIqw27e7TRKTYzkRGwIDAQABo4IBPTCCATkwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNVHSME -GDAWgBRxFWfIyMm9dV1y0DgYap3zcSRUCzBvBggrBgEFBQcBAQRjMGEwPAYIKwYBBQUHMAKGMGh0 -dHA6Ly9yZXBvLmhhcmljYS5nci9jZXJ0cy9IYXJpY2FSb290Q0EyMDE1LmNydDAhBggrBgEFBQcw -AYYVaHR0cDovL29jc3AuaGFyaWNhLmdyMBEGA1UdIAQKMAgwBgYEVR0gADATBgNVHSUEDDAKBggr -BgEFBQcDAzA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3JsLmhhcmljYS5nci9IYXJpY2FSb290 -Q0EyMDE1LmNybDAdBgNVHQ4EFgQUlO9PY1lPvBCnyIepF2kCEmJH4XUwDgYDVR0PAQH/BAQDAgGG 
-MA0GCSqGSIb3DQEBCwUAA4ICAQByG18cPy5oLuAXImw5+BVlID7Y4Y3C3lNVVW15V12YV/OOLrPS -8N1L+66RyzkBAxC15Fn2xfrwHNRZEIQy/DqAfxO2nUn9BN1cXDgv2aje4LP7dqSOojupvkkWfCvg -JMuV3/Jpc3TFb8LdWN6+qreMJEU7FU+Xz0Sshm63ujzf8ta43FF9l4cooklUXrIjFrKPKYq38h8n -STrbPFDeZqjc9WwQ7tGm8Vt38PzQTmzAs6uZ5tZUyWJWYdtWa7AwwOoCRfE3L4i3ZzqYh/OL4z0m -qsiswn8PHn4yzirFXYs/jBY9pHZfbB81CV3Ad/xMxDMtmqSTVz9fP7o5Mpf+Z3aQlSsG4wFxQANA -w6EOQjt77ZTnLiGO8kjV2uxRBzXWDUATipNW8W4fMvIe6Pcb7pEU27piFTwxtsyq4KKfoKcnr7DZ -qZSfDVX2HBzndJu55aYZprU+AkB12aH0QDBjU/jeWu4dylJ8Soqn53bgWT3aAIXGB/mfE6XsjV+h -kc9GVDVAFYhe6qh6QXiUyZSt3nX9JU/UieAGnIck0YUQnjKlhpwgg1GjWQxc0YscDa9p/PtnPHSL -1/5DMkpv4sZnqeymAiGiOOofNrxpxtHCvEB4RTp4hGd3B3FxyVkkfVvwQQ6OyB2WvBVn7qht6/9Y -H64e3atPXIjYx+Lq6jGUQpci2w== ------END CERTIFICATE----- -subject=CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR -issuer=CN=Hellenic Academic and Research Institutions RootCA 2011, O=Hellenic Academic and Research Institutions Cert. 
Authority, C=GR ------BEGIN CERTIFICATE----- -MIIGcTCCBVmgAwIBAgIIGn48dflJd1IwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkdSMUQw -QgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQu -IEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3Rp -dHV0aW9ucyBSb290Q0EgMjAxMTAeFw0xNjA3MTkxMDMwNDZaFw0yNDA3MTcxMDMwNDZaMIGmMQsw -CQYDVQQGEwJHUjEPMA0GA1UEBxMGQXRoZW5zMUQwQgYDVQQKEztIZWxsZW5pYyBBY2FkZW1pYyBh -bmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENlcnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVu -aWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxNTCCAiIwDQYJ -KoZIhvcNAQEBBQADggIPADCCAgoCggIBAML4qT8bifw8PARdPZA2sJE6eTxmWu9tOQFJGrS3z39N -I1O3kADjEyoopjHxkQDjKOyuIUHOH9r9fRJbAYMPubBfmeHyEoOATQY+36yv56GIazGv8IvQGDO4 -20VqNPQCgCQoCgIVlV52Kg2ZOhRb9svLU7wTTQGIN5QlG0K8ItiOo5ZeOtky2z7o8BBl7XThL6d8 -ryc0uyl9m7bPCcjl0wr8iGVldArccxxczUCxHNS2hIxMUM9ojqhZrsInToKiNd0U9B//snfVhy+q -bn0kJ+fGyybm5f5nB2PYRQ3dOlllOVh6kplyPZyEXoghuNX0LPzZcFJPeLi9PCuLlZj1s9FozyAU -fkxcX+eL5fU1gRk31xEIt2a+00rOg1cAOsOB+BfLkjZd0aPYdRvhiyfqekhB/UUZBq0nmU7BcEfd -tZ+BUxLlsYxIXTFDF+OMxnpjlkspME6ETmIZXjzOl5ClfwHrneD4i4ndJZg9krZ+79nxUVF9LSbI -aVlh4KxquCo2EQR6UL0yhL4v3HLV1x0WR+RHZiA/9JbFr44BeqUPemT1DRiH2a6I1fqEwTrAaSgt -8g1oUarjpXfGpJAOoTeLMSNHwQkI6273eJvXgvyEIJlJGbYSRrH7RVUWqaNlrJwHD+pr3B8uBnLs -hogS5C3bXwUv5PAD0yYz54DCzUKhFzQLAgMBAAGjggGwMIIBrDAPBgNVHRMBAf8EBTADAQH/MA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUcRVnyMjJvXVdctA4GGqd83EkVAswRgYDVR0fBD8wPTA7 -oDmgN4Y1aHR0cDovL2NybHYxLmhhcmljYS5nci9IYXJpY2FSb290Q0EyMDExL2NybHYxLmRlci5j -cmwwHwYDVR0jBBgwFoAUppFC/RNhSiOeCKQp5dgTBCPuQSUwbgYIKwYBBQUHAQEEYjBgMCEGCCsG -AQUFBzABhhVodHRwOi8vb2NzcC5oYXJpY2EuZ3IwOwYIKwYBBQUHMAKGL2h0dHA6Ly93d3cuaGFy -aWNhLmdyL2NlcnRzL0hhcmljYVJvb3RDQTIwMTEuY3J0MIGQBgNVHSAEgYgwgYUwgYIGBFUdIAAw -ejAyBggrBgEFBQcCARYmaHR0cDovL3d3dy5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUy5waHAwRAYI -KwYBBQUHAgIwOAw2VGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdWJqZWN0IHRvIEdyZWVrIGxhd3MgYW5k -IG91ciBDUFMuMA0GCSqGSIb3DQEBCwUAA4IBAQCI1QWSZXa9rZJOYCTxBoag7VU8vZfaaegtz2s+ 
-24HjERi5837T/Fn4wf8oU+tyDCXpnU3hyxsAPGSim/qeRFW3MhyMXUspGC+vW6gaoY0fQ5zxVH/6 -10dPl91uM3ItnnslMQZnHO79WFc+0qI3FWw6pRtE9qxVkr3Ed38ay2sQhEtnsgxlv83JPtPXVTBS -L7YtbvlQPf9eu85xaBtBCM2hc8SoH34vEpnaX70o1WvVsMRLyH2SEhQO1POBKf9+WMddJKi8/eVz -EBRMXOR/XzsofGT7hpZuK3nSJR6FOeEU+AaOUveNZEJY2kTA2vqjqUvPLeO9R45736xh/jWnHi51 +MIIG2TCCBMGgAwIBAgIQYZteMfORbXWXH5ZcjAG4cDANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQG +EwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2VhcmNoIEluc3RpdHV0aW9u +cyBDQTEtMCsGA1UEAwwkSEFSSUNBIENvZGUgU2lnbmluZyBSU0EgUm9vdCBDQSAyMDIxMB4XDTIx +MDMxOTA5MzA1NFoXDTM2MDMxNTA5MzA1M1owazELMAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxl +bmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1dGlvbnMgQ0ExIzAhBgNVBAMMGkhBUklD +QSBFViBDb2RlIFNpZ25pbmcgUlNBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmMS1 +EVUU+/udbIUugAyLqgmZn/miG4k7ZRXpQ8qVU4Ja2Fyu8Ha7SrL8jW3sTvIK5K7oTOQ6KbMp6LkQ +szPD29QG5qjBnpO2akvVsJ1JtYDzhSYYkuEqYn9Mtke2ZFEfiZhRToY7ltJAO3K6tAynTrq73d1C +izJcVR+izD97tI1aDQvDLa2Xl9tFgKyySsV4e4aLG0/wx9znn4J2flWTIwQnn06nfkmNRXZDfCqQ +l9ogPwnM1KsbTAhNTFVbZ0LuL6Gymc+2OonhWyi9unJH12syskfK6W+JrjzZypAEu63iGYcnSmS9 +GiTqyfyyoTPJMTTZPnLQCb7wvdVVMJuUAqeZb/GWBdiP+GxKBvYYuhTuK5tcbBi/VT1boApASj+t +uWEw5nFDFkNdN+DmFTG53tZ+8l0R8vXiXc/C82yugP4M4aFsLVxPTTZlVksSSti/MT3G5iulOcKP +X87va3X5xv21pEt9oCXhf5m8c6507YKRhSOJuiRcsM777LET0/HH+bjgnA9JznvKF2vFYcxlCzH/ +ZLT1UetIyNvhjJYI9vJBCtiXvJ4I5OzxWzHDG+4gL3x/e0TXI9nl+aR8FWknHV9+hObvK5WaqFcV +PztHTxcdOjLRb0LC0pjaSBbTeRNJ7iUOVDdZ8VOQ5LW8tEDchbY7KRmgrV7mxnhJK/53N50CAwEA +AaOCAW0wggFpMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAUtGQWSOj8WkszKYnrmUC5 +ILT2YRowXAYIKwYBBQUHAQEEUDBOMEwGCCsGAQUFBzAChkBodHRwOi8vcmVwby5oYXJpY2EuZ3Iv +Y2VydHMvSEFSSUNBLUNvZGVTaWduaW5nLVJvb3QtMjAyMS1SU0EuY2VyMEQGA1UdIAQ9MDswOQYE +VR0gADAxMC8GCCsGAQUFBwIBFiNodHRwOi8vcmVwby5oYXJpY2EuZ3IvZG9jdW1lbnRzL0NQUzAT +BgNVHSUEDDAKBggrBgEFBQcDAzBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY3JsLmhhcmljYS5n +ci9IQVJJQ0EtQ29kZVNpZ25pbmctUm9vdC0yMDIxLVJTQS5jcmwwHQYDVR0OBBYEFAdZmPK1dYDL 
+NtHERsqzQ+RVARsGMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAWZWbfyhrPQfb +2ljh17rJnf4ZeKa7thpS7FNnkg812gmXhklYvfb4OvGi0z7EAQBx/UsXCtQv9MJbZFI5iEvVKQaN +FPZoEae5cO4KFWyS062vlXupYjxpOCAwkTyyZLfeb5NUGM/MbD5Lw/7E0uExU3XogLv1o8F2Jb4L +AYAlpG97Ab0MFDJTpAFbAF00DzVEp9J1B5KtDlfNms8bYb9EAoc/sGUNZVyz1FGL0Fu/giMcyTdg +tVcvupxFoHodI77+XtNC6tGBB/nssunYmiFu+2fowitz2KTk+oIyLFz9I3uXnAFq3YKTZQfJzkHT +IpH89C6CKhMmuuUK6JwomtHjQpOK6Aq4uObkRiJ/sLLZkEAqpRM+leIKf3QskaVo7aZmVRcLV6/i +7wcT5LjmCPtjKzGtmWtT4uLM/7dQxaIaBTBDqmjABkSJLb0Oczk/KYoiLn5j+5SBAVEy9BtJQkOP +k6t4nR3klfoSDuoSn/LvsRbfCQiqPqca+oypxNJS6K2/vZ+7wXSWM6Hk2Ao9Rq5Udt/VcMz7gJxn +i//sh9rqlqZyXEBxZLtKAxDVObbogdvvXIS/k0oc78C5rGWypuVw8IdpHW+4ZWIkdVqNQ5Y453z/ +dDEqWP8A2uloPZsbpp+LibhhHdbOssTG6K5uEWLMMKDVXeEyyBUQLkljiFWZsuQ= -----END CERTIFICATE----- diff --git a/ansible/roles/codesign_box/templates/aws_credentials b/ansible/roles/codesign_box/templates/aws_credentials new file mode 100644 index 00000000..e86f453c --- /dev/null +++ b/ansible/roles/codesign_box/templates/aws_credentials @@ -0,0 +1,3 @@ +[default] +aws_access_key_id = {{ aws_access_key_id }} +aws_secret_access_key = {{ aws_secret_access_key }} diff --git a/ansible/roles/codesign_box/templates/create-hsms.sh b/ansible/roles/codesign_box/templates/create-hsms.sh index b5192060..6f71ce38 100644 --- a/ansible/roles/codesign_box/templates/create-hsms.sh +++ b/ansible/roles/codesign_box/templates/create-hsms.sh @@ -1,9 +1,11 @@ #!/bin/bash CLUSTER_ID="{{ cluster_id }}" +AWS_DEFAULT_REGION="eu-central-1" +export AWS_DEFAULT_REGION create_hsm_token() { - if [ -z $1 ]; then + if [ -z "$1" ]; then echo "AVAILABILITY ZONE PARAMETER UNSET!" exit 1 fi 
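Review bot: `AWS_DEFAULT_REGION="eu-central-1"` is hard-coded here and, with the same two lines, in delete-hsms.sh, while the `aws_region` variable carrying that same default is deleted from the Terraform module in this commit; the region is now a literal living in two templates. Since both scripts already template `CLUSTER_ID="{{ cluster_id }}"`, a role default (`aws_region: eu-central-1` in defaults/main.yml) and `AWS_DEFAULT_REGION="{{ aws_region }}"` in both scripts keeps a single source of truth. The `[ -z "$1" ]` quoting fix in `create_hsm_token` is correct; `create_hsm_token` itself continues outside the hunk.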
@@ -16,20 +18,26 @@ create_hsm_token() {
 wait_for_hsm_tokens() {
-
+ local attempts=0
+ local max_attempts=60 # 10 minutes
 while true; do
- STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)")
+ STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)" --output text)
 if [ "$STATE" -ge 2 ]; then
 echo "HSM Tokens created and active."
 break
 fi
- echo "Waiting for HSM Token $TOKEN_NAME to become active..."
+ attempts=$((attempts + 1))
+ if [ "$attempts" -ge "$max_attempts" ]; then
+ echo "ERROR: Timed out waiting for HSM tokens to become active."
+ exit 1
+ fi
+ echo "Waiting for HSM Token to become active..."
 sleep 10
 done
 }
-CURRENT_TOKEN_COUNT=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)")
+CURRENT_TOKEN_COUNT=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)" --output text)
 if [ "$CURRENT_TOKEN_COUNT" -ge 2 ]; then
 echo "Enough HSMs already exist, skipping creation"
 else
@@ -45,6 +53,11 @@ echo "IP Addresses of created HSM tokens: $IP_ADDRESSES"
 IP_ADDRESS_1=$(echo $IP_ADDRESSES | cut -d ' ' -f1)
 IP_ADDRESS_2=$(echo $IP_ADDRESSES | cut -d ' ' -f2)
+if [ -z "$IP_ADDRESS_1" ] || [ -z "$IP_ADDRESS_2" ]; then
+ echo "ERROR: Could not extract both IP addresses. Got: '$IP_ADDRESSES'"
+ exit 1
+fi
+
 echo "[+] writing cloudhsm-cli.cfg"
 cat < /tmp/cloudhsm-cli.cfg
 {
@@ -109,4 +122,4 @@ cat < /tmp/cloudhsm-pkcs11.cfg
 }
 EOF
 sudo mv /tmp/cloudhsm-pkcs11.cfg /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg
-sudo chown root:root /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg
\ No newline at end of file
+sudo chown root:root /opt/cloudhsm/etc/cloudhsm-pkcs11.cfg
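Review bot: In `wait_for_hsm_tokens` the new `max_attempts` timeout only bounds the happy path; when `aws cloudhsmv2 describe-clusters` itself fails (no credentials, wrong region, throttling) `STATE` is empty, `[ "$STATE" -ge 2 ]` prints `integer expression expected` every 10 s and the script keeps polling for the full 10 minutes before it reports an error. Checking the command's exit status fails fast and with the real cause: `STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[?State=='ACTIVE'] | length(@)" --output text) || { echo "ERROR: describe-clusters failed"; exit 1; }`, and the same applies to the `CURRENT_TOKEN_COUNT` assignment below the function. `$CLUSTER_ID` is unquoted in `--filters clusterIds=$CLUSTER_ID` in both calls; it is a templated literal so this is harmless today, but `"$CLUSTER_ID"` would match the `"$1"` quoting fix made in the first hunk.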
diff --git a/ansible/roles/codesign_box/templates/delete-hsms.sh b/ansible/roles/codesign_box/templates/delete-hsms.sh
index 099a104f..9baf06b7 100644
--- a/ansible/roles/codesign_box/templates/delete-hsms.sh
+++ b/ansible/roles/codesign_box/templates/delete-hsms.sh
@@ -1,9 +1,11 @@
 #!/bin/bash
 CLUSTER_ID="{{ cluster_id }}"
+AWS_DEFAULT_REGION="eu-central-1"
+export AWS_DEFAULT_REGION
 # List all HSM tokens
 echo "Listing all HSM tokens in the cluster..."
-aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId"
+aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*].HsmId" --output text
 # Function to delete an HSM token and wait for its deletion
 delete_hsm_token() {
@@ -16,7 +18,7 @@ delete_hsm_token() {
 wait_for_them_to_die() {
 while true; do
- STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*] | length(@)")
+ STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*] | length(@)" --output text)
 if [ "$STATE" -eq 0 ]; then
 echo "All HSM tokens are dead. RIP."
 break
diff --git a/ansible/roles/codesign_box/templates/sign-windows-exe.sh b/ansible/roles/codesign_box/templates/sign-windows-exe.sh
index 197ffed3..5b716af2 100644
--- a/ansible/roles/codesign_box/templates/sign-windows-exe.sh
+++ b/ansible/roles/codesign_box/templates/sign-windows-exe.sh
@@ -16,7 +16,7 @@ osslsigncode sign \
 -pass $HSM_CREDENTIALS \
 -pkcs11engine /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
 -pkcs11module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
- -certs Cert_bundle.pem \
+ -certs /opt/cloudhsm/etc/Cert_bundle.pem \
 -key "pkcs11:token=hsm1;object={{ hsm_token_name }}" \
 -in $1 \
 -out $2
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 10530a46..6e85d7ea 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
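Review bot: `wait_for_them_to_die` gets the `--output text` change but not the attempt counter that this same commit adds to `wait_for_hsm_tokens` in create-hsms.sh, so a describe-clusters failure (empty `STATE`, `[ "" -eq 0 ]` erroring on every iteration) or an HSM stuck in a deleting state leaves this loop polling forever. The two scripts should fail the same way; the rewritten loop below mirrors create-hsms.sh. The rest of the function (the `sleep` and the closing `done`/`}`) lies outside the hunk and is unchanged.
```shell
wait_for_them_to_die() {
    local attempts=0
    local max_attempts=60 # 10 minutes
    while true; do
        STATE=$(aws cloudhsmv2 describe-clusters --filters clusterIds=$CLUSTER_ID --query "Clusters[0].Hsms[*] | length(@)" --output text) || { echo "ERROR: describe-clusters failed"; exit 1; }
        if [ "$STATE" -eq 0 ]; then
            echo "All HSM tokens are dead. RIP."
            break
        fi
        attempts=$((attempts + 1))
        if [ "$attempts" -ge "$max_attempts" ]; then
            echo "ERROR: Timed out waiting for HSM tokens to be deleted."
            exit 1
        fi
        # … unchanged: sleep and end of loop (outside this hunk) …
```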
@@ -1422,19 +1422,60 @@ resource "aws_acm_certificate_validation" "ooniapi_frontend" {
 ## Code signing setup
-# this has been manually created on EC2
-#module "codesigning" {
-# source = "../../modules/cloudhsm"
-#
-# vpc_id = module.network.vpc_id
-# subnet_ids = module.network.vpc_subnet_cloudhsm[*].id
-# subnet_cidr_blocks = module.network.vpc_subnet_cloudhsm[*].cidr_block
-# key_name = module.adm_iam_roles.oonidevops_key_name
-# tags = {
-# Environment = local.environment
-# }
-# monitoring_active = "false"
-#}
+module "ooni_codesign_box" {
+ source = "../../modules/ec2"
+
+ stage = local.environment
+
+ vpc_id = module.network.vpc_id
+ subnet_id = module.network.vpc_subnet_cloudhsm[0].id
+ private_subnet_cidr = module.network.vpc_subnet_cloudhsm[*].cidr_block
+ dns_zone_ooni_io = local.dns_zone_ooni_io
+
+ key_name = module.adm_iam_roles.oonidevops_key_name
+ instance_type = "t3.micro"
+
+ name = "codesign-box"
+ ingress_rules = [{
+ from_port = 22,
+ to_port = 22,
+ protocol = "tcp",
+ cidr_blocks = ["0.0.0.0/0"],
+ }, {
+ from_port = 2223,
+ to_port = 2225,
+ protocol = "tcp",
+ cidr_blocks = module.network.vpc_subnet_cloudhsm[*].cidr_block,
+ }]
+
+ egress_rules = [{
+ from_port = 0,
+ to_port = 0,
+ protocol = "-1",
+ cidr_blocks = ["0.0.0.0/0"],
+ }, {
+ from_port = 0,
+ to_port = 0,
+ protocol = "-1",
+ ipv6_cidr_blocks = ["::/0"],
+ }]
+
+ sg_prefix = "sgn"
+ tg_prefix = "sgn"
+
+ disk_size = 20
+
+ # This host will be turned off most of the times and
+ # the monitoring system will think it's down, so it's
+ # not worth monitoring
+ monitoring_active = "false"
+
+ tags = merge(
+ local.tags,
+ { Name = "ooni-tier3-codesign" }
+ )
+}
+
 ## Ansible controller setup
diff --git a/tf/modules/cloudhsm/main.tf b/tf/modules/cloudhsm/main.tf
deleted file mode 100644
index c6f12abb..00000000
--- a/tf/modules/cloudhsm/main.tf
+++ /dev/null
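Review bot: `ingress_rules` opens port 22 to `0.0.0.0/0` on the instance that will hold the HSM client, the `.hsmcredentials` file and the AWS keys written by the codesign_box role; the deleted `aws_security_group.hsm` carried the same rule, but rebuilding the host from the shared ec2 module is the moment to narrow it. The inventory in this commit lists `jumphost.prod.ooni.io`, so `cidr_blocks = [<jumphost-or-admin-cidr>]` keeps Ansible access while removing the public exposure, and the `Name = "ooni-tier3-codesign"` tag suggests the host is meant to be managed like the other tier-3 boxes rather than as a public endpoint. The 2223-2225 ingress from the CloudHSM subnets is presumably meant for HSM traffic; as far as I know the CloudHSM client opens those connections from the instance towards the HSM ENIs, so an ingress rule may not be needed at all — confirm before keeping it. `private_subnet_cidr` is handed a list from `[*].cidr_block` while `subnet_id` takes a single element; whether the ec2 module expects a list there cannot be checked from this diff.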
@@ -1,96 +0,0 @@
-data "aws_cloudhsm_v2_cluster" "hsm_cluster" {
- cluster_id = "cluster-qsvghm4oqok"
-}
-
-## Temporarily disabled, see: https://github.com/ooni/devops/issues/55
-#resource "aws_cloudhsm_v2_hsm" "hsm" {
-# count = length(var.subnet_ids)
-# subnet_id = var.subnet_ids[count.index]
-# cluster_id = data.aws_cloudhsm_v2_cluster.hsm_cluster.cluster_id
-#}
-
-resource "aws_security_group" "hsm" {
- vpc_id = var.vpc_id
-
- ingress {
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- ingress {
- from_port = 2223 # Port for CloudHSM
- to_port = 2225
- protocol = "tcp"
- cidr_blocks = var.subnet_cidr_blocks
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-resource "aws_instance" "codesign_box" {
- # Amazon linux
- ami = "ami-03bb61bfa8e4d149e"
-
- key_name = var.key_name
- instance_type = "t3.micro"
-
- subnet_id = var.subnet_ids[0]
- vpc_security_group_ids = [aws_security_group.hsm.id]
-
- associate_public_ip_address = true
-
- user_data = <<-EOF
- #!/bin/bash
- sudo yum update -y
- curl -o cloudhsm-cli.rpm https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-latest.amzn2023.x86_64.rpm
- sudo yum install -y ./cloudhsm-cli.rpm
- rm cloudhsm-cli.rpm
-
- curl -o cloudhsm-pkcs11.rpm https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-pkcs11-latest.amzn2023.x86_64.rpm
- sudo yum install -y ./cloudhsm-pkcs11.rpm
- rm cloudhsm-pkcs11.rpm
- EOF
-
- tags = merge(var.tags, { Name = "codesign-box", MonitoringActive = var.monitoring_active })
-
- // NOTE: remove the ignore_changes rule to deploy
- lifecycle {
- ignore_changes = all
- }
-}
-
-resource "aws_launch_template" "codesign_box_template" {
- name = "codesign-box"
- # Ubuntu 22.04
- image_id = "ami-0a43b9fc420cabb27"
-
- instance_type = "t3.micro"
-
- key_name = var.key_name
-
- network_interfaces {
- subnet_id = var.subnet_ids[0]
- security_groups = [aws_security_group.hsm.id]
- associate_public_ip_address = true
- }
-
- update_default_version = true
-
- tag_specifications {
- resource_type = "instance"
-
- tags = {
- Name = "codesign-box"
- MonitoringActive = var.monitoring_active
- }
- }
-
- tags = merge(var.tags, { Name = "codesign-box-template" })
-}
diff --git a/tf/modules/cloudhsm/outputs.tf b/tf/modules/cloudhsm/outputs.tf
deleted file mode 100644
index 0f5353fe..00000000
--- a/tf/modules/cloudhsm/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "cloudhsm_cluster_id" {
- value = data.aws_cloudhsm_v2_cluster.hsm_cluster.id
-}
diff --git a/tf/modules/cloudhsm/variables.tf b/tf/modules/cloudhsm/variables.tf
deleted file mode 100644
index 27a905c6..00000000
--- a/tf/modules/cloudhsm/variables.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-variable "aws_region" {
- description = "The AWS region to create things in."
- default = "eu-central-1"
-}
-
-variable "key_name" {
- description = "Name of AWS key pair"
-}
-
-variable "vpc_id" {
- description = "the id of the VPC to deploy the instance into"
-}
-
-variable "subnet_ids" {
- description = "the id of the subnet for the HSM"
- type = list(string)
-}
-
-variable "subnet_cidr_blocks" {
- description = "the ids of the subnet of the subnets to deploy the instance into"
- type = list(string)
-}
-
-variable "tags" {
- description = "tags to apply to the resources"
- default = {}
- type = map(string)
-}
-
-variable "monitoring_active" {
- description = "If the monitoring system should consider the HSM machine. Set it to 'true' to activate it, anything else to deactivate it"
- default = "true"
- type = string
-}
\ No newline at end of file