
Issue#36: .deb deploys default TLS certificate and private key (#39)

* issue#36: Generating TLS key and self-signed cert after installing/upgrading the package

* issue#36: Updated libstdc++.a dependency to v10

* issue#36: Generate self-signed certs after install/upgrade

* issue#36: Updated dependencies

* issue#36: Check for pre-existence of key/cert
key-networks 4 سال پیش
والد
کامیت
ab057c854c
5فایلهای تغییر یافته به همراه52 افزوده شده و 19 حذف شده
  1. 15 2
      build/after-install.sh
  2. 9 0
      build/after-upgrade.sh
  3. 3 3
      build/binding.gyp.patch
  4. 22 11
      build/build.sh
  5. 3 3
      src/package.json

+ 15 - 2
build/after-install.sh

@@ -1,6 +1,19 @@
+#!/bin/bash
+
 ETC='/opt/key-networks/ztncui/etc'
-echo "Copying default password file..."
-cp -pv $ETC/default.passwd $ETC/passwd
+if [ -f ${ETC}/passwd ]; then
+  echo "Password file aready exists"
+else
+  echo "Copying default password file..."
+  cp -pv ${ETC}/default.passwd ${ETC}/passwd
+fi
+if [ -f /opt/key-networks/ztncui/etc/tls/privkey.pem ] && [ -f /opt/key-networks/ztncui/etc/tls/fullchain.pem ]; then
+  echo "TLS key and certificate already exist"
+else
+  echo "Generating new TLS key and self-signed certificate..."
+  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /opt/key-networks/ztncui/etc/tls/privkey.pem -out /opt/key-networks/ztncui/etc/tls/fullchain.pem -subj "/C=XX/ST=YY/L=ZZ/O=Security/OU=SelfSigned/CN=example.com"
+fi
+chown ztncui.ztncui /opt/key-networks/ztncui/etc/tls/*
 echo "Enabling and starting ztncui service..."
 systemctl enable ztncui
 systemctl start ztncui
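Review bot: The openssl invocation in the else branch is unchecked and the script has no `set -e`, so a failed key generation (for example an unwritable tls directory) still reaches the `chown` and then enables and starts the service without a key pair in place. Debian maintainer scripts conventionally begin with `set -e`; add it after the shebang, and follow the openssl call with `chmod 600 /opt/key-networks/ztncui/etc/tls/privkey.pem` rather than relying on openssl's and the umask's defaults for the private key's mode. The `user.group` form in `chown ztncui.ztncui ...` is deprecated in coreutils; the unambiguous spelling is `chown ztncui:ztncui /opt/key-networks/ztncui/etc/tls/*`. The same three points apply to the identical block in build/after-upgrade.sh. Note also that the existence check never regenerates an expired certificate, and the self-signed one is only valid for the 365 days given to `-days`.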

+ 9 - 0
build/after-upgrade.sh

@@ -1,2 +1,11 @@
+#!/bin/bash
+
+if [ -f /opt/key-networks/ztncui/etc/tls/privkey.pem ] && [ -f /opt/key-networks/ztncui/etc/tls/fullchain.pem ]; then
+  echo "TLS key and certificate already exist"
+else
+  echo "Generating new TLS key and self-signed certificate..."
+  openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /opt/key-networks/ztncui/etc/tls/privkey.pem -out /opt/key-networks/ztncui/etc/tls/fullchain.pem -subj "/C=XX/ST=YY/L=ZZ/O=Security/OU=SelfSigned/CN=example.com"
+fi
+chown ztncui.ztncui /opt/key-networks/ztncui/etc/tls/*
 systemctl daemon-reload
 systemctl try-restart ztncui
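Review bot: The existence check before openssl treats any privkey.pem/fullchain.pem already on disk as operator-provided, but an installation upgraded from a release that shipped the build-time key pair (the openssl call this commit deletes from build/build.sh) has exactly those files present, so it keeps the shared default key unless the package manager removes them before this script runs. That depends on how the old package marked them: dpkg drops a non-conffile that the new package no longer contains during unpack, ahead of the configure step that triggers after-upgrade, whereas RPM removes the old package's files only after the new package's post-install scriptlet, so here the check would see the old files, skip generation, and the files may then be deleted. Worth verifying against a real upgrade from the previous release on both package types, and documenting in a comment that the check assumes a pre-existing pair is intentional, e.g. `# Existing key/cert are kept; only a fresh install or a removed pair gets a new self-signed one`.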

+ 3 - 3
build/binding.gyp.patch

@@ -1,10 +1,10 @@
---- /tmp/binding.gyp	2018-07-07 14:38:23.884143337 +0800
-+++ ../src/node_modules/argon2/binding.gyp	2018-07-07 14:39:09.684840870 +0800
+--- ../src/node_modules/argon2/binding.gyp
++++ ../src/node_modules/argon2/binding.gyp
 @@ -47,6 +47,7 @@
        ],
        "cflags+": ["-Wno-cast-function-type"],
        "include_dirs+": ["<!(node -e \"require('nan')\")"],
-+      "libraries": ["/usr/lib/gcc/x86_64-redhat-linux/9/libstdc++.a"],
++      "libraries": ["/usr/lib/gcc/x86_64-redhat-linux/10/libstdc++.a"],
        "dependencies": ["libargon2"],
        "configurations": {
          "Debug": {

+ 22 - 11
build/build.sh

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+set -e
+
 THISDIR=`pwd`
 if [ `basename $THISDIR`  != 'build' ]; then
   echo "Execute `basename $0` from the build directory"
@@ -22,20 +24,21 @@ LICENSE='GPLv3'
 
 BINDINGGYP='node_modules/argon2/binding.gyp'
 
-if [ ! -f  /usr/lib/gcc/x86_64-redhat-linux/9/libstdc++.a ]; then
+NODE_VER='v8'
+
+if [ ! -f  /usr/lib/gcc/x86_64-redhat-linux/10/libstdc++.a ]; then
   echo "You must install libstdc++-static"
   exit 1
 fi
 
-if [ ! -f  /usr/bin/rpmbuild ]; then
-  echo "You must install rpm-build"
-  exit 1
-fi
+DEPS="rpmbuild rpmsign npm node"
 
-if [ ! -f  /usr/bin/rpmsign ]; then
-  echo "You must install rpm-sign"
-  exit 1
-fi
+for DEP in ${DEPS}; do
+  if ! which ${DEP}; then
+    echo "Missing dependency ${DEP}"
+    exit 1
+  fi
+done
 
 rm -fr $STAGING_DIR && mkdir $STAGING_DIR
 rm -fr $PKG_DIR && mkdir $PKG_DIR
@@ -43,6 +46,15 @@ rm -fr $PKG_DIR && mkdir $PKG_DIR
 pushd .
 cd ../src
 pushd .
+
+NVER=`node --version`
+if [[ ${NVER%%.*} != ${NODE_VER} ]]; then
+  echo "Missing dependency node ${NODE_VER}"
+  exit 1
+fi
+
+[[ -d ../src/node_modules ]] && rm -fr ../src/node_modules
+
 npm install
 
 patch --forward --dry-run --silent $BINDINGGYP $BUILD_DIR/binding.gyp.patch
@@ -81,8 +93,6 @@ install -m 644 $BUILD_DIR/ztncui.service $STAGING_DIR/lib/systemd/system
 
 rm -f $BUILD_DIR/ztncui
 
-openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout $STAGING_DIR/opt/key-networks/ztncui/etc/tls/privkey.pem -out $STAGING_DIR/opt/key-networks/ztncui/etc/tls/fullchain.pem -config $BUILD_DIR/openssl.cnf
-
 GENERAL_FPM_FLAGS="
   --name $NAME
   --version $VERSION
@@ -92,6 +102,7 @@ GENERAL_FPM_FLAGS="
   --package $PKG_DIR
   --directories /opt/key-networks
   --depends zerotier-one
+  --depends openssl
   --before-install before-install.sh
   --after-install after-install.sh
   --before-remove before-remove.sh
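Review bot: The new node version check and the node_modules cleanup in the hunk at `@@ -43,6 +46,15 @@` use `[[ ... ]]`, a bash builtin, but the file runs under `#!/bin/sh` (first hunk), so on systems where sh is dash or another POSIX shell those lines fail with `[[: not found`, and the newly added `set -e` turns that into a hard abort. Use POSIX tests, `if [ "${NVER%%.*}" != "${NODE_VER}" ]; then` and `[ -d ../src/node_modules ] && rm -fr ../src/node_modules`, or, since the script's existing `pushd` is already a bashism, change the shebang to `#!/usr/bin/env bash`. In the dependency loop, `which ${DEP}` is not installed on every minimal system and prints the resolved path to stdout; `command -v "${DEP}" >/dev/null` is the portable form. Adding `set -e` also changes the behaviour of pre-existing unchecked commands such as the `patch --forward --dry-run --silent ...` line at the end of that hunk, whose non-zero status may previously have been tolerated; confirm that the lines following it, outside the hunk, still handle an already-applied patch.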

+ 3 - 3
src/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ztncui",
-  "version": "0.5.8",
+  "version": "0.6.3",
   "private": true,
   "scripts": {
     "start": "node ./bin/www",
@@ -17,9 +17,9 @@
     "express-session": "^1.15.6",
     "express-validator": "^4.3.0",
     "got": "^7.1.0",
-    "helmet": "^3.12.0",
+    "helmet": "^3.23.0",
     "ip-address": "^5.8.9",
-    "jquery": "^3.4.1",
+    "jquery": "^3.5.1",
     "morgan": "~1.9.1",
     "node-persist": "^2.1.0",
     "pug": "^2.0.4",