authorsangwan.kwon <sangwan.kwon@samsung.com>2016-08-31 17:58:36 +0900
committersangwan.kwon <sangwan.kwon@samsung.com>2016-09-02 14:07:25 +0900
commite1dff866ee124a973d3e1604abb50962dcc528cb (patch)
treece4583489337cae618d1b816db4db2dc6a28106b
parentf22a5688bec05a24db4d630658e3cda7d33e6fbe (diff)
Add platform upgrade script about system certs
* About Tizen 2.4 -> 3.0 Change-Id: I225fddefe1ee41902576ed628fc9ee62498e8f8d Signed-off-by: sangwan.kwon <sangwan.kwon@samsung.com>
-rw-r--r--etc/CMakeLists.txt14
-rwxr-xr-xetc/cert-svc-db-upgrade.sh.in48
-rwxr-xr-xetc/cert-svc-disabled-certs-upgrade.sh.in74
-rw-r--r--packaging/cert-svc.manifest.in2
-rw-r--r--packaging/cert-svc.spec38
5 files changed, 165 insertions, 11 deletions
diff --git a/etc/CMakeLists.txt b/etc/CMakeLists.txt
index ade8237..40dac00 100644
--- a/etc/CMakeLists.txt
+++ b/etc/CMakeLists.txt
@@ -33,5 +33,17 @@ ENDIF (ERROR_CODE)
INSTALL(FILES
${ETC_DIR}/certs-meta.db
- DESTINATION ${CERT_SVC_DB}
+ DESTINATION ${CERT_SVC_DB_PATH}
+ )
+
+CONFIGURE_FILE(cert-svc-db-upgrade.sh.in cert-svc-db-upgrade.sh @ONLY)
+CONFIGURE_FILE(
+ cert-svc-disabled-certs-upgrade.sh.in
+ cert-svc-disabled-certs-upgrade.sh @ONLY
+ )
+
+INSTALL(FILES
+ ${ETC_DIR}/cert-svc-db-upgrade.sh
+ ${ETC_DIR}/cert-svc-disabled-certs-upgrade.sh
+ DESTINATION ${UPGRADE_SCRIPT_PATH}
)
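Review bot: The two upgrade scripts in the new INSTALL block at the end of the hunk are installed with `INSTALL(FILES ...)`, which installs them with the default 644 mode, so they only become executable because the spec file later forces `%attr(755, root, root)` on them; `INSTALL(PROGRAMS` in place of `INSTALL(FILES` gives them the 755 default and makes the CMake install correct on its own. The `CONFIGURE_FILE` calls write their output relative to `CMAKE_CURRENT_BINARY_DIR` while the INSTALL reads `${ETC_DIR}/cert-svc-db-upgrade.sh`, so this relies on `ETC_DIR` (defined outside the hunk) naming that same directory; spelling the outputs as `${CMAKE_CURRENT_BINARY_DIR}/cert-svc-db-upgrade.sh` would remove that coupling. The enclosing file continues before this hunk.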
diff --git a/etc/cert-svc-db-upgrade.sh.in b/etc/cert-svc-db-upgrade.sh.in
new file mode 100755
index 0000000..395c42b
--- /dev/null
+++ b/etc/cert-svc-db-upgrade.sh.in
@@ -0,0 +1,48 @@
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-db-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc db migration scripts for platform upgrade 2.4 -> 3.0
+#
+
+OLD_DB=@CERT_SVC_OLD_DB_PATH@/certs-meta-old.db
+NEW_DB=@CERT_SVC_DB_PATH@/certs-meta.db
+
+# backup old database
+mv @CERT_SVC_OLD_DB_PATH@/certs-meta.db $OLD_DB
+rm -rf @CERT_SVC_OLD_DB_PATH@/certs-meta.db-journal
+
+# install new database
+cp @UPGRADE_DATA_PATH@/certs-meta.db $NEW_DB
+
+# update disabled certs on db
+disabled_certs_cnt=`sqlite3 $OLD_DB "SELECT count(*) FROM disabled_certs;"`
+if [ "$disabled_certs_cnt" != "0" ]
+then
+ @UPGRADE_SCRIPT_PATH@/cert-svc-disabled-certs-upgrade.sh $OLD_DB $NEW_DB
+fi
+
+rm -rf $OLD_DB
+
+# generate blank journal file newly
+touch $NEW_DB-journal
+
+# change permission
+chsmack -a @SMACK_DOMAIN_NAME@ @CERT_SVC_DB_PATH@/*
+chown @USER_NAME@:@GROUP_NAME@ @CERT_SVC_DB_PATH@/*
+chmod 644 @CERT_SVC_DB_PATH@/*
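Review bot: Neither the `mv` that backs up the old database nor the `cp` that installs the new one is checked, and every path expansion in the script is unquoted. If the old database is absent or the move fails, `sqlite3 $OLD_DB` then runs against a file that does not exist, `disabled_certs_cnt` most likely comes back empty rather than `0`, and the `!= "0"` test goes on to invoke the disabled-certs script on a nonexistent database. A guard before the backup, `[ -f "@CERT_SVC_OLD_DB_PATH@/certs-meta.db" ] || exit 1` (or `exit 0` if a missing 2.4 database should count as nothing to migrate), plus `|| exit 1` on the `mv` and `cp` lines, makes the failure explicit instead of letting the script continue with a half-done migration. Quoting `"$OLD_DB"` and `"$NEW_DB"` at each use, and using `rm -f` for the two single files the `rm -rf` lines delete, are small cleanups to do alongside it.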
diff --git a/etc/cert-svc-disabled-certs-upgrade.sh.in b/etc/cert-svc-disabled-certs-upgrade.sh.in
new file mode 100755
index 0000000..91f0805
--- /dev/null
+++ b/etc/cert-svc-disabled-certs-upgrade.sh.in
@@ -0,0 +1,74 @@
+#!/bin/bash
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# @file cert-svc-disabled-certs-upgrade.sh.in
+# @author Sangwan Kwon (sangwan.kwon@samsung.com)
+# @brief cert-svc disabled certs upgrade for platform upgrade 2.4 -> 3.0
+#
+
+# TODO(sangwan.kwon) Migration user certs(WIFI, VPN, EMAIL)
+
+# check this script invoked by cert-svc-db-upgrade
+if [ "$#" != "2" ]
+then
+ exit 0
+fi
+
+OLD_DB=$1
+NEW_DB=$2
+OLD_GNAME_LIST=@CERT_SVC_DB_PATH@/old-gname-list
+OLD_CERTS_DIR=@CERT_SVC_DB_PATH@/old-certs
+
+rm -rf $OLD_CERTS_DIR
+mkdir -p $OLD_CERTS_DIR
+
+# get disabled ceritificates list from old db
+sqlite3 $OLD_DB "SELECT gname FROM disabled_certs;" > $OLD_GNAME_LIST
+
+# since gname is different between Tizen 2.4 and 3.0, compare certicate
+index=1
+for gname in `cat $OLD_GNAME_LIST`
+do
+ sqlite3 $OLD_DB "SELECT certificate FROM disabled_certs
+ WHERE gname='$gname';" > $OLD_CERTS_DIR/$index
+ index=$(expr $index + 1)
+done
+
+# restore disabled certs to new db
+for fname in `find $OLD_CERTS_DIR/* | sort`
+do
+ certs=`cat $fname`
+ # check certificate's existence on new db
+ ret=`sqlite3 $NEW_DB "SELECT EXISTS (
+ SELECT certificate
+ FROM ssl
+ WHERE certificate='$certs');"`
+
+ if [ "$ret" == "1" ]
+ then
+ # TODO(sangwan.kwon) Consider is_root_app column (it depends on master app)
+ # update ssl, disabled_certs table
+ gname=`sqlite3 $NEW_DB "SELECT gname FROM ssl WHERE certificate='$certs';"`
+ sqlite3 $NEW_DB "INSERT INTO disabled_certs VALUES ('$gname', '$certs');"
+ sqlite3 $NEW_DB "UPDATE ssl SET enabled=0 WHERE gname='$gname';"
+
+ # TODO(sangwan.kwon) unlink file between rw & ro area
+ fi
+done
+
+rm -rf $OLD_GNAME_LIST
+rm -rf $OLD_CERTS_DIR
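Review bot: The values read back from the old database, `gname` and `certs`, are spliced directly into SQL text in the per-gname `SELECT`, the `EXISTS` check and the `INSERT`/`UPDATE` statements, so a single quote inside a gname or certificate blob either breaks the statement or changes what it does; the data comes from the platform's own 2.4 database, but a migration script should still escape it before embedding. SQLite escapes a quote by doubling it, which bash can do in place right after each value is read: `certs=${certs//\'/\'\'}` and `gname=${gname//\'/\'\'}`, after which the same escaped form is correct both in the `WHERE` comparisons and as the `INSERT` value. The `cat $OLD_GNAME_LIST` command-substitution loop also word-splits on whitespace; `while read -r gname; do ...; done < "$OLD_GNAME_LIST"` keeps each line intact. The comment typos `ceritificates` and `certicate` could be fixed at the same time.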
diff --git a/packaging/cert-svc.manifest.in b/packaging/cert-svc.manifest.in
index aed0ebd..0e13460 100644
--- a/packaging/cert-svc.manifest.in
+++ b/packaging/cert-svc.manifest.in
@@ -3,6 +3,6 @@
<domain name="_" />
</request>
<assign>
- <filesystem path="@CERT_SVC_PATH@" label="System" type="transmutable" />
+ <filesystem path="@CERT_SVC_PATH@" label="@SMACK_DOMAIN_NAME@" type="transmutable" />
</assign>
</manifest>
diff --git a/packaging/cert-svc.spec b/packaging/cert-svc.spec
index 097d105..a3d0d52 100644
--- a/packaging/cert-svc.spec
+++ b/packaging/cert-svc.spec
@@ -33,6 +33,10 @@ Requires: security-config
BuildRequires: pkgconfig(cert-checker)
%endif
+%global USER_NAME security_fw
+%global GROUP_NAME security_fw
+%global SMACK_DONMAIN_NAME System
+
%global TZ_SYS_BIN %{?TZ_SYS_BIN:%TZ_SYS_BIN}%{!?TZ_SYS_BIN:%_bindir}
%global TZ_SYS_ETC %{?TZ_SYS_ETC:%TZ_SYS_ETC}%{!?TZ_SYS_ETC:/opt/etc}
%global TZ_SYS_SHARE %{?TZ_SYS_SHARE:%TZ_SYS_SHARE}%{!?TZ_SYS_SHARE:/opt/share}
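Review bot: The macro defined here is spelled `SMACK_DONMAIN_NAME`, but the `%cmake` invocation later in this file passes `-DSMACK_DOMAIN_NAME=%SMACK_DOMAIN_NAME`; rpm leaves an undefined `%NAME` reference unexpanded, so the label substituted into `cert-svc.manifest.in` and into the `chsmack -a @SMACK_DOMAIN_NAME@` line of `cert-svc-db-upgrade.sh.in` would be the literal string `%SMACK_DOMAIN_NAME` rather than `System`, changing the SMACK label applied to the cert-svc directory and database. The line should read `%global SMACK_DOMAIN_NAME System`. The manifest hunk above depends on this same substitution, so it is affected too.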
@@ -45,11 +49,15 @@ BuildRequires: pkgconfig(cert-checker)
%global CERT_SVC_PATH %TZ_SYS_SHARE/cert-svc
%global CERT_SVC_RO_PATH %TZ_SYS_RO_SHARE/cert-svc
-%global CERT_SVC_DB %CERT_SVC_PATH/dbspace
+%global CERT_SVC_DB_PATH %CERT_SVC_PATH/dbspace
%global CERT_SVC_PKCS12 %CERT_SVC_PATH/pkcs12
%global CERT_SVC_CA_BUNDLE %CERT_SVC_PATH/ca-certificate.crt
%global CERT_SVC_TESTS %TZ_SYS_RW_APP/cert-svc-tests
+%global CERT_SVC_OLD_DB_PATH /opt/share/cert-svc/dbspace
+%global UPGRADE_SCRIPT_PATH %TZ_SYS_RO_SHARE/upgrade/scripts
+%global UPGRADE_DATA_PATH %TZ_SYS_RO_SHARE/upgrade/data
+
%description
Certification service
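Review bot: `CERT_SVC_OLD_DB_PATH` is the only path in this group written as an absolute literal rather than derived from a `TZ_SYS_*` macro, and nothing records why. Presumably it is the fixed Tizen 2.4 location the upgrade script must read regardless of where 3.0 puts `TZ_SYS_SHARE`; note that when `TZ_SYS_SHARE` keeps its `/opt/share` default the old and new `dbspace` directories resolve to the same path and the `mv` in `cert-svc-db-upgrade.sh.in` renames the file in place. A comment above it such as `# Fixed Tizen 2.4 dbspace location read by the upgrade script; intentionally not derived from TZ_SYS_SHARE` would capture the intent for the next reader.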
@@ -93,6 +101,9 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
%{!?build_type:%define build_type "Release"}
%cmake . -DVERSION=%version \
-DINCLUDEDIR=%_includedir \
+ -DUSER_NAME=%USER_NAME \
+ -DGROUP_NAME=%GROUP_NAME \
+ -DSMACK_DOMAIN_NAME=%SMACK_DOMAIN_NAME \
-DTZ_SYS_SHARE=%TZ_SYS_SHARE \
-DTZ_SYS_RO_SHARE=%TZ_SYS_RO_SHARE \
-DTZ_SYS_BIN=%TZ_SYS_BIN \
@@ -102,8 +113,11 @@ export FFLAGS="$FFLAGS -DTIZEN_EMULATOR_MODE"
-DFINGERPRINT_LIST_RW_PATH=%TZ_SYS_REVOKED_CERTS_FINGERPRINTS_RUNTIME \
-DCERT_SVC_PATH=%CERT_SVC_PATH \
-DCERT_SVC_RO_PATH=%CERT_SVC_RO_PATH \
- -DCERT_SVC_DB=%CERT_SVC_DB \
-DCERT_SVC_PKCS12=%CERT_SVC_PKCS12 \
+ -DCERT_SVC_DB_PATH=%CERT_SVC_DB_PATH \
+ -DCERT_SVC_OLD_DB_PATH=%CERT_SVC_OLD_DB_PATH \
+ -DUPGRADE_SCRIPT_PATH=%UPGRADE_SCRIPT_PATH \
+ -DUPGRADE_DATA_PATH=%UPGRADE_DATA_PATH \
%if "%{?profile}" == "mobile"
-DTIZEN_PROFILE_MOBILE:BOOL=ON \
%else
@@ -124,7 +138,9 @@ make %{?_smp_mflags}
mkdir -p %buildroot%CERT_SVC_PKCS12
-touch %buildroot%CERT_SVC_DB/certs-meta.db-journal
+touch %buildroot%CERT_SVC_DB_PATH/certs-meta.db-journal
+mkdir -p %buildroot%UPGRADE_DATA_PATH
+cp %buildroot%CERT_SVC_DB_PATH/certs-meta.db %buildroot%UPGRADE_DATA_PATH
ln -sf %TZ_SYS_CA_BUNDLE %buildroot%CERT_SVC_CA_BUNDLE
@@ -156,12 +172,16 @@ fi
%_unitdir/sockets.target.wants/cert-server.socket
%_libdir/libcert-svc-vcore.so.*
%TZ_SYS_BIN/cert-server
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PATH
-%dir %attr(-, security_fw, security_fw) %CERT_SVC_PKCS12
-%attr(-, security_fw, security_fw) %CERT_SVC_CA_BUNDLE
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db
-%attr(-, security_fw, security_fw) %CERT_SVC_DB/certs-meta.db-journal
-%attr(-, security_fw, security_fw) %CERT_SVC_RO_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PATH
+%dir %attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_PKCS12
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_CA_BUNDLE
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_DB_PATH/certs-meta.db-journal
+%attr(-, %{USER_NAME}, %{GROUP_NAME}) %CERT_SVC_RO_PATH
+
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-db-upgrade.sh
+%attr(755, root, root) %{UPGRADE_SCRIPT_PATH}/cert-svc-disabled-certs-upgrade.sh
+%{UPGRADE_DATA_PATH}/certs-meta.db
%files devel
%_includedir/*