From e9e7ecd74d794737eed8f0e14ca7849587ba7ca3 Mon Sep 17 00:00:00 2001
From: Dmitry Maksyoma
Date: Fri, 12 Feb 2021 18:11:27 +1300
Subject: [PATCH] Rpm: create certificate on postinst, remove on postrm
---
 .../dockerfile.centos_core.barebones.rpm.test | 5 ++--
 builder/dockerfile.centos_core.rpm.test | 2 +-
 builder/startup/vnc_startup.sh | 14 +++++-----
 builder/test-rpm-barebones | 2 --
 centos/kasmvncserver.spec | 26 ++++++++++++++++++-
 5 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/builder/dockerfile.centos_core.barebones.rpm.test b/builder/dockerfile.centos_core.barebones.rpm.test
index 7f001ca..3852d29 100644
--- a/builder/dockerfile.centos_core.barebones.rpm.test
+++ b/builder/dockerfile.centos_core.barebones.rpm.test
@@ -10,12 +10,11 @@ RUN yum localinstall -y /tmp/*.rpm
 RUN useradd -m foo
-USER foo
+USER foo:kasmvnc
 RUN mkdir -p ~/.config/openbox && echo xterm > ~/.config/openbox/autostart && chmod +x ~/.config/openbox/autostart
 RUN mkdir ~/.vnc && echo '/usr/bin/openbox-session &' >> ~/.vnc/xstartup && \
 chmod +x ~/.vnc/xstartup
-RUN openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $HOME/.vnc/self.pem -out $HOME/.vnc/self.pem -subj "/C=US/ST=VA/L=None/O=None/OU=DoFu/CN=kasm/emailAddress=none@none.none"
 RUN echo bar | kasmvncpasswd -f > $HOME/.kasmpasswd && chmod 0600 $HOME/.kasmpasswd
-ENTRYPOINT bash -c "vncserver :1 -interface 0.0.0.0 && vncserver -kill :1 && vncserver :1 -depth 24 -geometry 1280x1050 -websocketPort 8443 -cert $HOME/.vnc/self.pem -sslOnly -FrameRate=24 -interface 0.0.0.0 -httpd /usr/share/kasmvnc/www && tail -f $HOME/.vnc/*.log "
+ENTRYPOINT bash -c "vncserver :1 -interface 0.0.0.0 && vncserver -kill :1 && vncserver :1 -depth 24 -geometry 1280x1050 -websocketPort 8443 -cert /etc/pki/tls/private/kasmvnc.pem -sslOnly -FrameRate=24 -interface 0.0.0.0 -httpd /usr/share/kasmvnc/www && tail -f $HOME/.vnc/*.log "
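Review bot: The new ENTRYPOINT's `-cert /etc/pki/tls/private/kasmvnc.pem` only works because `USER foo:kasmvnc` makes kasmvnc the test user's primary group; the rpm's %post leaves that file in group kasmvnc with mode 640, so an account outside the group presumably fails at TLS setup with no hint why, and nothing in the image records the dependency. A comment on the USER line would: `# primary group kasmvnc: needed to read /etc/pki/tls/private/kasmvnc.pem (mode 640, created by the rpm %post)`. The same applies to `USER 1000:kasmvnc` in builder/dockerfile.centos_core.rpm.test. It is also worth confirming on the target CentOS release that /etc/pki/tls/private itself is traversable by non-root users, since group access to the file is useless if the directory is root-only.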
diff --git a/builder/dockerfile.centos_core.rpm.test b/builder/dockerfile.centos_core.rpm.test
index d9738e4..ec02208 100644
--- a/builder/dockerfile.centos_core.rpm.test
+++ b/builder/dockerfile.centos_core.rpm.test
@@ -52,7 +52,7 @@ RUN yum localinstall -y /tmp/*.rpm
 ### END CUSTOM STUFF ###
 RUN chown -R 1000:0 $HOME
-USER 1000
+USER 1000:kasmvnc
 WORKDIR $HOME
 RUN mkdir ~/.vnc && echo '/usr/bin/xfce4-session &' >> ~/.vnc/xstartup && \
diff --git a/builder/startup/vnc_startup.sh b/builder/startup/vnc_startup.sh
index b2980ce..b2c3c59 100755
--- a/builder/startup/vnc_startup.sh
+++ b/builder/startup/vnc_startup.sh
@@ -21,12 +21,14 @@ detect_www_dir() {
 detect_cert_location() {
 local tarball_cert="$HOME/.vnc/self.pem"
- local package_cert="/etc/ssl/certs/ssl-cert-snakeoil.pem"
- local package_key="/etc/ssl/private/ssl-cert-snakeoil.key"
- local use_cert=
-
- if [[ -f "$package_cert" ]]; then
- cert_option="-cert $package_cert -key $package_key"
+ local deb_cert="/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ local deb_key="/etc/ssl/private/ssl-cert-snakeoil.key"
+ local rpm_cert="/etc/pki/tls/private/kasmvnc.pem"
+
+ if [[ -f "$deb_cert" ]]; then
+ cert_option="-cert $deb_cert -key $deb_key"
+ elif [[ -f "$rpm_cert" ]]; then
+ cert_option="-cert $rpm_cert"
 else
 cert_option="-cert $tarball_cert"
 fi
diff --git a/builder/test-rpm-barebones b/builder/test-rpm-barebones
index 3b528e5..e8ba9cd 100755
--- a/builder/test-rpm-barebones
+++ b/builder/test-rpm-barebones
@@ -9,7 +9,5 @@ os_codename="core"
 docker build --build-arg KASMVNC_PACKAGE_DIR="build/${os}_${os_codename}" \
 -t kasmvnctester_barebones_${os}:$os_codename \
 -f dockerfile.${os}_${os_codename}.barebones.rpm.test .
-echo
-echo "You will be asked to set password. User name is docker."
 docker run -it -p 443:8443 --rm -e "VNC_USER=foo" -e "VNC_PW=bar" \
 kasmvnctester_barebones_${os}:$os_codename
diff --git a/centos/kasmvncserver.spec b/centos/kasmvncserver.spec
index 6135904..91f0849 100644
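Review bot: `elif [[ -f "$rpm_cert" ]]; then` in detect_cert_location tests only for existence, but the rpm installs that file readable by group kasmvnc only (chgrp/chmod 640 in the spec's %post), so for a user outside that group the branch is still taken and vncserver is handed a file it presumably cannot open; `elif [[ -r "$rpm_cert" ]]; then` makes the check match what the server actually needs. The rpm branch also passes no `-key`, relying on the file holding key and certificate together, which deserves a comment on that line: `# the rpm %post writes key and certificate into one file, so no -key is needed`. The function writes the global `cert_option` rather than returning a value; that is pre-existing, but a one-line comment naming the consumer would help, since nothing in the hunk shows who reads it.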
--- a/centos/kasmvncserver.spec
+++ b/centos/kasmvncserver.spec
@@ -40,7 +40,29 @@ DESTDIR=$RPM_BUILD_ROOT make -f /src/debian/Makefile.to_fakebuild_tar_package in
 --slave "$mandir/man1/$generic_command.1.gz" "$generic_command.1.gz" \
 "$mandir/man1/$kasm_command.1.gz"
 done
-;;
+
+ kasmvnc_group="kasmvnc"
+
+ create_kasmvnc_group() {
+ if ! getent group "$kasmvnc_group" >/dev/null; then
+ groupadd --system "$kasmvnc_group"
+ fi
+ }
+
+ make_self_signed_certificate() {
+ local cert_file=/etc/pki/tls/private/kasmvnc.pem
+ [ -f "$cert_file" ] && return 0
+
+ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
+ -keyout "$cert_file" \
+ -out "$cert_file" -subj \
+ "/C=US/ST=VA/L=None/O=None/OU=DoFu/CN=kasm/emailAddress=none@none.none"
+ chgrp "$kasmvnc_group" "$cert_file"
+ chmod 640 "$cert_file"
+ }
+
+ create_kasmvnc_group
+ make_self_signed_certificate
 %postun
 bindir=/usr/bin
@@ -51,3 +73,5 @@ DESTDIR=$RPM_BUILD_ROOT make -f /src/debian/Makefile.to_fakebuild_tar_package in
 generic_command=`echo "$kasm_command" | sed -e 's/kasm//'`;
 update-alternatives --remove "$generic_command" "$bindir/$kasm_command"
 done
+
+ rm -f /etc/pki/tls/private/kasmvnc.pem
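Review bot: `make_self_signed_certificate` creates the private key with whatever umask the %post process has and only tightens it afterwards with `chgrp`/`chmod 640`, so on OpenSSL builds that do not create key files 0600 themselves the key is briefly readable by everyone, and if `openssl req` fails the function still runs chgrp/chmod on a missing file and the scriptlet ends non-zero without saying why. Generating the file under a restrictive umask and stopping on failure closes both gaps; the rewrite below keeps the same path, subject and final permissions. `groupadd --system` in create_kasmvnc_group is likewise unchecked, and the path /etc/pki/tls/private/kasmvnc.pem is now repeated here, in %postun and in builder/startup/vnc_startup.sh, so a move must touch three places. The enclosing %post scriptlet starts outside the hunk.
```shell
  make_self_signed_certificate() {
    local cert_file=/etc/pki/tls/private/kasmvnc.pem
    [ -f "$cert_file" ] && return 0

    # restrictive umask: the private key must never be readable by others,
    # not even between creation and the chmod below
    (umask 077 && openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
      -keyout "$cert_file" \
      -out "$cert_file" -subj \
      "/C=US/ST=VA/L=None/O=None/OU=DoFu/CN=kasm/emailAddress=none@none.none") \
      || return 1
    chgrp "$kasmvnc_group" "$cert_file" && chmod 640 "$cert_file"
  }
```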
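Review bot: `rm -f /etc/pki/tls/private/kasmvnc.pem` in %postun runs on upgrades as well as on erase, and RPM runs the old package's %postun after the new package's %post, whose `[ -f "$cert_file" ] && return 0` has by then decided to keep the existing file — so every upgrade from this version onward leaves the server without its certificate until %post runs again. The scriptlet needs the usual erase-only guard: `if [ "$1" -eq 0 ]; then` / `  rm -f /etc/pki/tls/private/kasmvnc.pem` / `fi`. Even on erase the unconditional rm discards a certificate an administrator may have placed there deliberately, which %post explicitly honours by skipping creation; listing the file as `%ghost` in %files, or removing only what the package generated, would be the cleaner contract, but the `$1` check is the minimum. The enclosing %postun scriptlet starts outside the hunk.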