From acb0a444e5ef143bd6818afb4ff6224eec0d5064 Mon Sep 17 00:00:00 2001
From: Alan Zhu
Date: Mon, 7 Jan 2019 21:18:08 -0800
Subject: [PATCH] Fixes omiserver.conf setting overwritten issue

---
 Unix/installbuilder/conf/omiserver.conf | 20 ++++++--
 Unix/installbuilder/datafiles/Base_OMI.data | 56 ++++++++-------------
 2 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/Unix/installbuilder/conf/omiserver.conf b/Unix/installbuilder/conf/omiserver.conf
index db94d7d0d..0f2002c21 100644
--- a/Unix/installbuilder/conf/omiserver.conf
+++ b/Unix/installbuilder/conf/omiserver.conf
@@ -58,10 +58,24 @@ httpsport=0
 ## This section is for security protocol settings
 ## NoSSLv2: When it is true, the SSLv2 protocol is disabled.
 ## NoSSLv3: When it is true, the SSLv3 protocol is disabled.
-## If NoSSLv2 and NoSSLv3 are both set to true, only TLS encryption will be negotiated.
+## NoTLSv1_0: When it is true, the TLSv1.0 protocal is disabled.
+## NoTLSv1_1: When it is true, and if available on the platform, the TLSv1.1 protocal is disabled.
+## NoTLSv1_2: When it is true, and if available on the platform, the TLSv1.2 protocol is disabled
+## note: if NoSSLv2 and NoSSLv3 are both set to true, only TLS encryption will be negotiated.
+##
+## sslciphersuite: The prioritized list of allowed SSL/TLS ciphers.
+## For example, set `sslciphersuite=ALL:!SSLv2:!SSLv3:!TLSv1:!RC4-MD5:!RC4-SHA:!SEED-SHA` in
+## `/etc/opt/omi/conf/omiserver.conf` to disable all SSLv2,SSLv3,TLSv1 ciphers
+## and 3 weak ciphers: RC4-MD5,RC4-SHA,SEED-SHA; then run
+## `sudo /opt/omi/bin/service_control restart` to take effect, for more information,
+## check man ciphers or search internet with openssl man ciphers
 ##
 #NoSSLv2=true
 #NoSSLv3=false
+#NoTLSv1_0=false
+#NoTLSv1_1=false
+#NoTLSv1_2=false
+#sslciphersuite=ALL
 
 # Enabling this will cause each provider to run under it's own omiagent
 # process. This will take considerably more memory, but is useful for
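Review bot: The new comment lines for `NoTLSv1_0` and `NoTLSv1_1` spell "protocal", while the `NoTLSv1_2` line directly below them spells it correctly; change both to `protocol` and give the `NoTLSv1_2` line the same trailing period as its neighbours. The sslciphersuite paragraph runs two sentences together at "to take effect, for more information"; splitting it as `... to take effect. For more information, see man ciphers (OpenSSL).` reads better for someone editing the file under pressure.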
@@ -71,8 +85,8 @@ httpsport=0
 
 # List of authorized and unauthorized user groups, separated by commas.
 # Both local and domain groups can be listed. For example:
-# AuthorizedGroups=SCX\scx local admins, SCX\domain users, adm
-# UnauthorizedGroups=games
+# `AuthorizedGroups=SCX\scx local admins, SCX\domain users, adm`
+# `UnauthorizedGroups=games`
 # If both parameters are blank (default), authorization checks are not
 # performed. For more info, see
 # https://github.com/Microsoft/omi/tree/master/Unix/doc/allow-deny-handling.md
diff --git a/Unix/installbuilder/datafiles/Base_OMI.data b/Unix/installbuilder/datafiles/Base_OMI.data
index acf0fb621..f2640c645 100644
--- a/Unix/installbuilder/datafiles/Base_OMI.data
+++ b/Unix/installbuilder/datafiles/Base_OMI.data
@@ -386,51 +386,35 @@ GenerateKeyCert() {
 }
 
 HandleConfigFiles() {
-    grep -i "sslciphersuite" /etc/opt/omi/conf/omiserver.conf 1> /dev/null 2> /dev/null
-    # if there is no sslCipherSuite defined in omiserver.conf, check the previous omiserver/cimserver OM conf files for an sslCipherSuite defined
-    if [ $? -ne 0 ]; then
-        if [ -f /etc/opt/omi/conf/omiserver.conf.rpmsave ]; then
-            echo `grep sslciphersuite /etc/opt/omi/conf/omiserver.conf.rpmsave` >> /etc/opt/omi/conf/omiserver.conf
-        elif [ -f /etc/opt/omi/conf/omiserver.conf.pkgsave ]; then
-            echo `grep sslciphersuite /etc/opt/omi/conf/omiserver.conf.pkgsave` >> /etc/opt/omi/conf/omiserver.conf
-        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave ]; then
-            echo `grep sslciphersuite /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave` >> /etc/opt/omi/conf/omiserver.conf
-        elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf ]; then
-            echo `grep sslciphersuite /etc/opt/microsoft/scx/conf/omiserver.conf` >> /etc/opt/omi/conf/omiserver.conf
-        elif [ -f /etc/opt/microsoft/scx/conf/cimserver_current.conf ]; then
-            echo `grep sslCipherSuite /etc/opt/microsoft/scx/conf/cimserver_current.conf` | sed "s@sslCipherSuite@sslciphersuite@" >> /etc/opt/omi/conf/omiserver.conf
-        fi
+    local OMISETTINGS="httpport httpsport NoSSLv2 NoSSLv3 NoTLSv1_0 NoTLSv1_1 NoTLSv1_2 sslciphersuite AuthorizedGroups UnauthorizedGroups"
+
+    # omiconfigeditor requires SSL linkage to be set up properly on Linux
+    # If the file to set these up exists, run it
+    if [ -f /opt/omi/bin/support/installssllinks ]; then
+        /opt/omi/bin/support/installssllinks
     fi
 
-    grep -q '^httpsport=0$' /etc/opt/omi/conf/omiserver.conf 1> /dev/null 2> /dev/null
-    # If there is no httpsport defined in omiserver.conf, check the previous files
-    if [ $? -eq 0 ]; then
-        HTTPSPORT=""
+    for key in ${OMISETTINGS}; do
+        local VALUE=""
+        # If we found an OMISETTINGS from previous configuration, then restore it now
         if [ -f /etc/opt/omi/conf/omiserver.conf.rpmsave ]; then
-            HTTPSPORT=`grep '^httpsport=' /etc/opt/omi/conf/omiserver.conf.rpmsave | cut -d= -f2`
+            VALUE=`grep "^$key=" /etc/opt/omi/conf/omiserver.conf.rpmsave | cut -d= -f2 | head -1`
         elif [ -f /etc/opt/omi/conf/omiserver.conf.pkgsave ]; then
-            HTTPSPORT=`grep '^httpsport=' /etc/opt/omi/conf/omiserver.conf.pkgsave | cut -d= -f2`
+            VALUE=`grep "^$key=" /etc/opt/omi/conf/omiserver.conf.pkgsave | cut -d= -f2 | head -1`
         elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave ]; then
-            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave | cut -d= -f2`
+            VALUE=`grep "^$key=" /etc/opt/microsoft/scx/conf/omiserver.conf.pkgsave | cut -d= -f2 | head -1`
         elif [ -f /etc/opt/microsoft/scx/conf/omiserver.conf ]; then
-            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/omiserver.conf | cut -d= -f2`
+            VALUE=`grep "^$key=" /etc/opt/microsoft/scx/conf/omiserver.conf | cut -d= -f2 | head -1`
         elif [ -f /etc/opt/microsoft/scx/conf/cimserver_current.conf ]; then
-            HTTPSPORT=`grep '^httpsport=' /etc/opt/microsoft/scx/conf/cimserver_current.conf | cut -d= -f2`
+            VALUE=`grep "^$key=" /etc/opt/microsoft/scx/conf/cimserver_current.conf | cut -d= -f2 | head -1`
         fi
-
-        # If we found an HTTSPORT from previous configuration, then restore it now
-        if [ -n "$HTTPSPORT" ]; then
-            # omiconfigeditor requires SSL linkage to be set up properly on Linux
-            # If the file to set these up exists, run it
-            if [ -f /opt/omi/bin/support/installssllinks ]; then
-                /opt/omi/bin/support/installssllinks
-            fi
-
-            echo "Restoring OMI HTTPSPORT to $HTTPSPORT ..."
-            /opt/omi/bin/omiconfigeditor httpsport -s $HTTPSPORT < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp
-            mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
+
+        if [ -n "$VALUE" ]; then
+            echo "Restoring OMI $key to $VALUE ..."
+            /opt/omi/bin/omiconfigeditor $key -u < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp; mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
+            /opt/omi/bin/omiconfigeditor $key -s $VALUE < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp; mv /etc/opt/omi/conf/omiserver.conf_temp /etc/opt/omi/conf/omiserver.conf
         fi
-    fi
+    done
 }
 
 # Handle upgrade from older SCX configurations. This needs to be in OMI since
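Review bot: `-s $VALUE` on the second omiconfigeditor call is unquoted, so a restored value containing spaces is split into several arguments, and the `AuthorizedGroups` example this same patch adds to omiserver.conf (`SCX\scx local admins, SCX\domain users, adm`) is exactly such a value — only its first word would be written back, silently narrowing the authorization list. Quote both expansions, `/opt/omi/bin/omiconfigeditor "$key" -s "$VALUE" < /etc/opt/omi/conf/omiserver.conf > /etc/opt/omi/conf/omiserver.conf_temp`, and use `cut -d= -f2-` in the five VALUE= lines so a value that itself contains `=` is not truncated. The cimserver_current.conf branch also appears to regress: the removed code matched `sslCipherSuite` and renamed it via sed, whereas `grep "^$key="` is case-sensitive and will not find that spelling, so a legacy cipher restriction would not be carried over; `grep -i "^$key="` would keep that path working. Since each `cmd < conf > conf_temp; mv conf_temp conf` replaces the live config unconditionally, a failing omiconfigeditor leaves an empty or partial omiserver.conf in place — check its exit status before the `mv`.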