contrib/shell: Add pair of utility script.

These scripts automate part of the work needed on the client side of
kedifa:
- retrieving the secret token, storing it along with server authentication
  (CA cert and CRL) paths
- serialising a key and certificate pair the way kedifa expects them, and
  pushing the result to kedifa

contrib/shell/kedifa_generateauth

+#!/bin/bash
+# This file is part of kedifa
+# Copyright (C) 2022  Nexedi SA
+#     Vincent Pelletier <vincent@nexedi.com>
+#
+# This program is free software: you can Use, Study, Modify and Redistribute
+# it under the terms of the GNU General Public License version 3, or (at your
+# option) any later version, as published by the Free Software Foundation.
+#
+# You can also Link and Combine this program with other software covered by
+# the terms of any of the Free Software licenses or any of the Open Source
+# Initiative approved licenses and Convey the resulting work. Corresponding
+# source of such a combination shall include the source code for all other
+# software used.
+#
+# This program is distributed WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# See COPYING file for full licensing terms.
+# See https://www.nexedi.com/licensing for rationale and options.
+# shellcheck enable=avoid-nullary-conditions
+# shellcheck enable=check-unassigned-uppercase,deprecate-which
+set -eu
+if [ $# -ne 5 ]; then
+  echo "Usage: $0 https://<kedifa-netloc>/<kedifa-domain-id>{,/generateauth,?auth=} <ca> <crl> <domain> <config-directory>"
+  echo "  ca, crl: Path of the service CA certificate used to sign kedifa's https certificate, and of coresponding CRL"
+  echo "    Note: these files must be maintained up-to-date, for example using cacuase-updater."
+  echo "  config-directory: existing directory where a configuration file usable by kedifa_update_cert will be created"
+  exit 1
+fi
+
+kedifa_url_base="$(printf '%s\n' "$1" | sed 's:\(/generateauth\|\?auth=\)$::')"
+cafile="$2"
+crlfile="$3"
+domain="$4"
+config_base="$5"
+
+if printf '%s\n' "$kedifa_url_base" | grep -q '^https://[^/]\+/[^/]\+$'; then
+  :
+else
+  echo "Invalid url, check usage"
+  exit 1
+fi
+if [ ! -d "$config_base" ]; then
+  echo "Configuration directory does not exist"
+  exit 1
+fi
+outfile="${config_base}/${domain}.sh"
+if [ -e "$outfile" ]; then
+  echo "Destination already exists, not updating"
+  exit 1
+fi
+if touch "$outfile"; then
+  :
+else
+  echo "Error creating $outfile"
+  exit 1
+fi
+trap 'rm "${outfile}"' EXIT
+chmod go= "$outfile"
+echo -n "Retrieving kedifa identifier for shared instance..."
+kedifa_auth="$(curl --silent --cacert "${cafile}" --crlfile "${crlfile}" "${kedifa_url_base}/generateauth")"
+trap - EXIT
+printf 'CA=%q\nCRL=%q\nURL=%q\n' "$cafile" "$crlfile" "${kedifa_url_base}?auth=${kedifa_auth}" > "$outfile"
+echo " done."
+if curl --output /dev/null --silent "https://$domain"; then
+  :
+elif [ 35 -eq $? ]; then
+  echo -n "Bootstrapping $domain certificate..."
+  tmpdir="$(mktemp --directory --tmpdir "$(basename "$0").XXXXXXXXXX")"
+  # Note: this trap is responsible for the final deletion
+  trap 'rm -r "${tmpdir}"' EXIT
+  openssl req \
+    -outform PEM \
+    -out "${tmpdir}/bootstrap.crt" \
+    -new \
+    -newkey rsa:2048 \
+    -keyout "${tmpdir}/bootstrap.key" \
+    -nodes \
+    -subj "/CN=${domain}" \
+    -x509 \
+    -batch \
+    > /dev/null 2>&1
+  kedifa_update_cert \
+    "$outfile" \
+    "${tmpdir}/bootstrap.key" \
+    "${tmpdir}/bootstrap.crt"
+  echo " done."
+else
+  echo "Unexpected curl status: $?"
+  exit 1
+fi

contrib/shell/kedifa_update_cert

+#!/bin/bash
+# This file is part of kedifa
+# Copyright (C) 2022  Nexedi SA
+#     Vincent Pelletier <vincent@nexedi.com>
+#
+# This program is free software: you can Use, Study, Modify and Redistribute
+# it under the terms of the GNU General Public License version 3, or (at your
+# option) any later version, as published by the Free Software Foundation.
+#
+# You can also Link and Combine this program with other software covered by
+# the terms of any of the Free Software licenses or any of the Open Source
+# Initiative approved licenses and Convey the resulting work. Corresponding
+# source of such a combination shall include the source code for all other
+# software used.
+#
+# This program is distributed WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# See COPYING file for full licensing terms.
+# See https://www.nexedi.com/licensing for rationale and options.
+# shellcheck enable=avoid-nullary-conditions
+# shellcheck enable=check-unassigned-uppercase,deprecate-which
+set -eu
+if [ $# -ne 3 ]; then
+  echo "Usage: $0 <config.sh> <key> <cert>"
+  echo "  config.sh: as generated by kedifa_generateauth"
+  echo "  key, cert: The private key and certificate to send to kedifa."
+  exit 1
+fi
+config="$1"
+key="$2"
+crt="$3"
+if grep -q '^-----BEGIN .*\<KEY-----' "$key"; then
+  :
+else
+  printf '"%q" is not a PEM-encoded private key\n' "$key"
+  exit 1
+fi
+if grep -q '^-----BEGIN CERTIFICATE-----$' "$crt"; then
+  :
+else
+  printf '"%q" is not a PEM-encoded certificate\n' "$crt"
+fi
+
+CA=
+CRL=
+URL=
+# shellcheck disable=SC1090
+. "$config"
+
+if test -z "$CA" || test -z "$CRL" || test -z "$URL"; then
+  printf '"%q": Malformed file\n' "$config"
+fi
+keycert="$(mktemp --tmpdir kedifa_update_XXXXXXXX)"
+trap 'rm "${keycert}"' EXIT
+cat "$key" "$crt" > "$keycert"
+if output="$(curl --silent --cacert "$CA" --crlfile "$CRL" --upload-file "$keycert" "$URL")"; then
+  status="$?"
+  printf '"%q": Failed uploading to kedifa\n' "$config"
+  exit "$status"
+fi
+if [ -n "$output" ]; then
+  printf '"%q": kedifa rejected the update: %s\n' "$config" "$output"
+  exit 1
+fi