Commit 14f281d4 authored by Vincent Pelletier's avatar Vincent Pelletier

contrib/shell: Add pair of utility script.

These scripts automate part of the work needed on the client side of
kedifa:
- retrieving the secret token, storing it along with server authentication
  (CA cert and CRL) paths
- serialising a key and certificate pair the way kedifa expects them, and
  pushing the result to kedifa
1 merge request!13contrib/shell: Add pair of utility script.
#!/bin/bash
# This file is part of kedifa
# Copyright (C) 2022 Nexedi SA
# Vincent Pelletier <vincent@nexedi.com>
#
# This program is free software: you can Use, Study, Modify and Redistribute
# it under the terms of the GNU General Public License version 3, or (at your
# option) any later version, as published by the Free Software Foundation.
#
# You can also Link and Combine this program with other software covered by
# the terms of any of the Free Software licenses or any of the Open Source
# Initiative approved licenses and Convey the resulting work. Corresponding
# source of such a combination shall include the source code for all other
# software used.
#
# This program is distributed WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# See COPYING file for full licensing terms.
# See https://www.nexedi.com/licensing for rationale and options.
# shellcheck enable=avoid-nullary-conditions
# shellcheck enable=check-unassigned-uppercase,deprecate-which
set -eu
if [ $# -ne 5 ]; then
echo "Usage: $0 https://<kedifa-netloc>/<kedifa-domain-id>{,/generateauth,?auth=} <ca> <crl> <domain> <config-directory>"
echo " ca, crl: Path of the service CA certificate used to sign kedifa's https certificate, and of coresponding CRL"
echo " Note: these files must be maintained up-to-date, for example using cacuase-updater."
echo " config-directory: existing directory where a configuration file usable by kedifa_update_cert will be created"
exit 1
fi
kedifa_url_base="$(printf '%s\n' "$1" | sed 's:\(/generateauth\|\?auth=\)$::')"
cafile="$2"
crlfile="$3"
domain="$4"
config_base="$5"
if printf '%s\n' "$kedifa_url_base" | grep -q '^https://[^/]\+/[^/]\+$'; then
:
else
echo "Invalid url, check usage"
exit 1
fi
if [ ! -d "$config_base" ]; then
echo "Configuration directory does not exist"
exit 1
fi
outfile="${config_base}/${domain}.sh"
if [ -e "$outfile" ]; then
echo "Destination already exists, not updating"
exit 1
fi
if touch "$outfile"; then
:
else
echo "Error creating $outfile"
exit 1
fi
trap 'rm "${outfile}"' EXIT
chmod go= "$outfile"
echo -n "Retrieving kedifa identifier for shared instance..."
kedifa_auth="$(curl --silent --cacert "${cafile}" --crlfile "${crlfile}" "${kedifa_url_base}/generateauth")"
trap - EXIT
printf 'CA=%q\nCRL=%q\nURL=%q\n' "$cafile" "$crlfile" "${kedifa_url_base}?auth=${kedifa_auth}" > "$outfile"
echo " done."
if curl --output /dev/null --silent "https://$domain"; then
:
elif [ 35 -eq $? ]; then
echo -n "Bootstrapping $domain certificate..."
tmpdir="$(mktemp --directory --tmpdir "$(basename "$0").XXXXXXXXXX")"
# Note: this trap is responsible for the final deletion
trap 'rm -r "${tmpdir}"' EXIT
openssl req \
-outform PEM \
-out "${tmpdir}/bootstrap.crt" \
-new \
-newkey rsa:2048 \
-keyout "${tmpdir}/bootstrap.key" \
-nodes \
-subj "/CN=${domain}" \
-x509 \
-batch \
> /dev/null 2>&1
kedifa_update_cert \
"$outfile" \
"${tmpdir}/bootstrap.key" \
"${tmpdir}/bootstrap.crt"
echo " done."
else
echo "Unexpected curl status: $?"
exit 1
fi
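Review bot: The token fetch on the `kedifa_auth=` line runs curl without `--fail`, so an HTTP error response (an error page body, for instance) comes back with status 0 and its body is written into the config file as the auth token, where it silently breaks every later kedifa_update_cert call; add `--fail` and reject an empty result while the cleanup trap is still armed, e.g. `kedifa_auth="$(curl --silent --fail --cacert "${cafile}" --crlfile "${crlfile}" "${kedifa_url_base}/generateauth")"` followed by `[ -n "$kedifa_auth" ] || { echo "Empty kedifa token"; exit 1; }`. Relatedly, `trap - EXIT` is cleared one line before the `printf … > "$outfile"` that fills the file, so a failed write leaves an empty config behind; swapping those two lines keeps the trap covering the write. In the final `else` branch, `$?` is the status of the preceding `[ 35 -eq $? ]` test rather than of curl, so "Unexpected curl status" always reports 1; capture curl's status into a variable before the `if` (`curl_status=0; curl --output /dev/null --silent "https://$domain" || curl_status=$?`) and test that variable in both branches. The usage text also misspells "corresponding" and, presumably, "caucase-updater".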
#!/bin/bash
# This file is part of kedifa
# Copyright (C) 2022 Nexedi SA
# Vincent Pelletier <vincent@nexedi.com>
#
# This program is free software: you can Use, Study, Modify and Redistribute
# it under the terms of the GNU General Public License version 3, or (at your
# option) any later version, as published by the Free Software Foundation.
#
# You can also Link and Combine this program with other software covered by
# the terms of any of the Free Software licenses or any of the Open Source
# Initiative approved licenses and Convey the resulting work. Corresponding
# source of such a combination shall include the source code for all other
# software used.
#
# This program is distributed WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# See COPYING file for full licensing terms.
# See https://www.nexedi.com/licensing for rationale and options.
# shellcheck enable=avoid-nullary-conditions
# shellcheck enable=check-unassigned-uppercase,deprecate-which
set -eu
if [ $# -ne 3 ]; then
echo "Usage: $0 <config.sh> <key> <cert>"
echo " config.sh: as generated by kedifa_generateauth"
echo " key, cert: The private key and certificate to send to kedifa."
exit 1
fi
config="$1"
key="$2"
crt="$3"
if grep -q '^-----BEGIN .*\<KEY-----' "$key"; then
:
else
printf '"%q" is not a PEM-encoded private key\n' "$key"
exit 1
fi
if grep -q '^-----BEGIN CERTIFICATE-----$' "$crt"; then
:
else
printf '"%q" is not a PEM-encoded certificate\n' "$crt"
fi
CA=
CRL=
URL=
# shellcheck disable=SC1090
. "$config"
if test -z "$CA" || test -z "$CRL" || test -z "$URL"; then
printf '"%q": Malformed file\n' "$config"
fi
keycert="$(mktemp --tmpdir kedifa_update_XXXXXXXX)"
trap 'rm "${keycert}"' EXIT
cat "$key" "$crt" > "$keycert"
if output="$(curl --silent --cacert "$CA" --crlfile "$CRL" --upload-file "$keycert" "$URL")"; then
status="$?"
printf '"%q": Failed uploading to kedifa\n' "$config"
exit "$status"
fi
if [ -n "$output" ]; then
printf '"%q": kedifa rejected the update: %s\n' "$config" "$output"
exit 1
fi
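Review bot: The upload check at `if output="$(curl … "$URL")"; then` is inverted: the `then` branch runs when curl succeeds, printing "Failed uploading to kedifa" and exiting with `$status`, which is 0 at that point, while a real curl failure falls through to the output check as if the upload had happened; change it to `if output="$(curl --silent --cacert "$CA" --crlfile "$CRL" --upload-file "$keycert" "$URL")"; then :; else` and keep the three following lines in the `else` branch, where `$?` still carries curl's exit code. Two earlier validation branches print an error but continue: the certificate check (`is not a PEM-encoded certificate`) and the malformed-config check (`Malformed file`) both need `exit 1` after their printf, matching the private-key check above them; otherwise the script goes on to source the config and upload with empty `CA`/`CRL`/`URL`. Since `. "$config"` executes the configuration file as shell code, a comment above it such as `# config is executed as shell code: only use files written by kedifa_generateauth` would make that trust assumption explicit for operators.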