Tree - centos/centos-packager - CentOS Git server

centos / centos-packager

Files

Blob Blame History Raw

 #!/bin/bash
 
# This is a simple bash wrapper for CentOS SIG and using fasjson-client with some values
# Goal is to retrieve signed TLS cert for user accounts, using kerberos ticket and then using the fasjson endpoint
 
function usage() {
cat << EOF
 
You need to call the script like this : $0 -arguments
 -u : username ([REQUIRED] : your existing ACO/FAS username)
 -v : just validates the existing TLS certificate ([OPTIONAL])
 -r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
 -f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
 -h : display this help
 
EOF
 
}
 
function varcheck() {
if [ -z "$1" ] ; then
        usage
        exit 1
fi
}
 
function f_log() {
   echo "[+] $(date +%Y%m%d-%H:%M) centos-cert -> $*" 
}
 
function verify_cert() {
  echo ""
  f_log "Verifying if TLS cert is still valid ..."
  if [ ! -e ~/.centos-server-ca.cert ] ; then
    f_log "[ERROR] No CA cert found to validate your TLS cert"
    f_log "Please retrieve it first with [$0 -u]"
    exit 1
  fi
  if [ -e ~/.centos.cert ] ; then
    f_log "Validating TLS cert against ~/.centos-server-ca.cert ..."
    openssl verify -CAfile ~/.centos-server-ca.cert ~/.centos.cert
    if [ "$?" -ne "0" ] ; then
      f_log "[ERROR] your TLS cert is not signed by correct CA"
      exit 1
    else
      f_log "[SUCCESS] ~/.centos.cert TLS cert verified by ~/.centos-server-ca.cert CA crt"   
    fi
    end_date=$(openssl x509 -in ~/.centos.cert -noout -text|sed -n 's/ *Not After : *//p')
    end_date_seconds=$(date '+%s' --date "$end_date")
    now_seconds=$(date '+%s')
    remaining_days=$(echo "($end_date_seconds-$now_seconds)/24/3600" | bc)
    if [ "${remaining_days}" -gt "0" ] ; then
      f_log "[SUCCESS] Your TLS cert is still valid for [${remaining_days}] days"
      echo ""
      exit 0
    else
      f_log "[ERROR] Your TLS cert has expired : [${remaining_days}] days"
      echo ""
      exit 1
    fi
  else
    f_log "[WARNING] : no TLS cert found so running this script to first get one"
    echo ""
  fi
}
 
function check_url() {
  echo ""
  f_log Validating user [${fasjson_user}] with realm [${fasjson_realm}] against ${fasjson_url}
  curl --fail --negotiate -u : ${fasjson_url}/v1/me/ --silent >/dev/null 
  if [ "$?" -ne "0" ] ; then
    f_log "Not able to negotiate kerberos with ${fasjson_url} ..."
    f_log "Forcing kinit to obtain valid kerberos ticket :"
    kinit ${fasjson_user}@${fasjson_realm} || (f_log "Not able to get kerberos ticket .." ; exit 1)
  else
    f_log "We can reach [${fasjson_url}] with realm [${fasjson_user}@${fasjson_realm}], so now asking for TLS cert ..." 
  fi
}
 
function get_cert(){
  fasjson-client --verbose --url ${fasjson_url} get-cert -u ${fasjson_user} -p ~/.centos-${fasjson_user}.key -s ~/.centos-${fasjson_user}.crt --overwrite
  if [ "$?" -ne "0" ] ; then
    f_log "[ISSUE] : Unable to retrieve TLS cert"
    exit 1
  else
    f_log "Concatenating cert to ~/.centos.cert"
    cat ~/.centos-${fasjson_user}.key ~/.centos-${fasjson_user}.crt > ~/.centos.cert
  fi
  f_log "Downloading correct CA cert .."
  curl --fail --silent ${ca_url} > ~/.centos-server-ca.cert CA crt
  echo ""
}
 
 
while getopts "hu:r:vf:" option
do
  case ${option} in
    h)
      usage
      exit 1
      ;;
    u)
      opt_user=${OPTARG}
      ;;
    r)
      opt_realm=${OPTARG}
      ;;
    v)
      verify_cert
      exit
      ;;
    f)
      opt_fasjson_url=${OPTARG}
      ;;
    ?)
      usage
      exit
      ;;
  esac
done
 
# Parsing and assigning default values if needed
fasjson_user=${opt_user:-$USER}
fasjson_realm=${opt_realm:-FEDORAPROJECT.ORG}
fasjson_url=${opt_fasjson_url:-https://fasjson.fedoraproject.org}
if [[ "$fasjson_url" =~ "fasjson.stg*" ]] ; then
  ca_url="https://id.stg.fedoraproject.org/ipa/config/ca.crt"
else
  ca_url="https://id.fedoraproject.org/ipa/config/ca.crt"
fi
 
 
# Now the real work and calling functions
if [ "$#" -eq "0" ] ;then
  usage
  exit 1
fi
check_url
get_cert
verify_cert

	#!/bin/bash

	# This is a simple bash wrapper for CentOS SIG and using fasjson-client with some values
	# Goal is to retrieve signed TLS cert for user accounts, using kerberos ticket and then using the fasjson endpoint

	function usage() {
	cat << EOF

	You need to call the script like this : $0 -arguments
	-u : username ([REQUIRED] : your existing ACO/FAS username)
	-v : just validates the existing TLS certificate ([OPTIONAL])
	-r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)
	-f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)
	-h : display this help

	EOF

	}

	function varcheck() {
	if [ -z "$1" ] ; then
	usage
	exit 1
	fi
	}

	function f_log() {
	echo "[+] $(date +%Y%m%d-%H:%M) centos-cert -> $*"
	}

	function verify_cert() {
	echo ""
	f_log "Verifying if TLS cert is still valid ..."
	if [ ! -e ~/.centos-server-ca.cert ] ; then
	f_log "[ERROR] No CA cert found to validate your TLS cert"
	f_log "Please retrieve it first with [$0 -u]"
	exit 1
	fi
	if [ -e ~/.centos.cert ] ; then
	f_log "Validating TLS cert against ~/.centos-server-ca.cert ..."
	openssl verify -CAfile ~/.centos-server-ca.cert ~/.centos.cert
	if [ "$?" -ne "0" ] ; then
	f_log "[ERROR] your TLS cert is not signed by correct CA"
	exit 1
	else
	f_log "[SUCCESS] ~/.centos.cert TLS cert verified by ~/.centos-server-ca.cert CA crt"
	fi
	end_date=$(openssl x509 -in ~/.centos.cert -noout -text\|sed -n 's/ Not After : //p')
	end_date_seconds=$(date '+%s' --date "$end_date")
	now_seconds=$(date '+%s')
	remaining_days=$(echo "($end_date_seconds-$now_seconds)/24/3600" \| bc)
	if [ "${remaining_days}" -gt "0" ] ; then
	f_log "[SUCCESS] Your TLS cert is still valid for [${remaining_days}] days"
	echo ""
	exit 0
	else
	f_log "[ERROR] Your TLS cert has expired : [${remaining_days}] days"
	echo ""
	exit 1
	fi
	else
	f_log "[WARNING] : no TLS cert found so running this script to first get one"
	echo ""
	fi
	}

	function check_url() {
	echo ""
	f_log Validating user [${fasjson_user}] with realm [${fasjson_realm}] against ${fasjson_url}
	curl --fail --negotiate -u : ${fasjson_url}/v1/me/ --silent >/dev/null
	if [ "$?" -ne "0" ] ; then
	f_log "Not able to negotiate kerberos with ${fasjson_url} ..."
	f_log "Forcing kinit to obtain valid kerberos ticket :"
	kinit ${fasjson_user}@${fasjson_realm} \|\| (f_log "Not able to get kerberos ticket .." ; exit 1)
	else
	f_log "We can reach [${fasjson_url}] with realm [${fasjson_user}@${fasjson_realm}], so now asking for TLS cert ..."
	fi
	}

	function get_cert(){
	fasjson-client --verbose --url ${fasjson_url} get-cert -u ${fasjson_user} -p ~/.centos-${fasjson_user}.key -s ~/.centos-${fasjson_user}.crt --overwrite
	if [ "$?" -ne "0" ] ; then
	f_log "[ISSUE] : Unable to retrieve TLS cert"
	exit 1
	else
	f_log "Concatenating cert to ~/.centos.cert"
	cat ~/.centos-${fasjson_user}.key ~/.centos-${fasjson_user}.crt > ~/.centos.cert
	fi
	f_log "Downloading correct CA cert .."
	curl --fail --silent ${ca_url} > ~/.centos-server-ca.cert CA crt
	echo ""
	}


	while getopts "hu:r:vf:" option
	do
	case ${option} in
	h)
	usage
	exit 1
	;;
	u)
	opt_user=${OPTARG}
	;;
	r)
	opt_realm=${OPTARG}
	;;
	v)
	verify_cert
	exit
	;;
	f)
	opt_fasjson_url=${OPTARG}
	;;
	?)
	usage
	exit
	;;
	esac
	done

	# Parsing and assigning default values if needed
	fasjson_user=${opt_user:-$USER}
	fasjson_realm=${opt_realm:-FEDORAPROJECT.ORG}
	fasjson_url=${opt_fasjson_url:-https://fasjson.fedoraproject.org}
	if [[ "$fasjson_url" =~ "fasjson.stg*" ]] ; then
	ca_url="https://id.stg.fedoraproject.org/ipa/config/ca.crt"
	else
	ca_url="https://id.fedoraproject.org/ipa/config/ca.crt"
	fi


	# Now the real work and calling functions
	if [ "$#" -eq "0" ] ;then
	usage
	exit 1
	fi
	check_url
	get_cert
	verify_cert

centos / centos-packager

Source Code

Files