#!/bin/bash
# This is a simple bash wrapper, for CentOS SIG members, around fasjson-client with some preset values
# Goal is to retrieve a signed TLS cert for a user account, using a kerberos ticket and then the fasjson endpoint
#######################################
# Print the command-line help to stdout.
# Globals:   $0 (read, shown as the script name)
# Arguments: none
# Outputs:   the help text, one line per entry, surrounded by blank lines
# Returns:   0
#######################################
function usage() {
  local help_lines=(
    ''
    "You need to call the script like this : $0 -arguments"
    '-u : username ([REQUIRED] : your existing ACO/FAS username)'
    '-v : just validates the existing TLS certificate ([OPTIONAL])'
    '-r : REALM to use for kerberos ([OPTIONAL] : defaults to FEDORAPROJECT.ORG)'
    '-f : fasjson url ([OPTIONAL]: defaults to https://fasjson.fedoraproject.org)'
    '-h : display this help'
    ''
  )
  printf '%s\n' "${help_lines[@]}"
}
#######################################
# Abort with the usage text when a required value is empty.
# (Not referenced anywhere else in this file as shown.)
# Arguments: $1 - the value to check
# Outputs:   usage text on stdout when $1 is empty
# Returns:   0 when $1 is non-empty; otherwise exits the script with 1
#######################################
function varcheck() {
  local value=$1
  if [[ -n "$value" ]]; then
    return 0
  fi
  usage
  exit 1
}
#######################################
# Emit one timestamped log line on stdout.
# Arguments: $* - the message, joined with single spaces
# Outputs:   "[+] YYYYMMDD-HH:MM centos-cert -> <message>"
# Returns:   0
#######################################
function f_log() {
  local stamp
  stamp=$(date +%Y%m%d-%H:%M)
  printf '[+] %s centos-cert -> %s\n' "$stamp" "$*"
}
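#######################################
# Check ~/.centos.cert: it must chain to ~/.centos-server-ca.cert and not be
# expired. Reports the remaining validity in days.
# Globals:   HOME (read), $0 (read, for the hint message)
# Arguments: none
# Outputs:   progress and result lines via f_log on stdout
# Returns:   0 (returns) when no cert exists yet, so the caller can fetch one;
#            exits 0 when the cert verifies and is still valid;
#            exits 1 when the CA file is missing, the chain check fails,
#            the expiry date cannot be read, or the cert has expired
#######################################
function verify_cert() {
  local ca_file="$HOME/.centos-server-ca.cert"
  local cert_file="$HOME/.centos.cert"
  local end_date end_date_seconds now_seconds remaining_days

  echo ""
  f_log "Verifying if TLS cert is still valid ..."
  if [ ! -e "$ca_file" ]; then
    f_log "[ERROR] No CA cert found to validate your TLS cert"
    f_log "Please retrieve it first with [$0 -u]"
    exit 1
  fi
  if [ ! -e "$cert_file" ]; then
    # No cert yet: not an error, the caller is expected to request one next.
    f_log "[WARNING] : no TLS cert found so running this script to first get one"
    echo ""
    return 0
  fi

  f_log "Validating TLS cert against ~/.centos-server-ca.cert ..."
  if ! openssl verify -CAfile "$ca_file" "$cert_file"; then
    f_log "[ERROR] your TLS cert is not signed by correct CA"
    exit 1
  fi
  f_log "[SUCCESS] ~/.centos.cert TLS cert verified by ~/.centos-server-ca.cert CA crt"

  # -enddate prints a single "notAfter=<date>" line, which is a stable interface;
  # scraping the "Not After :" line out of the -text dump is layout-dependent.
  end_date=$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2-)
  if [ -z "$end_date" ] || ! end_date_seconds=$(date '+%s' --date "$end_date"); then
    f_log "[ERROR] Unable to read the expiry date from ~/.centos.cert"
    exit 1
  fi
  now_seconds=$(date '+%s')
  # Integer division truncates toward zero, same as the previous bc expression;
  # a cert expiring later today therefore shows 0 days and is reported as expired.
  remaining_days=$(( (end_date_seconds - now_seconds) / 24 / 3600 ))
  if [ "${remaining_days}" -gt 0 ]; then
    f_log "[SUCCESS] Your TLS cert is still valid for [${remaining_days}] days"
    echo ""
    exit 0
  fi
  f_log "[ERROR] Your TLS cert has expired : [${remaining_days}] days"
  echo ""
  exit 1
}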
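#######################################
# Make sure fasjson can be reached with a kerberos ticket; run kinit when the
# SPNEGO probe fails.
# Globals:   fasjson_user, fasjson_realm, fasjson_url (read)
# Arguments: none
# Outputs:   progress lines via f_log on stdout; kinit may prompt on the terminal
# Returns:   0 when the endpoint answered or kinit succeeded;
#            exits 1 when kinit fails
#######################################
function check_url() {
  echo ""
  # Quoted: an unquoted "[${fasjson_user}]" is a glob bracket expression and
  # could expand to a matching file name in the current directory.
  f_log "Validating user [${fasjson_user}] with realm [${fasjson_realm}] against ${fasjson_url}"
  # "--negotiate -u :" tells curl to authenticate with the existing kerberos ticket
  if curl --fail --negotiate -u : "${fasjson_url}/v1/me/" --silent >/dev/null; then
    f_log "We can reach [${fasjson_url}] with realm [${fasjson_user}@${fasjson_realm}], so now asking for TLS cert ..."
    return 0
  fi
  f_log "Not able to negotiate kerberos with ${fasjson_url} ..."
  f_log "Forcing kinit to obtain valid kerberos ticket :"
  # Exit in the current shell: an "exit" inside "( ... )" only ends the subshell
  # and would let the script carry on without a ticket.
  if ! kinit "${fasjson_user}@${fasjson_realm}"; then
    f_log "Not able to get kerberos ticket .."
    exit 1
  fi
}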
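#######################################
# Request a signed TLS cert from fasjson, bundle key+cert into ~/.centos.cert
# and download the CA cert used later by verify_cert.
# Globals:   fasjson_user, fasjson_url, ca_url, HOME (read)
# Arguments: none
# Outputs:   fasjson-client output and progress lines on stdout
# Returns:   0 on success; exits 1 when the cert request, the bundle write or
#            the CA download fails
#######################################
function get_cert(){
  local key_file="$HOME/.centos-${fasjson_user}.key"
  local crt_file="$HOME/.centos-${fasjson_user}.crt"
  local bundle="$HOME/.centos.cert"
  local ca_file="$HOME/.centos-server-ca.cert"
  local ca_tmp

  if ! fasjson-client --verbose --url "${fasjson_url}" get-cert -u "${fasjson_user}" \
      -p "$key_file" -s "$crt_file" --overwrite; then
    f_log "[ISSUE] : Unable to retrieve TLS cert"
    exit 1
  fi

  f_log "Concatenating cert to ~/.centos.cert"
  # The bundle contains the private key: create it with mode 0600 (umask in a
  # subshell so the caller's umask is untouched) and re-apply the mode in case
  # the file already existed with a wider one.
  if ! ( umask 077 && cat "$key_file" "$crt_file" > "$bundle" ); then
    f_log "[ISSUE] : Unable to write ~/.centos.cert"
    exit 1
  fi
  chmod 600 "$bundle"

  f_log "Downloading correct CA cert .."
  # Fetch into a temp file and rename, so a failed download never replaces an
  # existing CA file with an empty or truncated one. The status is checked: a
  # bad CA file would only surface later as an unclear verify failure.
  if ! ca_tmp=$(mktemp "${ca_file}.XXXXXX"); then
    f_log "[ISSUE] : Unable to create a temporary file for the CA cert"
    exit 1
  fi
  if ! curl --fail --silent --show-error "${ca_url}" > "$ca_tmp"; then
    f_log "[ISSUE] : Unable to download CA cert from ${ca_url}"
    rm -f -- "$ca_tmp"
    exit 1
  fi
  mv -f -- "$ca_tmp" "$ca_file"
  echo ""
}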
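# Parse the command line. -v is acted on as soon as it is seen (verify_cert
# exits itself when a cert is present; the bare "exit" covers the no-cert case,
# with the status of the last command, 0). The other flags only record values
# that the defaults section below turns into fasjson_* variables.
while getopts "hu:r:vf:" option; do
  case "${option}" in
    h)
      usage
      exit 1
      ;;
    u)
      opt_user=${OPTARG}
      ;;
    r)
      opt_realm=${OPTARG}
      ;;
    v)
      verify_cert
      exit
      ;;
    f)
      opt_fasjson_url=${OPTARG}
      ;;
    *)
      # getopts already printed its own diagnostic for an unknown option or a
      # missing argument; a usage error must not exit 0 (consistent with -h
      # and with the no-argument check further down).
      usage
      exit 1
      ;;
  esac
done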
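# Parsing and assigning default values if needed
fasjson_user=${opt_user:-$USER}
fasjson_realm=${opt_realm:-FEDORAPROJECT.ORG}
fasjson_url=${opt_fasjson_url:-https://fasjson.fedoraproject.org}
# Certs from the staging fasjson are signed by the staging IPA CA, so the CA
# file must be fetched from the matching location. A glob match is used on
# purpose: inside a quoted =~ pattern the "*" is a literal asterisk, which never
# matched the real staging hostname and silently selected the production CA
# (verify_cert then failed closed with "not signed by correct CA").
if [[ "$fasjson_url" == *fasjson.stg* ]]; then
  ca_url="https://id.stg.fedoraproject.org/ipa/config/ca.crt"
else
  ca_url="https://id.fedoraproject.org/ipa/config/ca.crt"
fi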
# Now the real work and calling functions.
# $# is still the original argument count here (no shift after getopts), so an
# invocation without any flag at all shows the usage and fails.
if (( $# == 0 )); then
  usage
  exit 1
fi
check_url
get_cert
verify_cert