install-ca.sh - Opengist

install-ca.sh · 5.0 KiB · Bash Eredeti

#!/usr/bin/env bash set -euo pipefail CA_URL="${CA_URL:-https://10.10.40.53}" CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}" FORCE="${FORCE:-0}" SERVICE_CERT_DIR="${SERVICE_CERT_DIR:-/etc/insmw/certs}" log() { printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" } fail() { echo "ERROR: $*" >&2 exit 1 } need_cmd() { command -v "$1" >/dev/null 2>&1 } is_root() { [ "$(id -u)" -eq 0 ] } as_root() { if is_root; then "$@" else sudo "$@" fi } real_user() { if [ -n "${SUDO_USER:-}" ] && [ "${SUDO_USER}" != "root" ]; then printf '%s\n' "$SUDO_USER" else id -un fi } real_home() { local user user="$(real_user)" eval echo "~$user" } detect_os() { case "$(uname -s)" in Linux*) echo "linux" ;; Darwin*) echo "darwin" ;; MINGW*|MSYS*|CYGWIN*) echo "windows_bash" ;; *) echo "unknown" ;; esac } install_step() { if need_cmd step; then log "step CLI already installed" return fi case "$(detect_os)" in darwin) need_cmd brew || fail "Homebrew not found" log "Installing step with Homebrew" brew install step ;; linux) if need_cmd apt-get; then log "Installing step-cli with apt" as_root apt-get update as_root apt-get install -y --no-install-recommends curl gpg ca-certificates as_root mkdir -p /etc/apt/keyrings curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg | \ as_root tee /etc/apt/keyrings/smallstep.asc >/dev/null tmpfile="$(mktemp)" cat > "$tmpfile" <<'EOF' Types: deb URIs: https://packages.smallstep.com/stable/debian Suites: debs Components: main Signed-By: /etc/apt/keyrings/smallstep.asc EOF as_root cp "$tmpfile" /etc/apt/sources.list.d/smallstep.sources rm -f "$tmpfile" as_root apt-get update as_root apt-get install -y step-cli elif need_cmd apk; then log "Installing step-cli with apk" as_root apk add --no-cache step-cli elif need_cmd dnf; then log "Installing step-cli with dnf" tmpfile="$(mktemp)" cat > "$tmpfile" <<'EOF' [smallstep] name=Smallstep baseurl=https://packages.smallstep.com/stable/fedora/ enabled=1 repo_gpgcheck=0 gpgcheck=1 gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg EOF as_root cp "$tmpfile" /etc/yum.repos.d/smallstep.repo rm -f "$tmpfile" as_root dnf makecache as_root dnf install -y step-cli elif need_cmd pacman; then log "Installing step-cli with pacman" as_root pacman -Sy --noconfirm step-cli if [ ! -e /usr/local/bin/step ] && [ -x /usr/bin/step-cli ]; then as_root ln -s /usr/bin/step-cli /usr/local/bin/step fi else fail "No supported package manager found" fi ;; *) fail "Unsupported OS" ;; esac need_cmd step || fail "step CLI installation failed" } bootstrap_step() { local user local user_home user="$(real_user)" user_home="$(real_home)" if [ "$FORCE" = "1" ]; then rm -rf "$user_home/.step" fi log "Bootstrapping as user $user against $CA_URL" if is_root && [ "$user" != "root" ]; then sudo -u "$user" HOME="$user_home" step ca bootstrap \ --ca-url "$CA_URL" \ --fingerprint "$CA_FINGERPRINT" \ --install \ --force else HOME="$user_home" step ca bootstrap \ --ca-url "$CA_URL" \ --fingerprint "$CA_FINGERPRINT" \ --install \ --force fi } install_linux_trust() { local root_cert root_cert="$(real_home)/.step/certs/root_ca.crt" [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert" if need_cmd update-ca-certificates; then as_root mkdir -p /usr/local/share/ca-certificates as_root cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt as_root update-ca-certificates return fi if need_cmd trust; then as_root trust anchor "$root_cert" return fi fail "Could not determine Linux trust-store tool" } install_macos_trust() { local root_cert root_cert="$(real_home)/.step/certs/root_ca.crt" [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert" as_root security add-trusted-cert \ -d \ -r trustRoot \ -k /Library/Keychains/System.keychain \ "$root_cert" } install_trust_store() { case "$(detect_os)" in linux) install_linux_trust ;; darwin) install_macos_trust ;; *) fail "Unsupported OS for trust-store installation" ;; esac } install_service_cert() { local root_cert root_cert="$(real_home)/.step/certs/root_ca.crt" [ -f "$root_cert" ] || fail "Root certificate not found at $root_cert" as_root mkdir -p "$SERVICE_CERT_DIR" as_root cp "$root_cert" "$SERVICE_CERT_DIR/root_ca.crt" as_root chmod 644 "$SERVICE_CERT_DIR/root_ca.crt" as_root chmod 755 "$(dirname "$SERVICE_CERT_DIR")" "$SERVICE_CERT_DIR" } main() { install_step bootstrap_step install_trust_store install_service_cert log "Done" } main "$@"

1	#!/usr/bin/env bash
2	set -euo pipefail
3
4	CA_URL="${CA_URL:-https://10.10.40.53}"
5	CA_FINGERPRINT="${CA_FINGERPRINT:-5fc8c379cab1119c1a9ac7038225f6bcf3a2ffb0e71b257af796b2bd6c71d594}"
6	FORCE="${FORCE:-0}"
7	SERVICE_CERT_DIR="${SERVICE_CERT_DIR:-/etc/insmw/certs}"
8
9	log() {
10	printf '\n[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
11	}
12
13	fail() {
14	echo "ERROR: $*" >&2
15	exit 1
16	}
17
18	need_cmd() {
19	command -v "$1" >/dev/null 2>&1
20	}
21
22	is_root() {
23	[ "$(id -u)" -eq 0 ]
24	}
25
26	as_root() {
27	if is_root; then
28	"$@"
29	else
30	sudo "$@"
31	fi
32	}
33
34	real_user() {
35	if [ -n "${SUDO_USER:-}" ] && [ "${SUDO_USER}" != "root" ]; then
36	printf '%s\n' "$SUDO_USER"
37	else
38	id -un
39	fi
40	}
41
42	real_home() {
43	local user
44	user="$(real_user)"
45	eval echo "~$user"
46	}
47
48	detect_os() {
49	case "$(uname -s)" in
50	Linux*) echo "linux" ;;
51	Darwin*) echo "darwin" ;;
52	MINGW\|MSYS\|CYGWIN*) echo "windows_bash" ;;
53	*) echo "unknown" ;;
54	esac
55	}
56
57	install_step() {
58	if need_cmd step; then
59	log "step CLI already installed"
60	return
61	fi
62
63	case "$(detect_os)" in
64	darwin)
65	need_cmd brew \|\| fail "Homebrew not found"
66	log "Installing step with Homebrew"
67	brew install step
68	;;
69
70	linux)
71	if need_cmd apt-get; then
72	log "Installing step-cli with apt"
73	as_root apt-get update
74	as_root apt-get install -y --no-install-recommends curl gpg ca-certificates
75	as_root mkdir -p /etc/apt/keyrings
76	curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg \| \
77	as_root tee /etc/apt/keyrings/smallstep.asc >/dev/null
78
79	tmpfile="$(mktemp)"
80	cat > "$tmpfile" <<'EOF'
81	Types: deb
82	URIs: https://packages.smallstep.com/stable/debian
83	Suites: debs
84	Components: main
85	Signed-By: /etc/apt/keyrings/smallstep.asc
86	EOF
87	as_root cp "$tmpfile" /etc/apt/sources.list.d/smallstep.sources
88	rm -f "$tmpfile"
89
90	as_root apt-get update
91	as_root apt-get install -y step-cli
92
93	elif need_cmd apk; then
94	log "Installing step-cli with apk"
95	as_root apk add --no-cache step-cli
96
97	elif need_cmd dnf; then
98	log "Installing step-cli with dnf"
99	tmpfile="$(mktemp)"
100	cat > "$tmpfile" <<'EOF'
101	[smallstep]
102	name=Smallstep
103	baseurl=https://packages.smallstep.com/stable/fedora/
104	enabled=1
105	repo_gpgcheck=0
106	gpgcheck=1
107	gpgkey=https://packages.smallstep.com/keys/smallstep-0x889B19391F774443.gpg
108	EOF
109	as_root cp "$tmpfile" /etc/yum.repos.d/smallstep.repo
110	rm -f "$tmpfile"
111
112	as_root dnf makecache
113	as_root dnf install -y step-cli
114
115	elif need_cmd pacman; then
116	log "Installing step-cli with pacman"
117	as_root pacman -Sy --noconfirm step-cli
118	if [ ! -e /usr/local/bin/step ] && [ -x /usr/bin/step-cli ]; then
119	as_root ln -s /usr/bin/step-cli /usr/local/bin/step
120	fi
121
122	else
123	fail "No supported package manager found"
124	fi
125	;;
126
127	*)
128	fail "Unsupported OS"
129	;;
130	esac
131
132	need_cmd step \|\| fail "step CLI installation failed"
133	}
134
135	bootstrap_step() {
136	local user
137	local user_home
138
139	user="$(real_user)"
140	user_home="$(real_home)"
141
142	if [ "$FORCE" = "1" ]; then
143	rm -rf "$user_home/.step"
144	fi
145
146	log "Bootstrapping as user $user against $CA_URL"
147
148	if is_root && [ "$user" != "root" ]; then
149	sudo -u "$user" HOME="$user_home" step ca bootstrap \
150	--ca-url "$CA_URL" \
151	--fingerprint "$CA_FINGERPRINT" \
152	--install \
153	--force
154	else
155	HOME="$user_home" step ca bootstrap \
156	--ca-url "$CA_URL" \
157	--fingerprint "$CA_FINGERPRINT" \
158	--install \
159	--force
160	fi
161	}
162
163	install_linux_trust() {
164	local root_cert
165	root_cert="$(real_home)/.step/certs/root_ca.crt"
166
167	[ -f "$root_cert" ] \|\| fail "Root certificate not found at $root_cert"
168
169	if need_cmd update-ca-certificates; then
170	as_root mkdir -p /usr/local/share/ca-certificates
171	as_root cp "$root_cert" /usr/local/share/ca-certificates/insmw-root-ca.crt
172	as_root update-ca-certificates
173	return
174	fi
175
176	if need_cmd trust; then
177	as_root trust anchor "$root_cert"
178	return
179	fi
180
181	fail "Could not determine Linux trust-store tool"
182	}
183
184	install_macos_trust() {
185	local root_cert
186	root_cert="$(real_home)/.step/certs/root_ca.crt"
187
188	[ -f "$root_cert" ] \|\| fail "Root certificate not found at $root_cert"
189
190	as_root security add-trusted-cert \
191	-d \
192	-r trustRoot \
193	-k /Library/Keychains/System.keychain \
194	"$root_cert"
195	}
196
197	install_trust_store() {
198	case "$(detect_os)" in
199	linux) install_linux_trust ;;
200	darwin) install_macos_trust ;;
201	*) fail "Unsupported OS for trust-store installation" ;;
202	esac
203	}
204
205	install_service_cert() {
206	local root_cert
207	root_cert="$(real_home)/.step/certs/root_ca.crt"
208
209	[ -f "$root_cert" ] \|\| fail "Root certificate not found at $root_cert"
210
211	as_root mkdir -p "$SERVICE_CERT_DIR"
212	as_root cp "$root_cert" "$SERVICE_CERT_DIR/root_ca.crt"
213	as_root chmod 644 "$SERVICE_CERT_DIR/root_ca.crt"
214	as_root chmod 755 "$(dirname "$SERVICE_CERT_DIR")" "$SERVICE_CERT_DIR"
215	}
216
217	main() {
218	install_step
219	bootstrap_step
220	install_trust_store
221	install_service_cert
222	log "Done"
223	}
224
225	main "$@"