shift
curl -s --header "X-Real-Proto: https" --header "Host: www.$hostname" -b $folder/cookie-jar "http://$ip/$url" "$@"
}
+function mccurl {
+ local url="$1"
+ shift
+ curl -s --header "$(cat ${folder}/certauth.txt)" --header "X-Real-Proto: https" --header "Host: secure.$hostname" -b $folder/cookie-jar "http://$ip/$url" "$@"
+}
# get the csrf out of a webpage (arguments 1 and 2 can be used to select the correct csrf-token)
function csrf {
--data-urlencode "regional=1" \
--data-urlencode "radius=1" \
--data-urlencode "tos_agree=1" \
+ --data-urlencode "dp_agree=1" \
--data-urlencode "process=Weiter" \
--data-urlencode "csrf=$csrf" > /dev/null
}
+function check_error {
+ cat > $folder/page_output
+ cat $folder/page_output >> $folder/log
+ if grep -q "error-msgs" $folder/page_output; then
+ cat $folder/page_output
+ exit 1
+ fi
+}
+
+function issue {
+ curl=$1
+ shift
+ options=$1
+ shift
+ csrf=$($curl "account/certs/new" | csrf "head -n 1")
+
+ openssl req -newkey rsa:4096 -subj "/CN=blabla" -nodes -out $folder/req -keyout $folder/priv
+ encoded=$(tr '\n' '?' < $folder/req | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")
+
+ $curl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" | check_error
+
+ serial=$($curl account/certs/new "$@" -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
+ echo "Certificate: $serial"
+ if [[ $serial != "" ]]; then
+ echo "installing"
+ $curl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
+ $curl "account/certs/$serial.crt" > $folder/onlycert.crt
+ return 0;
+ else
+ return 1;
+ fi
+}
+
if ! type curl > /dev/null; then
echo "requires curl" >&2
exit 1
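Review bot: The `exit 1` inside `check_error` runs in the last stage of a pipeline, so it only terminates that subshell; unless `set -e` or `pipefail` is enabled somewhere above this hunk (not visible here), the caller at `$curl account/certs/new -d "CSR=…" | check_error` in `issue` continues after a page containing `error-msgs`, and then requests issuance for a CSR the server never accepted. The same applies to the later top-level calls that pipe into `check_error` (the login, org-domain, account/details and domain-ping requests). Make the status explicit at the call site, e.g. `$curl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" | check_error || return 1` inside `issue` and `| check_error || exit 1` at top level, or enable `set -o pipefail` near the top of the script. Separately, `issue` assigns `curl`, `options`, `csrf`, `encoded` and `serial` as globals; declaring them `local` keeps the helper from clobbering the script's own `csrf`.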
INSERT INTO notary("from","to","points","location","when","date") VALUES((SELECT "id" FROM "users" WHERE "email"='$secondaryEmail'), (SELECT "preferredName" FROM "users" WHERE "email"='$adminEmail'), 100, 'initial', CURRENT_TIMESTAMP, '$(date +%Y-%m-%d)');
INSERT INTO notary("from","to","points","location","when","date") VALUES((SELECT "id" FROM "users" WHERE "email"='$adminEmail'), (SELECT "preferredName" FROM "users" WHERE "email"='$secondaryEmail'), 100, 'initial', CURRENT_TIMESTAMP, '$(date +%Y-%m-%d)');
INSERT INTO cats_passed("user_id", "variant_id") VALUES((SELECT "id" FROM "users" WHERE "email"='$adminEmail'),1);
+INSERT INTO cats_passed("user_id", "variant_id") VALUES((SELECT "id" FROM "users" WHERE "email"='$adminEmail'),2);
+INSERT INTO cats_passed("user_id", "variant_id") VALUES((SELECT "id" FROM "users" WHERE "email"='$adminEmail'),6);
EOF
sudo lxc-attach -n gigi -- systemctl stop gigi-proxy.service
csrf=$(mcurl login -c $folder/cookie-jar | csrf)
open-jar $folder/cookie-jar
-mcurl login -c $folder/cookie-jar --data-urlencode "username=$adminEmail" --data-urlencode "password=$adminPw" --data-urlencode "csrf=$csrf" &>/dev/null
+mcurl login -c $folder/cookie-jar --data-urlencode "username=$adminEmail" --data-urlencode "password=$adminPw" --data-urlencode "csrf=$csrf" | check_error
+open-jar $folder/cookie-jar
+
+echo "Creating own cert"
+if issue mcurl "profile=client&CN=SomeCA+User" --data-urlencode "SANs=email:$adminEmail"; then
+ printf "Got own cert!\n"
+ cat ${folder}/cert.crt ${folder}/priv > gigi-key.pem
+else
+ printf "issuance failed\n" >&2
+ exit 1
+fi
+sed "s/^/\t/;s/^\t-----BEGIN/X-Client-Cert: -----BEGIN/;s/\r//g" < ${folder}/onlycert.crt > ${folder}/certauth.txt
+
+mccurl login -c $folder/cookie-jar
open-jar $folder/cookie-jar
echo "Creating organisation"
-csrf=$(mcurl "orga/new" | csrf)
-mgmOid=$(mcurl "orga/new" -v -d "O=SomeCA&L=town&ST=state&C=AT&contact=ce%40email.org&comments=&action=new&csrf=$csrf" 2>&1 | grep "< Location: " | sed "s_.*/\([0-9]*\)[^0-9]*_\1_")
+csrf=$(mccurl "orga/new" | csrf)
+mgmOid=$(mccurl "orga/new" -v -d "O=SomeCA&L=town&ST=state&C=AT&contact=ce%40email.org&comments=&action=new&csrf=$csrf" 2>&1 | grep "< Location: " | sed "s_.*/\([0-9]*\)[^0-9]*_\1_")
if ! grep -q '^[0-9]\+$' <<< $mgmOid; then
echo "Got an Organisation ID that is not a number: $mgmOid." >&2
exit 1
fi
printf "Management Organisation id is \"%s\"\n" "$mgmOid"
-echo "add self as orgadmin for organisation"
-csrf=$(mcurl orga/$mgmOid | csrf "head -n 2" "tail -n 1")
-mcurl orga/$mgmOid --data-urlencode "email=$adminEmail" --data-urlencode "master=y" --data-urlencode "do_affiliate=Add" --data-urlencode "csrf=$csrf" &>/dev/null
-echo "adding org-domain"
-csrf=$(mcurl orga/$mgmOid | csrf "head -n 4" "tail -n 1")
+printf "adding org-domain for org %s: %s\n" "$mgmOid" "$hostname"
+csrf=$(mccurl orga/$mgmOid | csrf "head -n 4" "tail -n 1")
domainName="$hostname"
-mcurl orga/$mgmOid -d "domain=$domainName&addDomain=action&csrf=$csrf" &> /dev/null
+mccurl orga/$mgmOid -d "domain=$domainName&addDomain=action&csrf=$csrf" | check_error
-csrf=$(mcurl account/details | csrf "tail -1")
-mcurl account/details -d "orgaForm=orga&org%3A$mgmOid&csrf=$csrf" &> /dev/null
+echo "using SQL to add self as orgadmin for organisation"
+sudo lxc-attach -n postgres-primary -- su -c "psql -d gigi" postgres <<EOF
+INSERT INTO org_admin("orgid", "memid", "creator", "master") VALUES('$mgmOid', (SELECT "id" FROM "users" WHERE "email"='$adminEmail'), (SELECT "id" FROM "users" WHERE "email"='$secondaryEmail'), 'y');
+EOF
+
+csrf=$(mccurl account/details -v | csrf "tail -1")
+mccurl account/details -v -d "orgaForm=orga&org%3A$mgmOid&csrf=$csrf" | check_error
echo "Configuring pings for the domain"
-domain=$(mcurl "account/domains" | grep "/account/domains/" | sed "s_.*/\([0-9]\+\)'.*_\1_")
+domain=$(mccurl "account/domains" | grep "/account/domains/" | sed "s_.*/\([0-9]\+\)'.*_\1_")
if ! grep -q '^[0-9]\+$' <<< $domain; then
echo "Got a Domain ID that is not a number: $domain." >&2
exit 1
fi
-csrf=$(mcurl "account/domains/$domain" | tee $folder/domain | csrf "tail -n 1")
+csrf=$(mccurl "account/domains/$domain" | tee $folder/domain | csrf "tail -n 1")
token=$(grep pre $folder/domain | tail -n 1 | sed "s_.*>\([a-zA-Z0-9]*\)<.*_\1_")
name=$(grep "content available at" $folder/domain | sed "s_.*/\([a-zA-Z0-9]*\)\\.txt.*_\1_")
cp --preserve=all $folder/self-priv modules/gigi/files/gigi.key
sudo lxc-attach -n front-nginx -- puppet agent --test --verbose
-mcurl "account/domains/$domain" -d "HTTPType=y&SSLType=y&ssl-type-0=direct&ssl-port-0=443&ssl-type-1=direct&ssl-port-1=&ssl-type-2=direct&ssl-port-2=&ssl-type-3=direct&ssl-port-3=&csrf=$csrf" > /dev/null
+mccurl "account/domains/$domain" -d "HTTPType=y&SSLType=y&ssl-type-0=direct&ssl-port-0=443&ssl-type-1=direct&ssl-port-1=&ssl-type-2=direct&ssl-port-2=&ssl-type-3=direct&ssl-port-3=&csrf=$csrf" | check_error
echo "Pings configured... waiting"
sleep 5
-mcurl "account/domains/$domain" > $folder/domainStatus
+mccurl "account/domains/$domain" > $folder/domainStatus
echo "Issuing certificate for web"
-function issue {
- options=$1
- csrf=$(mcurl "account/certs/new" | csrf "head -n 1")
-
- openssl req -newkey rsa:4096 -subj "/CN=blabla" -nodes -out $folder/req -keyout $folder/priv
- encoded=$(tr '\n' '?' < $folder/req | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")
-
- mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
-
- serial=$(mcurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
- echo "Certificate: $serial"
- if [[ $serial != "" ]]; then
- echo "installing"
- mcurl "account/certs/$serial.crt?chain&noAnchor" > $folder/cert.crt
- return 0;
- else
- return 1;
- fi
-}
-if issue "profile=server-orga&CN=&SANs=dns%3Awww.$domainName%2Cdns%3Astatic.$domainName%2Cdns%3Aapi.$domainName%2Cdns%3Asecure.$domainName"; then
+if issue mccurl "profile=server-orga&CN=&SANs=dns%3Awww.$domainName%2Cdns%3Astatic.$domainName%2Cdns%3Aapi.$domainName%2Cdns%3Asecure.$domainName"; then
cp $folder/cert.crt modules/gigi/files/gigi.crt
setfacl -m user:puppet:r $folder/priv
cp --preserve=all $folder/priv modules/gigi/files/gigi.key
echo "refusing to update"
fi
-if issue "profile=mail-orga&CN=Gigi+System&SANs=email%3Agigi@$domainName"; then
+if issue mccurl "profile=mail-orga&CN=Gigi+System&SANs=email%3Agigi@$domainName"; then
echo "great!"
keystorepw=$(head -c 15 /dev/urandom | base64)
openssl pkcs12 -export -name "mail" -in $folder/cert.crt -inkey $folder/priv -CAfile modules/nre/files/config/ca/root.crt -password file:<(printf '%s' "$keystorepw") | sudo tee modules/gigi/files/keystore.pkcs12 > /dev/null