X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=bootstrap-user;h=da8c32720ecc13bba7afb86deb8f3739ef92f388;hb=4ac24a174e51d519f5d49690b48e503caf0080e5;hp=d25faf10e9f02504c9a3a0e360d55fe76f2c883f;hpb=417ce970216bcb6221d2e7335e89c65083cdecc5;p=infra.git
diff --git a/bootstrap-user b/bootstrap-user
old mode 100644
new mode 100755
index d25faf1..da8c327
--- a/bootstrap-user
+++ b/bootstrap-user
@@ -31,6 +31,10 @@ function silent_read {
 #execute a registration in gigi. If "$1" == "nopass" a password is not asked for but chosen at random.
 function register {
 csrf=$(mcurl register -c $folder/cookie-jar | csrf)
+ if ! [[ -f $folder/cookie-jar ]]; then
+ echo "error, could not start gigi"
+ exit 1
+ fi
 open-jar $folder/cookie-jar
 silent_read "First Name: " fname
 silent_read "Last Name: " lname
@@ -72,6 +76,14 @@ function register {
 --data-urlencode "process=Weiter" \
 --data-urlencode "csrf=$csrf" > /dev/null
 }
+function check_error {
+ cat > $folder/page_output
+ if grep -q "error-msgs" $folder/page_output; then
+ cat $folder/page_output
+ exit 1
+ fi
+}
+
 if ! type curl > /dev/null; then
 echo "requires curl" >&2
 exit 1
@@ -115,7 +127,7 @@ fi
 echo "granting initial bootstrapping-rights"
 sudo lxc-attach -n postgres-primary -- su -c "psql -d gigi" postgres </dev/null
+mcurl login -c $folder/cookie-jar --data-urlencode "username=$adminEmail" --data-urlencode "password=$adminPw" --data-urlencode "csrf=$csrf" | check_error
 open-jar $folder/cookie-jar
 echo "Creating organisation"
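Review bot: The new guard in `register` only proves that a file named `$folder/cookie-jar` exists, so a jar left over from an earlier run, or a run in which `mcurl register` failed after curl had already created the jar, passes it while `csrf` stays empty; that failure is otherwise masked because `csrf=$(... | csrf)` presumably takes the exit status of the `csrf` filter, not of `mcurl`. Checking the value that the rest of the function depends on makes the guard effective, and `>&2` keeps the diagnostic out of whatever consumes the script's stdout: `if [[ ! -f "$folder/cookie-jar" || -z "$csrf" ]]; then` and `echo "error, could not start gigi" >&2`. The body of `register` continues past the end of the hunk.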
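Review bot: `exit 1` inside `check_error` only terminates the subshell that runs the last stage of `mcurl … | check_error`, so unless the script enables `set -e` somewhere above this diff (not visible here) every caller — the login line in the `-115` hunk, the `orga` and `account/details` calls in the `-136` hunk, the ping POST in `-170` and the CSR POST in `-185` — simply continues after an error has been detected. Either append `|| exit 1` to each call site or enable `set -e` (ideally together with `set -o pipefail`) near the top of the script. A second gap is that a connection failure or an HTTP error page without the marker produces output that contains no `error-msgs` and is therefore accepted; `[[ -s $folder/page_output ]] || { echo "empty response from gigi" >&2; exit 1; }` before the `grep` closes the empty-response case. The output path should also be quoted, `cat > "$folder/page_output"`, since `folder` is a runtime value.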
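Review bot: The admin password is passed to curl as a command-line argument, `--data-urlencode "password=$adminPw"`, so it is visible to every local user through `ps` and appears verbatim in `set -x` traces or any captured transcript of the bootstrap run; this predates the commit, but the line is being rewritten here anyway. curl can read a form value from a file or from stdin instead (`--data-urlencode "password@-"` with the password on stdin), provided the `mcurl` wrapper passes its stdin through to curl — its definition is outside this diff. Note also that this rendering has lost the text between `postgres <` and the `+mcurl login` line (apparently a heredoc and the removed `mcurl login` line), so the SQL executed against `gigi` in this hunk could not be reviewed.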
@@ -136,16 +148,17 @@ if ! grep -q '^[0-9]\+$' <<< $mgmOid; then
 fi
 printf "Management Organisation id is \"%s\"\n" "$mgmOid"
-echo "add self as orgadmin for organisation"
-csrf=$(mcurl orga/$mgmOid | csrf "head -n 2" "tail -n 1")
-mcurl orga/$mgmOid --data-urlencode "email=$adminEmail" --data-urlencode "master=y" --data-urlencode "do_affiliate=Add" --data-urlencode "csrf=$csrf" &>/dev/null
+echo "using SQL to add self as orgadmin for organisation"
+sudo lxc-attach -n postgres-primary -- su -c "psql -d gigi" postgres < /dev/null
+mcurl orga/$mgmOid -d "domain=$domainName&addDomain=action&csrf=$csrf" | check_error
-csrf=$(mcurl account/details | csrf "tail -1")
-mcurl account/details -d "orgaForm=orga&org%3A$mgmOid&csrf=$csrf" &> /dev/null
+csrf=$(mcurl account/details -v | csrf "tail -1")
+mcurl account/details -v -d "orgaForm=orga&org%3A$mgmOid&csrf=$csrf" | check_error
 echo "Configuring pings for the domain"
 domain=$(mcurl "account/domains" | grep "/account/domains/" | sed "s_.*/\([0-9]\+\)'.*_\1_")
@@ -157,10 +170,10 @@ fi
 csrf=$(mcurl "account/domains/$domain" | tee $folder/domain | csrf "tail -n 1")
 token=$(grep pre $folder/domain | tail -n 1 | sed "s_.*>\([a-zA-Z0-9]*\)<.*_\1_")
-name=$(grep "content available under" $folder/domain | sed "s_.*/cacert-\([a-zA-Z0-9]*\)\\.txt.*_\1_")
+name=$(grep "content available at" $folder/domain | sed "s_.*/\([a-zA-Z0-9]*\)\\.txt.*_\1_")
-sudo mkdir -p /data/nginx/challenge
-printf "%s" "$token" | sudo tee /data/nginx/challenge/cacert-$name.txt > /dev/null
+sudo mkdir -p /data/nginx/challenge/.well-known/someca-challenge
+printf "%s" "$token" | sudo tee /data/nginx/challenge/.well-known/someca-challenge/$name.txt > /dev/null
 openssl req -newkey rsa:4096 -subj "/CN=$domainName/OU=$token" -nodes -out $folder/self-req -keyout $folder/self-priv
 openssl x509 -req -in $folder/self-req -signkey $folder/self-priv -out $folder/self-cert -extfile <(printf "extendedKeyUsage = clientAuth, serverAuth\n")
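Review bot: The `-v` added to both `account/details` calls looks like leftover debugging: curl's verbose output goes to stderr, so it is not captured by the `csrf=$(…)` substitution and does nothing for the script, but it prints the full request headers — presumably including the `Cookie:` header carrying the gigi session from `$folder/cookie-jar` — to the terminal and to any transcript of the bootstrap run. Drop it: `csrf=$(mcurl account/details | csrf "tail -1")` and `mcurl account/details -d "orgaForm=orga&org%3A$mgmOid&csrf=$csrf" | check_error`. As in the `-115` hunk, this rendering has dropped the text between `postgres <` and `+mcurl orga/$mgmOid`, so the SQL heredoc that now grants the org-admin role, and the lines around it, could not be reviewed here.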
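Review bot: `name` is scraped from the downloaded domain page with `grep … | sed` and nothing checks the result before it becomes part of the path written by `sudo tee /data/nginx/challenge/.well-known/someca-challenge/$name.txt`: if the `grep` matches no line, `name` is empty and the token lands in a file called `.txt`; if the `sed` pattern does not match, the whole page line comes through unchanged and, being unquoted, is word-split into several `tee` arguments. The script already validates `mgmOid` with `grep -q '^[0-9]\+$'`, so the same shape of guard fits here: `[[ $name =~ ^[a-zA-Z0-9]+$ ]] || { echo "could not determine challenge file name" >&2; exit 1; }`, and the path should be quoted as `"/data/nginx/challenge/.well-known/someca-challenge/$name.txt"`.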
@@ -170,7 +183,7 @@ setfacl -m user:puppet:r $folder/self-priv
 cp --preserve=all $folder/self-priv modules/gigi/files/gigi.key
 sudo lxc-attach -n front-nginx -- puppet agent --test --verbose
-mcurl "account/domains/$domain" -d "HTTPType=y&SSLType=y&ssl-type-0=direct&ssl-port-0=443&ssl-type-1=direct&ssl-port-1=&ssl-type-2=direct&ssl-port-2=&ssl-type-3=direct&ssl-port-3=&csrf=$csrf" > /dev/null
+mcurl "account/domains/$domain" -d "HTTPType=y&SSLType=y&ssl-type-0=direct&ssl-port-0=443&ssl-type-1=direct&ssl-port-1=&ssl-type-2=direct&ssl-port-2=&ssl-type-3=direct&ssl-port-3=&csrf=$csrf" | check_error
 echo "Pings configured... waiting"
 sleep 5
@@ -185,7 +198,7 @@ function issue {
 openssl req -newkey rsa:4096 -subj "/CN=blabla" -nodes -out $folder/req -keyout $folder/priv
 encoded=$(tr '\n' '?' < $folder/req | sed "s/=/%3D/g;s/+/%2B/g;s/\?/%0A/g")
- mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" > /dev/null
+ mcurl account/certs/new -d "CSR=$encoded&process=Next&csrf=$csrf" | check_error
 serial=$(mcurl account/certs/new -d "$options&OU=&hash_alg=SHA256&validFrom=now&validity=2y&login=1&description=&process=Issue+Certificate&csrf=$csrf" -v 2>&1 | tee $folder/certlog | grep "< Location: " | sed "s_.*/\([a-f0-9]*\)[^0-9]*_\1_")
 echo "Certificate: $serial"