#!/bin/bash
# Defines
# NOTE(security): the URL below is plain http://, so the certificate is not
# authenticated in transit. Compare its fingerprint with a value obtained
# out-of-band before it is added to a trust store.
ac_raiz_file='AC_RAIZ.pem'           # file name, both remote and local
ac_raiz_url="http://ac.globoi.com/repositorio/${ac_raiz_file}"
ac_raiz_alias='AC_Raiz_da_Globo.com' # nickname used in the NSS db and Java keystore
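# Colorize
#######################################
# Print a message wrapped in an ANSI colour escape sequence.
# Arguments:
#   -n  (optional, must come first) do not print the trailing newline
#   $1  message text, printed literally
#   $2  colour name (red, green, ..., light_cyan); any other value prints
#       "Setting default color" and falls back to cyan
# Outputs:
#   the coloured message on stdout
#######################################
puts() {
  local newline="\n"
  if [[ "$1" == "-n" ]]; then
    newline=""
    shift
  fi

  local msg="$1"
  local color="$2"
  local setcolor_normal="\e[0m"
  local setcolor

  case "$color" in
    red) setcolor="\e[31m" ;;
    green) setcolor="\e[32m" ;;
    yellow) setcolor="\e[33m" ;;
    blue) setcolor="\e[34m" ;;
    magenta) setcolor="\e[35m" ;;
    cyan) setcolor="\e[36m" ;;
    dark_gray) setcolor="\e[90m" ;;
    light_red) setcolor="\e[91m" ;;
    light_green) setcolor="\e[92m" ;;
    light_yellow) setcolor="\e[93m" ;;
    light_blue) setcolor="\e[94m" ;;
    light_magenta) setcolor="\e[95m" ;;
    light_cyan) setcolor="\e[96m" ;;
    *)
      echo "Setting default color"
      setcolor="\e[36m"
      ;;
  esac

  # The message is data, not a format string: callers interpolate command
  # lines, paths and URLs into it, so a '%' or a backslash in those values
  # must not be interpreted by printf. Only the colour codes go through %b.
  printf '%b%s%b%b' "$setcolor" "$msg" "$setcolor_normal" "$newline"
}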
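# Run and retry with sudo if it fails
#######################################
# Run a command and, if it fails, run it once more under sudo.
# The command is received as text: all arguments are joined with spaces and
# split again on whitespace, so an argument that itself contains whitespace
# cannot be passed through this helper.
# NOTE(review): any non-zero status triggers the retry, not only a permission
# error, so the same command line then runs as root.
# Arguments:
#   $@ - command line (callers in this script pass it as one string)
# Outputs:
#   retry / failure notices through puts
# Returns:
#   0 when either attempt succeeds; exits the script with 101 otherwise
#######################################
run_or_sudo() {
  local cmd="$*"
  local -a argv=()

  # Split on whitespace only. Expanding $cmd unquoted would also perform
  # pathname expansion, letting a '*' or '?' inside an argument match files
  # in the current directory before the command (possibly as root) runs.
  # read returns non-zero at end of input here; the array is still filled.
  read -r -d '' -a argv <<< "$cmd"

  if ! "${argv[@]}"; then
    puts "Retrying command '$cmd' with sudo (sudo password may be required)" light_yellow
    if ! sudo "${argv[@]}"; then
      puts "Command '$cmd' could not be run" light_red
      exit 101
    fi
  fi
}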
# Help
# Write the usage summary to stdout, one line per sub-command, using the
# name the script was invoked with ($0).
show_help() {
  printf '%s\n' \
    "Install 'AC Raiz da Globo.com' on clients" \
    "Usage:" \
    "$0 install - Installs AC_RAIZ root certificate" \
    "$0 test - Run all tests" \
    "$0 test-cmd - Run command line tests" \
    "$0 test-web - Run browser tests (GUI)"
}
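# Download CA root cert
#######################################
# Make sure the root certificate file exists in the current directory,
# downloading it with wget or curl when it is not there yet.
# Globals:
#   ac_raiz_file (read), ac_raiz_url (read)
# Outputs:
#   progress messages through puts, followed by a blank line
# Returns:
#   0 when the file is available; exits the script with 102 when neither
#   downloader is installed or the download is unusable
# NOTE(security): the checks below only establish that something shaped like
# a PEM certificate arrived. They do not authenticate it. Compare the file's
# fingerprint with one obtained out-of-band before it is added to any trust
# store. A file that is already present is reused without any check.
#######################################
download_root_cert() {
  if [[ -f "$ac_raiz_file" ]]; then
    puts "Using already downloaded '$ac_raiz_file'" light_green
    echo
    return 0
  fi

  puts "Downloading '$ac_raiz_url'" light_cyan

  local downloader
  if command -v wget >/dev/null 2>&1; then
    downloader="wget"
  elif command -v curl >/dev/null 2>&1; then
    downloader="curl"
  else
    puts "Please install wget or curl, in order to download from '$ac_raiz_url'" light_red
    exit 102
  fi

  # Fetch into a scratch file so that a failed or partial transfer never
  # leaves anything behind under the final name: wget -O creates its output
  # file even when the request fails, and a later run would then reuse it.
  local tmp_file
  if ! tmp_file=$(mktemp "${ac_raiz_file}.XXXXXX"); then
    puts "Could not download '$ac_raiz_url'" light_red
    exit 102
  fi

  local status=0
  if [[ "$downloader" == "wget" ]]; then
    wget -q "$ac_raiz_url" -O "$tmp_file" || status=$?
  else
    # -f: report an HTTP error as a failure instead of saving the error page
    curl -fsL "$ac_raiz_url" -o "$tmp_file" || status=$?
  fi

  # Reject a failed transfer and anything that does not contain a PEM header.
  if ((status != 0)) || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$tmp_file"; then
    rm -f -- "$tmp_file"
    puts "Could not download '$ac_raiz_url'" light_red
    exit 102
  fi

  # Copy the content rather than renaming: mktemp creates the scratch file
  # with owner-only permissions, while the certificate keeps the default mode.
  cat -- "$tmp_file" > "$ac_raiz_file"
  rm -f -- "$tmp_file"

  puts "Using downloaded '$ac_raiz_file'" light_green
  echo
}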
# Should be using Globo's RPM
# Stop with status 103 when /etc/issue mentions "Red Hat" or "CentOS"; the
# user is pointed at the 'globoi-ca-certificates' RPM instead.
# grep runs without -q, so the matching /etc/issue line is printed first.
exit_if_rhel_or_centos() {
  if ! grep "Red Hat" /etc/issue && ! grep "CentOS" /etc/issue; then
    return 0
  fi

  puts "It seems like you are trying to use this script to install AC_RAIZ into a production system (Red Hat/CentOS)" light_red
  puts "You should be using 'globoi-ca-certificates' RPM as a package resource in your Puppet manifest" light_magenta
  exit 103
}
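#######################################
# Import the root certificate into the user's NSS database
# (sql:$HOME/.pki/nssdb) unless a certificate with that nickname is listed.
# Arguments:
#   $1 - distribution name, only printed
#   $2 - certutil command used to list and add certificates
#   $3 - package install command line, run through run_or_sudo when $2 is
#        not found in PATH
# Globals:
#   ac_raiz_alias (read), ac_raiz_file (read), HOME (read)
# Outputs:
#   progress messages through puts, followed by a blank line
# NOTE(security): trust flags CT,c,c make the certificate a trusted CA for
# TLS server and client certificates in this user's database; import it only
# after its fingerprint has been verified. The "already imported" check looks
# at the nickname only, not at the certificate stored under it.
#######################################
install_nssdb_linux() {
  local distro="$1"
  local cmd="$2"
  local pkg_install_cmd="$3"
  local nssdb="sql:$HOME/.pki/nssdb"

  puts "$distro" light_green

  if ! command -v "$cmd" >/dev/null 2>&1; then
    puts "Command '$cmd' not found in PATH, trying to install it" light_yellow
    run_or_sudo "$pkg_install_cmd"
  fi

  # For Chrome on linux (libnss)
  # -F: match the nickname as a fixed string; it contains '.', which a regex
  # match would treat as "any character".
  if "$cmd" -d "$nssdb" -L | grep -qF -- "$ac_raiz_alias"; then
    puts "AC_RAIZ is already imported into user's nssdb" light_green
  else
    puts "Importing AC_RAIZ into user's nssdb: $HOME/.pki/nssdb" light_cyan
    if "$cmd" -d "$nssdb" -A -n "$ac_raiz_alias" -t CT,c,c -i "$ac_raiz_file"; then
      puts "AC_RAIZ successfully imported to user's nssdb" light_green
    else
      puts "Could not import AC_RAIZ into user's nssdb" light_red
    fi
  fi
  echo
}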
# Linux steps to add new root certificate to OS ca-bundle
#######################################
# Copy the certificate into the distribution's trust-anchor directory and
# run the distribution's bundle update command.
# Arguments:
#   $1 - distribution name, only printed
#   $2 - certificate file to copy
#   $3 - destination path inside the system trust directory
#   $4 - command that rebuilds the CA bundle
#   $5 - package install command line, used when $4 is not in PATH
# Outputs:
#   progress messages through puts
# NOTE(review): the "already installed" test only checks that the
# destination file exists; its content is not compared with $2.
#######################################
install_ca_bundle_linux() {
  local distro="$1"
  local ac_raiz_file="$2"
  local dest_ac_raiz_file="$3"
  local update_cmd="$4"
  local update_pkg_install_cmd="$5"

  if [[ -f "$dest_ac_raiz_file" ]]; then
    puts "AC_RAIZ is already system-wide installed" light_green
    return
  fi

  puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
  puts "$distro" light_green

  # $update_cmd is left unquoted on purpose: it may hold several words (the
  # Arch branch passes "sudo trust extract-compat").
  command -v $update_cmd >/dev/null 2>&1 || {
    puts "Command '$update_cmd' not found in PATH, trying to install it" light_yellow
    run_or_sudo "$update_pkg_install_cmd"
  }

  puts "Copying '$ac_raiz_file' to '$dest_ac_raiz_file'" light_cyan
  # run_or_sudo takes the command as one string, so paths containing
  # whitespace are not supported here.
  run_or_sudo "cp -v $ac_raiz_file $dest_ac_raiz_file"
  run_or_sudo "$update_cmd"
  puts "AC_RAIZ successfully installed system-wide" light_green
}
# Command line tests
# Run test/helper/roundup.sh from inside the ./test directory.
# Side effect: the shell's working directory stays at ./test afterwards.
# Returns: cd's failure status when ./test cannot be entered, otherwise the
# status of helper/roundup.sh.
run_test_cmd() {
  puts "Running command line tests" light_cyan
  cd test || return
  ./helper/roundup.sh
}
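# GUI web browser tests

# Print the "press enter" prompt and wait for one line on stdin.
_pause_for_enter() {
  local x
  puts "Press enter to continue..." dark_gray
  # -r: take the line as typed; a trailing backslash must not continue it
  read -r x
}

#######################################
# Open the test URL in each browser that is found and wait for enter after
# each one. Chromium and Firefox are looked up in PATH first, then as Mac
# application bundles under /Applications; Safari only as a bundle.
# Outputs:
#   progress messages through puts
# Returns:
#   status of the last step (the Safari check or its final read)
#######################################
run_test_web() {
  local test_url="https://minhaconta.globoi.com"
  # Mac application bundles; declared local so they do not leak into the
  # script's global scope.
  local chrome_app="/Applications/Google Chrome.app"
  local firefox_app="/Applications/Firefox.app"
  local safari_app="/Applications/Safari.app"

  puts "Running web browser (GUI) tests" light_cyan

  # Chrome
  if command -v chromium-browser >/dev/null 2>&1; then
    puts "Found Chrome browser (Chromium), opening $test_url" light_cyan
    sleep 1
    chromium-browser "$test_url"
    _pause_for_enter
  elif [[ -d "$chrome_app" ]]; then
    puts "Found Chrome browser (Google Chrome.app), opening $test_url" light_cyan
    sleep 1
    open -a "$chrome_app" "$test_url"
    _pause_for_enter
  fi

  # Firefox
  if command -v firefox >/dev/null 2>&1; then
    puts "Found Firefox browser, opening $test_url" light_cyan
    sleep 1
    firefox "$test_url"
    _pause_for_enter
  elif [[ -d "$firefox_app" ]]; then
    puts "Found Firefox browser (Firefox.app), opening $test_url" light_cyan
    sleep 1
    open -a "$firefox_app" "$test_url"
    _pause_for_enter
  fi

  # Safari
  if [[ -d "$safari_app" ]]; then
    puts "Found Safari browser (Safari.app), opening $test_url" light_cyan
    sleep 1
    open -a "$safari_app" "$test_url"
    _pause_for_enter
  fi
}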
############
### Main ###
############
### Help (default)
# No argument at all, or any spelling of the help flag: print usage and stop.
case "$1" in
  "" | -h | -help | --help)
    show_help
    exit 0
    ;;
esac
### Test
# The test sub-commands always exit here and never reach the installer below.
case "$1" in
  test)
    # Run both suites even when the first one fails; succeed only if both do.
    run_test_cmd
    ret1=$?
    run_test_web
    ret2=$?
    ((ret1 == 0 && ret2 == 0)) && exit 0
    exit 1
    ;;
  test-cmd)
    run_test_cmd
    exit  # with the status of run_test_cmd
    ;;
  test-web)
    run_test_web
    exit  # with the status of run_test_web
    ;;
esac
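### Install
# Anything other than "install" at this point is a usage error (status 2).
if [[ "$1" != "install" ]]; then
  # "$*" keeps every argument inside the one message string. "$@" inside the
  # quotes would expand to several words when more than one argument is
  # given, pushing part of the message into puts' colour parameter.
  puts "Unrecognized option '$*'" light_red
  show_help
  exit 2
fi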
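### System-wide installation
# OS detection and system-wide installation
# http://wiki.cacert.org/FAQ/ImportRootCert
#
# NOTE(security): every supported branch below ends with the certificate
# trusted as a root CA for the whole machine, so its authenticity has to be
# established before this point. The file comes from ac_raiz_url (plain
# http) and nothing here checks its fingerprint.
os=$(uname)
case "$os" in
  Linux)
    # Should be using Globo's RPM
    exit_if_rhel_or_centos

    # Ubuntu
    # http://manpages.ubuntu.com/manpages/vivid/man8/update-ca-certificates.8.html
    if grep -q "Ubuntu" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Ubuntu" \
        "certutil" \
        "apt-get install libnss3-tools"
      # Dest cert file MUST be .crt to be included into bundle
      install_ca_bundle_linux \
        "Ubuntu" \
        "$ac_raiz_file" \
        "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
        "update-ca-certificates" \
        "apt-get install ca-certificates"

    # Fedora
    # https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/
    # 2>/dev/null: /etc/redhat-release does not exist on the distributions
    # tested after this one, and grep's complaint is only noise there.
    elif grep -q "Fedora" /etc/redhat-release 2>/dev/null; then
      download_root_cert
      install_nssdb_linux \
        "Fedora" \
        "certutil" \
        "dnf install nss-tools"
      # Dest cert file MUST be .pem to be included into bundle
      install_ca_bundle_linux \
        "Fedora" \
        "$ac_raiz_file" \
        "/etc/pki/ca-trust/source/anchors/$ac_raiz_file" \
        "update-ca-trust" \
        "dnf install ca-certificates"

    # Mint
    elif grep -q "Mint" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Mint" \
        "certutil" \
        "apt-get install libnss3-tools"
      # Dest cert file MUST be .crt to be included into bundle
      install_ca_bundle_linux \
        "Mint" \
        "$ac_raiz_file" \
        "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
        "update-ca-certificates" \
        "apt-get install ca-certificates"

    # Arch Linux / Manjaro
    elif grep -Eiq "Arch|Manjaro" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Arch Linux" \
        "certutil" \
        "pacman -S nss"
      # Dest cert file MUST be .crt to be included into bundle
      # Reference: https://www.archlinux.org/news/ca-certificates-update/
      install_ca_bundle_linux \
        "Arch Linux" \
        "$ac_raiz_file" \
        "/etc/ca-certificates/trust-source/anchors/${ac_raiz_file/%.pem/.crt}" \
        "sudo trust extract-compat" \
        "pacman -S ca-certificates"

    # Other Linux
    else
      puts "Unsupported Linux distribution" light_red
      cat /etc/issue
      # List every distribution that has a branch above.
      puts "Supported distributions are 'Ubuntu', 'Fedora', 'Mint' and 'Arch Linux'" light_magenta
      exit 3
    fi
    ;;

  Darwin)
    download_root_cert
    # https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/security.1.html
    puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
    puts "OS X" light_green
    # Keep the command as an array so it runs exactly as written, without
    # word splitting or globbing of a flattened string.
    # -d -r trustRoot -k System.keychain: admin trust settings, trusted as a
    # root, stored in the system keychain.
    mac_add_cert_cmd=(sudo security add-trusted-cert -d -r trustRoot
      -k /Library/Keychains/System.keychain "$ac_raiz_file")
    puts "Running '${mac_add_cert_cmd[*]}' (admin authentication may be required)" light_yellow
    "${mac_add_cert_cmd[@]}"

    # RVM certs on OS X
    if type rvm >/dev/null 2>&1; then
      puts "Found RVM installation on OS X, running 'rvm osx-ssl-certs update all' to rebuild ca-bundle files" light_cyan
      rvm osx-ssl-certs update all
    else
      puts "RVM not found, skipping RVM" dark_gray
    fi
    ;;

  *)
    puts "Unrecognized operating system '$os'" light_red
    puts "Supported systems are 'Linux' and 'OS X'" light_magenta
    exit 4
    ;;
esac
echo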
### JAVA
# Import the certificate into the JDK's default truststore (-cacerts) when
# JAVA_HOME points at an existing directory.
# "changeit" is the JDK's default cacerts password; it is passed on the
# command line here.
if [[ -z "$JAVA_HOME" || ! -d "$JAVA_HOME" ]]; then
  puts "JAVA_HOME not found, skipping Java" dark_gray
  puts "Run command bellow and try again:" dark_gray
  puts 'export JAVA_HOME="$(/usr/libexec/java_home)"' dark_gray
else
  puts "Found JAVA_HOME='$JAVA_HOME' (keystore with option -cacerts)" light_cyan
  # keytool -list succeeds only when the alias is present; its listing is
  # printed to the terminal as well.
  if ! "$JAVA_HOME/bin/keytool" -list -cacerts -storepass changeit -alias "$ac_raiz_alias"; then
    puts "Importing AC_RAIZ into keystore" light_cyan
    # One string because run_or_sudo re-splits it on whitespace; a JAVA_HOME
    # containing spaces is therefore not supported here.
    run_or_sudo "$JAVA_HOME/bin/keytool -importcert -noprompt -cacerts -storepass changeit -alias $ac_raiz_alias -file $ac_raiz_file"
    puts "AC_RAIZ successfully imported to keystore" light_green
  else
    puts "AC_RAIZ is already imported into keystore" light_green
  fi
fi
echo
### Python
# Closing reminder for Python users, then the final status line.
python_tip="Tip: if you are using Python with 'requests >= 2.4.0' you should install
python-certifi-globo (at least certifi-globo==2016.3.11). See more at
https://gitlab.globoi.com/time-infra-scrum/python-certifi-globo"
puts "$python_tip" dark_gray
echo
puts "Successfully installed AC_RAIZ root certificate" light_green
#EOF