#!/bin/bash

# Defines
# Nickname under which the certificate is stored in the NSS db and the Java keystore.
ac_raiz_alias='AC_Raiz_da_Globo.com'
# Local file name of the root certificate (also the last path segment of the URL).
ac_raiz_file='AC_RAIZ.pem'
# NOTE(security): this is a plain-HTTP URL, so the transport does not
# authenticate the certificate that comes back. The file ends up in several
# trust stores; its fingerprint should be confirmed through a separate,
# trusted channel before it is installed.
ac_raiz_url="http://ac.globoi.com/repositorio/${ac_raiz_file}"

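# Colorize
#
# Prints a message wrapped in an ANSI color sequence.
#
# Arguments: [-n]  optional first argument; suppresses the trailing newline
#            $1    message text (printed literally)
#            $2    color name; an unknown or missing name falls back to cyan
#                  after printing "Setting default color"
# Outputs:   the colored message on stdout
puts() {
    local newline=$'\n'
    if [[ "$1" == "-n" ]]; then
        newline=""
        shift
    fi
    local msg="$1"
    local color="$2"
    local setcolor
    local setcolor_normal=$'\e[0m'
    case "$color" in
        red)            setcolor=$'\e[31m' ;;
        green)          setcolor=$'\e[32m' ;;
        yellow)         setcolor=$'\e[33m' ;;
        blue)           setcolor=$'\e[34m' ;;
        magenta)        setcolor=$'\e[35m' ;;
        cyan)           setcolor=$'\e[36m' ;;
        dark_gray)      setcolor=$'\e[90m' ;;
        light_red)      setcolor=$'\e[91m' ;;
        light_green)    setcolor=$'\e[92m' ;;
        light_yellow)   setcolor=$'\e[93m' ;;
        light_blue)     setcolor=$'\e[94m' ;;
        light_magenta)  setcolor=$'\e[95m' ;;
        light_cyan)     setcolor=$'\e[96m' ;;
        *)
            echo "Setting default color"
            setcolor=$'\e[36m'
            ;;
    esac
    # The message is passed as an argument, never as the format string:
    # callers interpolate command lines, paths and URLs into it, and a '%'
    # or backslash in those must be printed as-is, not interpreted.
    printf '%s%s%s%s' "$setcolor" "$msg" "$setcolor_normal" "$newline"
}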

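# Run and retry with sudo if it fails
#
# Arguments: the command line, normally ONE string; it is split on
#            whitespace into words (no quoting is honoured, so a path that
#            contains a space cannot be passed through this helper).
# Exits:     101 when the command fails both as the current user and
#            under sudo.
#
# NOTE(security): every failure triggers the retry as root, not only a
# permission error, so a command that fails for any other reason is run a
# second time with full privileges. Pass only fixed, trusted command
# strings; never text taken from a download or another untrusted source.
run_or_sudo() {
    local shown="$*"
    local -a argv=()

    # Split into words without pathname expansion: an unquoted $cmd would
    # also expand '*', '?' and '[' against the current directory.
    # read hits EOF before a NUL and returns non-zero; argv is still filled.
    IFS=$' \t\n' read -r -d '' -a argv <<< "$shown" || true

    if ! "${argv[@]}"; then
        puts "Retrying command '$shown' with sudo (sudo password may be required)" light_yellow
        if ! sudo "${argv[@]}"; then
            puts "Command '$shown' could not be run" light_red
            exit 101
        fi
    fi
}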

# Help
# Writes the usage text to stdout, one line per sub-command; the program
# name shown is taken from $0.
show_help() {
    local prog="$0"
    printf '%s\n' \
        "" \
        "Install 'AC Raiz da Globo.com' on clients" \
        "" \
        "Usage:" \
        "    $prog install      - Installs AC_RAIZ root certificate" \
        "    $prog test         - Run all tests" \
        "    $prog test-cmd     - Run command line tests" \
        "    $prog test-web     - Run browser tests (GUI)" \
        ""
}

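# Download CA root cert
#
# Makes sure "$ac_raiz_file" exists locally, fetching it from
# "$ac_raiz_url" with wget or curl when it is missing or empty.
#
# Globals:  ac_raiz_file, ac_raiz_url (read)
#           AC_RAIZ_SHA256 (read, optional): expected SHA-256 fingerprint of
#           the certificate, hex with or without colons. When set, a file
#           with any other fingerprint is refused.
# Exits:    102 when no downloader is installed, the transfer fails, the
#           result is not a PEM certificate, or the fingerprint check fails.
#
# NOTE(security): the URL is plain HTTP, so the transport cannot prove the
# file is the real root certificate, and the caller installs it as a trust
# anchor. Set AC_RAIZ_SHA256 to a value obtained out-of-band, or compare the
# fingerprint printed below by hand before trusting the result.
download_root_cert() {
    local tmp_file fetch_status fingerprint expected

    if [[ -s "$ac_raiz_file" ]]; then
        puts "Using already downloaded '$ac_raiz_file'" light_green
    else
        puts "Downloading '$ac_raiz_url'" light_cyan
        if ! command -v wget >/dev/null 2>&1 && ! command -v curl >/dev/null 2>&1; then
            puts "Please install wget or curl, in order to download from '$ac_raiz_url'" light_red
            exit 102
        fi

        # Fetch into a scratch file: wget -O creates its target even when the
        # transfer fails, and a leftover empty or partial file would pass for
        # a finished download on the next run.
        if ! tmp_file=$(mktemp "${ac_raiz_file}.XXXXXX"); then
            puts "Could not download '$ac_raiz_url'" light_red
            exit 102
        fi
        if command -v wget >/dev/null 2>&1; then
            wget -q "$ac_raiz_url" -O "$tmp_file"
        else
            # -f: an HTTP error must fail the transfer instead of saving the
            # server's error page as the certificate.
            curl -fsL "$ac_raiz_url" -o "$tmp_file"
        fi
        fetch_status=$?

        if [[ $fetch_status -ne 0 ]] ||
            ! grep -q -e '-----BEGIN CERTIFICATE-----' "$tmp_file"; then
            rm -f -- "$tmp_file"
            puts "Could not download '$ac_raiz_url'" light_red
            exit 102
        fi

        # mktemp creates the file owner-only; the copy installed system-wide
        # later inherits the mode and has to stay world-readable.
        chmod 644 "$tmp_file"
        if ! mv -f -- "$tmp_file" "$ac_raiz_file"; then
            rm -f -- "$tmp_file"
            puts "Could not download '$ac_raiz_url'" light_red
            exit 102
        fi
        puts "Using downloaded '$ac_raiz_file'" light_green
    fi

    # Show the fingerprint so it can be compared with a trusted reference.
    if command -v openssl >/dev/null 2>&1; then
        fingerprint=$(openssl x509 -in "$ac_raiz_file" -noout -fingerprint -sha256 2>/dev/null)
        fingerprint=${fingerprint#*=}
        if [[ -n "$fingerprint" ]]; then
            puts "SHA-256 fingerprint of '$ac_raiz_file': $fingerprint" light_yellow
        fi
    fi

    # Optional pin. Fails closed: no openssl or an unparsable file leaves
    # the fingerprint empty, which never matches.
    expected=${AC_RAIZ_SHA256:-}
    if [[ -n "$expected" ]]; then
        expected=$(printf '%s' "$expected" | tr -d ': ' | tr '[:lower:]' '[:upper:]')
        fingerprint=$(printf '%s' "$fingerprint" | tr -d ':' | tr '[:lower:]' '[:upper:]')
        if [[ -z "$fingerprint" || "$fingerprint" != "$expected" ]]; then
            puts "Fingerprint of '$ac_raiz_file' does not match AC_RAIZ_SHA256, refusing to use it" light_red
            exit 102
        fi
    fi
    echo
}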

# Should be using Globo's RPM
# Stops the script with status 103 when /etc/issue mentions "Red Hat" or
# "CentOS"; otherwise returns 0. Matching lines are echoed by grep.
exit_if_rhel_or_centos() {
    # Neither marker found: this is not a RHEL/CentOS host, carry on.
    grep "Red Hat" /etc/issue || grep "CentOS" /etc/issue || return 0

    puts "It seems like you are trying to use this script to install AC_RAIZ into a production system (Red Hat/CentOS)" light_red
    puts "You should be using 'globoi-ca-certificates' RPM as a package resource in your Puppet manifest" light_magenta
    exit 103
}

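# Import the root certificate into the current user's NSS database
# (the store Chrome uses on Linux).
#
# Arguments: $1 - distribution name, printed as a heading
#            $2 - name of the NSS certificate tool (callers pass "certutil")
#            $3 - package-manager command line that installs that tool
# Globals:   ac_raiz_alias, ac_raiz_file, HOME (read)
# Outputs:   progress messages on stdout. A failed import is reported but
#            does not stop the script.
install_nssdb_linux() {
    local distro="$1"
    local cmd="$2"
    local pkg_install_cmd="$3"
    local nssdb="sql:$HOME/.pki/nssdb"

    puts "$distro" light_green

    if ! command -v "$cmd" >/dev/null 2>&1; then
        puts "Command '$cmd' not found in PATH, trying to install it" light_yellow
        run_or_sudo "$pkg_install_cmd"
    fi

    # For Chrome on linux (libnss)
    # -F: the alias is a literal nickname; as a regex its '.' would match
    # any character.
    if "$cmd" -d "$nssdb" -L | grep -qF -- "$ac_raiz_alias"; then
        puts "AC_RAIZ is already imported into user's nssdb" light_green
    else
        puts "Importing AC_RAIZ into user's nssdb: $HOME/.pki/nssdb" light_cyan
        # Trust flags are "SSL,S/MIME,object-signing". "CT" makes this a
        # trusted issuer of TLS server and client certificates; "c" marks it
        # as a valid CA for e-mail and code signing.
        if "$cmd" -d "$nssdb" -A -n "$ac_raiz_alias" -t CT,c,c -i "$ac_raiz_file"; then
            puts "AC_RAIZ successfully imported to user's nssdb" light_green
        else
            puts "Could not import AC_RAIZ into user's nssdb" light_red
        fi
    fi
    echo
}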

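# Linux steps to add new root certificate to OS ca-bundle
#
# Arguments: $1 - distribution name, used in messages
#            $2 - path of the certificate file to install
#            $3 - destination path inside the distribution's trust-anchor
#                 directory
#            $4 - command line that rebuilds the system bundle
#            $5 - package-manager command line that provides that command
# Outputs:   progress messages on stdout
# Exits:     101 (through run_or_sudo) when a step fails even with sudo
install_ca_bundle_linux() {
    local distro="$1"
    local ac_raiz_file="$2"
    local dest_ac_raiz_file="$3"
    local update_cmd="$4"
    local update_pkg_install_cmd="$5"
    local -a update_words=()
    local update_tool

    if [[ -f "$dest_ac_raiz_file" ]]; then
        puts "AC_RAIZ is already system-wide installed" light_green
        # An existing anchor is never overwritten. If it differs from the
        # local copy, one of the two is stale or not the real certificate,
        # so say so instead of staying silent.
        if command -v cmp >/dev/null 2>&1 &&
            [[ -r "$ac_raiz_file" && -r "$dest_ac_raiz_file" ]] &&
            ! cmp -s "$ac_raiz_file" "$dest_ac_raiz_file"; then
            puts "Warning: '$dest_ac_raiz_file' differs from '$ac_raiz_file'; it was left untouched, verify the fingerprints of both" light_yellow
        fi
        return 0
    fi

    puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
    puts "$distro" light_green

    # update_cmd may be several words and may start with "sudo" (the Arch
    # caller passes "sudo trust extract-compat"). Probe the tool itself:
    # 'command -v' given several names succeeds when any one of them exists,
    # so the unquoted form reported success as soon as sudo was found.
    IFS=$' \t\n' read -r -a update_words <<< "$update_cmd"
    update_tool="${update_words[0]}"
    if [[ "$update_tool" == "sudo" ]]; then
        update_tool="${update_words[1]}"
    fi

    if ! command -v "$update_tool" >/dev/null 2>&1; then
        puts "Command '$update_cmd' not found in PATH, trying to install it" light_yellow
        run_or_sudo "$update_pkg_install_cmd"
    fi

    puts "Copying '$ac_raiz_file' to '$dest_ac_raiz_file'" light_cyan
    # run_or_sudo takes a single string and splits it on whitespace, so
    # neither path may contain a space.
    run_or_sudo "cp -v $ac_raiz_file $dest_ac_raiz_file"
    run_or_sudo "$update_cmd"

    puts "AC_RAIZ successfully installed system-wide" light_green
}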

# Command line tests
# Runs ./helper/roundup.sh from inside test/ and returns its status. The
# directory change stays in effect for the calling shell.
run_test_cmd() {
    puts "Running command line tests" light_cyan
    # No test/ directory: hand cd's failure status back to the caller.
    cd test || return
    ./helper/roundup.sh
}

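# Announce a browser, open the URL in it and wait for Enter.
# Arguments: $1 - browser label for the message
#            $2 - URL to open
#            $3.. - launcher command and its leading arguments
_open_in_browser() {
    local label="$1"
    local url="$2"
    local reply
    shift 2

    puts "Found $label, opening $url" light_cyan
    sleep 1
    "$@" "$url"
    puts "Press enter to continue..." dark_gray
    # -r: take the line as typed, without backslash processing.
    read -r reply
}

# GUI web browser tests
#
# Opens the test URL in each browser found (Chrome/Chromium, Firefox,
# Safari) so the operator can check by eye that the HTTPS page loads
# without a certificate warning. Interactive: waits for Enter after each.
run_test_web() {
    local test_url="https://minhaconta.globoi.com"
    # Kept local so the probe paths do not leak into the script's globals.
    local chrome_app="/Applications/Google Chrome.app" # Mac
    local firefox_app="/Applications/Firefox.app" # Mac
    local safari_app="/Applications/Safari.app" # Mac

    puts "Running web browser (GUI) tests" light_cyan

    # Chrome
    if command -v chromium-browser >/dev/null 2>&1; then
        _open_in_browser "Chrome browser (Chromium)" "$test_url" chromium-browser
    elif [[ -d "$chrome_app" ]]; then
        _open_in_browser "Chrome browser (Google Chrome.app)" "$test_url" open -a "$chrome_app"
    fi

    # Firefox
    if command -v firefox >/dev/null 2>&1; then
        _open_in_browser "Firefox browser" "$test_url" firefox
    elif [[ -d "$firefox_app" ]]; then
        _open_in_browser "Firefox browser (Firefox.app)" "$test_url" open -a "$firefox_app"
    fi

    # Safari
    if [[ -d "$safari_app" ]]; then
        _open_in_browser "Safari browser (Safari.app)" "$test_url" open -a "$safari_app"
    fi
}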

############
### Main ###
############

### Help (default)
# No sub-command, or any of the usual help spellings: print usage and stop.
case "$1" in
    "" | -h | -help | --help)
        show_help
        exit 0
        ;;
esac

### Test
# The test sub-commands finish the script here; anything else falls through.
case "$1" in
    test-cmd)
        run_test_cmd
        exit
        ;;
    test-web)
        run_test_web
        exit
        ;;
    test)
        # Always run both suites, then succeed only if both did.
        run_test_cmd
        ret1=$?
        run_test_web
        ret2=$?
        if (( ret1 != 0 || ret2 != 0 )); then
            exit 1
        fi
        exit 0
        ;;
esac

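### Install
# Only "install" is left as a valid sub-command at this point.
if [[ "$1" != "install" ]]; then
    # "$*" joins the arguments into one word. "$@" inside the quotes splits
    # into one word per argument, so with several arguments the message was
    # cut short and the color name was pushed out of puts' second position.
    puts "Unrecognized option '$*'" light_red
    show_help
    exit 2
fi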

### System-wide installation

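# OS detection and system-wide installation
# http://wiki.cacert.org/FAQ/ImportRootCert
#
# Each supported platform downloads the certificate, then adds it to the
# per-user NSS database (Linux only) and to the operating system's trust
# store. Exits 3 on an unsupported Linux distribution, 4 on an unsupported
# operating system, 101 when the macOS keychain import fails.
#
# NOTE(review): Linux distributions are recognised by grepping /etc/issue,
# a login banner that administrators may rewrite; presumably
# /etc/os-release would be a steadier source. Confirm before relying on
# this detection on managed hosts.
os=$(uname)
case "$os" in
    Linux)
        # Should be using Globo's RPM
        exit_if_rhel_or_centos

        # Ubuntu
        # http://manpages.ubuntu.com/manpages/vivid/man8/update-ca-certificates.8.html
        if grep -q "Ubuntu" /etc/issue; then
            download_root_cert

            install_nssdb_linux \
                "Ubuntu" \
                "certutil" \
                "apt-get install libnss3-tools"

            # Dest cert file MUST be .crt to be included into bundle
            install_ca_bundle_linux \
                "Ubuntu" \
                "$ac_raiz_file" \
                "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
                "update-ca-certificates" \
                "apt-get install ca-certificates"

        # # Fedora
        # # https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/
        # /etc/redhat-release is missing on the non-Red-Hat distributions
        # probed below; silence grep's "No such file" complaint there.
        elif grep -q "Fedora" /etc/redhat-release 2>/dev/null; then
            download_root_cert

            install_nssdb_linux \
                "Fedora" \
                "certutil" \
                "dnf install nss-tools"

            # Dest cert file MUST be .pem to be included into bundle
            install_ca_bundle_linux \
                "Fedora" \
                "$ac_raiz_file" \
                "/etc/pki/ca-trust/source/anchors/$ac_raiz_file" \
                "update-ca-trust" \
                "dnf install ca-certificates"

        # Mint
        elif grep -q "Mint" /etc/issue; then
            download_root_cert

            install_nssdb_linux \
                "Mint" \
                "certutil" \
                "apt-get install libnss3-tools"

            # Dest cert file MUST be .crt to be included into bundle
            install_ca_bundle_linux \
                "Mint" \
                "$ac_raiz_file" \
                "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
                "update-ca-certificates" \
                "apt-get install ca-certificates"

        # Arch / Manjaro
        elif grep -Eiq "Arch|Manjaro" /etc/issue; then
            download_root_cert

            install_nssdb_linux \
                "Arch Linux" \
                "certutil" \
                "pacman -S nss"

            # Dest cert file MUST be .crt to be included into bundle
            # Reference: https://www.archlinux.org/news/ca-certificates-update/
            install_ca_bundle_linux \
                "Arch Linux" \
                "$ac_raiz_file" \
                "/etc/ca-certificates/trust-source/anchors/${ac_raiz_file/%.pem/.crt}" \
                "sudo trust extract-compat" \
                "pacman -S ca-certificates"

        # Other Linux
        else
            puts "Unsupported Linux distribution" light_red
            cat /etc/issue
            # Names every distribution handled by the branches above.
            puts "Supported distributions are 'Ubuntu', 'Fedora', 'Mint' and 'Arch/Manjaro'" light_magenta
            exit 3
        fi
        ;;

    Darwin)
        download_root_cert

        # https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/security.1.html
        puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
        puts "OS X" light_green
        # -d -r trustRoot -k System.keychain: the certificate becomes a
        # trusted root in the admin trust settings, i.e. for every user of
        # this machine.
        mac_add_cert_cmd="sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain $ac_raiz_file"
        puts "Running '$mac_add_cert_cmd' (admin authentication may be required)" light_yellow
        # Run with explicit arguments rather than by word-splitting the
        # display string, and stop on failure: otherwise the script would
        # go on and report a successful installation.
        if ! sudo security add-trusted-cert -d -r trustRoot \
            -k /Library/Keychains/System.keychain "$ac_raiz_file"; then
            puts "Command '$mac_add_cert_cmd' could not be run" light_red
            exit 101
        fi

        # RVM certs on OS X
        if type rvm >/dev/null 2>&1; then
            puts "Found RVM installation on OS X, running 'rvm osx-ssl-certs update all' to rebuild ca-bundle files" light_cyan
            rvm osx-ssl-certs update all
        else
            puts "RVM not found, skipping RVM" dark_gray
        fi
        ;;

    *)
        puts "Unrecognized operating system '$os'" light_red
        puts "Supported systems are 'Linux' and 'OS X'" light_magenta
        exit 4
        ;;
esac
echo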

### JAVA
# Adds the certificate to the Java runtime's cacerts keystore when
# JAVA_HOME points at a directory; otherwise prints how to set JAVA_HOME.
#
# "changeit" is the stock cacerts password, so the keystore's integrity
# rests on its file permissions, not on this secret. The import makes the
# certificate a trust anchor for every application using this JDK.
# NOTE(review): -cacerts is, as far as I know, only accepted by newer
# keytool releases; confirm for the JDKs in use.
# NOTE(review): run_or_sudo splits its single argument on whitespace, so a
# JAVA_HOME containing a space would break the import command.
if [[ -z "$JAVA_HOME" || ! -d "$JAVA_HOME" ]]; then
    puts "JAVA_HOME not found, skipping Java" dark_gray
    puts "Run command bellow and try again:" dark_gray
    puts 'export JAVA_HOME="$(/usr/libexec/java_home)"' dark_gray
else
    puts "Found JAVA_HOME='$JAVA_HOME' (keystore with option -cacerts)" light_cyan
    # A failed listing is taken to mean the alias is not in the keystore yet.
    if ! "$JAVA_HOME/bin/keytool" -list -cacerts -storepass changeit -alias "$ac_raiz_alias"; then
        puts "Importing AC_RAIZ into keystore" light_cyan
        run_or_sudo "$JAVA_HOME/bin/keytool -importcert -noprompt -cacerts -storepass changeit -alias $ac_raiz_alias -file $ac_raiz_file"
        puts "AC_RAIZ successfully imported to keystore" light_green
    else
        puts "AC_RAIZ is already imported into keystore" light_green
    fi
fi
echo

### Python
# requests ships its own CA bundle through certifi, so the system trust
# store changes above do not reach it; point the user at the patched bundle.
puts "$(printf '%s\n' \
    "Tip: if you are using Python with 'requests >= 2.4.0' you should install" \
    "python-certifi-globo (at least certifi-globo==2016.3.11). See more at" \
    "https://gitlab.globoi.com/time-infra-scrum/python-certifi-globo")" dark_gray
echo

# Final status line of the install path.
puts "Successfully installed AC_RAIZ root certificate" light_green

#EOF