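#!/bin/bash
#
# Installs the 'AC Raiz da Globo.com' root certificate into the trust stores of
# a developer workstation: the user's NSS database, the OS CA bundle (Linux) or
# the System keychain (OS X), and the Java cacerts keystore.
#
# Trust note: the certificate is fetched over plain HTTP and then installed as
# a trust anchor, so the transport gives no integrity guarantee. The script
# therefore prints the SHA-256 fingerprint of the file it is about to install
# and, when AC_RAIZ_SHA256 is set (a value obtained out of band), refuses to
# continue unless the fingerprint matches.
#
# Kept compatible with bash 3.2 (the /bin/bash shipped with OS X).

# Defines
ac_raiz_file="AC_RAIZ.pem"
ac_raiz_url="http://ac.globoi.com/repositorio/$ac_raiz_file"
ac_raiz_alias="AC_Raiz_da_Globo.com"
# Optional pin for the certificate; empty means "no pin configured".
ac_raiz_sha256="${AC_RAIZ_SHA256:-}"

# Colorize
# Arguments: [-n] message color
#   -n       do not append a newline
#   message  text to print
#   color    one of the names below; anything else falls back to cyan
puts() {
  local newline="\n"
  if [[ "$1" == "-n" ]]; then
    newline=""
    shift
  fi

  local msg="$1"
  local color="$2"
  local setcolor
  local setcolor_normal="\e[0m"

  case "$color" in
    red) setcolor="\e[31m" ;;
    green) setcolor="\e[32m" ;;
    yellow) setcolor="\e[33m" ;;
    blue) setcolor="\e[34m" ;;
    magenta) setcolor="\e[35m" ;;
    cyan) setcolor="\e[36m" ;;
    dark_gray) setcolor="\e[90m" ;;
    light_red) setcolor="\e[91m" ;;
    light_green) setcolor="\e[92m" ;;
    light_yellow) setcolor="\e[93m" ;;
    light_blue) setcolor="\e[94m" ;;
    light_magenta) setcolor="\e[95m" ;;
    light_cyan) setcolor="\e[96m" ;;
    *)
      echo "Setting default color"
      setcolor="\e[36m"
      ;;
  esac

  # The message goes through %s: it can carry paths, JAVA_HOME or command-line
  # arguments, and must never be interpreted as a printf format. Only the
  # colour escapes (fixed strings from the table above) live in the format.
  printf "${setcolor}%s${setcolor_normal}${newline}" "$msg"
}

# Run and retry with sudo if it fails
# Arguments: the command and its arguments, one word per argument. Words are
# passed through unchanged, so paths containing spaces survive.
# Exits 101 when the command also fails under sudo.
run_or_sudo() {
  if ! "$@"; then
    puts "Retrying command '$*' with sudo (sudo password may be required)" light_yellow
    if ! sudo "$@"; then
      puts "Command '$*' could not be run" light_red
      exit 101
    fi
  fi
}

# Help
show_help() {
  cat << EOF
Install 'AC Raiz da Globo.com' on clients

Usage:
    $0 install   - Installs AC_RAIZ root certificate
    $0 test      - Run all tests
    $0 test-cmd  - Run command line tests
    $0 test-web  - Run browser tests (GUI)

Environment:
    AC_RAIZ_SHA256 - expected SHA-256 fingerprint of the certificate (optional)
EOF
}

# Canonical form of a fingerprint for comparison: no colons or whitespace,
# upper case. Uses tr because ${var^^} needs bash 4.
normalize_fingerprint() {
  printf '%s' "$1" | tr -d ':[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Check that a file is a parseable certificate and show its fingerprint
# Arguments: $1 - path to the PEM file
# Returns:   0 when the file may be installed, 1 when it must not be
# Without openssl the file cannot be inspected: that is tolerated when no pin
# is configured (original behaviour) and fatal when a pin was requested.
verify_root_cert() {
  local cert="$1"
  local fingerprint=""

  if ! command -v openssl >/dev/null 2>&1; then
    if [[ -n "$ac_raiz_sha256" ]]; then
      puts "openssl is required to check AC_RAIZ_SHA256 but was not found in PATH" light_red
      return 1
    fi
    puts "openssl not found, '$cert' could not be inspected before installation" light_yellow
    return 0
  fi

  # Also rejects HTML error pages or truncated downloads saved under the
  # certificate's name.
  if ! fingerprint=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null); then
    puts "'$cert' is not a valid PEM certificate" light_red
    return 1
  fi
  fingerprint="${fingerprint#*=}"
  puts "SHA-256 fingerprint of '$cert': $fingerprint" light_cyan

  if [[ -z "$ac_raiz_sha256" ]]; then
    puts "AC_RAIZ_SHA256 is not set, compare the fingerprint above with a value obtained out of band" light_yellow
    return 0
  fi

  if [[ "$(normalize_fingerprint "$fingerprint")" != "$(normalize_fingerprint "$ac_raiz_sha256")" ]]; then
    puts "SHA-256 fingerprint of '$cert' does not match AC_RAIZ_SHA256, refusing to install it" light_red
    return 1
  fi
  puts "SHA-256 fingerprint matches AC_RAIZ_SHA256" light_green
}

# Download CA root cert
# Reuses $ac_raiz_file when it already exists in the current directory (so the
# directory the script is run from must be trusted), otherwise downloads it.
# Exits 102 on download problems and 104 when the certificate fails
# verification.
download_root_cert() {
  local freshly_downloaded=0

  if [[ -f "$ac_raiz_file" ]]; then
    puts "Using already downloaded '$ac_raiz_file'" light_green
  else
    puts "Downloading '$ac_raiz_url'" light_cyan

    # Download to a temporary name first: 'wget -O' creates the output file
    # even when the transfer fails, which would otherwise be picked up as a
    # valid certificate on this run or the next one.
    local tmp_file
    if ! tmp_file=$(mktemp "${ac_raiz_file}.XXXXXX"); then
      puts "Could not download '$ac_raiz_url'" light_red
      exit 102
    fi

    local fetch_status=1
    if command -v wget >/dev/null 2>&1; then
      wget -q "$ac_raiz_url" -O "$tmp_file" && fetch_status=0
    elif command -v curl >/dev/null 2>&1; then
      # -f: an HTTP error must fail the transfer instead of saving the error body
      curl -fsL "$ac_raiz_url" -o "$tmp_file" && fetch_status=0
    else
      rm -f -- "$tmp_file"
      puts "Please install wget or curl, in order to download from '$ac_raiz_url'" light_red
      exit 102
    fi

    if [[ $fetch_status -ne 0 || ! -s "$tmp_file" ]]; then
      rm -f -- "$tmp_file"
      puts "Could not download '$ac_raiz_url'" light_red
      exit 102
    fi

    mv -- "$tmp_file" "$ac_raiz_file"
    # mktemp creates the file 0600; the copy placed in the system trust
    # directories has to stay readable by every user.
    chmod 0644 -- "$ac_raiz_file"
    freshly_downloaded=1
    puts "Using downloaded '$ac_raiz_file'" light_green
  fi

  if ! verify_root_cert "$ac_raiz_file"; then
    # Do not leave a rejected download behind to be reused by the next run.
    if [[ $freshly_downloaded -eq 1 ]]; then
      rm -f -- "$ac_raiz_file"
    fi
    exit 104
  fi
  echo
}

# Should be using Globo's RPM
exit_if_rhel_or_centos() {
  if grep -Eq "Red Hat|CentOS" /etc/issue; then
    puts "It seems like you are trying to use this script to install AC_RAIZ into a production system (Red Hat/CentOS)" light_red
    puts "You should be using 'globoi-ca-certificates' RPM as a package resource in your Puppet manifest" light_magenta
    exit 103
  fi
}

# Import the certificate into the user's NSS database
# Arguments: $1 - distribution name (display only)
#            $2 - NSS tool to call (certutil)
#            $3 - package install command, a fixed string from this script
install_nssdb_linux() {
  local distro="$1"
  local cmd="$2"
  local pkg_install_cmd="$3"
  local -a pkg_install_words

  puts "$distro" light_green

  if ! command -v "$cmd" >/dev/null 2>&1; then
    puts "Command '$cmd' not found in PATH, trying to install it" light_yellow
    # Deliberate word split of a constant defined in this script.
    read -r -a pkg_install_words <<<"$pkg_install_cmd"
    run_or_sudo "${pkg_install_words[@]}"
  fi

  # For Chrome on linux (libnss)
  if "$cmd" -d "sql:$HOME/.pki/nssdb" -L | grep -q "$ac_raiz_alias"; then
    puts "AC_RAIZ is already imported into user's nssdb" light_green
  else
    puts "Importing AC_RAIZ into user's nssdb: $HOME/.pki/nssdb" light_cyan
    # -t CT,c,c: trusted CA for TLS server and client certificates, plain
    # (untrusted) CA for e-mail and object signing.
    if "$cmd" -d "sql:$HOME/.pki/nssdb" -A -n "$ac_raiz_alias" -t CT,c,c -i "$ac_raiz_file"; then
      puts "AC_RAIZ successfully imported to user's nssdb" light_green
    else
      puts "Could not import AC_RAIZ into user's nssdb" light_red
    fi
  fi
  echo
}

# Linux steps to add new root certificate to OS ca-bundle
# Arguments: $1 - distribution name (display only)
#            $2 - certificate file to install
#            $3 - destination path inside the distribution's anchor directory
#            $4 - command that rebuilds the bundle, a fixed string
#            $5 - package install command providing $4, a fixed string
# Note: "already installed" is decided by the destination file existing; its
# content is not compared with $2.
install_ca_bundle_linux() {
  local distro="$1"
  local ac_raiz_file="$2"
  local dest_ac_raiz_file="$3"
  local update_cmd="$4"
  local update_pkg_install_cmd="$5"
  local -a update_words
  local -a update_pkg_install_words

  if [[ -f "$dest_ac_raiz_file" ]]; then
    puts "AC_RAIZ is already system-wide installed" light_green
  else
    puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
    puts "$distro" light_green

    # Deliberate word splits of constants defined in this script.
    read -r -a update_words <<<"$update_cmd"
    read -r -a update_pkg_install_words <<<"$update_pkg_install_cmd"

    if ! command -v "${update_words[@]}" >/dev/null 2>&1; then
      puts "Command '$update_cmd' not found in PATH, trying to install it" light_yellow
      run_or_sudo "${update_pkg_install_words[@]}"
    fi

    puts "Copying '$ac_raiz_file' to '$dest_ac_raiz_file'" light_cyan
    run_or_sudo cp -v -- "$ac_raiz_file" "$dest_ac_raiz_file"
    run_or_sudo "${update_words[@]}"
    puts "AC_RAIZ successfully installed system-wide" light_green
  fi
}

# Command line tests
run_test_cmd() {
  puts "Running command line tests" light_cyan
  cd test && ./helper/roundup.sh
}

# GUI web browser tests
# Opens the test URL in each browser that is found and waits for enter.
run_test_web() {
  local test_url="https://minhaconta.globoi.com"
  local x

  puts "Running web browser (GUI) tests" light_cyan

  # Chrome
  chrome_app="/Applications/Google Chrome.app" # Mac
  if command -v chromium-browser >/dev/null 2>&1; then
    puts "Found Chrome browser (Chromium), opening $test_url" light_cyan
    sleep 1
    chromium-browser "$test_url"
    puts "Press enter to continue..." dark_gray
    read -r x
  elif [[ -d "$chrome_app" ]]; then
    puts "Found Chrome browser (Google Chrome.app), opening $test_url" light_cyan
    sleep 1
    open -a "$chrome_app" "$test_url"
    puts "Press enter to continue..." dark_gray
    read -r x
  fi

  # Firefox
  firefox_app="/Applications/Firefox.app" # Mac
  if command -v firefox >/dev/null 2>&1; then
    puts "Found Firefox browser, opening $test_url" light_cyan
    sleep 1
    firefox "$test_url"
    puts "Press enter to continue..." dark_gray
    read -r x
  elif [[ -d "$firefox_app" ]]; then
    puts "Found Firefox browser (Firefox.app), opening $test_url" light_cyan
    sleep 1
    open -a "$firefox_app" "$test_url"
    puts "Press enter to continue..." dark_gray
    read -r x
  fi

  # Safari
  safari_app="/Applications/Safari.app" # Mac
  if [[ -d "$safari_app" ]]; then
    puts "Found Safari browser (Safari.app), opening $test_url" light_cyan
    sleep 1
    open -a "$safari_app" "$test_url"
    puts "Press enter to continue..." dark_gray
    read -r x
  fi
}

############
### Main ###
############

### Help (default)
if [[ -z "$1" || "$1" == "-h" || "$1" == "-help" || "$1" == "--help" ]]; then
  show_help
  exit 0
fi

### Test
case "$1" in
  test)
    run_test_cmd
    ret1=$?
    run_test_web
    ret2=$?
    if [[ $ret1 -eq 0 && $ret2 -eq 0 ]]; then
      exit 0
    else
      exit 1
    fi
    ;;
  test-cmd)
    run_test_cmd
    exit $?
    ;;
  test-web)
    run_test_web
    exit $?
    ;;
esac

### Install
if [[ "$1" != "install" ]]; then
  # "$*" keeps the message a single word; "$@" inside the quotes would spill
  # extra arguments into the colour parameter of puts.
  puts "Unrecognized option '$*'" light_red
  show_help
  exit 2
fi

### System-wide installation
# OS detection and system-wide installation
# http://wiki.cacert.org/FAQ/ImportRootCert
os=$(uname)
case "$os" in
  Linux)
    # Should be using Globo's RPM
    exit_if_rhel_or_centos

    # Ubuntu
    # http://manpages.ubuntu.com/manpages/vivid/man8/update-ca-certificates.8.html
    if grep -q "Ubuntu" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Ubuntu" \
        "certutil" \
        "apt-get install libnss3-tools"
      # Dest cert file MUST be .crt to be included into bundle
      install_ca_bundle_linux \
        "Ubuntu" \
        "$ac_raiz_file" \
        "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
        "update-ca-certificates" \
        "apt-get install ca-certificates"

    # Fedora
    # https://www.happyassassin.net/2015/01/14/trusting-additional-cas-in-fedora-rhel-centos-dont-append-to-etcpkitlscertsca-bundle-crt-or-etcpkitlscert-pem/
    # /etc/redhat-release does not exist on the other distributions handled
    # below, hence the silenced stderr.
    elif grep -q "Fedora" /etc/redhat-release 2>/dev/null; then
      download_root_cert
      install_nssdb_linux \
        "Fedora" \
        "certutil" \
        "dnf install nss-tools"
      # Dest cert file MUST be .pem to be included into bundle
      install_ca_bundle_linux \
        "Fedora" \
        "$ac_raiz_file" \
        "/etc/pki/ca-trust/source/anchors/$ac_raiz_file" \
        "update-ca-trust" \
        "dnf install ca-certificates"

    # Mint
    elif grep -q "Mint" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Mint" \
        "certutil" \
        "apt-get install libnss3-tools"
      # Dest cert file MUST be .crt to be included into bundle
      install_ca_bundle_linux \
        "Mint" \
        "$ac_raiz_file" \
        "/usr/local/share/ca-certificates/${ac_raiz_file/%.pem/.crt}" \
        "update-ca-certificates" \
        "apt-get install ca-certificates"

    elif grep -Eiq "Arch|Manjaro" /etc/issue; then
      download_root_cert
      install_nssdb_linux \
        "Arch Linux" \
        "certutil" \
        "pacman -S nss"
      # Dest cert file MUST be .crt to be included into bundle
      # Reference: https://www.archlinux.org/news/ca-certificates-update/
      install_ca_bundle_linux \
        "Arch Linux" \
        "$ac_raiz_file" \
        "/etc/ca-certificates/trust-source/anchors/${ac_raiz_file/%.pem/.crt}" \
        "sudo trust extract-compat" \
        "pacman -S ca-certificates"

    # Other Linux
    else
      puts "Unsupported Linux distribution" light_red
      cat /etc/issue
      puts "Supported distributions are 'Ubuntu' and 'Fedora'" light_magenta
      exit 3
    fi
    ;;

  Darwin)
    download_root_cert
    # https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/security.1.html
    puts -n "Installing AC_RAIZ root certificate system-wide for: " light_cyan
    puts "OS X" light_green
    mac_add_cert_cmd=(sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$ac_raiz_file")
    puts "Running '${mac_add_cert_cmd[*]}' (admin authentication may be required)" light_yellow
    "${mac_add_cert_cmd[@]}"

    # RVM certs on OS X
    if type rvm >/dev/null 2>&1; then
      puts "Found RVM installation on OS X, running 'rvm osx-ssl-certs update all' to rebuild ca-bundle files" light_cyan
      rvm osx-ssl-certs update all
    else
      puts "RVM not found, skipping RVM" dark_gray
    fi
    ;;

  *)
    puts "Unrecognized operating system '$os'" light_red
    puts "Supported systems are 'Linux' and 'OS X'" light_magenta
    exit 4
    ;;
esac
echo

### JAVA
if [[ -n "$JAVA_HOME" && -d "$JAVA_HOME" ]]; then
  puts "Found JAVA_HOME='$JAVA_HOME' (keystore with option -cacerts)" light_cyan
  # 'changeit' is the stock password of the JDK cacerts keystore.
  if "$JAVA_HOME/bin/keytool" -list -cacerts -storepass changeit -alias "$ac_raiz_alias"; then
    puts "AC_RAIZ is already imported into keystore" light_green
  else
    puts "Importing AC_RAIZ into keystore" light_cyan
    # -noprompt skips keytool's own "trust this certificate?" confirmation, so
    # the fingerprint check in download_root_cert is the only review point.
    # Arguments are passed word by word so a JAVA_HOME with spaces still works.
    run_or_sudo "$JAVA_HOME/bin/keytool" -importcert -noprompt -cacerts -storepass changeit -alias "$ac_raiz_alias" -file "$ac_raiz_file"
    puts "AC_RAIZ successfully imported to keystore" light_green
  fi
else
  puts "JAVA_HOME not found, skipping Java" dark_gray
  puts "Run command bellow and try again:" dark_gray
  puts 'export JAVA_HOME="$(/usr/libexec/java_home)"' dark_gray
fi
echo

### Python
puts "Tip: if you are using Python with 'requests >= 2.4.0' you should install python-certifi-globo (at least certifi-globo==2016.3.11). See more at https://gitlab.globoi.com/time-infra-scrum/python-certifi-globo" dark_gray
echo

puts "Successfully installed AC_RAIZ root certificate" light_green

#EOF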