#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir. Validation is done on the certificate before
# allowing it to be installed. Also grant member domtool permissions
# for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]

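# Print the command-line synopsis and exit with status 1.
# Called on every argument error, so it never returns. The synopsis goes
# to stderr so it is not mistaken for normal output.
function usage () {
  printf 'Usage: ca-install member domain cert-file.pem [key-file.pem]\n' >&2
  exit 1
}
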
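# Check arguments: three or four positionals are accepted.
# $# is used rather than probing "$5" for emptiness so a fifth empty
# argument is still counted as too many; an empty cert path is still
# rejected as before.
if (( $# > 4 )); then
  echo "Error: Too many arguments." >&2
  usage
elif (( $# < 3 )) || [[ -z "$3" ]]; then
  echo "Error: Not enough arguments." >&2
  usage
else
  MEMBER=$1
  DOMAIN=$2
  CERT=$3
  KEY=$4
fi

# DOMAIN becomes the file name under /etc/apache2/ssl/user and travels
# through ssh to a remote shell, so restrict it to hostname-style
# characters: no '/', whitespace, globs or other shell metacharacters.
# (A wildcard certificate must therefore be given a plain file name.)
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]]; then
  echo "Error: Invalid domain \"$DOMAIN\"." >&2
  exit 1
fi
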
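# Host that receives the finished certificate over ssh; a constant, so
# mark it read-only to catch accidental reassignment later in the script.
readonly WEBSERVER=mire.hcoop.net
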
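# Verify that an x509 certificate and an RSA private key share a modulus.
#
# Arguments:
#   $1 - PEM file containing the certificate
#   $2 - PEM file containing the RSA private key; pass the cert file
#        itself when the key is bundled into it
# Exits 1 (after a message on stderr) if either part fails to parse, if
# the modulus line is too short, or if the two moduli differ; otherwise
# the function returns 0. openssl's own diagnostics are left on stderr
# for the admin instead of being captured into the modulus variable.
function verify_cert () {
  if test -z "$2" || test -n "$3"; then
    echo "Bad programming." >&2
    exit 1
  fi
  local CERT=$1
  local KEY=$2
  local MOD1 MOD2

  # Assign separately from 'local' so openssl's exit status is not masked.
  # The length floor keeps the original heuristic: "Modulus=" + hex digits
  # + newline is 521 bytes for a 2048-bit modulus but 265 for 1024 bits,
  # so anything under 500 bytes is rejected as unparsable or too weak.
  if ! MOD1=$(openssl x509 -noout -modulus -in "$CERT") \
     || test "$(printf '%s\n' "$MOD1" | wc -c)" -lt 500; then
    echo "Error: Bad x509 part in certificate." >&2
    exit 1
  fi
  if ! MOD2=$(openssl rsa -noout -modulus -in "$KEY") \
     || test "$(printf '%s\n' "$MOD2" | wc -c)" -lt 500; then
    echo "Error: Bad RSA part in certificate or key." >&2
    exit 1
  fi
  # Matching moduli is what ties this key to this certificate.
  if test "$MOD1" != "$MOD2"; then
    echo "Error: x509 and RSA parts in certificate do not match." >&2
    exit 1
  fi
}
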
# Make sure we run this from deleuze: the ssh/sudo/domtool steps below
# assume that host's credentials.
[[ "$(hostname -s)" == "deleuze" ]] || {
  echo "Error: This script must be run from deleuze."
  exit 1
}

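# Sanity-check some paths. Both files must exist and be readable by us,
# which is what the messages claim (-f alone never tested readability).
if [[ ! -f "$CERT" || ! -r "$CERT" ]]; then
  echo "Error: Nonexistent or unreadable cert $CERT." >&2
  exit 1
fi
if [[ -n "$KEY" && ( ! -f "$KEY" || ! -r "$KEY" ) ]]; then
  echo "Error: Nonexistent or unreadable key $KEY." >&2
  exit 1
fi
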
# Check for valid username (the account must exist in passwd)
getent passwd "$MEMBER" > /dev/null || {
  echo "Error: Invalid user \"$MEMBER\"."
  exit 1
}

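# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
# Home directory is field 6 of the passwd entry; MEMBER has already been
# checked with getent above. Quoted so an odd user name cannot split.
MEMBERHOME=$(getent passwd "$MEMBER" | cut -d':' -f 6)
# The copy is placed next to the key file and named after the domain.
# Without a key file there is nothing to place it beside, so DEST stays
# empty and the copy step is skipped.
if test -n "$KEY"; then
  DEST="$(dirname -- "$KEY")/$DOMAIN.pem"
else
  DEST=
fi
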
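# Perform complimentary copy
if test -z "$DEST"; then
  echo "No key specified, so skipping complimentary copy."
elif [[ "$CERT" == "$MEMBERHOME"/* ]]; then
  # Path-prefix match with a trailing "/" so /home/alice does not also
  # match /home/alicebob; the previous grep "^$MEMBERHOME" treated the
  # home directory as a regex and had no directory boundary.
  echo "Member already has a cert, skipping the complimentary copy."
elif [[ -e "$DEST" || -L "$DEST" ]]; then
  # -f/-e alone miss a dangling symlink at DEST, which cp (running as
  # root) would follow, creating the link target and then chown'ing it to
  # the member. Refuse anything already present at DEST, symlink included.
  echo "Not overwriting existing file $DEST."
else
  # NOTE(review): DEST's directory comes from dirname of the key file and
  # may be member-controlled; if that directory is itself a symlink the
  # copy lands wherever it points. Resolving it with readlink -f and
  # checking the result before copying would close that gap -- confirm
  # whether keys are ever staged outside the member's home first.
  echo "Copying signed certificate to member's home directory ..."
  if cp -- "$CERT" "$DEST"; then
    chown -- "$MEMBER:nogroup" "$DEST"
  else
    echo "Warning: complimentary copy to $DEST failed; continuing." >&2
  fi
fi
echo
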
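# Determine whether we need to concatenate a private key.
# A cert file that already carries a PKCS#1 "RSA PRIVATE KEY" block is
# installed as is, and any separately supplied key is then discarded
# (KEY is cleared). Only that marker is recognised: a PKCS#8
# "BEGIN PRIVATE KEY" block bundled in the cert would not be detected
# here and would instead require a separate key file.
if grep -q "^-----BEGIN RSA PRIVATE KEY-----" "$CERT"; then
  KEY=
elif test -z "$KEY"; then
  echo "Error: No RSA private key is included with this certificate." >&2
  exit 1
fi
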
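# Verify certificate and key. When the key is bundled into the cert file
# (KEY is empty) both moduli are read from that single file. verify_cert
# exits on any failure, so reaching the next line means validation passed.
echo "Validating certificate ..."
verify_cert "$CERT" "${KEY:-$CERT}"
echo "Certificate passed validation."
echo
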
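# Copy complete certificate to webserver.
# The remote command line is re-parsed by the login shell on $WEBSERVER,
# so the destination path is shell-quoted with printf %q instead of being
# passed raw (DOMAIN is admin-supplied, but this block does not validate
# it itself). tee creates the file under the remote umask and nothing
# here adjusts mode or ownership afterwards -- presumably the ssl/user
# directory takes care of that; verify on the webserver.
remote_dest=$(printf '%q' "$APACHE_DEST")
install_rc=0
if test -z "$KEY"; then
  echo "Installing certificate to Apache SSL directory ..."
  < "$CERT" ssh "$WEBSERVER" sudo tee "$remote_dest" > /dev/null || install_rc=$?
else
  echo "Installing certificate and key to Apache SSL directory ..."
  cat -- "$CERT" "$KEY" | ssh "$WEBSERVER" sudo tee "$remote_dest" > /dev/null || install_rc=$?
fi
# Previously an ssh or sudo failure did not stop the script, which then
# granted permissions for a file that was never written.
if test "$install_rc" -ne 0; then
  echo "Error: Installing $APACHE_DEST on $WEBSERVER failed (exit $install_rc)." >&2
  exit 1
fi
echo
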
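# Grant Domtool permissions. A failure here leaves the certificate
# installed but unusable by the member, so report it instead of printing
# "Done".
echo "Granting member Domtool permissions for the certificate ..."
if ! domtool-admin grant "$MEMBER" cert "$APACHE_DEST"; then
  echo "Error: domtool-admin grant failed; $APACHE_DEST is installed but $MEMBER cannot use it yet." >&2
  exit 1
fi
echo

# Tell admin what to do
echo "Done. Tell $MEMBER that the certificate is available for use at"
echo " $APACHE_DEST"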