More backup script revamp.

[hcoop/scripts.git] / ca-install

#!/bin/bash
#
# Install a signed certificate, placing a complimentary copy in the
# member's homedir.  Validation is done on the certificate before
# allowing it to be installed.  Also grant member domtool permissions
# for the certificate.
#
# If the certificate comes from the member's home directory, then
# don't place an extra copy there.
#
# Run this on deleuze as an admin.
#
# Usage: ca-install member domain cert-file.pem [key-file.pem]

function usage () {
    echo "Usage: ca-install member domain cert-file.pem [key-file.pem]"
    exit 1
}

# Check arguments
if test -n "$5"; then
    echo "Error: Too many arguments."
    usage
elif test -z "$3"; then
    echo "Error: Not enough arguments."
    usage
else
    MEMBER=$1
    DOMAIN=$2
    CERT=$3
    KEY=$4
fi

WEBSERVER=mire.hcoop.net

function verify_cert () {
    if test -z "$2" || test -n "$3"; then
        echo "Bad programming."
        exit 1
    fi
    local CERT=$1
    local KEY=$2
    local MOD1=$(openssl x509 -noout -modulus -in "$CERT" 2>&1)
    if test $(echo "$MOD1" | wc -c) -lt 500; then
        echo "Error: Bad x509 part in certificate."
        exit 1
    fi
    local MOD2=$(openssl rsa -noout -modulus -in "$KEY" 2>&1)
    if test $(echo "$MOD2" | wc -c) -lt 500; then
        echo "Error: Bad RSA part in certificate or key."
        exit 1
    fi
    if test "$MOD1" != "$MOD2"; then
        echo "Error: x509 and RSA parts in certificate do not match."
        exit 1
    fi
}

# Make sure we run this from deleuze
if test "$(hostname -s)" != "deleuze"; then
    echo "Error: This script must be run from deleuze."
    exit 1
fi

# Sanity-check some paths
if test ! -f "$CERT"; then
    echo "Error: Nonexistent or unreadable cert $CERT."
    exit 1
fi
if test -n "$KEY" && test ! -f "$KEY"; then
    echo "Error: Nonexistent or unreadable key $KEY."
    exit 1
fi    

# Check for valid username
if ! getent passwd "$MEMBER" > /dev/null; then
    echo "Error: Invalid user \"$MEMBER\"."
    exit 1
fi

# Figure out destination for complimentary copy
APACHE_DEST=/etc/apache2/ssl/user/$DOMAIN.pem
MEMBERHOME=$(getent passwd $MEMBER | cut -d':' -f 6)
if test -n "$KEY"; then
    DEST="$(dirname $KEY)/$DOMAIN.pem"
else
    DEST=
fi

# Perform complimentary copy
if test -z "$DEST"; then
    echo "No key specified, so skipping complimentary copy."
elif echo "$CERT" | grep "^$MEMBERHOME" > /dev/null; then
    echo "Member already has a cert, skipping the complimentary copy."
elif test -f "$DEST"; then
    echo "Not overwriting existing file $DEST."
else
    echo "Copying signed certificate to member's home directory ..."
    cp "$CERT" "$DEST"
    chown $MEMBER:nogroup "$DEST"
fi
echo

# Determine whether we need to concatenate a private key
if grep "^-----BEGIN RSA PRIVATE KEY-----" "$CERT" > /dev/null; then
    KEY=
else
    if test -z "$KEY"; then
        echo "Error: No RSA private key is included with this certificate."
        exit 1
    fi
fi

# Verify certificate and key
echo "Validating certificate ..."
if test -z "$KEY"; then
    verify_cert "$CERT" "$CERT"
else
    verify_cert "$CERT" "$KEY"
fi
echo "Certificate passed validatation."
echo

# Copy complete certificate to webserver
if test -z "$KEY"; then
    echo "Installing certificate to Apache SSL directory ..."
    < "$CERT" ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
else
    echo "Installing certificate and key to Apache SSL directory ..."
    cat "$CERT" "$KEY" | ssh $WEBSERVER sudo tee "$APACHE_DEST" > /dev/null
fi
echo

# Grant Domtool permissions
echo "Granting member Domtool permissions for the certificate ..."
domtool-admin grant $MEMBER cert "$APACHE_DEST"
echo

# Tell admin what to do
echo "Done.  Tell $MEMBER that the certificate is available for use at"
echo "  $APACHE_DEST"