forked from josegonzalez/dokku-global-cert
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinternal-functions
executable file
·161 lines (139 loc) · 5.18 KB
/
internal-functions
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/usr/bin/env bash
source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/config"
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
fn-is-ssl-enabled() {
declare desc="returns 0 if ssl is enabled for given app"
declare SSL_PATH="$1"
if [[ -e "$SSL_PATH/server.crt" ]] && [[ -e "$SSL_PATH/server.key" ]]; then
return 0
else
return 1
fi
}
fn-get-ssl-hostnames() {
declare desc="returns a string of ssl hostnames extracted from an app's ssl certificate"
declare SSL_PATH="$1"
local SSL_HOSTNAME SSL_HOSTNAMES SSL_HOSTNAME_ALT
SSL_HOSTNAME=$(openssl x509 -in "$SSL_PATH/server.crt" -noout -subject | tr '/' '\n' | grep CN= | cut -c4-)
SSL_HOSTNAME_ALT=$(openssl x509 -in "$SSL_PATH/server.crt" -noout -text | grep --after-context=1 '509v3 Subject Alternative Name:' | tail -n 1 | sed -e "s/[[:space:]]*DNS://g" | tr ',' '\n' || true)
if [[ -n "$SSL_HOSTNAME_ALT" ]]; then
SSL_HOSTNAMES="${SSL_HOSTNAME}\n${SSL_HOSTNAME_ALT}"
else
SSL_HOSTNAMES=$SSL_HOSTNAME
fi
echo -e "$SSL_HOSTNAMES" | sort -u
return 0
}
fn-is-file-import() {
declare desc="determines if we have passed in a file and key path for a file import"
local CRT_FILE="$1"
local KEY_FILE="$2"
if [[ "$CRT_FILE" ]] && [[ "$KEY_FILE" ]]; then
if [[ ! -f "$CRT_FILE" ]]; then
dokku_log_fail "CRT file specified not found, please check file paths"
elif [[ ! -f "$KEY_FILE" ]]; then
dokku_log_fail "KEY file specified not found, please check file paths"
else
return 0
fi
fi
return 1
}
fn-is-tar-import() {
declare desc="determines if we have STDIN open in an attempt to detect a streamed tar import"
[[ -t 0 ]] && return 1
return 0
}
fn-ssl-enabled() {
local SSL_ENABLED=false
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
SSL_ENABLED=true
fi
echo "$SSL_ENABLED"
}
fn-ssl-expires-at() {
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
openssl x509 -in "$PLUGIN_CONFIG_ROOT/server.crt" -noout -text | grep "Not After :" | awk -F " : " '{ print $2 }'
fi
}
fn-ssl-hostnames() {
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
fn-get-ssl-hostnames "$PLUGIN_CONFIG_ROOT" | xargs
fi
}
fn-ssl-issuer() {
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
openssl x509 -in "$PLUGIN_CONFIG_ROOT/server.crt" -noout -text | grep "Issuer:" | xargs | sed -e "s/Issuer: //g"
fi
}
fn-ssl-starts-at() {
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
openssl x509 -in "$PLUGIN_CONFIG_ROOT/server.crt" -noout -text | grep "Not Before:" | awk -F ": " '{ print $2 }'
fi
}
fn-ssl-subject() {
if fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
openssl x509 -in "$PLUGIN_CONFIG_ROOT/server.crt" -noout -subject | sed -e "s:subject= ::g"| sed -e "s:^/::g" | sed -e "s:/:; :g"
fi
}
fn-ssl-verified() {
local SSL_VERIFY_OUTPUT=false SSL_SELF_SIGNED="self signed"
if ! fn-is-ssl-enabled "$PLUGIN_CONFIG_ROOT"; then
return
fi
SSL_VERIFY_OUTPUT="$(openssl verify -verbose -purpose sslserver "$PLUGIN_CONFIG_ROOT/server.crt" | awk -F ':' '{ print $2 }' | tail -1 | xargs || true)"
if [[ "$SSL_VERIFY_OUTPUT" == "OK" ]]; then
SSL_SELF_SIGNED="verified by a certificate authority"
fi
echo "$SSL_SELF_SIGNED"
}
fn-global-cert-help-content() {
declare desc="return $PLUGIN_COMMAND_PREFIX plugin help content"
cat<<help_content
${PLUGIN_COMMAND_PREFIX}, Alias for certs:help
${PLUGIN_COMMAND_PREFIX}:set CRT KEY, Adds a global ssl endpoint. Can also import from a tarball on stdin
${PLUGIN_COMMAND_PREFIX}:generate, Generate a key and certificate signing request (and self-signed certificate)
${PLUGIN_COMMAND_PREFIX}:remove, Remove the SSL configuration
${PLUGIN_COMMAND_PREFIX}:report [<flag>], Displays a global ssl report
help_content
}
cmd-global-cert-report() {
declare desc="Display the configured consul registration status for an application"
declare cmd="$PLUGIN_COMMAND_PREFIX:report" argv=("$@"); [[ ${argv[0]} == "$cmd" ]] && shift 1
declare INFO_FLAG="$1"
local flag flag_map key match valid_flags value_exists
flag_map=(
"--global-cert-dir: $PLUGIN_CONFIG_ROOT"
"--global-cert-enabled: $(fn-ssl-enabled)"
"--global-cert-expires-at: $(fn-ssl-expires-at)"
"--global-cert-hostnames: $(fn-ssl-hostnames)"
"--global-cert-issuer: $(fn-ssl-issuer)"
"--global-cert-starts-at: $(fn-ssl-starts-at)"
"--global-cert-subject: $(fn-ssl-subject)"
"--global-cert-verified: $(fn-ssl-verified)"
)
if [[ -z "$INFO_FLAG" ]]; then
dokku_log_info2_quiet "Global SSL Information"
for flag in "${flag_map[@]}"; do
key="$(echo "${flag#--}" | cut -f1 -d' ' | tr - ' ')"
dokku_log_verbose "$(printf "%-20s %-25s" "${key^}" "${flag#*: }")"
done
else
match=false
value_exists=false
for flag in "${flag_map[@]}"; do
valid_flags="${valid_flags} $(echo "$flag" | cut -d':' -f1)"
if [[ "$flag" == "${INFO_FLAG}:"* ]]; then
value=${flag#*: }
size="${#value}"
if [[ "$size" -ne 0 ]]; then
echo "$value" && match=true && value_exists=true
else
match=true
fi
fi
done
[[ "$match" == "true" ]] || dokku_log_fail "Invalid flag passed, valid flags:${valid_flags}"
fi
}