Commit a3f7460e authored by ssrq's avatar ssrq

[type/__easy_rsa_cert] Implement --state parameter

parent 252d2a4a
#!/bin/sh -e
# Return "present" if there already a cert, "absent" otherwise
base_dir=$(cat "${__object:?}/parameter/dir")
pki_dir="${base_dir}/pki"
test -f "${pki_dir}/issued/${__object_id:?}.crt" && echo 'present' || echo 'absent'
#!/bin/sh -e
#
# Returns the current state of the certificate:
# - "valid" if the certificate exists and is valid.
# - "expired" if the certificate exists but has expired.
# - "unsigned" if there is a CSR, but it has not been signed
# - "absent" if the certificate was revoked or was never signed.
#
base_dir=$(cat "${__object:?}/parameter/dir")
pki_dir="${base_dir}/pki"
test -f "${base_dir}/vars" && test -d "${pki_dir}"|| {
echo 'no-pki'
exit 0
}
cert_file="${pki_dir}/issued/${__object_id:?}.crt"
req_file="${pki_dir}/reqs/${__object_id:?}.req"
if test -f "${cert_file}"
then
if openssl x509 -noout -in "${cert_file}" -checkend 0 >/dev/null
then
echo 'valid'
else
echo 'expired'
fi
elif test -f "${req_file}"
then
echo 'unsigned'
else
echo 'absent'
fi
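Review bot: The header comment of this explorer lists four return values, but the script also prints `no-pki` on its early exit when `vars` or the pki directory is missing, and gencode-remote keys on exactly that string, so it belongs in the contract: add `# - "no-pki" if the PKI in --dir has not been initialised yet.` to the list. The `openssl x509 ... -checkend 0` test only answers "has notAfter passed"; a certificate file that openssl cannot parse at all also lands in the `else` branch and is reported as `expired`, which deserves a one-line comment such as `# unreadable cert files also end up here` so a caller knows `expired` can mean "unreadable". Whether a revoked certificate really shows up as `absent` depends on easy-rsa moving the file out of `issued/` on `revoke`, which this script does not check, so either hedge the wording of that bullet or look for the certificate under `revoked/` explicitly.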
......@@ -24,7 +24,8 @@ quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
base_dir=$(cat "${__object:?}/parameter/dir")
state_is=$(cat "${__object:?}/explorer/cert-presence")
state_should=$(cat "${__object:?}/parameter/state")
state_is=$(cat "${__object:?}/explorer/state")
if test -s "${__object:?}/parameter/common-name"
then
......@@ -37,6 +38,7 @@ fi
# shellcheck source=/dev/null
. "${__type:?}/files/check_parameter_validity.sh"
check_parameter_validity_digest
check_parameter_validity_usealgo
## Check required parameters for sanity
......@@ -51,39 +53,83 @@ in
;;
esac
req_options=
while read -r param option
do
test -s "${__object:?}/parameter/${param}" || continue
value=$(head -n 1 "${__object:?}/parameter/${param}")
req_options="${req_options} --${option}=$(quote "${value}")"
done <"${__type:?}/files/param_mapping.txt"
unset param option value
sign_options=
if test -s "${__object:?}/parameter/cert-expiration-days"
# NOTE: The following block is a bit of a "hack" to work around the fact that
# requirements in cdist only work for code, but not for explorers. Due to
# this, it could happen that the state explorer executes before the PKI
# has been initialised.
if test "${state_is}" = 'no-pki'
then
value=$(head -n 1 "${__object:?}/parameter/cert-expiration-days")
# shellcheck disable=SC2234
if ! (test $((value > 0)) -gt 0) 2>&-
then
printf 'Invalid --cert-expiration-days: %s\n' "${value}" >&2
printf 'Value must be a positive integer.\n' >&2
# Before doing anything else, check if the pki directory has been
# initialised in the meantime if the explorer didn't find it.
cat <<-EOF
test -d $(quote "${base_dir}/pki") || {
echo 'Could not find pki directory in ${base_dir}.' >&2
echo 'Please make sure that __easy_rsa_pki${base_dir} is ran first.' >&2
exit 1
fi
sign_options="${sign_options} --days=$(quote "${value}")"
}
EOF
# NOTE: If the PKI has been freshly initialised, the cert can't have been
# generated previously, so it must be 'absent'.
state_is='absent'
fi
unset value
if test "${state_is}" != 'present'
then
printf 'cd %s\n' "$(quote "${base_dir}")"
easyrsa_cmd="./easyrsa --pki-dir=$(quote "${base_dir}/pki") --vars=$(quote "${base_dir}/vars") --batch"
easyrsa_cmd="./easyrsa --pki-dir=$(quote "${base_dir}/pki") --vars=$(quote "${base_dir}/vars") --batch"
case ${state_should}
in
(signed|valid)
if test "${state_is}" = 'valid' \
|| test "${state_should}" = 'signed' -a "${state_is}" = 'expired'
then
exit 0
fi
printf '%s --req-cn=%s %s gen-req %s nopass\n' \
"${easyrsa_cmd}" "$(quote "${common_name}")" "${req_options# }" "$(quote "${__object_id:?}")"
printf '%s %s sign-req %s %s\n' \
"${easyrsa_cmd}" "${sign_options# }" "${cert_type}" "$(quote "${__object_id:?}")"
fi
printf 'cd %s\n' "$(quote "${base_dir}")"
if test "${state_is}" = 'absent'
then
req_options=
while read -r param option
do
test -s "${__object:?}/parameter/${param}" || continue
value=$(head -n 1 "${__object:?}/parameter/${param}")
req_options="${req_options} --${option}=$(quote "${value}")"
done <"${__type:?}/files/param_mapping.txt"
unset param option value
printf '%s --req-cn=%s %s gen-req %s nopass\n' \
"${easyrsa_cmd}" "$(quote "${common_name}")" "${req_options# }" "$(quote "${__object_id:?}")"
fi
sign_options=
if test -s "${__object:?}/parameter/cert-expiration-days"
then
value=$(head -n 1 "${__object:?}/parameter/cert-expiration-days")
# shellcheck disable=SC2234
if ! (test $((value > 0)) -gt 0) 2>&-
then
printf 'Invalid --cert-expiration-days: %s\n' "${value}" >&2
printf 'Value must be a positive integer.\n' >&2
exit 1
fi
sign_options="${sign_options} --days=$(quote "${value}")"
fi
unset value
printf '%s %s sign-req %s %s\n' \
"${easyrsa_cmd}" "${sign_options# }" "${cert_type}" "$(quote "${__object_id:?}")"
;;
(revoked)
if test "${state_is}" = 'absent'
then
exit 0
fi
printf 'cd %s\n' "$(quote "${base_dir}")"
printf '%s revoke %s \n' "${easyrsa_cmd}" "$(quote "${__object_id:?}")"
printf '%s gen-crl\n' "${easyrsa_cmd}"
;;
esac
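Review bot: The `(revoked)` arm only short-circuits when `state_is` is `absent`, but the new explorer also reports `unsigned` when a request exists without an issued certificate, and in that case the emitted `easyrsa revoke` has no certificate to revoke and will fail on the target. The guard should read `if test "${state_is}" = 'absent' || test "${state_is}" = 'unsigned'`. Separately, in the `(signed|valid)` arm an `expired` certificate with `--state valid` goes straight to the `sign-req` printf while the expired file is still in `issued/`; as far as I know easy-rsa refuses to sign a request whose certificate already exists, so that path probably needs a `revoke` (or removal of the old certificate) first, and at minimum a comment saying how renewal is expected to work. The `test ... -a ...` in the early-exit condition of that arm uses the deprecated binary `-a`; two `test` calls joined by `&&` match the style the rest of the file uses.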