diff --git a/app/Controller.py b/app/Controller.py
index 12694e3..72fd076 100644
--- a/app/Controller.py
+++ b/app/Controller.py
@@ -412,7 +412,7 @@ def get_random_string(self, length=12,
 """
 def handleCreateShareLink(self, mid, pw, admin_name) -> str:
 tempStr: str = self.get_random_string(32)
- curTime: datetime.datetime = datetime.datetime.utcnow()
+ curTime: datetime.datetime = datetime.datetime.now(datetime.timezone.utc)
 #create access log entry
 self.__mysqlConx.createAccessEntry(admin_name, mid, self.__mysqlConx.getLatestSuccessfulPassword(uuid.UUID(mid)).id)
diff --git a/docker-compose.base.yml b/docker-compose.base.yml
index b5e91b4..4a04e8f 100644
--- a/docker-compose.base.yml
+++ b/docker-compose.base.yml
@@ -58,7 +58,7 @@ services:
 - "VAULT_ADDR=http://127.0.0.1:8200"
 - "VAULT_DEV_ROOT_TOKEN_ID=dev"
 healthcheck:
- test: ["CMD", "curl", "http://127.0.0.1:8200/v1/sys/seal-status"]
+ test: ["CMD", "ls", "/tmp/shared/INITIALIZED"]
 interval: 10s
 retries: 10
 start_period: 15s
@@ -66,20 +66,18 @@ services:
 db:
 # only used for testing and development,
 # if you want to use this in production, you might want to adjust this
- image: mysql:8-debian
- command: --default-authentication-plugin=mysql_native_password
- restart: always
- cap_add:
- - SYS_NICE
- environment:
- MYSQL_ROOT_PASSWORD: dev
- MYSQL_USER: dev
- MYSQL_PASSWORD: dev
- MYSQL_DATABASE: dev
- healthcheck:
- test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
- timeout: 2s
- retries: 10
+ image: mysql:lts-oraclelinux9
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: dev
+ MYSQL_USER: dev
+ MYSQL_PASSWORD: dev
+ MYSQL_DATABASE: dev
+ healthcheck:
+ test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"]
+ timeout: 2s
+ start_period: 10s
+ retries: 10
 keycloak:
 # only used for testing and development,
diff --git a/docker/nginx/htaccess.htpasswd b/docker/nginx/htaccess.htpasswd
new file mode 100644
index 0000000..03dbdd7
--- /dev/null
+++ b/docker/nginx/htaccess.htpasswd
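Review bot: `curTime` is now timezone-aware where the old `utcnow()` value was naive, and the hunk does not show what consumes it; if it is written to a MySQL DATETIME column through `self.__mysqlConx` or compared with an existing naive expiry value, the driver may apply a local-time conversion and an aware/naive comparison raises `TypeError`. The rest of handleCreateShareLink is outside the hunk, so the store and compare sites need checking before this lands. Since the token from `self.get_random_string(32)` gates access to a machine password, it is also worth confirming that get_random_string draws from `secrets` rather than `random`; a one-line comment such as `# tz-aware UTC; keep consistent with the DATETIME columns this is compared against` on the new line would record the intent.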
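Review bot: The healthcheck `test: ["CMD", "ls", "/tmp/shared/INITIALIZED"]` now reports the vault service healthy from a marker file rather than from Vault itself. This container runs Vault in dev mode (`VAULT_DEV_ROOT_TOKEN_ID`), whose storage is in-memory, so after a container restart the AppRole and secrets created by setup.sh are gone while the marker still exists if `/tmp/shared` is a volume that outlives the container, and dependents would start against an unconfigured Vault. Keeping a Vault-level probe alongside the marker, e.g. `test: ["CMD-SHELL", "vault status && test -f /tmp/shared/INITIALIZED"]`, or having setup.sh recreate the marker on every run, avoids that; a short comment above the healthcheck saying the marker is written by docker/vault/setup.sh would also help the next reader.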
@@ -0,0 +1 @@
+username:$apr1$IOZ4KtX/$ZtFMYj7X0SsSyC56TrGfS/
diff --git a/docker/nginx/mlaps.conf b/docker/nginx/mlaps.conf
index 33ce3a2..f7083cf 100644
--- a/docker/nginx/mlaps.conf
+++ b/docker/nginx/mlaps.conf
@@ -42,7 +42,18 @@ server {
 proxy_set_header SSL_Client $ssl_client_s_dn;
 proxy_set_header SSL_Client_Verify $ssl_client_verify;
 }
- location ~ ^(/api/enroll|/share_password|/api/share_password|/static/*) {
+ location ~ ^(/api/enroll|/ping) {
+ proxy_pass http://in-mlaps;
+ auth_basic "mlaps login";
+ auth_basic_user_file /etc/nginx/htaccess.htpasswd;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header SSL_Client $ssl_client_s_dn;
+ }
+
+ location ~ ^(/share_password|/api/share_password|/static/*) {
 proxy_pass http://in-mlaps;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/docker/nginx/nginx.Dockerfile b/docker/nginx/nginx.Dockerfile
index 8775c0a..a29a320 100644
--- a/docker/nginx/nginx.Dockerfile
+++ b/docker/nginx/nginx.Dockerfile
@@ -1,5 +1,6 @@
 FROM nginx
 COPY mlaps.conf /etc/nginx/conf.d/mlaps.conf
+COPY htaccess.htpasswd /etc/nginx/htaccess.htpasswd
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/docker/vault/setup.sh b/docker/vault/setup.sh
index 78ee38f..033a1e5 100644
--- a/docker/vault/setup.sh
+++ b/docker/vault/setup.sh
@@ -11,7 +11,7 @@ while ! vault status; do
 sleep 1s
 done
-if [ ! -f "/shared/INITIALIZED" ]; then
+if [ ! -f "/tmp/shared/INITIALIZED" ]; then
 echo "Initializing Vault!"
 vault login token=dev
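Review bot: The new file commits a static Basic-Auth credential for user `username`, and the nginx.Dockerfile hunk in this commit copies it into the image layer, so anyone who can pull the image or read the repository has the hash; the `$apr1$` scheme is MD5-based and far cheaper to crack than a modern scheme. Because this file is what gates `/api/enroll` in the mlaps.conf hunk, it should be generated per deployment and mounted at runtime (a compose `secrets:` entry or a bind mount onto `/etc/nginx/htaccess.htpasswd`) rather than committed and baked in, using a stronger hash where the nginx image's crypt() supports it (`htpasswd -B` for bcrypt). If the entry is meant only as a development placeholder, a leading comment line such as `# dev-only placeholder entry; generate a real htpasswd at deploy time` makes that explicit, since nginx ignores `#` lines in this file.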
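Review bot: `location ~ ^(/api/enroll|/ping) {` is anchored only at the start, so it also matches `/api/enrollment`, `/pingX` and any deeper path under those prefixes, and because nginx takes the first regex location that matches in file order, such paths will never reach the blocks below it; with an `auth_basic` boundary attached this deserves an exact match, `location ~ ^(/api/enroll|/ping)$ {` (or two `location = ` blocks). The new block also forwards `SSL_Client` but not `SSL_Client_Verify`, unlike the block above it; if the backend reads that header unconditionally the enroll path will see none, which is worth confirming. A comment on the block, `# enrollment and reachability probe: no client cert yet, gated by basic auth instead`, would document why this location differs from the client-certificate ones.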
@@ -64,13 +64,22 @@ if [ ! -f "/shared/INITIALIZED" ]; then
 ROLE_ID=$(vault read -format=json auth/approle/role/client-passwords/role-id | jq .data.role_id)
 SECRET_ID=$(vault write -format=json -f auth/approle/role/client-passwords/secret-id | jq .data.secret_id)
- touch /tmp/shared/INITIALIZED
- while ! mysql -u dev -h db -pdev dev -e "SHOW TABLES;" | grep auth_secret; do
- echo "Waiting for DB to be ready"
+ while ! mysql -u dev -h db -pdev dev -e "SHOW TABLES;"; do
+ echo "Waiting for DB to be reachable"
 sleep 1s
 done
+ mysql -u dev -h db -pdev dev -e 'CREATE TABLE `auth_secret` (
+ `id` bigint NOT NULL AUTO_INCREMENT,
+ `role_id` varchar(255) NOT NULL,
+ `secret_id` varchar(255) NOT NULL,
+ PRIMARY KEY (`id`)
+ ) ENGINE=InnoDB'
+ mysql -u dev -h db -pdev dev -e "insert into auth_secret (role_id,secret_id) values ($ROLE_ID, $SECRET_ID);"
+
+ touch /tmp/shared/INITIALIZED
+
 #https://stackoverflow.com/questions/28251144/inserting-and-selecting-uuids-as-binary16
 #mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"myHostname\",\"T35T1N600M86\",\"2020-01-01 12:12:12.121212\",True,False);"
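Review bot: The INSERT at `values ($ROLE_ID, $SECRET_ID);` splices both values into SQL without quotes; it only parses because `jq .data.role_id` (no `-r`) leaves the JSON double quotes on the value and MySQL happens to accept a double-quoted string literal, so a later switch to `jq -r` would silently break the statement. Read them with `jq -r` and quote them explicitly in the statement, `values ('$ROLE_ID', '$SECRET_ID')`, with a comment noting the values come from Vault rather than user input. `CREATE TABLE` will fail if the table already exists (a persisted DB volume, or the application creating its own schema, which the removed `grep auth_secret` wait suggests it may do), and since the script continues past that failure unless it runs under `set -e`, which is not visible here, `CREATE TABLE IF NOT EXISTS` plus a check on the INSERT's exit status before `touch /tmp/shared/INITIALIZED` would keep the marker honest. The enclosing `if` block starts and ends outside the hunk.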
@@ -92,26 +101,31 @@ if [ ! -f "/shared/INITIALIZED" ]; then #mysql -u dev -h db -pdev dev -e "insert into AccessLog (id, admin_kurzel, getTime, machine_id, password_id) values (2,'big-admin',2020-01-01 13:26:26.262626,91a5de62-c27b-11ed-b06e-73a6e07e676e,e8359956-c27c-11ed-afb3-c3922f844a02);" #mysql -u dev -h db -pdev dev -e "insert into AccessLog (id, admin_kurzel, getTime, machine_id, password_id) values (3,'big-admin',2020-01-01 14:28:28.282828,a0bae91a-c27b-11ed-97d2-efbae491e385,f5b92d0e-c27c-11ed-8728-77b6c3364352);" - mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"myHostname\",\"T35T1N600M86\",\"2020-01-01 12:12:12.121212\",True,False);" - mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"myDifferentHostname\",\"T35T1N600M87\",\"2020-01-01 13:13:13.131313\",True,False);" - mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"myVeryDifferentHostname\",\"T35T1N600M88\",\"2020-01-01 14:14:14.141414\",True,False);" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"d2de2708-c27c-11ed-8b81-4b498eb56a2e\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"MyEncryptedPassword1\",\"Testing\",False,\"2020-01-01 12:24:24.242424\",\"2020-01-01 12:36:36.363636\");" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"dbf70378-c27c-11ed-ac0a-ff5d046c5f60\", 
\"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"MyEncryptedPassword2\",\"Testing\",False,\"2020-01-01 12:36:36.363636\",\"2020-01-01 13:00:00.000000\");" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"e8359956-c27c-11ed-afb3-c3922f844a02\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"MyEncryptedPassword3\",\"Testing\",False,\"2020-01-01 13:26:26.262626\",\"2020-01-01 13:39:39.393939\");" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"f04fa1fe-c27c-11ed-bdb5-8fd286cb2228\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"MyEncryptedPassword4\",\"Testing\",False,\"2020-01-01 13:39:39.393939\",\"2020-01-01 14:00:00.000000\");" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"f5b92d0e-c27c-11ed-8728-77b6c3364352\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"MyEncryptedPassword5\",\"Testing\",False,\"2020-01-01 14:28:28.282828\",\"2020-01-01 14:42:42.424242\");" - mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"fa5a818c-c27c-11ed-a703-d75f772b0c57\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"MyEncryptedPassword6\",\"Testing\",False,\"2020-01-01 14:42:42.424242\",\"2020-01-01 15:00:00.000000\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (1,UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", 
\"-\",\"\")),\"2020-01-01 12:13:12.121212\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (2,UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"2020-01-01 12:25:24.242424\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (3,UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"2020-01-01 13:14:13.131313\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (4,UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"2020-01-01 13:27:26.262626\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (5,UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"2020-01-01 14:15:14.141414\");" - mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (6,UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"2020-01-01 14:29:28.282828\");" - mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (1,\"big-admin\",\"2020-01-01 12:24:24.242424\",UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),UNHEX(REPLACE(\"d2de2708-c27c-11ed-8b81-4b498eb56a2e\", \"-\",\"\")));" - mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (2,\"big-admin\",\"2020-01-01 13:26:26.262626\",UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),UNHEX(REPLACE(\"e8359956-c27c-11ed-afb3-c3922f844a02\", \"-\",\"\")));" - 
mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (3,\"big-admin\",\"2020-01-01 14:28:28.282828\",UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"f5b92d0e-c27c-11ed-8728-77b6c3364352\", \"-\",\"\")));" - - touch "/shared/INITIALIZED" + # TODO: implement demo mode to populate db a bit somewhere else than vault setup script + # while ! mysql -u dev -h db -pdev dev -e "SHOW TABLES;" | grep machine; do + # echo "Waiting for DB to be ready" + # sleep 1s + # done + + # mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"myHostname\",\"T35T1N600M86\",\"2020-01-01 12:12:12.121212\",True,False);" + # mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"myDifferentHostname\",\"T35T1N600M87\",\"2020-01-01 13:13:13.131313\",True,False);" + # mysql -u dev -h db -pdev dev -e "insert into machine (id, hostname, serialnumber, enroll_time, enroll_success, disabled) values (UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"myVeryDifferentHostname\",\"T35T1N600M88\",\"2020-01-01 14:14:14.141414\",True,False);" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"d2de2708-c27c-11ed-8b81-4b498eb56a2e\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"MyEncryptedPassword1\",\"Testing\",False,\"2020-01-01 12:24:24.242424\",\"2020-01-01 12:36:36.363636\");" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values 
(UNHEX(REPLACE(\"dbf70378-c27c-11ed-ac0a-ff5d046c5f60\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"MyEncryptedPassword2\",\"Testing\",False,\"2020-01-01 12:36:36.363636\",\"2020-01-01 13:00:00.000000\");" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"e8359956-c27c-11ed-afb3-c3922f844a02\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"MyEncryptedPassword3\",\"Testing\",False,\"2020-01-01 13:26:26.262626\",\"2020-01-01 13:39:39.393939\");" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"f04fa1fe-c27c-11ed-bdb5-8fd286cb2228\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"MyEncryptedPassword4\",\"Testing\",False,\"2020-01-01 13:39:39.393939\",\"2020-01-01 14:00:00.000000\");" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"f5b92d0e-c27c-11ed-8728-77b6c3364352\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"MyEncryptedPassword5\",\"Testing\",False,\"2020-01-01 14:28:28.282828\",\"2020-01-01 14:42:42.424242\");" + # mysql -u dev -h db -pdev dev -e "insert into password (id, machine_id, password, status, password_set, password_received, password_expiry) values (UNHEX(REPLACE(\"fa5a818c-c27c-11ed-a703-d75f772b0c57\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"MyEncryptedPassword6\",\"Testing\",False,\"2020-01-01 14:42:42.424242\",\"2020-01-01 15:00:00.000000\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (1,UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", 
\"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"2020-01-01 12:13:12.121212\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (2,UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),\"2020-01-01 12:25:24.242424\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (3,UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"2020-01-01 13:14:13.131313\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (4,UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", \"-\",\"\")),\"2020-01-01 13:27:26.262626\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (5,UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"2020-01-01 14:15:14.141414\");" + # mysql -u dev -h db -pdev dev -e "insert into checkin (id, uuid, mid, checkin_time) values (6,UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),\"2020-01-01 14:29:28.282828\");" + # mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (1,\"big-admin\",\"2020-01-01 12:24:24.242424\",UNHEX(REPLACE(\"81a70234-c27b-11ed-a0f5-fb79d6671c6e\", \"-\",\"\")),UNHEX(REPLACE(\"d2de2708-c27c-11ed-8b81-4b498eb56a2e\", \"-\",\"\")));" + # mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (2,\"big-admin\",\"2020-01-01 13:26:26.262626\",UNHEX(REPLACE(\"91a5de62-c27b-11ed-b06e-73a6e07e676e\", 
\"-\",\"\")),UNHEX(REPLACE(\"e8359956-c27c-11ed-afb3-c3922f844a02\", \"-\",\"\")));"
+ # mysql -u dev -h db -pdev dev -e "insert into accesslog (id, admin_kurzel, getTime, machine_id, password_id) values (3,\"big-admin\",\"2020-01-01 14:28:28.282828\",UNHEX(REPLACE(\"a0bae91a-c27b-11ed-97d2-efbae491e385\", \"-\",\"\")),UNHEX(REPLACE(\"f5b92d0e-c27c-11ed-8728-77b6c3364352\", \"-\",\"\")));"
+
 fi
diff --git a/docker/vault/vault.Dockerfile b/docker/vault/vault.Dockerfile
index 585eb2d..d7f4c27 100644
--- a/docker/vault/vault.Dockerfile
+++ b/docker/vault/vault.Dockerfile
@@ -1,7 +1,7 @@
 ARG vault_version=${VAULT_VERSION:-latest}
-FROM vault:${vault_version}
+FROM hashicorp/vault:${vault_version}
-RUN apk update && apk upgrade && apk add bash jq openssl curl mysql-client
+RUN apk update && apk upgrade && apk add bash jq openssl curl mysql-client mariadb-connector-c
 ENV VAULT_ADDR="http://127.0.0.1:8200"
diff --git a/mlaps_client.sh b/mlaps_client.sh
index 02dff6d..7d4af92 100755
--- a/mlaps_client.sh
+++ b/mlaps_client.sh
@@ -8,7 +8,8 @@ export PATH="/usr/local/bin/:/usr/local/sbin/:/opt/homebrew/bin:/opt/homebrew/sb
 SUPPORT="$SUPPORTPATH"
 ADMIN_USER_NAME="admin"
 ADMIN_USER_HOME="/Users/$ADMIN_USER_NAME"
-MLAPS_ENDPOINT="https://mlaps.$YOURCOMPANY.com/api" # MLAPS HOST
+MLAPS_HOSTNAME="https://mlaps.$YOURCOMPANY.com" # MLAPS HOST
+MLAPS_ENDPOINT="$MLAPS_HOSTNAME/api" # MLAPS API
 MLAPS_CA="com.$YOURCOMPANY.mlaps" # MLAPS_CA
 CA_FILE="$SUPPORT/mlaps-ca.pem" # Path to CA file
 PW_FILE="$SUPPORT/mlaps-password" # Path to Backup Password File
@@ -38,6 +39,11 @@ T_RETRIES=3
 #Runtime Data
 UPDATEID=""
+CURL_EXEC=""
+BREW_CURL_FOUND=0
+
+#Security
+BASIC_AUTH="username:password"
 function panic(){
 # rm pidfile
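Review bot: `BASIC_AUTH="username:password"` puts a static shared credential for the nginx-protected `/api/enroll` and `/ping` endpoints into a script that, judging by the `/Users/$ADMIN_USER_NAME` and jamflog references, is presumably deployed to every managed client; the later hunks pass it as `-u "$BASIC_AUTH"`, which also shows it in the process list for the duration of each curl call. Ship the default empty, `BASIC_AUTH=""  # set at deploy time; empty disables basic auth`, so the `[[ -n $BASIC_AUTH ]]` guards in the enroll and ping hunks actually skip the option when nothing is configured, and read the real value at runtime from a root-only file next to `PW_FILE` or hand it to curl through `--netrc-file` / `-K` so it never appears on a command line. `CURL_EXEC=""` is also declared here as a string, which matters for how it is used further down: the built-in-curl value assigned later contains a quoted `"$CA_FILE"` that a string cannot carry through an unquoted expansion, so declaring it as an array, `CURL_EXEC=()`, is the shape that will work.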
@@ -48,9 +54,26 @@ function panic(){
 # cleanup pidfile if process is not running anymore
 function cleanupPid(){
- pid=$(cat $PID_FILE)
- if test -n $pid && ! ps -p $pid ; then
- rm $PID_FILE
+ if [ -f $PID_FILE ]; then
+ PID=$(cat $PID_FILE)
+ ps -p $PID > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ echo "Process already running"
+ exit 1
+ else
+ ## Process not found assume not running
+ echo $$ > $PID_FILE
+ if [ $? -ne 0 ]; then
+ echo "Could not create PID file"
+ exit 1
+ fi
+ fi
+ else
+ echo $$ > $PID_FILE
+ if [ $? -ne 0 ]; then
+ echo "Could not create PID file"
+ exit 1
+ fi
 fi
 }
@@ -86,9 +109,9 @@ function errlog(){
 trap 'panic' \
 SIGHUP SIGINT SIGQUIT SIGILL SIGTRAP SIGABRT SIGFPE \
 SIGKILL SIGBUS SIGSEGV SIGSYS SIGPIPE SIGALRM SIGTERM SIGURG \
- SIGSTOP SIGTSTP SIGCONT SIGCHLD SIGTTIN SIGTTOU SIGIO SIGXCPU \
+ SIGSTOP SIGTSTP SIGCONT SIGTTIN SIGTTOU SIGIO SIGXCPU \
 SIGXFSZ SIGVTALRM SIGPROF SIGWINCH SIGUSR1 SIGUSR2
- trap 'errlog' ERR # Traps errors that aren't handled and logs them without exiting
+trap 'errlog' ERR # Traps errors that aren't handled and logs them without exiting
 # create pid file ($pid > file)
 # exit if exists
@@ -99,10 +122,10 @@ function enroll(){
 jamflog "Generating CSR & KEY"
 local CSR=$(openssl req \
- -new \
- -nodes \
- -newkey rsa:2048 \
- -keyout "$KEY_FILE" \
+ -new \
+ -nodes \
+ -newkey rsa:2048 \
+ -keyout "$KEY_FILE" \
 -subj "$SUBJ" | tee "$CSR_FILE" | openssl base64 -e ; exit ${PIPESTATUS[0]})
 if [ $? ]; then
@@ -113,10 +136,15 @@ function enroll(){
 return 1
 fi
+ CSR=$(echo $CSR|tr -d '\n ')
 local PAYLOAD="{\"csr\":\"$CSR\", \"sn\":\"$SN\", \"hn\":\"$HN\"}"
- (curl \
- --cacert $CA_FILE \
+ local extra_options=()
+ if [[ -n $BASIC_AUTH ]]; then
+ extra_options+=(-u "$BASIC_AUTH")
+ fi
+
+ ($CURL_EXEC \
 --request POST \
 --url "$MLAPS_ENDPOINT/enroll" \
 --retry $CURL_N_RETRIES \
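Review bot: cleanupPid now repeats the write-pid-or-exit block in both branches and leaves `$PID_FILE` unquoted in every test and redirection; the whole function reduces to one liveness check and one write. It is only reached as the fallback of `shlock -f $PID_FILE -p $$ || cleanupPid` further down, and `ps -p` on a stale file whose PID has since been reused by an unrelated process will make it exit with "Process already running", which is worth a comment since the function never clears such a file. The comment above it, `# cleanup pidfile if process is not running anymore`, no longer describes what it does; `# claim the pid file, or exit if a live process already holds it` would.
```shell
function cleanupPid(){
    # Exit if the pid file names a live process; otherwise claim it.
    # Note: a stale file whose PID was recycled by another process is treated as live.
    if [ -f "$PID_FILE" ] && ps -p "$(cat "$PID_FILE")" > /dev/null 2>&1; then
        echo "Process already running"
        exit 1
    fi
    if ! echo $$ > "$PID_FILE"; then
        echo "Could not create PID file"
        exit 1
    fi
}
```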
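Review bot: SIGCHLD is dropped from the panic trap without a comment, so nothing stops the next editor from adding it back; presumably it fired panic on every `$(...)` substitution the script runs, and a line above the trap, `# SIGCHLD is intentionally not trapped: every command substitution would otherwise trigger panic`, records that. The list still names SIGKILL and SIGSTOP, which cannot be caught, so those entries are inert and could be removed in the same pass.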
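Review bot: `($CURL_EXEC \` expands a plain string, and the built-in-curl value assigned in the set_pw-area hunk below is the single-quoted `'curl --cacert "$CA_FILE"'`; an unquoted expansion is word-split but not expanded a second time, so curl receives the literal argument `"$CA_FILE"`, quote characters and all, and TLS setup fails before the CSR is ever sent. Hold the command in a bash array and invoke it as `"${CURL_EXEC[@]}" \` here; send_pw, send_pw_res and the `/ping` wait loop use the same call shape and need the same change. The body of enroll continues past the hunk.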
@@ -124,6 +152,7 @@ function enroll(){
 --retry-delay $CURL_DELAY \
 --retry-max-time $CURL_MAX_RETRY_TIME \
 -H 'Content-Type: application/json' \
+ "${extra_options[@]}" \
 --data "$PAYLOAD" | jq -r '.response' | tee "$CRT_FILE"; exit ${PIPESTATUS[0]} ;)
 if [ $? ]; then
@@ -150,12 +179,12 @@ function checkin(){
 local PAYLOAD="{\"sn\":\"$SN\", \"hn\":\"$HN\"}"
- local CHECKIN_DATA=$(curl \
- --cacert $CA_FILE \
- --request POST \
- --cert "$CRT_FILE" \
- --key "$KEY_FILE" \
- --data "$PAYLOAD" \
+ local CHECKIN_DATA=$(curl \
+ --cacert "$CA_FILE" \
+ --request POST \
+ --cert "$CRT_FILE" \
+ --key "$KEY_FILE" \
+ --data "$PAYLOAD" \
 --url "$MLAPS_ENDPOINT/checkin" \
 --retry $CURL_N_RETRIES \
 --max-time $CURL_MAX_T \
@@ -192,9 +221,8 @@ function send_pw(){
 #$(printf "$" "$1" "$2" "$UPDATEID")
 local PAYLOAD="{\"Success_Status\":\"$1\", \"Password\":\"$2\", \"updateSessionID\":\"$UPDATEID\"}"
- local PW_DATA=$(curl \
+ local PW_DATA=$($CURL_EXEC \
 --request POST \
- --cacert $CA_FILE \
 --cert "$CRT_FILE" \
 --key "$KEY_FILE" \
 --data "$PAYLOAD" \
@@ -259,17 +287,16 @@ function gen_passwd(){
 function send_pw_res(){
 jamflog $1
 local PAYLOAD="{\"res\":\"$1\", \"updateSessionID\":\"$UPDATEID\"}"
- local PW_DATA=$(curl \
- --request POST \
- --cacert $CA_FILE \
- --cert "$CRT_FILE" \
- --key "$KEY_FILE" \
- --data "$PAYLOAD" \
- --url "$MLAPS_ENDPOINT/password-confirm"\
- --retry $CURL_N_RETRIES \
- --max-time $CURL_MAX_T \
- --retry-delay $CURL_DELAY \
- --retry-max-time $CURL_MAX_RETRY_TIME \
+ local PW_DATA=$($CURL_EXEC \
+ --request POST \
+ --cert "$CRT_FILE" \
+ --key "$KEY_FILE" \
+ --data "$PAYLOAD" \
+ --url "$MLAPS_ENDPOINT/password-confirm" \
+ --retry $CURL_N_RETRIES \
+ --max-time $CURL_MAX_T \
+ --retry-delay $CURL_DELAY \
+ --retry-max-time $CURL_MAX_RETRY_TIME \
 --header 'Content-Type: application/json')
 if [ $? -ne 0 ]; then
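Review bot: checkin keeps calling the system `curl --cacert "$CA_FILE"` while enroll, send_pw and send_pw_res in this same commit go through `$CURL_EXEC`, so on a machine where the Homebrew curl is selected the client talks to the server with two different TLS stacks and CA sources, and a certificate problem will show up in some calls but not others. Either route this call through the same `CURL_EXEC` or add a comment on the `local CHECKIN_DATA=$(curl \` line stating why the client-certificate request deliberately stays on the built-in curl. The quoting of `"$CA_FILE"` here is the right fix; the enclosing function continues outside the hunk.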
@@ -316,15 +343,30 @@ function set_pw(){
 fi
 done
+ if CURL_EXEC=$(brew --prefix curl); then
+ jamflog "Found brew curl, using instead of built-in curl"
+ CURL_EXEC="$CURL_EXEC/bin/curl"
+ BREW_CURL_FOUND=true
+ else
+ jamflog "Using built-in curl, requires "
+ CURL_EXEC='curl --cacert "$CA_FILE"'
+ BREW_CURL_FOUND=false
+ fi
+
+ local extra_options=()
+ if [[ -n $BASIC_AUTH ]]; then
+ extra_options+=(-u "$BASIC_AUTH")
+ fi
+
 #check/wait for a internet connection
- while ! curl --cacert $CA_FILE -Is https://mlaps.$YOURCOMPANY.com &> /dev/null ; do
+ while ! $CURL_EXEC ${extra_options[@]} -Is $MLAPS_HOSTNAME/ping &> /dev/null ; do
 sleep 1
 done
 shlock -f $PID_FILE -p $$ || cleanupPid
 if [ -s "$UPDATE_ID_FILE" ]; then
- jamflog "Found valid updatesession id..."
+ jamflog "Found updatesession id..."
 UPDATEID="$(<"$UPDATE_ID_FILE")"
 set_pw
 else
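Review bot: The brew branch sets `CURL_EXEC="$CURL_EXEC/bin/curl"` and drops `--cacert` altogether, so the Homebrew curl, which ships its own CA bundle rather than using the macOS keychain, presumably will not trust the private CA the server is issued from; the built-in branch keeps `--cacert` but in a single-quoted string, `'curl --cacert "$CA_FILE"'`, which an unquoted `$CURL_EXEC` word-splits without expanding, so curl is handed the literal argument `"$CA_FILE"`. Storing the command as an array with `--cacert "$CA_FILE"` in both branches and invoking `"${CURL_EXEC[@]}"` fixes both, and the `${extra_options[@]}` in the while condition should be quoted as it already is in enroll. `brew --prefix curl` prints a path on at least some Homebrew versions even when the formula is not installed, so checking that the binary exists is safer; `jamflog "Using built-in curl, requires "` is cut off mid-sentence, and `BREW_CURL_FOUND` is declared as `0` near the top but set to `true`/`false` here. If this stretch is the top-level script body rather than a function, which the `shlock` and `set_pw` calls suggest, `local extra_options=()` is also invalid outside a function and should lose the `local`.
```shell
# Prefer the Homebrew curl when present; either way pin the CA bundle so the
# private server CA is trusted regardless of which TLS stack curl was built with.
if brew_prefix=$(brew --prefix curl 2>/dev/null) && [ -x "$brew_prefix/bin/curl" ]; then
    jamflog "Found brew curl, using instead of built-in curl"
    CURL_EXEC=("$brew_prefix/bin/curl" --cacert "$CA_FILE")
    BREW_CURL_FOUND=1
else
    jamflog "Using built-in curl with CA bundle $CA_FILE"
    CURL_EXEC=(curl --cacert "$CA_FILE")
    BREW_CURL_FOUND=0
fi
# … unchanged: extra_options setup …
#check/wait for a internet connection
while ! "${CURL_EXEC[@]}" "${extra_options[@]}" -Is "$MLAPS_HOSTNAME/ping" &> /dev/null ; do
# … unchanged: sleep/done, shlock, update-session handling …
```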