#!/usr/bin/env sh

# OpenStack Barbican deploy hook
#
# This requires you to have OpenStackClient and python-barbicanclient
# installed.
#
# You will require Keystone V3 credentials loaded into your environment, of
# either password or v3applicationcredential type.
#
# Author: Andy Botting <andy@andybotting.com>
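openstack_deploy() {
  # Deploy hook entry point: bundle key, certificate and CA chain into a
  # PKCS#12 file, store it in Barbican as a secret named after the domain,
  # then delete any older secrets carrying the same name.
  # $1 domain, $2 key file, $3 cert file, $4 CA file, $5 full-chain file.
  # Returns 0 on success, non-zero on the first failure.
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  if ! _exists openstack; then
    _err "OpenStack client not found"
    return 1
  fi

  _openstack_credentials || return $?

  _info "Generate import pkcs12"
  _import_pkcs12="$(_mktemp)"
  if ! _openstack_to_pkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then
    _err "Error creating pkcs12 certificate"
    rm -f "$_import_pkcs12"
    return 1
  fi
  _debug _import_pkcs12 "$_import_pkcs12"
  _base64_pkcs12=$(_base64 "multiline" <"$_import_pkcs12")
  # The bundle contains the private key behind an empty export password, so
  # the temp file is removed as soon as its contents have been read.
  rm -f "$_import_pkcs12"

  # Collect the existing secrets before storing the new one, so the fresh
  # secret can never end up in the cleanup list. A failed listing is reported
  # by the helper; stop here rather than leave stale secrets behind silently.
  if ! secretHrefs=$(_openstack_get_secrets); then
    return 1
  fi
  _debug secretHrefs "$secretHrefs"
  _openstack_store_secret || return $?

  if [ -n "$secretHrefs" ]; then
    _info "Cleaning up existing secret"
    _openstack_delete_secrets || return $?
  fi

  _info "Certificate successfully deployed"
  return 0
}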
54 | ||
_openstack_store_secret() {
  # Store the base64-encoded PKCS#12 bundle ($_base64_pkcs12) as a new
  # Barbican secret named "<domain>." with an octet-stream content type.
  # Returns 0 when the client succeeds, 1 (after logging) otherwise.
  #
  # NOTE(review): --payload places the bundle, which embeds the private key,
  # on the command line, where it is generally readable by other local users
  # through the process table; a file-based payload option is preferable where
  # the installed client supports one — confirm before switching.
  openstack secret store --name "$_cdomain." -t 'application/octet-stream' -e base64 --payload "$_base64_pkcs12" && return 0
  _err "Failed to create OpenStack secret"
  return 1
}
62 | ||
_openstack_delete_secrets() {
  # Delete every secret href listed in $secretHrefs (one per line), stopping
  # with status 1 at the first failure. The loop is fed by a here-document
  # rather than a pipe so it runs in the current shell and "return" leaves
  # this function directly instead of a pipeline subshell.
  while read -r _old_href; do
    _info "Deleting old secret $_old_href"
    openstack secret delete "$_old_href" && continue
    _err "Failed to delete OpenStack secret"
    return 1
  done <<EOF
$secretHrefs
EOF
  return 0
}
73 | ||
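_openstack_get_secrets() {
  # Print the hrefs (first column of "openstack secret list -f value") of the
  # existing secrets named "<domain>.", one per line.
  # Returns 1 with an error message when the listing fails.
  #
  # The client is run on its own rather than piped straight into cut: in
  # "openstack ... | cut" only cut's exit status would reach the if, so a
  # failed listing would look like "no secrets" and skip the cleanup.
  if ! _secret_list=$(openstack secret list -f value --name "$_cdomain."); then
    _err "Failed to list secrets"
    return 1
  fi
  secretHrefs=$(printf '%s\n' "$_secret_list" | cut -d' ' -f1)
  echo "$secretHrefs"
}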
81 | ||
_openstack_to_pkcs() {
  # Export key ($2), certificate ($3) and CA chain ($4) into the PKCS#12 file
  # named by $1, using an empty export password. acme.sh's own _toPkcs cannot
  # be used because its "-z" test rejects an empty password, so the openssl
  # call is duplicated here. Returns openssl's exit status.
  _cpfx="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"

  ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export \
    -out "$_cpfx" \
    -inkey "$_ckey" \
    -in "$_ccert" \
    -certfile "$_cca" \
    -password "pass:"
}
92 | ||
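# Space-separated list of the Keystone variables this hook manages. The order
# is the order in which they are loaded, logged and saved.
_openstack_cred_vars="OS_AUTH_URL OS_IDENTITY_API_VERSION OS_AUTH_TYPE OS_APPLICATION_CREDENTIAL_ID OS_APPLICATION_CREDENTIAL_SECRET OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_PROJECT_ID OS_USER_DOMAIN_NAME OS_USER_DOMAIN_ID OS_PROJECT_DOMAIN_NAME OS_PROJECT_DOMAIN_ID"

# Reject anything that is not a plain shell identifier before it is handed to
# eval. $1 variable name. Returns 1 (after logging) for an unsafe name.
_openstack_check_varname() {
  case "$1" in
  "" | *[!A-Za-z0-9_]* | [0-9]*)
    _err "Invalid OpenStack variable name: $1"
    return 1
    ;;
  esac
  return 0
}

# Export the named variable and persist it in the account conf when it has a
# value; otherwise unset it and drop the saved copy. Clearing unset variables
# lets a user switch between password and application-credential auth without
# old values lingering in the conf. Secret-bearing variables are logged via
# _secure_debug. $1 variable name. Returns 1 for an unsafe name.
_openstack_sync_cred_var() {
  _ocname="$1"
  _openstack_check_varname "$_ocname" || return 1
  eval "_ocvalue=\"\$$_ocname\""
  case "$_ocname" in
  OS_PASSWORD | OS_APPLICATION_CREDENTIAL_SECRET) _secure_debug "$_ocname" "$_ocvalue" ;;
  *) _debug "$_ocname" "$_ocvalue" ;;
  esac
  if [ -n "$_ocvalue" ]; then
    export "$_ocname"
    _saveaccountconf_mutable "$_ocname" "$_ocvalue"
  else
    unset "$_ocname"
    _clearaccountconf "SAVED_$_ocname"
  fi
  return 0
}

_openstack_credentials() {
  # Load, persist and validate the Keystone credentials used by the openstack
  # client. Returns 0 when a usable credential set is present, 1 otherwise.
  _debug "Check OpenStack credentials"

  # If OS_AUTH_URL is already in the environment, assume the caller supplied
  # the credentials there; otherwise fall back to the values saved in the
  # account conf by a previous run.
  if [ -n "$OS_AUTH_URL" ]; then
    _debug "OS_AUTH_URL env var found, using environment"
  else
    _debug "OS_AUTH_URL not found, loading stored credentials"
    for _ocname in $_openstack_cred_vars; do
      _openstack_check_varname "$_ocname" || return 1
      # Expands to: NAME="${NAME:-$(_readaccountconf_mutable NAME)}"
      eval "$_ocname=\"\${$_ocname:-\$(_readaccountconf_mutable $_ocname)}\""
    done
  fi

  # Save or clear each variable depending on whether it is set, so switching
  # between password and app creds leaves no stale values behind.
  for _ocname in $_openstack_cred_vars; do
    _openstack_sync_cred_var "$_ocname" || return 1
  done

  if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
    # Application Credential auth
    if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
      _err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
      _err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
      _err "Please check your credentials and try again."
      return 1
    fi
  else
    # Password auth
    if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
      _err "OpenStack username or password not found."
      _err "Please check your credentials and try again."
      return 1
    fi

    if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
      _err "When using password authentication, OS_PROJECT_NAME or"
      _err "OS_PROJECT_ID must be set."
      _err "Please check your credentials and try again."
      return 1
    fi
  fi

  return 0
}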