deploy/synology_dsm.sh

   1 #!/usr/bin/env sh
   2
   3 # Here is a script to deploy cert to Synology DSM
   4 #
   5 # it requires the jq and curl are in the $PATH and the following
   6 # environment variables must be set:
   7 #
   8 # SYNO_Username - Synology Username to login (must be an administrator)
   9 # SYNO_Password - Synology Password to login
  10 # SYNO_Certificate - Certificate description to target for replacement
  11 #
  12 # The following environmental variables may be set if you don't like their
  13 # default values:
  14 #
  15 # SYNO_Scheme - defaults to http
  16 # SYNO_Hostname - defaults to localhost
  17 # SYNO_Port - defaults to 5000
  18 # SYNO_DID - device ID to skip OTP - defaults to empty
  19 #
  20 #returns 0 means success, otherwise error.
  21
  22 ########  Public functions #####################
  23
  24 #domain keyfile certfile cafile fullchain
  25 synology_dsm_deploy() {
  26
  27   _cdomain="$1"
  28   _ckey="$2"
  29   _ccert="$3"
  30   _cca="$4"
  31
  32   _debug _cdomain "$_cdomain"
  33
  34   # Get Username and Password, but don't save until we successfully authenticate
  35   _getdeployconf SYNO_Username
  36   _getdeployconf SYNO_Password
  37   _getdeployconf SYNO_Create
  38   _getdeployconf SYNO_DID
  39   if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
  40     _err "SYNO_Username & SYNO_Password must be set"
  41     return 1
  42   fi
  43   _debug2 SYNO_Username "$SYNO_Username"
  44   _secure_debug2 SYNO_Password "$SYNO_Password"
  45
  46   # Optional scheme, hostname, and port for Synology DSM
  47   _getdeployconf SYNO_Scheme
  48   _getdeployconf SYNO_Hostname
  49   _getdeployconf SYNO_Port
  50
  51   # default vaules for scheme, hostname, and port
  52   # defaulting to localhost and http because it's localhost...
  53   [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
  54   [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
  55   [ -n "${SYNO_Port}" ] || SYNO_Port="5000"
  56
  57   _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  58   _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  59   _savedeployconf SYNO_Port "$SYNO_Port"
  60
  61   _debug2 SYNO_Scheme "$SYNO_Scheme"
  62   _debug2 SYNO_Hostname "$SYNO_Hostname"
  63   _debug2 SYNO_Port "$SYNO_Port"
  64
  65   # Get the certificate description, but don't save it until we verfiy it's real
  66   _getdeployconf SYNO_Certificate
  67   _debug SYNO_Certificate "${SYNO_Certificate:-}"
  68
  69   # shellcheck disable=SC1003 # We are not trying to escape a single quote
  70   if printf "%s" "$SYNO_Certificate" | grep '\\'; then
  71     _err "Do not use a backslash (\) in your certificate description"
  72     return 1
  73   fi
  74
  75   _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  76   _debug _base_url "$_base_url"
  77
  78   _debug "Getting API version"
  79   response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
  80   api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
  81   _debug3 response "$response"
  82   _debug3 api_version "$api_version"
  83
  84   # Login, get the token from JSON and session id from cookie
  85   _info "Logging into $SYNO_Hostname:$SYNO_Port"
  86   encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
  87   encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
  88
  89   if [ -n "$SYNO_DID" ]; then
  90     _H1="Cookie: did=$SYNO_DID"
  91     export _H1
  92     _debug3 H1 "${_H1}"
  93   fi
  94
  95   response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
  96   token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
  97   _debug3 response "$response"
  98   _debug token "$token"
  99
 100   if [ -z "$token" ]; then
 101     _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
 102     _err "Check your username and password."
 103     _err "If two-factor authentication is enabled for the user, you have to choose another user."
 104     return 1
 105   fi
 106   sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
 107
 108   _H1="X-SYNO-TOKEN: $token"
 109   export _H1
 110   _debug2 H1 "${_H1}"
 111
 112   # Now that we know the username and password are good, save them
 113   _savedeployconf SYNO_Username "$SYNO_Username"
 114   _savedeployconf SYNO_Password "$SYNO_Password"
 115   _savedeployconf SYNO_DID "$SYNO_DID"
 116
 117   _info "Getting certificates in Synology DSM"
 118   response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
 119   _debug3 response "$response"
 120   escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
 121   _debug escaped_certificate "$escaped_certificate"
 122   id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
 123   _debug2 id "$id"
 124
 125   if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
 126     _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
 127     return 1
 128   fi
 129
 130   # we've verified this certificate description is a thing, so save it
 131   _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
 132
 133   _info "Generate form POST request"
 134   nl="\0015\0012"
 135   delim="--------------------------$(_utc_date | tr -d -- '-: ')"
 136   content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
 137   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
 138   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
 139   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
 140   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
 141   if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
 142     _debug2 default "this is the default certificate"
 143     content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
 144   else
 145     _debug2 default "this is NOT the default certificate"
 146   fi
 147   content="$content${nl}--$delim--${nl}"
 148   content="$(printf "%b_" "$content")"
 149   content="${content%_}" # protect trailing \n
 150
 151   _info "Upload certificate to the Synology DSM"
 152   response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
 153   _debug3 response "$response"
 154
 155   if ! echo "$response" | grep '"error":' >/dev/null; then
 156     if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
 157       _info "http services were restarted"
 158     else
 159       _info "http services were NOT restarted"
 160     fi
 161     return 0
 162   else
 163     _err "Unable to update certificate, error code $response"
 164     return 1
 165   fi
 166 }