deploy/synology_dsm.sh

   1 #!/usr/bin/env sh
   2
   3 # Here is a script to deploy cert to Synology DSM
   4 #
   5 # it requires the jq and curl are in the $PATH and the following
   6 # environment variables must be set:
   7 #
   8 # SYNO_Username - Synology Username to login (must be an administrator)
   9 # SYNO_Password - Synology Password to login
  10 # SYNO_Certificate - Certificate description to target for replacement
  11 #
  12 # The following environmental variables may be set if you don't like their
  13 # default values:
  14 #
  15 # SYNO_Scheme - defaults to http
  16 # SYNO_Hostname - defaults to localhost
  17 # SYNO_Port - defaults to 5000
  18 # SYNO_DID - device ID to skip OTP - defaults to empty
  19 #
  20 #returns 0 means success, otherwise error.
  21
  22 ########  Public functions #####################
  23
  24 _syno_get_cookie_data() {
  25   grep -i "\W$1=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
  26 }
  27
  28 #domain keyfile certfile cafile fullchain
  29 synology_dsm_deploy() {
  30
  31   _cdomain="$1"
  32   _ckey="$2"
  33   _ccert="$3"
  34   _cca="$4"
  35
  36   _debug _cdomain "$_cdomain"
  37
  38   # Get Username and Password, but don't save until we successfully authenticate
  39   _getdeployconf SYNO_Username
  40   _getdeployconf SYNO_Password
  41   _getdeployconf SYNO_Create
  42   _getdeployconf SYNO_DID
  43   if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
  44     _err "SYNO_Username & SYNO_Password must be set"
  45     return 1
  46   fi
  47   _debug2 SYNO_Username "$SYNO_Username"
  48   _secure_debug2 SYNO_Password "$SYNO_Password"
  49
  50   # Optional scheme, hostname, and port for Synology DSM
  51   _getdeployconf SYNO_Scheme
  52   _getdeployconf SYNO_Hostname
  53   _getdeployconf SYNO_Port
  54
  55   # default vaules for scheme, hostname, and port
  56   # defaulting to localhost and http because it's localhost...
  57   [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
  58   [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
  59   [ -n "${SYNO_Port}" ] || SYNO_Port="5000"
  60
  61   _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  62   _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  63   _savedeployconf SYNO_Port "$SYNO_Port"
  64
  65   _debug2 SYNO_Scheme "$SYNO_Scheme"
  66   _debug2 SYNO_Hostname "$SYNO_Hostname"
  67   _debug2 SYNO_Port "$SYNO_Port"
  68
  69   # Get the certificate description, but don't save it until we verfiy it's real
  70   _getdeployconf SYNO_Certificate
  71   _debug SYNO_Certificate "${SYNO_Certificate:-}"
  72
  73   _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  74   _debug _base_url "$_base_url"
  75
  76   _debug "Getting API version"
  77   response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
  78   api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
  79   _debug3 response "$response"
  80   _debug3 api_version "$api_version"
  81
  82   # Login, get the token from JSON and session id from cookie
  83   _info "Logging into $SYNO_Hostname:$SYNO_Port"
  84   encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
  85   encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
  86
  87   if [ ! -z "$SYNO_DID" ]; then
  88     _H1="Cookie: did=$SYNO_DID"
  89     export _H1
  90     _debug3 H1 "${_H1}"
  91   fi
  92
  93   response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
  94   token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
  95   _debug3 response "$response"
  96   _debug token "$token"
  97
  98   if [ -z "$token" ]; then
  99     _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
 100     _err "Check your username and password."
 101     return 1
 102   fi
 103   sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
 104
 105   _H1="X-SYNO-TOKEN: $token"
 106   export _H1
 107   _debug2 H1 "${_H1}"
 108
 109   # Now that we know the username and password are good, save them
 110   _savedeployconf SYNO_Username "$SYNO_Username"
 111   _savedeployconf SYNO_Password "$SYNO_Password"
 112   _savedeployconf SYNO_DID "$SYNO_DID"
 113
 114   _info "Getting certificates in Synology DSM"
 115   response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
 116   _debug3 response "$response"
 117   id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
 118   _debug2 id "$id"
 119
 120   if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
 121     _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
 122     return 1
 123   fi
 124
 125   # we've verified this certificate description is a thing, so save it
 126   _savedeployconf SYNO_Certificate "$SYNO_Certificate"
 127
 128   default=false
 129   if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
 130     default=true
 131   fi
 132   _debug2 default "$default"
 133
 134   _info "Generate form POST request"
 135   nl="\0015\0012"
 136   delim="--------------------------$(_utc_date | tr -d -- '-: ')"
 137   content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
 138   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
 139   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
 140   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
 141   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
 142   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
 143   content="$content${nl}--$delim--${nl}"
 144   content="$(printf "%b_" "$content")"
 145   content="${content%_}" # protect trailing \n
 146
 147   _info "Upload certificate to the Synology DSM"
 148   response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
 149   _debug3 response "$response"
 150
 151   if ! echo "$response" | grep '"error":' >/dev/null; then
 152     if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
 153       _info "http services were restarted"
 154     else
 155       _info "http services were NOT restarted"
 156     fi
 157     return 0
 158   else
 159     _err "Unable to update certificate, error code $response"
 160     return 1
 161   fi
 162 }