Merge branch 'add_basic_auth_method_and_passwordfile_input' into 'master'

Added basic auth method and passwordfile

See merge request bgstack15/certreq!3

1 files changed, 17 insertions, 10 deletions

diff --git a/files/certreq.sh b/files/certreq.sh
index e5b5b40..459df53 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -16,6 +16,7 @@
 #    2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support
 #    2019-07-25 fix chain_file name if DN is a particular format
 #    2023-06-06 Fix #4: bug related to compressed responses from server
+#    2023-06-21 Add basic auth method and attempt at adding password file argument
 # Usage: in ansible role certreq
 #    Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
 # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -27,15 +28,16 @@ certreqversion="2023-06-06a"
 
 usage() {
    less -F >&2 <<ENDUSAGE
-usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate]
+usage: certreq.sh [-dhV] [-u username] [-p password] [--pf passwordfile ][-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate]
 version ${certreqversion}
  -d debug   Show debugging info, including parsed variables.
  -h usage   Show this usage block.
  -V version Show script version number.
- -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username"
+ -u username User to connect via basic or ntlm auth (or negotiate) to CA. Can be "username" or "domain\\username"
  -p password
  -w workdir  Temp directory to work in. Default is \$(mktemp -d).
  -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate"
+ --pf --password-file Passwordfile in case you don't want to write password in clear text.
  --cn        CN to request. Default is \$( hostname -f )
  --ca        CA hostname or base URL. Example: ca2.example.com
  --reqid <value>  Request ID. Needed by --fetch action.
@@ -44,7 +46,7 @@ version ${certreqversion}
  --openssl-conf <value>  Use this config for openssl. Default is none.
  --dnssans <value>  Use a pipe-delimited set of values as subjectAltName dns entries.
  --ipsans <value>  Use a pipe-delimited set of values as subjectAltName ip entries.
- --auth <value>  Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm"
+ --auth <value>  Either basic, ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "basic"
 ACTIONS:
  --list      list available templates and exit.
  --csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in.
@@ -466,6 +468,7 @@ parseFlag() {
       "V" | "fcheck" | "version" ) ferror "${scriptfile} version ${certreqversion}"; exit 1001;;
       "u" | "user" | "username" ) getval; CERTREQ_USER="${tempval}";;
       "p" | "pass" | "password" ) getval; CERTREQ_PASS="${tempval}";;
+      "pf" | "password-file" ) getval; test -r "${tempval}" && CERTREQ_PASS="$( cat "${tempval}" )" || ferror "Invalid password file ${tempval}; leaving password blank!";; # Read password from file
       "w" | "work" | "workdir" ) getval; CERTREQ_WORKDIR="${tempval}";;
       "t" | "temp" | "template" ) getval; CERTREQ_TEMPLATE="${tempval}";;
       "cn" | "common-name" | "commonname" ) getval; CERTREQ_CNPARAM="${tempval}";;
@@ -485,9 +488,10 @@ parseFlag() {
       "ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";;
       "auth" ) getval ;
          case "${tempval}" in
+            "basic") CERTREQ_AUTH=basic ;;
             "ntlm") CERTREQ_AUTH=ntlm ;;
             "negotiate") CERTREQ_AUTH=negotiate ;;
-            *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;;
+            *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" ; CERTREQ_AUTH=basic ;;
          esac
          ;;
    esac
@@ -608,9 +612,9 @@ if test -n "${CERTREQ_CAPARAM}";
 then
    # trim down to just the hostname
    CERTREQ_CAPARAM="$( echo "${CERTREQ_CAPARAM}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )"
-   CERTREQ_CA="http://${CERTREQ_CAPARAM}"
+   CERTREQ_CA="https://${CERTREQ_CAPARAM}"
 fi
-define_if_new CERTREQ_CA "http://ca2.ad.example.com"
+define_if_new CERTREQ_CA "https://ca2.ad.example.com"
 # generate cahost
 CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )"
 
@@ -763,7 +767,7 @@ debuglev 5 && {
    openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
 
    # 1 interaction with website failed: invalid login credentials or curl returned non-zero value
-   if echo "${MESSAGE}" | grep -qiE 'unauthorized'  || test ${curloutput} -ne 0 ;
+   if echo "${MESSAGE}" | grep -qiE 'unauthorized'  || test ${curloutput:-0} -ne 0 ;
    then
       failed=$(( failed + 1 ))
    fi
@@ -775,9 +779,12 @@ debuglev 5 && {
    fi
 
    # 4 invalid cert file: incomplete cert file, or no issuer
-   if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ;
-   then
-      failed=$(( failed + 4 ))
+   # Wrapped in if statement to not grep when doing --list since no cert is created during that process.
+   if test "${CERTREQ_ACTION}" != "list" ; then
+      if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ;
+      then
+         failed=$(( failed + 4 ))
+      fi
    fi
 
 } 1> ${logfile} 2>&1