From 4e5866ab5d97f278ff710f0ad3ad5a8256b5f4e0 Mon Sep 17 00:00:00 2001
From: B Stack
Date: Mon, 30 Jul 2018 16:19:06 -0400
Subject: add error check for "401 - Unauthorized"

---
 files/certreq.sh | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/files/certreq.sh b/files/certreq.sh
index bacdf75..2aa27f8 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -11,7 +11,7 @@
 # 2018-04-16 Add --list and --csr options
 # 2018-05-07 Add actions for using a CA with manually-approved certs
 # 2018-06-19 Fix get number of ca cert
-# 2018-07-30 add error check for "Denied" messages
+# 2018-07-30 add error checking on the request and authorization
 # Usage: in ansible role certreq
 # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
 # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -47,7 +47,8 @@ Return values under 1000: A non-zero value is the sum of the items listed here:
 4 Return code of curl statement that saves cert file is non-zero
 8 Cert file does not contain whole certificate
 16 Cert does not contain an issuer
-32 Request denied.
+32 Cert request denied
+64 Invalid credentials
 Return values above 1000:
 1001 Help or version info displayed
 1002 Count or type of flaglessvals is incorrect
@@ -155,6 +156,8 @@ submit_csr() {
 esac
 DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*\"" )"
+ MESSAGE="$( echo "${FULLPAGE}" | grep -oiE "401.*" | grep -oiE ">.*<" | tr -d '<>' )"
+ MESSAGE="${MESSAGE:-${DISPOSITION}}" # use disposition if message is not available
 }
@@ -286,6 +289,7 @@ action_get_cert() {
 echo "OUTPUTLINK=${OUTPUTLINK}"
 echo "CERTLINK=${CERTLINK}"
 echo "DISPOSITION=${DISPOSITION}"
+ echo "MESSAGE=${MESSAGE}"
 }
 # FETCH SIGNED CERTIFICATE
@@ -340,6 +344,7 @@ action_request() {
 echo "OUTPUTLINK=${OUTPUTLINK}"
 echo "CERTLINK=${CERTLINK}"
 echo "DISPOSITION=${DISPOSITION}"
+ echo "MESSAGE=${MESSAGE}"
 }
 }
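Review bot: The new `grep -oiE "401.*"` in the MESSAGE assignment of submit_csr matches the digits 401 anywhere in FULLPAGE (a request id, a timestamp, a byte count in the markup), not only the CA's 401 error page, and because the following line replaces DISPOSITION with MESSAGE whenever MESSAGE is non-empty, a stray match silently discards the disposition text that the `policy` check near line 636 depends on. Anchoring on the phrase the commit targets narrows it, e.g. `grep -oiE "401 - Unauthorized.*"`; `grep -o` also emits one line per match, so a trailing `| head -n 1` keeps MESSAGE single-line for the later `echo "message: ${MESSAGE}"` output. If the curl call that fills FULLPAGE (outside this hunk) can also report the HTTP status (`-w '%{http_code}'`), testing that code is more robust than scraping the response body. submit_csr starts before this hunk.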
@@ -631,7 +636,8 @@ debuglev 5 && {
 grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" || failed=$(( failed + 8 ))
 #echo "${openssloutput}" | grep -qE "subject.*${CERTREQ_SUBJECT}" || failed=$(( failed + 16 ))
 echo "${openssloutput}" | grep -qE "issuer.*" || failed=$(( failed + 16 ))
- echo "${DISPOSITION}" | grep -qiE 'denied' && failed=$(( failed + 32 ))
+ echo "${MESSAGE}" | grep -qiE 'policy' && failed=$(( failed + 32 ))
+ echo "${MESSAGE}" | grep -qiE 'unauthorized' && failed=$(( failed + 64 ))
 ;;
 esac
@@ -650,7 +656,7 @@ case "${CERTREQ_ACTION}" in
 echo "csr: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.csr"
 echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key"
 echo "reqid: ${REQUESTID}"
- echo "disposition: ${DISPOSITION}"
+ echo "message: ${MESSAGE}"
 echo "rc: ${failed}"
 ;;
@@ -666,11 +672,11 @@ case "${CERTREQ_ACTION}" in
 # for generate and generate-csr and everything else really
 echo "workdir: ${CERTREQ_WORKDIR}"
 echo "logfile: ${logfile}"
- echo "csr: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt"
+ echo "csr: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.csr"
 echo "certificate: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt"
 echo "key: ${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.key"
 ! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}"
- echo "disposition: ${DISPOSITION}"
+ echo "message: ${MESSAGE}"
 echo "rc: ${failed}"
 ;;
-- 
cgit
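Review bot: The two new checks in the rc block are independent, so a MESSAGE containing both words sets bits 32 and 64 together, and changing the first test from `denied` to `policy` means a denied request whose disposition text lacks the word "policy" no longer raises bit 32 even though MESSAGE falls back to DISPOSITION. An if/elif keeps the outcomes exclusive and lets the denial test keep its direct keyword: `if printf '%s\n' "${MESSAGE}" | grep -qiE 'unauthorized'; then failed=$(( failed + 64 ))` / `elif printf '%s\n' "${MESSAGE}" | grep -qiE 'denied'; then failed=$(( failed + 32 )); fi`. Whether the CA's denial text always contains "policy" is not visible here, so the keyword may be deliberate; a comment naming the server string each keyword is meant to match would make the mapping to the documented return codes checkable. The enclosing case statement starts before this hunk.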
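Review bot: Renaming the `disposition:` output line to `message:` changes the script's stdout contract, and the header comment says the script is used by an ansible role, so a task that presumably parses `disposition:` stops seeing the value; the same rename occurs in the hunk at line 672. Printing both keys, `echo "disposition: ${DISPOSITION}"` followed by `echo "message: ${MESSAGE}"`, avoids a silent break for existing callers; otherwise the rename belongs in the header changelog so consumers are updated with it. The case arm these lines belong to starts before this hunk.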