From 370405f8a2cf363a9f1e6f9a4e1a79d7041dba08 Mon Sep 17 00:00:00 2001 From: Erling Li Teigen Date: Wed, 21 Jun 2023 15:10:00 +0200 Subject: Added basic auth method and passwordfile --- files/certreq.sh | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) (limited to 'files') diff --git a/files/certreq.sh b/files/certreq.sh index e5b5b40..9249bf1 100755 --- a/files/certreq.sh +++ b/files/certreq.sh @@ -16,6 +16,7 @@ # 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support # 2019-07-25 fix chain_file name if DN is a particular format # 2023-06-06 Fix #4: bug related to compressed responses from server +# 2023-06-21 Add basic auth method and attempt at adding password file argument # Usage: in ansible role certreq # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template. # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a @@ -27,13 +28,14 @@ certreqversion="2023-06-06a" usage() { less -F >&2 <] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate] +usage: certreq.sh [-dhV] [-u username] [-p password] [-pf passwordfile ][-w tempdir] [-t template] [--cn CN] [--ca ] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate] version ${certreqversion} -d debug Show debugging info, including parsed variables. -h usage Show this usage block. -V version Show script version number. - -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username" + -u username User to connect via basic or ntlm auth (or negotiate) to CA. Can be "username" or "domain\\username" -p password + -pf --password-file Passwordfile in case you don't want to write password in clear text. -w workdir Temp directory to work in. Default is \$(mktemp -d). -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate" --cn CN to request. Default is \$( hostname -f ) @@ -44,7 +46,7 @@ version ${certreqversion} --openssl-conf Use this config for openssl. Default is none. --dnssans Use a pipe-delimited set of values as subjectAltName dns entries. --ipsans Use a pipe-delimited set of values as subjectAltName ip entries. - --auth Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm" + --auth Either basic, ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "basic" ACTIONS: --list list available templates and exit. --csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in. @@ -466,6 +468,23 @@ parseFlag() { "V" | "fcheck" | "version" ) ferror "${scriptfile} version ${certreqversion}"; exit 1001;; "u" | "user" | "username" ) getval; CERTREQ_USER="${tempval}";; "p" | "pass" | "password" ) getval; CERTREQ_PASS="${tempval}";; + # I am struggling to find a way to add a option for -p|--password-file. When enabling this code the script just prints a newline with no output to tmpfiles. + # "pf" | "password-file" ) + # shift # Skip the flag itself + # if [ $# -gt 0 ]; then + # password_file="$1" + # if [ -r "$password_file" ]; then + # CERTREQ_PASS=$(cat "$password_file") + # else + # ferror "Unable to read password file: $password_file" + # exit 1 + # fi + # hasval=1 + # else + # ferror "Missing value for flag: $flag" + # exit 1 + # fi + # ;; "w" | "work" | "workdir" ) getval; CERTREQ_WORKDIR="${tempval}";; "t" | "temp" | "template" ) getval; CERTREQ_TEMPLATE="${tempval}";; "cn" | "common-name" | "commonname" ) getval; CERTREQ_CNPARAM="${tempval}";; @@ -485,9 +504,10 @@ parseFlag() { "ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";; "auth" ) getval ; case "${tempval}" in + "basic") CERTREQ_AUTH=basic ;; "ntlm") CERTREQ_AUTH=ntlm ;; "negotiate") CERTREQ_AUTH=negotiate ;; - *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;; + *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" CERTREQ_AUTH=basic ;; esac ;; esac @@ -608,9 +628,9 @@ if test -n "${CERTREQ_CAPARAM}"; then # trim down to just the hostname CERTREQ_CAPARAM="$( echo "${CERTREQ_CAPARAM}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )" - CERTREQ_CA="http://${CERTREQ_CAPARAM}" + CERTREQ_CA="https://${CERTREQ_CAPARAM}" fi -define_if_new CERTREQ_CA "http://ca2.ad.example.com" +define_if_new CERTREQ_CA "https://ca2.ad.example.com" # generate cahost CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )" @@ -763,7 +783,7 @@ debuglev 5 && { openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" # 1 interaction with website failed: invalid login credentials or curl returned non-zero value - if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ; + if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput:-0} -ne 0 ; then failed=$(( failed + 1 )) fi @@ -775,9 +795,12 @@ debuglev 5 && { fi # 4 invalid cert file: incomplete cert file, or no issuer - if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; - then - failed=$(( failed + 4 )) + # Wrapped in if statement to not grep when doing --list since no cert is created during that process. + if [[ "$CERTREQ_ACTION" != "list" ]]; then + if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; + then + failed=$(( failed + 4 )) + fi fi } 1> ${logfile} 2>&1 -- cgit From 1f15a7d9d6d2ed6728d643a988034833523a2d40 Mon Sep 17 00:00:00 2001 From: Erling Li Teigen Date: Wed, 21 Jun 2023 16:12:52 +0200 Subject: Fixed correct syntaxes and now have a valid passwordfile option --- files/certreq.sh | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) (limited to 'files') diff --git a/files/certreq.sh b/files/certreq.sh index 9249bf1..459df53 100755 --- a/files/certreq.sh +++ b/files/certreq.sh @@ -28,16 +28,16 @@ certreqversion="2023-06-06a" usage() { less -F >&2 <] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate] +usage: certreq.sh [-dhV] [-u username] [-p password] [--pf passwordfile ][-w tempdir] [-t template] [--cn CN] [--ca ] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate] version ${certreqversion} -d debug Show debugging info, including parsed variables. -h usage Show this usage block. -V version Show script version number. -u username User to connect via basic or ntlm auth (or negotiate) to CA. Can be "username" or "domain\\username" -p password - -pf --password-file Passwordfile in case you don't want to write password in clear text. -w workdir Temp directory to work in. Default is \$(mktemp -d). -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate" + --pf --password-file Passwordfile in case you don't want to write password in clear text. --cn CN to request. Default is \$( hostname -f ) --ca CA hostname or base URL. Example: ca2.example.com --reqid Request ID. Needed by --fetch action. @@ -468,23 +468,7 @@ parseFlag() { "V" | "fcheck" | "version" ) ferror "${scriptfile} version ${certreqversion}"; exit 1001;; "u" | "user" | "username" ) getval; CERTREQ_USER="${tempval}";; "p" | "pass" | "password" ) getval; CERTREQ_PASS="${tempval}";; - # I am struggling to find a way to add a option for -p|--password-file. When enabling this code the script just prints a newline with no output to tmpfiles. - # "pf" | "password-file" ) - # shift # Skip the flag itself - # if [ $# -gt 0 ]; then - # password_file="$1" - # if [ -r "$password_file" ]; then - # CERTREQ_PASS=$(cat "$password_file") - # else - # ferror "Unable to read password file: $password_file" - # exit 1 - # fi - # hasval=1 - # else - # ferror "Missing value for flag: $flag" - # exit 1 - # fi - # ;; + "pf" | "password-file" ) getval; test -r "${tempval}" && CERTREQ_PASS="$( cat "${tempval}" )" || ferror "Invalid password file ${tempval}; leaving password blank!";; # Read password from file "w" | "work" | "workdir" ) getval; CERTREQ_WORKDIR="${tempval}";; "t" | "temp" | "template" ) getval; CERTREQ_TEMPLATE="${tempval}";; "cn" | "common-name" | "commonname" ) getval; CERTREQ_CNPARAM="${tempval}";; @@ -507,7 +491,7 @@ parseFlag() { "basic") CERTREQ_AUTH=basic ;; "ntlm") CERTREQ_AUTH=ntlm ;; "negotiate") CERTREQ_AUTH=negotiate ;; - *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" CERTREQ_AUTH=basic ;; + *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" ; CERTREQ_AUTH=basic ;; esac ;; esac @@ -796,7 +780,7 @@ debuglev 5 && { # 4 invalid cert file: incomplete cert file, or no issuer # Wrapped in if statement to not grep when doing --list since no cert is created during that process. - if [[ "$CERTREQ_ACTION" != "list" ]]; then + if test "${CERTREQ_ACTION}" != "list" ; then if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; then failed=$(( failed + 4 )) -- cgit