You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

262 lines
8.5 KiB

  1. #!/usr/bin/env sh
  2. # OpenStack Barbican deploy hook
  3. #
  4. # This requires you to have OpenStackClient and python-barbicanclient
  5. # installed.
  6. #
  7. # You will require Keystone V3 credentials loaded into your environment, which
  8. # could be either password or v3applicationcredential type.
  9. #
  10. # Author: Andy Botting <andy@andybotting.com>
  11. openstack_deploy() {
  12. _cdomain="$1"
  13. _ckey="$2"
  14. _ccert="$3"
  15. _cca="$4"
  16. _cfullchain="$5"
  17. _debug _cdomain "$_cdomain"
  18. _debug _ckey "$_ckey"
  19. _debug _ccert "$_ccert"
  20. _debug _cca "$_cca"
  21. _debug _cfullchain "$_cfullchain"
  22. if ! _exists openstack; then
  23. _err "OpenStack client not found"
  24. return 1
  25. fi
  26. _openstack_credentials || return $?
  27. _info "Generate import pkcs12"
  28. _import_pkcs12="$(_mktemp)"
  29. if ! _openstack_to_pkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca"; then
  30. _err "Error creating pkcs12 certificate"
  31. return 1
  32. fi
  33. _debug _import_pkcs12 "$_import_pkcs12"
  34. _base64_pkcs12=$(_base64 "multiline" < "$_import_pkcs12")
  35. secretHrefs=$(_openstack_get_secrets)
  36. _debug secretHrefs "$secretHrefs"
  37. _openstack_store_secret || return $?
  38. if [ -n "$secretHrefs" ]; then
  39. _info "Cleaning up existing secret"
  40. _openstack_delete_secrets || return $?
  41. fi
  42. _info "Certificate successfully deployed"
  43. return 0
  44. }
  45. _openstack_store_secret() {
  46. if ! openstack secret store --name "$_cdomain." -t 'application/octet-stream' -e base64 --payload "$_base64_pkcs12"; then
  47. _err "Failed to create OpenStack secret"
  48. return 1
  49. fi
  50. return
  51. }
  52. _openstack_delete_secrets() {
  53. echo "$secretHrefs" | while read -r secretHref; do
  54. _info "Deleting old secret $secretHref"
  55. if ! openstack secret delete "$secretHref"; then
  56. _err "Failed to delete OpenStack secret"
  57. return 1
  58. fi
  59. done
  60. return
  61. }
  62. _openstack_get_secrets() {
  63. if ! secretHrefs=$(openstack secret list -f value --name "$_cdomain." | cut -d' ' -f1); then
  64. _err "Failed to list secrets"
  65. return 1
  66. fi
  67. echo "$secretHrefs"
  68. }
  69. _openstack_to_pkcs() {
  70. # The existing _toPkcs command can't allow an empty password, due to sh
  71. # -z test, so copied here and forcing the empty password.
  72. _cpfx="$1"
  73. _ckey="$2"
  74. _ccert="$3"
  75. _cca="$4"
  76. ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca" -password "pass:"
  77. }
  78. _openstack_credentials() {
  79. _debug "Check OpenStack credentials"
  80. # If we have OS_AUTH_URL already set in the environment, then assume we want
  81. # to use those, otherwise use stored credentials
  82. if [ -n "$OS_AUTH_URL" ]; then
  83. _debug "OS_AUTH_URL env var found, using environment"
  84. else
  85. _debug "OS_AUTH_URL not found, loading stored credentials"
  86. OS_AUTH_URL="${OS_AUTH_URL:-$(_readaccountconf_mutable OS_AUTH_URL)}"
  87. OS_IDENTITY_API_VERSION="${OS_IDENTITY_API_VERSION:-$(_readaccountconf_mutable OS_IDENTITY_API_VERSION)}"
  88. OS_AUTH_TYPE="${OS_AUTH_TYPE:-$(_readaccountconf_mutable OS_AUTH_TYPE)}"
  89. OS_APPLICATION_CREDENTIAL_ID="${OS_APPLICATION_CREDENTIAL_ID:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID)}"
  90. OS_APPLICATION_CREDENTIAL_SECRET="${OS_APPLICATION_CREDENTIAL_SECRET:-$(_readaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET)}"
  91. OS_USERNAME="${OS_USERNAME:-$(_readaccountconf_mutable OS_USERNAME)}"
  92. OS_PASSWORD="${OS_PASSWORD:-$(_readaccountconf_mutable OS_PASSWORD)}"
  93. OS_PROJECT_NAME="${OS_PROJECT_NAME:-$(_readaccountconf_mutable OS_PROJECT_NAME)}"
  94. OS_PROJECT_ID="${OS_PROJECT_ID:-$(_readaccountconf_mutable OS_PROJECT_ID)}"
  95. OS_USER_DOMAIN_NAME="${OS_USER_DOMAIN_NAME:-$(_readaccountconf_mutable OS_USER_DOMAIN_NAME)}"
  96. OS_USER_DOMAIN_ID="${OS_USER_DOMAIN_ID:-$(_readaccountconf_mutable OS_USER_DOMAIN_ID)}"
  97. OS_PROJECT_DOMAIN_NAME="${OS_PROJECT_DOMAIN_NAME:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_NAME)}"
  98. OS_PROJECT_DOMAIN_ID="${OS_PROJECT_DOMAIN_ID:-$(_readaccountconf_mutable OS_PROJECT_DOMAIN_ID)}"
  99. fi
  100. # Check each var and either save or clear it depending on whether its set.
  101. # The helps us clear out old vars in the case where a user may want
  102. # to switch between password and app creds
  103. _debug "OS_AUTH_URL" "$OS_AUTH_URL"
  104. if [ -n "$OS_AUTH_URL" ]; then
  105. export OS_AUTH_URL
  106. _saveaccountconf_mutable OS_AUTH_URL "$OS_AUTH_URL"
  107. else
  108. unset OS_AUTH_URL
  109. _clearaccountconf SAVED_OS_AUTH_URL
  110. fi
  111. _debug "OS_IDENTITY_API_VERSION" "$OS_IDENTITY_API_VERSION"
  112. if [ -n "$OS_IDENTITY_API_VERSION" ]; then
  113. export OS_IDENTITY_API_VERSION
  114. _saveaccountconf_mutable OS_IDENTITY_API_VERSION "$OS_IDENTITY_API_VERSION"
  115. else
  116. unset OS_IDENTITY_API_VERSION
  117. _clearaccountconf SAVED_OS_IDENTITY_API_VERSION
  118. fi
  119. _debug "OS_AUTH_TYPE" "$OS_AUTH_TYPE"
  120. if [ -n "$OS_AUTH_TYPE" ]; then
  121. export OS_AUTH_TYPE
  122. _saveaccountconf_mutable OS_AUTH_TYPE "$OS_AUTH_TYPE"
  123. else
  124. unset OS_AUTH_TYPE
  125. _clearaccountconf SAVED_OS_AUTH_TYPE
  126. fi
  127. _debug "OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_ID"
  128. if [ -n "$OS_APPLICATION_CREDENTIAL_ID" ]; then
  129. export OS_APPLICATION_CREDENTIAL_ID
  130. _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_ID "$OS_APPLICATION_CREDENTIAL_ID"
  131. else
  132. unset OS_APPLICATION_CREDENTIAL_ID
  133. _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_ID
  134. fi
  135. _secure_debug "OS_APPLICATION_CREDENTIAL_SECRET" "$OS_APPLICATION_CREDENTIAL_SECRET"
  136. if [ -n "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
  137. export OS_APPLICATION_CREDENTIAL_SECRET
  138. _saveaccountconf_mutable OS_APPLICATION_CREDENTIAL_SECRET "$OS_APPLICATION_CREDENTIAL_SECRET"
  139. else
  140. unset OS_APPLICATION_CREDENTIAL_SECRET
  141. _clearaccountconf SAVED_OS_APPLICATION_CREDENTIAL_SECRET
  142. fi
  143. _debug "OS_USERNAME" "$OS_USERNAME"
  144. if [ -n "$OS_USERNAME" ]; then
  145. export OS_USERNAME
  146. _saveaccountconf_mutable OS_USERNAME "$OS_USERNAME"
  147. else
  148. unset OS_USERNAME
  149. _clearaccountconf SAVED_OS_USERNAME
  150. fi
  151. _secure_debug "OS_PASSWORD" "$OS_PASSWORD"
  152. if [ -n "$OS_PASSWORD" ]; then
  153. export OS_PASSWORD
  154. _saveaccountconf_mutable OS_PASSWORD "$OS_PASSWORD"
  155. else
  156. unset OS_PASSWORD
  157. _clearaccountconf SAVED_OS_PASSWORD
  158. fi
  159. _debug "OS_PROJECT_NAME" "$OS_PROJECT_NAME"
  160. if [ -n "$OS_PROJECT_NAME" ]; then
  161. export OS_PROJECT_NAME
  162. _saveaccountconf_mutable OS_PROJECT_NAME "$OS_PROJECT_NAME"
  163. else
  164. unset OS_PROJECT_NAME
  165. _clearaccountconf SAVED_OS_PROJECT_NAME
  166. fi
  167. _debug "OS_PROJECT_ID" "$OS_PROJECT_ID"
  168. if [ -n "$OS_PROJECT_ID" ]; then
  169. export OS_PROJECT_ID
  170. _saveaccountconf_mutable OS_PROJECT_ID "$OS_PROJECT_ID"
  171. else
  172. unset OS_PROJECT_ID
  173. _clearaccountconf SAVED_OS_PROJECT_ID
  174. fi
  175. _debug "OS_USER_DOMAIN_NAME" "$OS_USER_DOMAIN_NAME"
  176. if [ -n "$OS_USER_DOMAIN_NAME" ]; then
  177. export OS_USER_DOMAIN_NAME
  178. _saveaccountconf_mutable OS_USER_DOMAIN_NAME "$OS_USER_DOMAIN_NAME"
  179. else
  180. unset OS_USER_DOMAIN_NAME
  181. _clearaccountconf SAVED_OS_USER_DOMAIN_NAME
  182. fi
  183. _debug "OS_USER_DOMAIN_ID" "$OS_USER_DOMAIN_ID"
  184. if [ -n "$OS_USER_DOMAIN_ID" ]; then
  185. export OS_USER_DOMAIN_ID
  186. _saveaccountconf_mutable OS_USER_DOMAIN_ID "$OS_USER_DOMAIN_ID"
  187. else
  188. unset OS_USER_DOMAIN_ID
  189. _clearaccountconf SAVED_OS_USER_DOMAIN_ID
  190. fi
  191. _debug "OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_DOMAIN_NAME"
  192. if [ -n "$OS_PROJECT_DOMAIN_NAME" ]; then
  193. export OS_PROJECT_DOMAIN_NAME
  194. _saveaccountconf_mutable OS_PROJECT_DOMAIN_NAME "$OS_PROJECT_DOMAIN_NAME"
  195. else
  196. unset OS_PROJECT_DOMAIN_NAME
  197. _clearaccountconf SAVED_OS_PROJECT_DOMAIN_NAME
  198. fi
  199. _debug "OS_PROJECT_DOMAIN_ID" "$OS_PROJECT_DOMAIN_ID"
  200. if [ -n "$OS_PROJECT_DOMAIN_ID" ]; then
  201. export OS_PROJECT_DOMAIN_ID
  202. _saveaccountconf_mutable OS_PROJECT_DOMAIN_ID "$OS_PROJECT_DOMAIN_ID"
  203. else
  204. unset OS_PROJECT_DOMAIN_ID
  205. _clearaccountconf SAVED_OS_PROJECT_DOMAIN_ID
  206. fi
  207. if [ "$OS_AUTH_TYPE" = "v3applicationcredential" ]; then
  208. # Application Credential auth
  209. if [ -z "$OS_APPLICATION_CREDENTIAL_ID" ] || [ -z "$OS_APPLICATION_CREDENTIAL_SECRET" ]; then
  210. _err "When using OpenStack application credentials, OS_APPLICATION_CREDENTIAL_ID"
  211. _err "and OS_APPLICATION_CREDENTIAL_SECRET must be set."
  212. _err "Please check your credentials and try again."
  213. return 1
  214. fi
  215. else
  216. # Password auth
  217. if [ -z "$OS_USERNAME" ] || [ -z "$OS_PASSWORD" ]; then
  218. _err "OpenStack username or password not found."
  219. _err "Please check your credentials and try again."
  220. return 1
  221. fi
  222. if [ -z "$OS_PROJECT_NAME" ] && [ -z "$OS_PROJECT_ID" ]; then
  223. _err "When using password authentication, OS_PROJECT_NAME or"
  224. _err "OS_PROJECT_ID must be set."
  225. _err "Please check your credentials and try again."
  226. return 1
  227. fi
  228. fi
  229. return 0
  230. }