forked from univention/ucs-appliance-container
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path61-setup-post-join-cleanup
162 lines (150 loc) · 4.79 KB
/
61-setup-post-join-cleanup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
#!/bin/bash
#
# Univention Container Mode - setup-post-join-cleanup
#
# Copyright 2020-2021 Univention GmbH
#
# http://www.univention.de/
#
# All rights reserved.
#
# The source code of this program is made available
# under the terms of the GNU Affero General Public License version 3
# (GNU AGPL V3) as published by the Free Software Foundation.
#
# Binary versions of this program provided by Univention to you as
# well as other copyrighted, protected or trademarked materials like
# Logos, graphics, fonts, specific documentations and configurations,
# cryptographic keys etc. are subject to a license agreement between
# you and Univention and not subject to the GNU AGPL V3.
#
# In the case you use this program under the terms of the GNU AGPL V3,
# the program is provided in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public
# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <http://www.gnu.org/licenses/>.
## util(s)
source /usr/lib/univention-container-mode/utils.sh || exit 1
## function(s)
# function name() { # name: (IN)[>(OUT)]
# echo function
# }
## ucr shell
eval "$(ucr shell hostname domainname)"
## declare
declare -a ucrchanges
# ucrchanges+=("key=value")
declare -a ucrremoves
# ucrremoves+=("key")
declare -A ucrcounter
# ucrcounter[<STRING>]=<INT>
declare -A ucrcommit
# ucrcommit+=/<PATH>/<FILE> OR ucrcommit[<FILE>]=/<PATH>/<FILE>
debug "### START SCRIPT($(pwd)/$0) ###"
## Setup post force join and cleanup in container mode environment
#
# check for temporary certificate(s)
univention-config-registry get apache2/ssl/ca | egrep --quiet -- "^/var/cache/univention-system-setup" &&
univention-config-registry unset \
apache2/ssl/certificate \
apache2/ssl/key \
apache2/ssl/ca
#
# check join status and run join scripts if needed
UniventionCheckJoinStatus
#
# check join status and cleanup container mode environment
# => ( test kerberos with machine secret )
# => ( link, verify and show certificate )
#
univention-check-join-status 2>&1 | egrep --quiet -- "^Joined successfully" && {
#
# init, list and destroy kerberos for local machine
kinit --password-file=/etc/machine.secret ${hostname}\$@$(ucr get kerberos/realm) && klist && kdestroy || /bin/true
#
# set force symbolic link ucs-root-ca.crt and ucsCA.crl for http(s) server
rm --force --verbose /var/www/ucs-root-ca.crt /var/www/ucsCA.crl && {
[[ -f /etc/univention/ssl/ucsCA/CAcert.pem ]] &&
ln \
--force \
--symbolic \
/etc/univention/ssl/ucsCA/CAcert.pem \
/var/www/ucs-root-ca.crt
[[ -f /etc/univention/ssl/ucsCA/crl/ucsCA.crl ]] &&
ln \
--force \
--symbolic \
/etc/univention/ssl/ucsCA/crl/ucsCA.crl \
/var/www/ucsCA.crl
}
#
# verify and show root certificate
[[ -f /etc/univention/ssl/ucsCA/CAcert.pem ]] && {
openssl verify /etc/univention/ssl/ucsCA/CAcert.pem &&
openssl x509 -noout -text -in \
/etc/univention/ssl/ucsCA/CAcert.pem || /bin/true
}
#
# verify and show local certificate(s)
for cert in $(find /etc/univention/ssl -maxdepth 1 -type l -exec basename {} \;) ucs-sso ucs-sso-ng; do
openssl verify /etc/univention/ssl/${cert}.${domainname}/cert.pem &&
openssl x509 -noout -text -in \
/etc/univention/ssl/${cert}.${domainname}/cert.pem || /bin/true
done
#
# show certificate revocation list
[[ -f /etc/univention/ssl/ucsCA/crl/crl.pem ]] &&
openssl crl -noout -text -in \
/etc/univention/ssl/ucsCA/crl/crl.pem || /bin/true
#
# set certificate(s) permission
getent group DC\ Backup\ Hosts && {
chown root:DC\ Backup\ Hosts \
--recursive \
--verbose \
/etc/univention/ssl
find \
/etc/univention/ssl \
-maxdepth 1 -type l \
-exec \
chown root:DC\ Backup\ Hosts \
--recursive \
--verbose {} \;
chmod g+rwX \
--recursive \
--verbose \
/etc/univention/ssl
id ${hostname}\$ && chown ${hostname}\$:DC\ Backup\ Hosts \
--recursive \
--verbose \
/etc/univention/ssl/${hostname} /etc/univention/ssl/${hostname}.${domainname} ||
/bin/true
}
#
# set certificate(s) permission for slave hosts
getent group DC\ Slave\ Hosts && {
chown root:DC\ Slave\ Hosts \
--verbose \
/etc/univention/ssl/ucsCA/CAcert.pem
}
}
#
## Setup post force join and cleanup in container mode environment
debug "### STOPP SCRIPT($(pwd)/$0) ###"
## ucr removes
UniventionConfigRegistryUnSet ${ucrremoves[@]}
## ucr changes
UniventionConfigRegistrySet ${ucrchanges[@]}
## ucr commit
UniventionConfigCommit ${ucrcommit[@]}
## cleanup
unset \
dcpass dcuser \
hostname domainname \
ucrchanges ucrremoves ucrcounter ucrcommit
debug "### CLEAN SCRIPT($(pwd)/$0) ###"