

13 Commits

Author SHA1 Message Date
Christer Warén
869a22cb73 Add extra-vars parameter to use with Build tasks on Manager playbook in Infra command 2026-01-22 01:44:41 +02:00
Christer Warén
21db6ac4e9 Update Login in Config function 2026-01-22 01:30:42 +02:00
Christer Warén
7dd2a07186 Update SSH Keys Sign feature 2026-01-18 19:01:40 +02:00
Christer Warén
a37fce53e8 Update Login and Logout process 2026-01-18 18:54:36 +02:00
Christer Warén
a9539ffb9d Remove operation variable from Manager playbook in Infra command 2026-01-15 07:15:52 +02:00
Christer Warén
c479044caf Change hostname to host parameter in Infra command 2026-01-06 07:46:25 +02:00
Christer Warén
c9008a981b Fix Infra command 2026-01-04 08:26:52 +02:00
Christer Warén
a9e5b2c336 Use new arguments and fix Init playbook location in Infra command 2025-12-29 15:09:07 +02:00
Christer Warén
cf9bc49c27 Fix SSH subcommands 2025-12-12 16:52:58 +02:00
Christer Warén
d91a7c21c0 Rename Login Type to Auth Method 2025-12-03 13:30:21 +02:00
Christer Warén
7898e55f30 Fix missing token variable in login command when auth method is ldap 2025-11-26 21:16:39 +02:00
Christer Warén
3fafb66781 FIx typos part 2 2025-11-10 21:13:56 +02:00
Christer Warén
54409a4197 FIx typos 2025-11-10 19:48:07 +02:00
18 changed files with 194 additions and 108 deletions


@@ -6,25 +6,25 @@ wx-login(){
wxi-header "$ORG_HEADER" h3 wxi-header "$ORG_HEADER" h3
if [[ ! -z ${args['login-type']} ]] if [[ ! -z ${args['auth-method']} ]]
then then
LOGIN_TYPE=${args['login-type']} AUTH_METHOD=${args['auth-method']}
elif [[ ! -z ${args['token']} ]] elif [[ ! -z ${args['token']} ]]
then then
LOGIN_TYPE=token AUTH_METHOD=token
elif [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]] elif [[ $(wxi-config login read) ]]
then then
LOGIN_TYPE=token AUTH_METHOD=token
elif [[ ! -z ${args['username']} ]] elif [[ ! -z ${args['username']} ]]
then then
LOGIN_TYPE=ldap AUTH_METHOD=ldap
else else
LOGIN_TYPE=ldap AUTH_METHOD=ldap
fi fi
if [[ ! -z $LOGIN_TYPE ]] if [[ ! -z $AUTH_METHOD ]]
then then
case $LOGIN_TYPE in case $AUTH_METHOD in
ldap) ldap)
echo -n "Username: " echo -n "Username: "
if [[ ! -z ${args['username']} ]] if [[ ! -z ${args['username']} ]]
@@ -61,10 +61,12 @@ wx-login(){
if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]]
then then
wxi-content status "Login" "Failed" wxi-content status "Login" "Failed"
wxi-footer
wxi-stop wxi-stop
fi fi
wxi-config login TOKEN=$VAULT_LOGIN
wxi-config login write
;; ;;
token) token)
echo -n "Token: " echo -n "Token: "
@@ -74,9 +76,9 @@ wx-login(){
then then
TOKEN=${args['token']} TOKEN=${args['token']}
fi fi
elif [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]] elif [[ $(wxi-config login read) ]]
then then
TOKEN=$(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) TOKEN=$(wxi-config login read)
else else
read -s TOKEN read -s TOKEN
fi fi
@@ -104,10 +106,19 @@ wx-login(){
if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]]
then then
wxi-content status "Login" "Failed" wxi-content status "Login" "Failed"
wxi-footer
if [[ $(wxi-config login read) ]]
then
wx-logout &> /dev/null
wx-login
else
wxi-stop wxi-stop
fi fi
fi
wxi-config login TOKEN=$VAULT_LOGIN
wxi-config login write
;; ;;
*) *)
wxi-content status "Login Type" "Unsupported" wxi-content status "Login Type" "Unsupported"
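Review bot: The token-branch retry at the end of the hunk falls through after the nested `wx-login` returns, so the outer frame still runs `TOKEN=$VAULT_LOGIN` and `wxi-config login write`; that only stores the right value because `VAULT_LOGIN` is a global the nested call happens to overwrite, and if `wxi-stop` does not `exit` the rejected token gets written back. Returning straight after the retry makes the outer frame inert: `wx-logout &> /dev/null; wx-login; return`. Note also that when the bad token came from `--token`, this path erases a possibly valid stored token and retries with the same argument, which fails again and then stops; retrying only when the stored token was the one that failed would avoid that. wx-login's body starts and ends outside this hunk.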


@@ -14,10 +14,8 @@ wx-logout(){
then then
wxi-header "$ORG_HEADER" h3 wxi-header "$ORG_HEADER" h3
echo "Logging Out..." echo "Logging Out..."
TOKEN="" wxi-config login erase
wxi-config login
wxi-footer wxi-footer
wxi-stop
fi fi
} }
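Review bot: `wxi-config login erase` only blanks the token in `~/.warengroup/config.json`; nothing revokes it in Vault, so a logged-out token stays usable until its TTL expires, and with the `wxi-stop` after the footer dropped, callers now continue after the logout. Revoking before erasing closes that window: `curl -s -X POST --header "X-Vault-Token: $TOKEN" https://$VAULT_DOMAIN/v1/auth/token/revoke-self &> /dev/null` placed before `wxi-config login erase`, assuming `TOKEN` holds the active token here (this commit sets it in wx-login's token path). When wx-login calls wx-logout after a rejected token the revoke simply fails, which is harmless. The `if` wrapping this body opens outside the hunk.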


@@ -1,5 +1,5 @@
wx-infra(){ wx-infra(){
wx-login &> /dev/null wx-login
wx-auto &> /dev/null wx-auto &> /dev/null
wxi-header "Infra" wxi-header "Infra"
@@ -21,12 +21,12 @@ wx-infra(){
mkdir -p "$INFRA_PATH/vault" &> /dev/null mkdir -p "$INFRA_PATH/vault" &> /dev/null
curl \ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \ -H "X-Vault-Token: $TOKEN" \
-X GET \ -X GET \
https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.cwchristerw' > "$INFRA_PATH/vault/cwchristerw" https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.cwchristerw' > "$INFRA_PATH/vault/cwchristerw"
curl \ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \ -H "X-Vault-Token: $TOKEN" \
-X GET \ -X GET \
https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.warengroup' > "$INFRA_PATH/vault/warengroup" https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.warengroup' > "$INFRA_PATH/vault/warengroup"
fi fi
@@ -54,6 +54,8 @@ wx-infra(){
then then
wxi-header "Init" h3 wxi-header "Init" h3
host=${args['host']}
if [[ -z ${args['3']} ]] if [[ -z ${args['3']} ]]
then then
tags=init tags=init
@@ -61,15 +63,26 @@ wx-infra(){
tags=${args['3']} tags=${args['3']}
fi fi
ansible-playbook $INFRA_VAULT playbooks/init.yml -t $tags --limit "${args['limit']}" ansible-playbook $INFRA_VAULT init.yml --tags $tags --limit "$host"
elif [[ ${args['2']} == "manager" ]] elif [[ ${args['2']} == "manager" ]]
then then
wxi-header "Manager" h3 if [[ -z ${args['host']} ]]
ansible-playbook $INFRA_VAULT manager.yml --extra-vars "${args['extra-vars']}" then
host="*"
else else
wxi-header "Playbooks" h3 host=${args['host']}
fi
operation=${args['operation']}
extra_vars=${args['extra-vars']}
wxi-header "Manager" h3
ansible-playbook $INFRA_VAULT manager.yml --tags $operation --extra-vars "host=$host" --extra-vars="$extra_vars"
else
wxi-header "Infra" h3
host=${args['host']}
tags=${args['2']} tags=${args['2']}
ansible-playbook $INFRA_VAULT playbooks.yml -t $tags --limit "${args['limit']}" ansible-playbook $INFRA_VAULT infra.yml --tags $tags --limit "$host"
fi fi
cd "$OLDPWD" cd "$OLDPWD"
fi fi
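Review bot: In the new manager branch `--tags $operation` is unquoted and `operation` is only whatever `args['operation']` holds, so when the argument is omitted the command becomes `manager.yml --tags --extra-vars ...` and ansible-playbook either errors or treats the next token as the tag list; the same applies to `--tags $tags` in the init and infra branches when `args['3']`/`args['2']` are empty. Building the option conditionally avoids that: `tag_args=(); [[ -n $operation ]] && tag_args=(--tags "$operation")`, then pass `"${tag_args[@]}"`. The `host="*"` default also means a manager run with no `--host` targets every host, a large blast radius for a typo; requiring an explicit host, or at least printing the resolved target before running, would be safer. wx-infra's body continues outside the hunk.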


@@ -1,4 +1,6 @@
wx-auto(){ wx-auto(){
wx-login
wxi-header "Auto" wxi-header "Auto"
wxi-restricted wxi-restricted
wxi-footer wxi-footer


@@ -1,4 +1,7 @@
wx-settings(){ wx-settings(){
wx-login
wx-auto &> /dev/null
wxi-header "Settings" wxi-header "Settings"
wxi-restricted --user wxi-restricted --user
wxi-footer wxi-footer
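Review bot: wx-settings now calls `wx-login` and then `wx-auto &> /dev/null`, and in this same commit wx-auto itself begins with `wx-login`, so every settings invocation runs the login sequence twice; the second run is silent because its output is discarded, so if it ever reached an interactive prompt (the `read -s TOKEN` path) the user would see nothing — presumably the stored token from the first run keeps it non-interactive, but that is implicit. Either drop the explicit `wx-login` here and rely on wx-auto's, or have wx-auto skip login when `wxi-config login read` already succeeds. The same double call appears in wx-infra.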


@@ -1,6 +1,5 @@
wx-ssh(){ wx-ssh(){
wx-login &> /dev/null wx-login &> /dev/null
wx-auto &> /dev/null
case ${args['2']} in case ${args['2']} in
config) config)


@@ -2,7 +2,7 @@ wxi-ssh-config-clean(){
wxi-header "SSH / Config / Clean" wxi-header "SSH / Config / Clean"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN")
if [[ -f "$HOME/.ssh/config" && $VAULT_STATUS -eq 200 ]] if [[ -f "$HOME/.ssh/config" && $VAULT_STATUS -eq 200 ]]
then then
rm "$HOME/.ssh/config" rm "$HOME/.ssh/config"


@@ -4,7 +4,7 @@ wxi-ssh-config-save(){
if [[ -f "$HOME/.ssh/config" ]] if [[ -f "$HOME/.ssh/config" ]]
then then
curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"data\": { \"data\": \"$(cat ~/.ssh/config | base64 -w 0)\" } }" -s &> /dev/null curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"data\": { \"data\": \"$(cat ~/.ssh/config | base64 -w 0)\" } }" -s &> /dev/null
fi fi
wxi-footer wxi-footer
} }


@@ -2,15 +2,15 @@ wxi-ssh-config-sync(){
wxi-header "SSH / Config / Sync" wxi-header "SSH / Config / Sync"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
touch ~/.ssh/config touch ~/.ssh/config
SSH1_CONFIG_MD5=$(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.data' | base64 -d | md5sum | base64) SSH1_CONFIG_MD5=$(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.data' | base64 -d | md5sum | base64)
SSH2_CONFIG_MD5=$(cat ~/.ssh/config | md5sum | base64) SSH2_CONFIG_MD5=$(cat ~/.ssh/config | md5sum | base64)
if [[ $SSH1_CONFIG_MD5 != $SSH2_CONFIG_MD5 ]] if [[ $SSH1_CONFIG_MD5 != $SSH2_CONFIG_MD5 ]]
then then
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.data') | base64 -d > ~/.ssh/config 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.data') | base64 -d > ~/.ssh/config 2>&1
chmod 700 ~/.ssh/config chmod 700 ~/.ssh/config
fi fi
fi fi


@@ -1,18 +1,18 @@
wxi-ssh-keys(){ wxi-ssh-keys(){
case ${args['3']} in case ${args['3']} in
generate) generate)
wxi-ssh-keys-retrieve wxi-ssh-keys-retrieve ${args['4']}
wxi-ssh-keys-generate wxi-ssh-keys-generate ${args['4']}
wxi-ssh-keys-save wxi-ssh-keys-save ${args['4']}
;; ;;
sign) sign)
wxi-ssh-keys-sign wxi-ssh-keys-sign
;; ;;
retrieve) retrieve)
wxi-ssh-keys-retrieve wxi-ssh-keys-retrieve ${args['4']}
;; ;;
save) save)
wxi-ssh-keys-save wxi-ssh-keys-save ${args['4']}
;; ;;
sync) sync)
wxi-ssh-keys-sync wxi-ssh-keys-sync
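Review bot: The generate/retrieve/save arms now forward `${args['4']}` unquoted, so when no key name is given the helpers run with no `$1` and retrieve's `[[ ! -z $1 ]]` guard and save's `-f` check turn the whole command into a silent no-op instead of an error. A check in the dispatcher makes that visible: `[[ -z ${args['4']} ]] && { wxi-content status "SSH Keys" "Missing name"; wxi-stop; }` before the `case`, and the forwarded value should be quoted as `"${args['4']}"` so a name with whitespace does not become several arguments. The `case` closes outside the hunk.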


@@ -11,16 +11,16 @@ wxi-ssh-keys-clean(){
rm "$HOME/.ssh/keys/$1.sig" &> /dev/null rm "$HOME/.ssh/keys/$1.sig" &> /dev/null
fi fi
else else
wx-ssh-keys-clean $ORG wxi-ssh-keys-clean $ORG
if [[ $USERNAME == "cwchristerw" ]] if [[ $USERNAME == "cwchristerw" ]]
then then
wx-ssh-keys-clean warengroup wxi-ssh-keys-clean warengroup
fi fi
for file in ~/.ssh/keys/* for file in ~/.ssh/keys/*
do do
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$(basename "$file" .pub) -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$(basename "$file" .pub) -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
rm "$file" &> /dev/null rm "$file" &> /dev/null
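Review bot: The loop deletes a local key file whenever Vault returns 200 for a record of the same name, without checking that the stored copy matches the local one, so a key regenerated locally and never saved is removed along with its only copy. Comparing before deleting avoids that, e.g. `[[ $(base64 -w 0 "$file") == $(curl -s ... | jq -r '.data.data.private') ]] || continue` for the private key (and `.public` for `.pub` files). The `basename "$file" .pub` lookup also leaves `*.sig` certificates in place, since their name is looked up verbatim and gets no 200; if they should be cleaned too, the explicit `$1.sig` removal at the top of the hunk suggests stripping `.sig` as well. The function starts outside the hunk.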


@@ -4,12 +4,12 @@ wxi-ssh-keys-retrieve(){
if [[ ! -z $1 ]] if [[ ! -z $1 ]]
then then
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.private') | base64 -d > ~/.ssh/keys/$1 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.private') | base64 -d > ~/.ssh/keys/$1 2>&1
chmod 700 ~/.ssh/keys/$1 chmod 700 ~/.ssh/keys/$1
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.public') | base64 -d > ~/.ssh/keys/$1.pub 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.public') | base64 -d > ~/.ssh/keys/$1.pub 2>&1
chmod 700 ~/.ssh/keys/$1.pub chmod 700 ~/.ssh/keys/$1.pub
fi fi
fi fi


@@ -6,7 +6,7 @@ wxi-ssh-keys-save(){
then then
if [[ -f "$HOME/.ssh/keys/$1" ]] if [[ -f "$HOME/.ssh/keys/$1" ]]
then then
curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"data\": { \"private\": \"$(cat ~/.ssh/keys/$1 | base64 -w 0)\", \"public\": \"$(cat ~/.ssh/keys/$1.pub | base64 -w 0)\" } }" -s &> /dev/null curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"data\": { \"private\": \"$(cat ~/.ssh/keys/$1 | base64 -w 0)\", \"public\": \"$(cat ~/.ssh/keys/$1.pub | base64 -w 0)\" } }" -s &> /dev/null
fi fi
fi fi
wxi-footer wxi-footer


@@ -2,11 +2,12 @@ wxi-ssh-keys-sign(){
wxi-header "SSH / Keys / Sign" wxi-header "SSH / Keys / Sign"
wxi-restricted wxi-restricted
wx-ssh-keys-sign-create $ORG sysadmin 3600
if [[ $USERNAME == "cwchristerw" ]] if [[ $USERNAME == "cwchristerw" ]]
then then
wx-ssh-keys-sign-create warengroup sysadmin 3600 wxi-ssh-keys-sign-create cwchristerw sysadmin 3600
wxi-ssh-keys-sign-create warengroup sysadmin 3600
else
wxi-ssh-keys-sign-create $ORG sysadmin 3600
fi fi
wxi-footer wxi-footer
} }
@@ -22,6 +23,6 @@ wxi-ssh-keys-sign-create(){
if [[ -f "$HOME/.ssh/keys/$NAME" ]] if [[ -f "$HOME/.ssh/keys/$NAME" ]]
then then
wxi-content text "$NAME/$ROLE" wxi-content text "$NAME/$ROLE"
echo $(curl https://$VAULT_DOMAIN/v1/ssh/sign/$ROLE -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"public_key\": \"$(cat $HOME/.ssh/keys/$NAME.pub)\", \"valid_principals\": \"$PRINCIPALS,$USERNAME\", \"ttl\": \"$TTL\" }" -s | jq -r '.data.signed_key') > ~/.ssh/keys/$NAME.sig 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/ssh/sign/$ROLE -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"public_key\": \"$(cat $HOME/.ssh/keys/$NAME.pub)\", \"valid_principals\": \"$PRINCIPALS,$USERNAME\", \"ttl\": \"$TTL\" }" -s | jq -r '.data.signed_key') > ~/.ssh/keys/$NAME.sig 2>&1
fi fi
} }
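Review bot: The sign call writes `jq -r '.data.signed_key'` straight into `~/.ssh/keys/$NAME.sig`, so when Vault rejects the request (wrong role, expired token, disallowed principal) the file is overwritten with the literal `null`, the previously valid certificate is lost, and no status is shown. Capture the response first, `signed=$(curl ... | jq -r '.data.signed_key // empty')`, write the file only when `$signed` is non-empty, and otherwise report `wxi-content status "$NAME/$ROLE" "Failed"`. `$PRINCIPALS` and `$TTL` come from the function's prologue, which, like wxi-ssh-keys-sign-create's signature, is outside the hunk.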


@@ -1,13 +1,13 @@
wxi-ssh-keys-sync(){ wxi-ssh-keys-sync(){
wxi-header "SSH / Keys / Sync" wxi-header "SSH / Keys / Sync"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
for name in $(curl https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.keys | @sh' | tr -d \') for name in $(curl https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.keys | @sh' | tr -d \')
do do
echo $name wxi-content text $name
wx-ssh-keys-retrieve $name --multiple wxi-ssh-keys-retrieve $name &> /dev/null
done done
fi fi
wxi-footer wxi-footer
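Review bot: Each name from the Vault LIST is passed to `wxi-ssh-keys-retrieve` unvalidated, and that helper writes to `~/.ssh/keys/$1`, so a listing entry such as `../authorized_keys` or a nested-path entry ending in `/` would write outside the keys directory; anyone able to write under `cli/metadata/$USERNAME/settings/ssh/keys` could plant such an entry. Rejecting path-like names keeps writes inside the directory: `[[ $name == */* || $name == .* ]] && continue` at the top of the loop. The `@sh | tr -d \'` step also word-splits names containing whitespace into several retrieves; iterating `jq -r '.data.keys[]'` with `while IFS= read -r name` avoids that.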


@@ -1,7 +1,23 @@
wxi-config(){ wxi-config(){
case $1 in case $1 in
login) login)
jq '.login.'$ORG'.token = "'$VAULT_LOGIN'"' $HOME/.warengroup/config.json &> $HOME/.warengroup/config.json.tmp case $2 in
write)
jq '.login.'$ORG'.token = "'$TOKEN'"' $HOME/.warengroup/config.json &> $HOME/.warengroup/config.json.tmp
;;
read)
if [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]]
then
cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token
else
return 1
fi
;;
erase)
TOKEN=""
wxi-config login write
;;
esac
;; ;;
*) *)
echo -n "" echo -n ""
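Review bot: The `write` arm splices `$ORG` and `$TOKEN` into the jq program text, so a token or org containing a quote or backslash breaks (or changes) the filter, and `&>` sends jq's error output into `config.json.tmp` where the next `read` would try to parse it. Passing the values as jq variables and keeping stderr out of the file fixes both: `jq --arg org "$ORG" --arg token "$TOKEN" '.login[$org].token = $token' "$HOME/.warengroup/config.json" > "$HOME/.warengroup/config.json.tmp"`. The `read` arm also runs the same `cat | jq` pipeline three times; computing it once into a local and testing that is cheaper and avoids reading a half-written file between calls. What happens to `.tmp` afterwards, and the permissions of the file that now holds a plaintext token, are outside the hunk.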


@@ -28,10 +28,10 @@ wxi-restricted(){
wxi-stop wxi-stop
;; ;;
esac esac
elif [[ $(hostname -d) = *"devices.waren.io" ]] elif [[ $(hostname -d) == "devices.waren.io" ]]
then then
ORG=warengroup ORG=warengroup
elif [[ $(hostname -d) = *"devices.christerwaren.fi" ]] elif [[ $(hostname -d) == "devices.christerwaren.fi" ]]
then then
ORG=cwchristerw ORG=cwchristerw
fi fi
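Review bot: With the exact-match comparison there is no `else`, so a device whose `hostname -d` is neither domain leaves `ORG` unset and the later `.login.$ORG.token` paths in wxi-config become `.login..token`, a jq syntax error rather than a clear message (unless a default is assigned before this `elif` chain, which is outside the hunk). An explicit fallback arm, `else wxi-content status "Organization" "Unknown"; wxi-stop`, makes the failure visible. `hostname -d` is whatever the local resolver reports, so ORG is a convenience selector rather than an authenticated identity — acceptable as long as it only chooses which stored token is used.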

wx

@@ -12,7 +12,23 @@ declare -Ax messages
wxi-config(){ wxi-config(){
case $1 in case $1 in
login) login)
jq '.login.'$ORG'.token = "'$VAULT_LOGIN'"' $HOME/.warengroup/config.json &> $HOME/.warengroup/config.json.tmp case $2 in
write)
jq '.login.'$ORG'.token = "'$TOKEN'"' $HOME/.warengroup/config.json &> $HOME/.warengroup/config.json.tmp
;;
read)
if [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]]
then
cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token
else
return 1
fi
;;
erase)
TOKEN=""
wxi-config login write
;;
esac
;; ;;
*) *)
echo -n "" echo -n ""
@@ -52,10 +68,10 @@ wxi-restricted(){
wxi-stop wxi-stop
;; ;;
esac esac
elif [[ $(hostname -d) = *"devices.waren.io" ]] elif [[ $(hostname -d) == "devices.waren.io" ]]
then then
ORG=warengroup ORG=warengroup
elif [[ $(hostname -d) = *"devices.christerwaren.fi" ]] elif [[ $(hostname -d) == "devices.christerwaren.fi" ]]
then then
ORG=cwchristerw ORG=cwchristerw
fi fi
@@ -271,7 +287,7 @@ wxi-footer
} }
wx-infra(){ wx-infra(){
wx-login &> /dev/null wx-login
wx-auto &> /dev/null wx-auto &> /dev/null
wxi-header "Infra" wxi-header "Infra"
@@ -293,12 +309,12 @@ wx-infra(){
mkdir -p "$INFRA_PATH/vault" &> /dev/null mkdir -p "$INFRA_PATH/vault" &> /dev/null
curl \ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \ -H "X-Vault-Token: $TOKEN" \
-X GET \ -X GET \
https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.cwchristerw' > "$INFRA_PATH/vault/cwchristerw" https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.cwchristerw' > "$INFRA_PATH/vault/cwchristerw"
curl \ curl \
-H "X-Vault-Token: $VAULT_TOKEN" \ -H "X-Vault-Token: $TOKEN" \
-X GET \ -X GET \
https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.warengroup' > "$INFRA_PATH/vault/warengroup" https://$VAULT_DOMAIN/v1/cli/data/cwchristerw/settings/infra -s | jq -r '.data.data.warengroup' > "$INFRA_PATH/vault/warengroup"
fi fi
@@ -326,6 +342,8 @@ wx-infra(){
then then
wxi-header "Init" h3 wxi-header "Init" h3
host=${args['host']}
if [[ -z ${args['3']} ]] if [[ -z ${args['3']} ]]
then then
tags=init tags=init
@@ -333,15 +351,26 @@ wx-infra(){
tags=${args['3']} tags=${args['3']}
fi fi
ansible-playbook $INFRA_VAULT playbooks/init.yml -t $tags --limit "${args['limit']}" ansible-playbook $INFRA_VAULT init.yml --tags $tags --limit "$host"
elif [[ ${args['2']} == "manager" ]] elif [[ ${args['2']} == "manager" ]]
then then
wxi-header "Manager" h3 if [[ -z ${args['host']} ]]
ansible-playbook $INFRA_VAULT manager.yml --extra-vars "${args['extra-vars']}" then
host="*"
else else
wxi-header "Playbooks" h3 host=${args['host']}
fi
operation=${args['operation']}
extra_vars=${args['extra-vars']}
wxi-header "Manager" h3
ansible-playbook $INFRA_VAULT manager.yml --tags $operation --extra-vars "host=$host" --extra-vars="$extra_vars"
else
wxi-header "Infra" h3
host=${args['host']}
tags=${args['2']} tags=${args['2']}
ansible-playbook $INFRA_VAULT playbooks.yml -t $tags --limit "${args['limit']}" ansible-playbook $INFRA_VAULT infra.yml --tags $tags --limit "$host"
fi fi
cd "$OLDPWD" cd "$OLDPWD"
fi fi
@@ -350,7 +379,6 @@ wx-infra(){
wx-ssh(){ wx-ssh(){
wx-login &> /dev/null wx-login &> /dev/null
wx-auto &> /dev/null
case ${args['2']} in case ${args['2']} in
config) config)
@@ -390,25 +418,25 @@ wx-login(){
wxi-header "$ORG_HEADER" h3 wxi-header "$ORG_HEADER" h3
if [[ ! -z ${args['login-type']} ]] if [[ ! -z ${args['auth-method']} ]]
then then
LOGIN_TYPE=${args['login-type']} AUTH_METHOD=${args['auth-method']}
elif [[ ! -z ${args['token']} ]] elif [[ ! -z ${args['token']} ]]
then then
LOGIN_TYPE=token AUTH_METHOD=token
elif [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]] elif [[ $(wxi-config login read) ]]
then then
LOGIN_TYPE=token AUTH_METHOD=token
elif [[ ! -z ${args['username']} ]] elif [[ ! -z ${args['username']} ]]
then then
LOGIN_TYPE=ldap AUTH_METHOD=ldap
else else
LOGIN_TYPE=ldap AUTH_METHOD=ldap
fi fi
if [[ ! -z $LOGIN_TYPE ]] if [[ ! -z $AUTH_METHOD ]]
then then
case $LOGIN_TYPE in case $AUTH_METHOD in
ldap) ldap)
echo -n "Username: " echo -n "Username: "
if [[ ! -z ${args['username']} ]] if [[ ! -z ${args['username']} ]]
@@ -445,10 +473,12 @@ wx-login(){
if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]]
then then
wxi-content status "Login" "Failed" wxi-content status "Login" "Failed"
wxi-footer
wxi-stop wxi-stop
fi fi
wxi-config login TOKEN=$VAULT_LOGIN
wxi-config login write
;; ;;
token) token)
echo -n "Token: " echo -n "Token: "
@@ -458,9 +488,9 @@ wx-login(){
then then
TOKEN=${args['token']} TOKEN=${args['token']}
fi fi
elif [[ -f "$HOME/.warengroup/config.json" && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != 'null' && $(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) != '' ]] elif [[ $(wxi-config login read) ]]
then then
TOKEN=$(cat $HOME/.warengroup/config.json | jq -r .login.$ORG.token) TOKEN=$(wxi-config login read)
else else
read -s TOKEN read -s TOKEN
fi fi
@@ -488,10 +518,19 @@ wx-login(){
if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]] if [[ -z $VAULT_LOGIN || ${#VAULT_LOGIN} -lt 95 || ${#VAULT_LOGIN} -gt 95 ]]
then then
wxi-content status "Login" "Failed" wxi-content status "Login" "Failed"
wxi-footer
if [[ $(wxi-config login read) ]]
then
wx-logout &> /dev/null
wx-login
else
wxi-stop wxi-stop
fi fi
fi
wxi-config login TOKEN=$VAULT_LOGIN
wxi-config login write
;; ;;
*) *)
wxi-content status "Login Type" "Unsupported" wxi-content status "Login Type" "Unsupported"
@@ -537,10 +576,8 @@ wx-logout(){
then then
wxi-header "$ORG_HEADER" h3 wxi-header "$ORG_HEADER" h3
echo "Logging Out..." echo "Logging Out..."
TOKEN="" wxi-config login erase
wxi-config login
wxi-footer wxi-footer
wxi-stop
fi fi
} }
@@ -609,6 +646,8 @@ wx-update(){
} }
wx-auto(){ wx-auto(){
wx-login
wxi-header "Auto" wxi-header "Auto"
wxi-restricted wxi-restricted
wxi-footer wxi-footer
@@ -628,6 +667,9 @@ wx-clean(){
} }
wx-settings(){ wx-settings(){
wx-login
wx-auto &> /dev/null
wxi-header "Settings" wxi-header "Settings"
wxi-restricted --user wxi-restricted --user
wxi-footer wxi-footer
@@ -658,18 +700,18 @@ wxi-ssh-config(){
wxi-ssh-keys(){ wxi-ssh-keys(){
case ${args['3']} in case ${args['3']} in
generate) generate)
wxi-ssh-keys-retrieve wxi-ssh-keys-retrieve ${args['4']}
wxi-ssh-keys-generate wxi-ssh-keys-generate ${args['4']}
wxi-ssh-keys-save wxi-ssh-keys-save ${args['4']}
;; ;;
sign) sign)
wxi-ssh-keys-sign wxi-ssh-keys-sign
;; ;;
retrieve) retrieve)
wxi-ssh-keys-retrieve wxi-ssh-keys-retrieve ${args['4']}
;; ;;
save) save)
wxi-ssh-keys-save wxi-ssh-keys-save ${args['4']}
;; ;;
sync) sync)
wxi-ssh-keys-sync wxi-ssh-keys-sync
@@ -688,7 +730,7 @@ wxi-ssh-config-clean(){
wxi-header "SSH / Config / Clean" wxi-header "SSH / Config / Clean"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN")
if [[ -f "$HOME/.ssh/config" && $VAULT_STATUS -eq 200 ]] if [[ -f "$HOME/.ssh/config" && $VAULT_STATUS -eq 200 ]]
then then
rm "$HOME/.ssh/config" rm "$HOME/.ssh/config"
@@ -710,7 +752,7 @@ wxi-ssh-config-save(){
if [[ -f "$HOME/.ssh/config" ]] if [[ -f "$HOME/.ssh/config" ]]
then then
curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"data\": { \"data\": \"$(cat ~/.ssh/config | base64 -w 0)\" } }" -s &> /dev/null curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"data\": { \"data\": \"$(cat ~/.ssh/config | base64 -w 0)\" } }" -s &> /dev/null
fi fi
wxi-footer wxi-footer
} }
@@ -719,15 +761,15 @@ wxi-ssh-config-sync(){
wxi-header "SSH / Config / Sync" wxi-header "SSH / Config / Sync"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
touch ~/.ssh/config touch ~/.ssh/config
SSH1_CONFIG_MD5=$(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.data' | base64 -d | md5sum | base64) SSH1_CONFIG_MD5=$(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.data' | base64 -d | md5sum | base64)
SSH2_CONFIG_MD5=$(cat ~/.ssh/config | md5sum | base64) SSH2_CONFIG_MD5=$(cat ~/.ssh/config | md5sum | base64)
if [[ $SSH1_CONFIG_MD5 != $SSH2_CONFIG_MD5 ]] if [[ $SSH1_CONFIG_MD5 != $SSH2_CONFIG_MD5 ]]
then then
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.data') | base64 -d > ~/.ssh/config 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/config -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.data') | base64 -d > ~/.ssh/config 2>&1
chmod 700 ~/.ssh/config chmod 700 ~/.ssh/config
fi fi
fi fi
@@ -747,16 +789,16 @@ wxi-ssh-keys-clean(){
rm "$HOME/.ssh/keys/$1.sig" &> /dev/null rm "$HOME/.ssh/keys/$1.sig" &> /dev/null
fi fi
else else
wx-ssh-keys-clean $ORG wxi-ssh-keys-clean $ORG
if [[ $USERNAME == "cwchristerw" ]] if [[ $USERNAME == "cwchristerw" ]]
then then
wx-ssh-keys-clean warengroup wxi-ssh-keys-clean warengroup
fi fi
for file in ~/.ssh/keys/* for file in ~/.ssh/keys/*
do do
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$(basename "$file" .pub) -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$(basename "$file" .pub) -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
rm "$file" &> /dev/null rm "$file" &> /dev/null
@@ -787,12 +829,12 @@ wxi-ssh-keys-retrieve(){
if [[ ! -z $1 ]] if [[ ! -z $1 ]]
then then
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.private') | base64 -d > ~/.ssh/keys/$1 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.private') | base64 -d > ~/.ssh/keys/$1 2>&1
chmod 700 ~/.ssh/keys/$1 chmod 700 ~/.ssh/keys/$1
echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.data.public') | base64 -d > ~/.ssh/keys/$1.pub 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X GET --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.data.public') | base64 -d > ~/.ssh/keys/$1.pub 2>&1
chmod 700 ~/.ssh/keys/$1.pub chmod 700 ~/.ssh/keys/$1.pub
fi fi
fi fi
@@ -808,7 +850,7 @@ wxi-ssh-keys-save(){
then then
if [[ -f "$HOME/.ssh/keys/$1" ]] if [[ -f "$HOME/.ssh/keys/$1" ]]
then then
curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"data\": { \"private\": \"$(cat ~/.ssh/keys/$1 | base64 -w 0)\", \"public\": \"$(cat ~/.ssh/keys/$1.pub | base64 -w 0)\" } }" -s &> /dev/null curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"data\": { \"private\": \"$(cat ~/.ssh/keys/$1 | base64 -w 0)\", \"public\": \"$(cat ~/.ssh/keys/$1.pub | base64 -w 0)\" } }" -s &> /dev/null
fi fi
fi fi
wxi-footer wxi-footer
@@ -818,11 +860,12 @@ wxi-ssh-keys-sign(){
wxi-header "SSH / Keys / Sign" wxi-header "SSH / Keys / Sign"
wxi-restricted wxi-restricted
wx-ssh-keys-sign-create $ORG sysadmin 3600
if [[ $USERNAME == "cwchristerw" ]] if [[ $USERNAME == "cwchristerw" ]]
then then
wx-ssh-keys-sign-create warengroup sysadmin 3600 wxi-ssh-keys-sign-create cwchristerw sysadmin 3600
wxi-ssh-keys-sign-create warengroup sysadmin 3600
else
wxi-ssh-keys-sign-create $ORG sysadmin 3600
fi fi
wxi-footer wxi-footer
} }
@@ -838,20 +881,20 @@ wxi-ssh-keys-sign-create(){
if [[ -f "$HOME/.ssh/keys/$NAME" ]] if [[ -f "$HOME/.ssh/keys/$NAME" ]]
then then
wxi-content text "$NAME/$ROLE" wxi-content text "$NAME/$ROLE"
echo $(curl https://$VAULT_DOMAIN/v1/ssh/sign/$ROLE -X POST --header "X-Vault-Token: $VAULT_TOKEN" -d "{ \"public_key\": \"$(cat $HOME/.ssh/keys/$NAME.pub)\", \"valid_principals\": \"$PRINCIPALS,$USERNAME\", \"ttl\": \"$TTL\" }" -s | jq -r '.data.signed_key') > ~/.ssh/keys/$NAME.sig 2>&1 echo $(curl https://$VAULT_DOMAIN/v1/ssh/sign/$ROLE -X POST --header "X-Vault-Token: $TOKEN" -d "{ \"public_key\": \"$(cat $HOME/.ssh/keys/$NAME.pub)\", \"valid_principals\": \"$PRINCIPALS,$USERNAME\", \"ttl\": \"$TTL\" }" -s | jq -r '.data.signed_key') > ~/.ssh/keys/$NAME.sig 2>&1
fi fi
} }
wxi-ssh-keys-sync(){ wxi-ssh-keys-sync(){
wxi-header "SSH / Keys / Sync" wxi-header "SSH / Keys / Sync"
wxi-restricted wxi-restricted
VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $VAULT_TOKEN") VAULT_STATUS=$(curl -s -o /dev/null -w "%{http_code}" https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $TOKEN")
if [[ $VAULT_STATUS -eq 200 ]] if [[ $VAULT_STATUS -eq 200 ]]
then then
for name in $(curl https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $VAULT_TOKEN" -s | jq -r '.data.keys | @sh' | tr -d \') for name in $(curl https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys -X LIST --header "X-Vault-Token: $TOKEN" -s | jq -r '.data.keys | @sh' | tr -d \')
do do
echo $name wxi-content text $name
wx-ssh-keys-retrieve $name --multiple wxi-ssh-keys-retrieve $name &> /dev/null
done done
fi fi
wxi-footer wxi-footer
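Review bot: In the wxi-ssh-keys-save hunk the private key is base64-encoded directly into curl's `-d` argument (and the token into `--header`), so the key material sits in the process argument list, readable through `ps` or `/proc/*/cmdline` by other local users for the duration of the upload. Feeding the body on stdin keeps it out of argv and also stops a key containing JSON-significant characters from breaking the hand-built document: `jq -n --arg private "$(base64 -w 0 ~/.ssh/keys/$1)" --arg public "$(base64 -w 0 ~/.ssh/keys/$1.pub)" '{data:{private:$private,public:$public}}' | curl https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1 -X POST --header "X-Vault-Token: $TOKEN" -d @- -s &> /dev/null`. The same pattern applies to wxi-ssh-config-save and the sign call. This file repeats every function from the per-command files, so each fix here needs its mirror there.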