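#######################################
# Entry point for the `ssh keys` sub-commands.
# Globals:   none read directly (sub-commands read VAULT_DOMAIN, USERNAME,
#            ORG and config["login",$ORG])
# Arguments: $1 - sub-command (generate|sign|retrieve|save|sync|delete|clean)
#            $2 - key name, where the sub-command takes one
# Outputs:   whatever the sub-command prints
# Returns:   status of the sub-command; wx-stop for an unknown sub-command
#######################################
wx-ssh-keys() {
  wx-restricted
  case "${1-}" in
    generate)
      # Retrieve first: if Vault already holds this key the local file exists
      # afterwards, generate becomes a no-op and the stored key is kept.
      wx-ssh-keys-retrieve "${2-}"
      wx-ssh-keys-generate "${2-}"
      wx-ssh-keys-save "${2-}"
      ;;
    sign) wx-ssh-keys-sign ;;
    retrieve) wx-ssh-keys-retrieve "${2-}" ;;
    save) wx-ssh-keys-save "${2-}" ;;
    sync) wx-ssh-keys-sync "${2-}" ;;
    delete) wx-ssh-keys-delete "${2-}" ;;  # defined elsewhere in the tool
    clean) wx-ssh-keys-clean "${2-}" ;;
    *) wx-stop ;;
  esac
}

#######################################
# Validate a key name before it is used as a file name under ~/.ssh/keys and
# as a path segment of a Vault URL. Only letters, digits, '.', '_' and '-' are
# accepted and the first character must be alphanumeric, so a name can neither
# leave the key directory ('/', '..') nor start with a '.' or '-'.
# Arguments: $1 - candidate key name
# Outputs:   a diagnostic on stderr when a non-empty name is rejected
# Returns:   0 if valid; 1 if empty (silently, "no key selected") or invalid
#######################################
wx-ssh-keys-valid-name() {
  local -r name=${1-}
  [[ -n "$name" ]] || return 1
  if [[ ! "$name" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    printf 'wx-ssh-keys: refusing key name %q (use letters, digits, ., _ and -)\n' "$name" >&2
    return 1
  fi
}

#######################################
# Print, one per line, the organisation key names this user manages.
# Globals:   ORG, USERNAME (read)
# Outputs:   key names on stdout (possibly none)
#######################################
wx-ssh-keys-orgs() {
  if [[ "${USERNAME-}" == "cwchristerw" || "${ORG-}" == "cwchristerw" ]]; then
    printf '%s\n' warengroup cwinfo cwchristerw
  elif [[ "${ORG-}" == "warengroup" ]]; then
    printf '%s\n' warengroup
  elif [[ "${ORG-}" == "cwinfo" ]]; then
    printf '%s\n' cwinfo
  fi
}

#######################################
# Authenticated request against the organisation's Vault.
# Globals:   VAULT_DOMAIN, ORG, config["login",$ORG] (read)
# Arguments: $1 - HTTP method (GET, POST, LIST)
#            $2 - API path under /v1/, already validated, no leading slash
#            $3 - optional JSON request body
# Outputs:   response body on stdout
# Returns:   curl's exit status
#######################################
wx-ssh-keys-vault-curl() {
  local -r method=$1 path=$2 body=${3-}
  local -a args=(-s -X "$method" "https://$VAULT_DOMAIN/v1/$path")
  if [[ -n "$body" ]]; then
    args+=(-d @-)
  fi
  # The token is handed to curl through a file descriptor and the body through
  # stdin so that neither shows up in `ps`/argv. (curl >= 7.55 reads headers
  # from @file.)
  printf '%s' "$body" | curl "${args[@]}" \
    --header @<(printf 'X-Vault-Token: %s\n' "${config["login",$ORG]}")
}

#######################################
# HTTP status of an authenticated Vault request, body discarded.
# Globals:   VAULT_DOMAIN, ORG, config["login",$ORG] (read)
# Arguments: $1 - HTTP method
#            $2 - API path under /v1/
# Outputs:   three-digit status code on stdout ("000" when no reply)
#######################################
wx-ssh-keys-vault-status() {
  local -r method=$1 path=$2
  curl -s -o /dev/null -w '%{http_code}' -X "$method" "https://$VAULT_DOMAIN/v1/$path" \
    --header @<(printf 'X-Vault-Token: %s\n' "${config["login",$ORG]}")
}

#######################################
# Decode base64 data into a file without ever exposing it with loose modes:
# mktemp creates the temporary with owner-only permissions, the mode is set,
# and only then is it moved over the destination.
# Arguments: $1 - destination path
#            $2 - octal mode for the final file
#            $3 - base64-encoded content
# Returns:   0 on success, 1 if decoding or file creation fails
#######################################
wx-ssh-keys-write-secret() {
  local -r dest=$1 mode=$2 data=$3
  local tmp
  tmp=$(mktemp "$dest.XXXXXX") || return 1
  if ! printf '%s\n' "$data" | base64 -d > "$tmp"; then
    rm -f -- "$tmp"
    return 1
  fi
  chmod "$mode" "$tmp" && mv -f -- "$tmp" "$dest"
}

#######################################
# Create a passphrase-less ed25519 key under ~/.ssh/keys if it does not exist.
# Globals:   HOME, USERNAME (read)
# Arguments: $1 - key name
# Returns:   0 when nothing needed doing; ssh-keygen's status otherwise
#######################################
wx-ssh-keys-generate() {
  wx-header "SSH / Keys / Generate"
  wx-restricted
  wx-ssh-keys-valid-name "${1-}" || return 0
  local -r keydir="$HOME/.ssh/keys" keyfile="$HOME/.ssh/keys/$1"
  [[ -f "$keyfile" ]] && return 0
  [[ -d "$keydir" ]] || mkdir -p -m 700 "$keydir"
  ssh-keygen -t ed25519 -f "$keyfile" -q -N "" -C "$USERNAME" >/dev/null 2>&1
}

#######################################
# Request Vault-signed certificates for every organisation key this user
# manages (sysadmin role, 3600 s TTL).
# Globals:   ORG, USERNAME (read, via wx-ssh-keys-orgs)
#######################################
wx-ssh-keys-sign() {
  wx-header "SSH / Keys / Sign"
  wx-restricted
  local org
  while IFS= read -r org; do
    wx-ssh-keys-sign-create "$org" sysadmin 3600
  done < <(wx-ssh-keys-orgs)
}

#######################################
# Sign one key with Vault's SSH secrets engine and store the certificate
# next to the key as NAME.sig. The key is generated first if it is missing.
# Globals:   HOME, USERNAME, VAULT_DOMAIN, ORG, config (read)
# Arguments: $1 - key name
#            $2 - Vault SSH role; also used as the principal
#            $3 - TTL of the certificate (as accepted by Vault, e.g. 3600)
# Outputs:   "NAME/ROLE" on stdout before signing
# Returns:   0 on success; 1 if the name is invalid, the key is missing or
#            Vault returned no signed key (the .sig file is left untouched)
#######################################
wx-ssh-keys-sign-create() {
  wx-restricted
  local -r name=$1 role=$2 ttl=$3
  local -r principals=$role
  local -r keydir="$HOME/.ssh/keys" keyfile="$HOME/.ssh/keys/$1"
  wx-ssh-keys-valid-name "$name" || return 1
  wx-ssh-keys-valid-name "$role" || return 1
  if [[ ! -f "$keyfile" ]]; then
    [[ -d "$keydir" ]] || mkdir -p -m 700 "$keydir"
    ssh-keygen -t ed25519 -f "$keyfile" -q -N "" -C "$USERNAME" >/dev/null 2>&1
  fi
  [[ -f "$keyfile" && -f "$keyfile.pub" ]] || return 1
  printf '%s/%s\n' "$name" "$role"
  local body signed
  # jq builds the JSON so the public key comment and principals are escaped
  # correctly instead of being spliced into a string literal.
  body=$(jq -n --arg pub "$(<"$keyfile.pub")" \
    --arg principals "$principals,$USERNAME" --arg ttl "$ttl" \
    '{public_key: $pub, valid_principals: $principals, ttl: $ttl}') || return 1
  signed=$(wx-ssh-keys-vault-curl POST "ssh/sign/$role" "$body" \
    | jq -r '.data.signed_key // empty') || return 1
  if [[ -z "$signed" ]]; then
    # Previously "null" was written into NAME.sig on any failure.
    printf 'wx-ssh-keys: Vault returned no signed key for %s/%s\n' "$name" "$role" >&2
    return 1
  fi
  printf '%s\n' "$signed" > "$keyfile.sig"
}

#######################################
# Download a key pair from Vault (KV v2, cli/ mount) into ~/.ssh/keys.
# Globals:   HOME, USERNAME, VAULT_DOMAIN, ORG, config (read)
# Arguments: $1 - key name
#            $2 - any non-empty value suppresses the section header
#                 (used by sync, which passes --multiple)
# Returns:   0 if nothing to do; 1 if Vault has no such key pair or a write
#            fails
#######################################
wx-ssh-keys-retrieve() {
  [[ -n "${2-}" ]] || wx-header "SSH / Keys / Retrieve"
  wx-restricted
  wx-ssh-keys-valid-name "${1-}" || return 0
  local -r name=$1 keydir="$HOME/.ssh/keys"
  local response private public
  response=$(wx-ssh-keys-vault-curl GET "cli/data/$USERNAME/settings/ssh/keys/$name") || return 1
  private=$(jq -r '.data.data.private // empty' <<<"$response")
  public=$(jq -r '.data.data.public // empty' <<<"$response")
  # Both halves are required; a missing field would otherwise decode to junk.
  [[ -n "$private" && -n "$public" ]] || return 1
  [[ -d "$keydir" ]] || mkdir -p -m 700 "$keydir"
  wx-ssh-keys-write-secret "$keydir/$name" 600 "$private" || return 1
  wx-ssh-keys-write-secret "$keydir/$name.pub" 644 "$public"
}

#######################################
# Upload a local key pair to Vault (KV v2, cli/ mount), base64-encoded.
# Globals:   HOME, USERNAME, VAULT_DOMAIN, ORG, config (read)
# Arguments: $1 - key name
# Returns:   0 if nothing to do or on success; 1 if encoding fails
#######################################
wx-ssh-keys-save() {
  wx-header "SSH / Keys / Save"
  wx-restricted
  wx-ssh-keys-valid-name "${1-}" || return 0
  local -r keyfile="$HOME/.ssh/keys/$1"
  [[ -f "$keyfile" && -f "$keyfile.pub" ]] || return 0
  local private public body
  private=$(base64 -w 0 < "$keyfile") || return 1
  public=$(base64 -w 0 < "$keyfile.pub") || return 1
  # The private key is fed to jq on stdin (printf is a builtin), never on argv.
  body=$(printf '%s\n%s\n' "$private" "$public" \
    | jq -Rn '{data: {private: input, public: input}}') || return 1
  wx-ssh-keys-vault-curl POST "cli/data/$USERNAME/settings/ssh/keys/$1" "$body" >/dev/null 2>&1
}

#######################################
# Retrieve every key pair stored for this user in Vault.
# Globals:   USERNAME, VAULT_DOMAIN, ORG, config (read)
# Arguments: $1 - ignored (kept for the dispatcher's calling convention)
# Outputs:   each key name on stdout as it is fetched
#######################################
wx-ssh-keys-sync() {
  wx-header "SSH / Keys / Sync"
  wx-restricted
  local response name
  response=$(wx-ssh-keys-vault-curl LIST "cli/metadata/$USERNAME/settings/ssh/keys") || return 1
  while IFS= read -r name; do
    # LIST may return "sub/" entries; the validator skips anything that is not
    # a plain key name.
    wx-ssh-keys-valid-name "$name" || continue
    printf '%s\n' "$name"
    wx-ssh-keys-retrieve "$name" --multiple
  done < <(jq -r '.data.keys // [] | .[]' <<<"$response")
}

#######################################
# Remove local key material that can be recreated: with a name, that key's
# private/public/sig files; without one, the organisation keys plus every
# file whose key exists in Vault. "legacy" is never removed.
# Globals:   HOME, USERNAME, VAULT_DOMAIN, ORG, config (read)
# Arguments: $1 - optional key name
# Returns:   0; 1 if a given name is invalid
#######################################
wx-ssh-keys-clean() {
  [[ -n "${1-}" ]] || wx-header "SSH / Keys / Clean"
  wx-restricted
  local -r keydir="$HOME/.ssh/keys"
  if [[ -n "${1-}" ]]; then
    wx-ssh-keys-valid-name "$1" || return 1
    [[ "$1" != "legacy" && -f "$keydir/$1" ]] || return 0
    rm -f -- "$keydir/$1" "$keydir/$1.pub" "$keydir/$1.sig"
    return 0
  fi
  local org
  while IFS= read -r org; do
    wx-ssh-keys-clean "$org"
  done < <(wx-ssh-keys-orgs)
  local file name
  for file in "$keydir"/*; do
    [[ -e "$file" ]] || continue  # unmatched glob leaves the literal pattern
    name=${file##*/}
    name=${name%.pub}
    name=${name%.sig}  # .sig files follow their key; previously they were orphaned
    [[ "$name" != "legacy" ]] || continue
    wx-ssh-keys-valid-name "$name" || continue
    if [[ "$(wx-ssh-keys-vault-status GET "cli/data/$USERNAME/settings/ssh/keys/$name")" == 200 ]]; then
      rm -f -- "$file"
    fi
  done
}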