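wx-ssh-keys(){
    # Entry point for the "ssh keys" command group.
    #   $1 - sub-command: generate | sign | retrieve | save | sync | delete | clean
    #   $2 - key name, forwarded to the sub-command (sign takes none)
    # "generate" first pulls any existing copy from Vault, creates the pair
    # only if it is still missing locally, then pushes it back.
    # Anything else falls through to wx-stop.
    wx-restricted

    local action=$1
    local key=$2

    # ${key:+"$key"} forwards the name as ONE word when it is set, and as no
    # argument at all when it is empty, so sub-commands see the same $# as
    # before while names containing spaces are no longer split.
    case "$action" in
        generate)
            wx-ssh-keys-retrieve ${key:+"$key"}
            wx-ssh-keys-generate ${key:+"$key"}
            wx-ssh-keys-save ${key:+"$key"}
            ;;
        sign)
            wx-ssh-keys-sign
            ;;
        retrieve)
            wx-ssh-keys-retrieve ${key:+"$key"}
            ;;
        save)
            wx-ssh-keys-save ${key:+"$key"}
            ;;
        sync)
            wx-ssh-keys-sync ${key:+"$key"}
            ;;
        delete)
            wx-ssh-keys-delete ${key:+"$key"}
            ;;
        clean)
            wx-ssh-keys-clean ${key:+"$key"}
            ;;
        *)
            wx-stop
            ;;
    esac
}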
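wx-ssh-keys-generate(){
    # Create an ed25519 key pair named "$1" under $HOME/.ssh/keys if none exists.
    #   $1 - key name; nothing happens when empty or when the private key
    #        file is already present
    # Reads USERNAME (used as the key comment).
    # Returns ssh-keygen's status; its output is discarded.
    wx-header "SSH / Keys / Generate"
    wx-restricted
    [[ -n "$1" ]] || return 0

    local key_dir="$HOME/.ssh/keys"
    local key_path="$key_dir/$1"
    [[ -f "$key_path" ]] && return 0

    # ssh-keygen does not create missing parent directories; create the key
    # directory with owner-only permissions before writing into it.
    (umask 077; mkdir -p "$key_dir") || return
    ssh-keygen -t ed25519 -f "$key_path" -q -N "" -C "$USERNAME" &> /dev/null
}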
wx-ssh-keys-sign(){
    # Request "sysadmin" certificates with a 3600 s TTL for the orgs this
    # user signs for: a warengroup or cwinfo member gets its own org's
    # certificate; the cwchristerw user (or org) gets all three.
    wx-header "SSH / Keys / Sign"
    wx-restricted

    local -r role=sysadmin
    local -r ttl=3600

    if [[ $USERNAME == "cwchristerw" || $ORG == "cwchristerw" ]]
    then
        local org
        for org in warengroup cwinfo cwchristerw
        do
            wx-ssh-keys-sign-create "$org" "$role" "$ttl"
        done
        return
    fi

    # Reached only when neither user nor org is cwchristerw.
    case "$ORG" in
        warengroup|cwinfo)
            wx-ssh-keys-sign-create "$ORG" "$role" "$ttl"
            ;;
    esac
}
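wx-ssh-keys-sign-create(){
    # Ask Vault's SSH secrets engine to sign the local key pair "$1" and store
    # the signed key next to it as $HOME/.ssh/keys/$1.sig.
    #   $1 - key name under $HOME/.ssh/keys (generated on the fly if missing)
    #   $2 - Vault SSH role; also used as the first principal in the request
    #   $3 - requested certificate TTL (passed to Vault as given)
    # Reads VAULT_DOMAIN, USERNAME, ORG and config["login",$ORG] (the Vault token).
    # Prints "<name>/<role>" on success; returns non-zero when no key pair is
    # available or Vault does not return a signed key.
    wx-restricted

    local name=$1
    local role=$2
    # Principals mirror the role name; $USERNAME is appended below.
    local principals=$2
    local ttl=$3
    local key_dir="$HOME/.ssh/keys"
    local key_path="$key_dir/$name"

    if [[ ! -f "$key_path" ]]
    then
        ssh-keygen -t ed25519 -f "$key_path" -q -N "" -C "$USERNAME" &> /dev/null
    fi

    if [[ ! -f "$key_path" ]]
    then
        printf 'error: no key pair at %s\n' "$key_path" >&2
        return 1
    fi

    echo "$name/$role"

    # Build the request body with jq so a '"' or '\' in the public key cannot
    # break (or reshape) the JSON document.
    local body
    body=$(jq -n --arg pk "$(< "$key_path.pub")" \
                 --arg principals "$principals,$USERNAME" \
                 --arg ttl "$ttl" \
                 '{public_key: $pk, valid_principals: $principals, ttl: $ttl}') || return

    # NOTE(review): the token is passed in argv and is therefore visible in
    # the process list of the local host; curl's "-H @file" form avoids that.
    local signed
    signed=$(curl -sS -X POST "https://$VAULT_DOMAIN/v1/ssh/sign/$role" \
                  --header "X-Vault-Token: ${config["login",$ORG]}" \
                  -d "$body" | jq -r '.data.signed_key // empty')

    # A failed or rejected request yields no signed_key; do not leave a file
    # containing "null" (or nothing) where a certificate is expected.
    if [[ -z "$signed" ]]
    then
        printf 'error: Vault returned no signed key for %s (role %s)\n' "$name" "$role" >&2
        return 1
    fi

    printf '%s\n' "$signed" > "$key_path.sig"
}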
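wx-ssh-keys-retrieve(){
    # Fetch the key pair "$1" from Vault's KV store
    # (cli/data/<user>/settings/ssh/keys/<name>) and write it to
    # $HOME/.ssh/keys/$1 (private) and $HOME/.ssh/keys/$1.pub (public).
    #   $1 - key name; nothing happens when empty
    #   $2 - any value suppresses the header (wx-ssh-keys-sync passes --multiple)
    # Reads VAULT_DOMAIN, USERNAME, ORG and config["login",$ORG] (the Vault token).
    # Returns non-zero when the key is absent from Vault (non-200) or the
    # response carries no usable key material.
    if [[ -z $2 ]]
    then
        wx-header "SSH / Keys / Retrieve"
    fi

    wx-restricted
    [[ -n "$1" ]] || return 0

    local name=$1
    # The name may come from a Vault listing (wx-ssh-keys-sync); refuse any
    # ".." component so the write cannot leave $HOME/.ssh/keys.
    if [[ "/$name/" == */../* ]]
    then
        printf 'error: refusing key name %s\n' "$name" >&2
        return 1
    fi

    local url="https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$name"
    local token="${config["login",$ORG]}"

    # One request, with the HTTP status appended on a trailing line, instead
    # of a status probe followed by two more fetches of the same secret.
    local response status body
    response=$(curl -sS -X GET "$url" --header "X-Vault-Token: $token" -w '\n%{http_code}') || return
    status=${response##*$'\n'}
    body=${response%$'\n'*}
    [[ "$status" == 200 ]] || return 1

    local private_b64 public_b64
    private_b64=$(jq -r '.data.data.private // empty' <<<"$body")
    public_b64=$(jq -r '.data.data.public // empty' <<<"$body")
    if [[ -z "$private_b64" || -z "$public_b64" ]]
    then
        printf 'error: incomplete key material for %s\n' "$name" >&2
        return 1
    fi

    local key_dir="$HOME/.ssh/keys"
    # Create directory and files under umask 077 so the private key is never
    # readable by others, not even between the write and the chmod below.
    (
        umask 077
        mkdir -p "$key_dir" &&
        base64 -d <<<"$private_b64" > "$key_dir/$name" &&
        base64 -d <<<"$public_b64" > "$key_dir/$name.pub"
    ) || return
    chmod 600 "$key_dir/$name"
    chmod 644 "$key_dir/$name.pub"
}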
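wx-ssh-keys-save(){
    # Upload the local key pair "$1" to Vault's KV store as base64 text under
    # cli/data/<user>/settings/ssh/keys/<name>.
    #   $1 - key name under $HOME/.ssh/keys; nothing happens when empty or
    #        when the private key file is not present locally
    # Reads VAULT_DOMAIN, USERNAME, ORG and config["login",$ORG] (the Vault token).
    # Returns non-zero when Vault does not answer with a 2xx status.
    wx-header "SSH / Keys / Save"
    wx-restricted
    [[ -n "$1" ]] || return 0

    local key_path="$HOME/.ssh/keys/$1"
    [[ -f "$key_path" ]] || return 0

    # base64 | tr gives the same single-line output as "base64 -w 0", also on
    # base64 implementations that lack -w.
    local private_b64 public_b64
    private_b64=$(base64 < "$key_path" | tr -d '\n') || return
    public_b64=$(base64 < "$key_path.pub" | tr -d '\n') || return

    local body
    body=$(jq -n --arg private "$private_b64" --arg public "$public_b64" \
              '{data: {private: $private, public: $public}}') || return

    # Keep curl quiet but surface a non-2xx status as a failure instead of
    # silently losing the upload.
    # NOTE(review): the token is passed in argv and is therefore visible in
    # the process list of the local host; curl's "-H @file" form avoids that.
    local status
    status=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
                  "https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$1" \
                  --header "X-Vault-Token: ${config["login",$ORG]}" \
                  -d "$body")
    if [[ "$status" != 2* ]]
    then
        printf 'error: saving key %s to Vault failed (HTTP %s)\n' "$1" "$status" >&2
        return 1
    fi
}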
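wx-ssh-keys-sync(){
    # Pull every key pair listed for this user in Vault
    # (cli/metadata/<user>/settings/ssh/keys) into $HOME/.ssh/keys, printing
    # each name as it is fetched.
    # Reads VAULT_DOMAIN, USERNAME, ORG and config["login",$ORG] (the Vault token).
    # Does nothing when the listing is not available (non-200).
    wx-header "SSH / Keys / Sync"
    wx-restricted

    local url="https://$VAULT_DOMAIN/v1/cli/metadata/$USERNAME/settings/ssh/keys"
    local token="${config["login",$ORG]}"

    # Single LIST request; the HTTP status is appended on a trailing line.
    local response status body
    response=$(curl -sS -X LIST "$url" --header "X-Vault-Token: $token" -w '\n%{http_code}') || return
    status=${response##*$'\n'}
    body=${response%$'\n'*}
    [[ "$status" == 200 ]] || return 0

    # One name per line from jq and a read loop, instead of @sh plus
    # word-splitting, so names containing spaces or glob characters are
    # passed to the retrieve step intact.
    local name
    while IFS= read -r name
    do
        [[ -n "$name" ]] || continue
        printf '%s\n' "$name"
        wx-ssh-keys-retrieve "$name" --multiple
    done < <(jq -r '.data.keys[]?' <<<"$body")
}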
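wx-ssh-keys-clean(){
    # Remove local key files from $HOME/.ssh/keys.
    #   $1 - key name: delete <name>, <name>.pub and <name>.sig, never "legacy"
    #   no argument: print the header, clean the org-specific signing keys
    #   (same org/user selection as wx-ssh-keys-sign), then delete every
    #   file whose name (minus .pub) still has a copy in Vault, except
    #   "legacy".
    # Reads ORG, USERNAME and, in the no-argument branch, VAULT_DOMAIN and
    # config["login",$ORG] (the Vault token).
    if [[ -z $1 ]]
    then
        wx-header "SSH / Keys / Clean"
    fi
    wx-restricted

    local key_dir="$HOME/.ssh/keys"

    if [[ -n "$1" ]]
    then
        if [[ -f "$key_dir/$1" && $(basename "$key_dir/$1") != "legacy" ]]
        then
            # -f: a missing .pub or .sig is not an error; "--" ends option parsing.
            rm -f -- "$key_dir/$1" "$key_dir/$1.pub" "$key_dir/$1.sig"
        fi
    else
        if [[ $ORG == "warengroup" && $USERNAME != "cwchristerw" ]]
        then
            wx-ssh-keys-clean warengroup
        elif [[ $ORG == "cwinfo" && $USERNAME != "cwchristerw" ]]
        then
            wx-ssh-keys-clean cwinfo
        elif [[ $ORG == "cwchristerw" || $USERNAME == "cwchristerw" ]]
        then
            wx-ssh-keys-clean warengroup
            wx-ssh-keys-clean cwinfo
            wx-ssh-keys-clean cwchristerw
        fi

        local file name status
        for file in "$key_dir"/*
        do
            # With no matches the glob stays literal; skip that entry.
            [[ -e "$file" ]] || continue
            [[ "$(basename "$file")" != "legacy" ]] || continue
            name=$(basename "$file" .pub)
            status=$(curl -s -o /dev/null -w '%{http_code}' -X GET \
                "https://$VAULT_DOMAIN/v1/cli/data/$USERNAME/settings/ssh/keys/$name" \
                --header "X-Vault-Token: ${config["login",$ORG]}")
            # Only files that still have a copy in Vault are removed.
            if [[ "$status" == 200 ]]
            then
                rm -f -- "$file"
            fi
        done
    fi
}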