feat: add yubico-piv-checker install script

This commit is contained in:
Stéphane Lesimple 2020-12-30 09:56:41 +00:00 committed by Stéphane Lesimple
parent 7aa655bcd2
commit 62d6393d56
18 changed files with 328 additions and 217 deletions


@ -24,6 +24,7 @@ jobs:
rsync -a . /opt/bastion/ rsync -a . /opt/bastion/
/opt/bastion/bin/admin/packages-check.sh -i /opt/bastion/bin/admin/packages-check.sh -i
/opt/bastion/bin/admin/install-ttyrec.sh -s /opt/bastion/bin/admin/install-ttyrec.sh -s
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -s
/opt/bastion/bin/admin/install --new-install --no-wait /opt/bastion/bin/admin/install --new-install --no-wait
ssh-keygen -t ed25519 -f id_user ssh-keygen -t ed25519 -f id_user
ssh-keygen -t ed25519 -f id_root ssh-keygen -t ed25519 -f id_root


@ -2,98 +2,31 @@
# vim: set filetype=sh ts=4 sw=4 sts=4 et: # vim: set filetype=sh ts=4 sw=4 sts=4 et:
set -e set -e
RELEASE_API_URL='https://api.github.com/repos/ovh/ovh-ttyrec/releases' PROGRAM_NAME=ovh-ttyrec
RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
basedir=$(readlink -f "$(dirname "$0")"/../..) basedir=$(readlink -f "$(dirname "$0")"/../..)
# shellcheck source=lib/shell/functions.inc # shellcheck source=lib/shell/install.inc
. "$basedir"/lib/shell/functions.inc . "$basedir"/lib/shell/install.inc
usage() { set_download_url_package() {
cat <<EOF type="$1"
Options: case "$type" in
-s Download and install precompiled ttyrec static binaries in /usr/local/bin rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
-d Download the prebuilt Debian package, and install it (for Debian, Ubuntu and derivatives) deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
-r Download the prebuild RPM package, and install it (for RHEL, CentOS and derivatives) *) exit 1;;
-a Automatically detect the OS to install the proper package type, fallback to static binaries if no package applies esac
-h Show this help
EOF
}
set_download_url() {
pattern="$1"
action_doing "Looking for download tool..."
if command -v wget >/dev/null; then
action_done wget
_apicall() {
wget -q -O - --header="Accept: application/vnd.github.v3+json" "$1" || true
}
_download() {
wget -q "$1"
}
elif command -v curl >/dev/null; then
action_done curl
_apicall() {
curl -sL -H 'Accept: application/vnd.github.v3+json' "$1" || true
}
_download() {
curl -sL -O "$1"
}
elif command -v fetch >/dev/null; then
action_done fetch
_apicall() {
fetch -o - "$1" || true
}
_download() {
fetch "$1"
}
else
action_error "Couldn't find wget, curl nor fetch"
exit 1
fi
action_doing "Getting latest release for arch $arch..."
payload=$(mktemp)
# shellcheck disable=SC2064
trap "rm -f $payload" EXIT
_apicall $RELEASE_API_URL > "$payload"
if command -v jq >/dev/null; then
# If we have jq, we can do it properly
url=$(jq -r '.[0].assets|.[]|.browser_download_url' < "$payload" | grep -F "$pattern" | head -n1)
elif perl -MJSON -e 1 2>/dev/null; then
# If we don't, there's a good chance we have Perl with the JSON module, use it
url=$(perl -MJSON -e 'undef $/; $d=decode_json(<>); foreach(@{ $d->[0]{assets} || [] }) { $_=$_->{browser_download_url}; /\Q'"$pattern"'\E/ && print && exit }' "$payload" | head -n1)
else
# Otherwise, go the ugly way, don't bother the user in installing jq just for this need
url=$(grep -Eo 'https://[a-z0-9./_-]+' "$payload" | grep -F "$pattern" | head -n1)
fi
if [ -n "$url" ]; then
action_detail "$url"
else
action_error "Couldn't find a proper URL for your architecture ($arch), looked for pattern '$pattern'. You may have to compile ovh-ttyrec yourself!"
exit 1
fi
}
prepare_temp_folder() {
tmpfolder=$(mktemp -d)
# shellcheck disable=SC2064
trap "test -d '$tmpfolder' && rm -rf -- '$tmpfolder'" EXIT
cd "$tmpfolder"
} }
action_static() { action_static() {
if command -v dpkg >/dev/null; then set_archre
set_arch_from_deb
elif command -v rpm >/dev/null; then
set_arch_from_rpm
else
arch=$(uname -m)
fi
os=$(uname -s | tr '[:upper:]' '[:lower:]') os=$(uname -s | tr '[:upper:]' '[:lower:]')
set_download_url "_$arch-$os-static-binary.tar.gz" if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
set_download_url "/${PROGRAM_NAME}.*_(x86_|amd)64-$os-static-binary\\.tar\\.gz$"
else
set_download_url "/${PROGRAM_NAME}.*_$arch-$os-static-binary\\.tar\\.gz$"
fi
prepare_temp_folder prepare_temp_folder
_download "$url" _download "$url"
@ -119,100 +52,4 @@ action_static() {
cd / cd /
} }
set_arch_from_deb() { install_main "$@"
arch=$(dpkg --print-architecture)
}
action_debian() {
if ! command -v dpkg >/dev/null; then
echo "Couldn't find dpkg, aborting" >&2
exit 1
fi
set_arch_from_deb
set_download_url "_$arch.deb"
prepare_temp_folder
_download "$url"
action_done
action_doing "Installing package"
if dpkg -i -- *.deb; then
action_done
else
action_error
fi
cd /
}
set_arch_from_rpm() {
arch=$(rpm -E '%{_arch}')
# in some cases, %{_arch} is not defined, so the macro isn't expanded.
# In that case, find it ourselves
if [ "$arch" = "%{_arch}" ]; then
arch=$(rpm --showrc | grep "^install arch" | awk '{print $4}')
fi
}
action_rpm() {
if ! command -v rpm >/dev/null; then
echo "Couldn't find rpm, aborting" >&2
exit 1
fi
set_arch_from_rpm
set_download_url ".$arch.rpm"
prepare_temp_folder
_download "$url"
action_done
action_doing "Installing package"
if rpm -Uvh -- *.rpm; then
action_done
else
action_error
fi
cd /
}
action_auto() {
action_doing "Detecting OS..."
action_detail "Found $OS_FAMILY"
if [ "$OS_FAMILY" = Linux ]; then
action_detail "Found distro $LINUX_DISTRO version $DISTRO_VERSION (major $DISTRO_VERSION_MAJOR), distro like $DISTRO_LIKE"
fi
action_done
case "$DISTRO_LIKE" in
*debian*) action_debian;;
*rhel*) action_rpm;;
*suse*) action_rpm;;
*)
if [ "$OS_FAMILY" = Linux ]; then
action_static
else
echo "This script doesn't support this OS yet ($DISTRO_LIKE)" >&2
exit 1
fi;;
esac
}
if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then
echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2
exit 1
fi
while getopts :sdrah arg; do
case "$arg" in
s) action_static; exit 0;;
d) action_debian; exit 0;;
r) action_rpm; exit 0;;
a) action_auto; exit 0;;
h) usage; exit 0;;
?) echo "Invalid option: -$OPTARG"; usage; exit 1;;
esac
done
usage
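Review bot: With usage() removed in the first hunk, the `-h` and invalid-option arms of install_main in lib/shell/install.inc (added by this commit) still call `usage` while the help text was renamed to `install_usage`, so `install-ttyrec.sh -h` would fail with a command-not-found unless a `usage` happens to be defined in functions.inc; the two arms should read `h) install_usage; exit 0;;` and `?) echo "Invalid option: -$OPTARG"; install_usage; exit 1;;`. The same applies to the new bin/admin/install-yubico-piv-checker.sh, which sources the same file. Separately, in the new action_static the if/else around set_download_url re-derives the `(x86_|amd)64` alternative that set_archre stored in `$archre` two lines earlier, so `set_download_url "/${PROGRAM_NAME}.*_$archre-$os-static-binary\\.tar\\.gz$"` would replace both branches (and would make the `# shellcheck disable=SC2034` on set_archre unnecessary); the new script's action_static has the same duplication.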


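--- /dev/null
+++ b/bin/admin/install-yubico-piv-checker.sh
@@ -0,0 +1,48 @@
+#! /usr/bin/env bash
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+set -e
+PROGRAM_NAME=yubico-piv-checker
+RELEASE_API_URL="https://api.github.com/repos/ovh/$PROGRAM_NAME/releases"
+basedir=$(readlink -f "$(dirname "$0")"/../..)
+# shellcheck source=lib/shell/install.inc
+. "$basedir"/lib/shell/install.inc
+set_download_url_package() {
+type="$1"
+case "$type" in
+rpm) set_download_url "/${PROGRAM_NAME}-.+\\.$archre\\.rpm$";;
+deb) set_download_url "/${PROGRAM_NAME}_.+_$archre\\.deb$";;
+*) exit 1;;
+esac
+}
+action_static() {
+set_archre
+os=$(uname -s | tr '[:upper:]' '[:lower:]')
+if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
+set_download_url "/${PROGRAM_NAME}.*_${os}_(x86_|amd)64\\.tar\\.gz$"
+else
+set_download_url "/${PROGRAM_NAME}.*_${os}_$arch\\.tar\\.gz$"
+fi
+prepare_temp_folder
+_download "$url"
+# we have just one archive file in the current temp directory
+# shellcheck disable=SC2035
+tar xzf *.tar.gz
+action_done
+action_doing "Installing files"
+for file in $PROGRAM_NAME; do
+action_detail "/usr/local/bin/$file"
+install -m 0755 "$file" /usr/local/bin/
+done
+action_done
+cd /
+}
+install_main "$@"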
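Review bot: The tarball fetched by `_download "$url"` is unpacked with `tar xzf *.tar.gz` and the binary copied into /usr/local/bin with no checksum or signature verification, so the only integrity guarantee is the TLS session to github.com and whichever asset the release API listed first. If the project publishes a checksum or signature asset alongside the archive, verifying it between the download and `install -m 0755 "$file" /usr/local/bin/` would make a tampered or mismatched asset fail the install instead of landing on the bastion. At minimum a comment stating the trust assumption, e.g. `# no signature/checksum check: we trust the GitHub release asset as served over HTTPS`, would make it explicit for whoever runs this with -s on a production host.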


@ -2,10 +2,11 @@ FROM centos:7
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \ RUN test -e /etc/syslog-ng/syslog-ng.conf && \
@ -23,5 +24,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
# TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908 # TESTFROM centos:7.9.2009 centos:7.8.2003 centos:7.7.1908
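Review bot: `RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]` installs whatever release the GitHub API lists first at build time, and the installer's options (-s/-d/-r/-a, see lib/shell/install.inc in this commit) offer no way to pin a version, so two builds of the same Dockerfile can contain different binaries and the image itself records nothing about which one went in. The resolved asset URL is printed via action_detail during the build, but an optional version argument to the installer would be needed before these images can be considered reproducible. The same remark applies to the other Dockerfile sections in this commit (centos:8, debian:buster/jessie/stretch, opensuse/leap:15.0/15.1/15.2, ubuntu:14.04/16.04/18.04/20.04, and the RUN \ chain that adds `install-yubico-piv-checker.sh -d`).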


@ -2,10 +2,11 @@ FROM centos:8
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \ RUN test -e /etc/syslog-ng/syslog-ng.conf && \
@ -23,5 +24,5 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1
# TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911 # TESTFROM centos:8.3.2011 centos:8.2.2004 centos:8.1.1911


@ -2,10 +2,11 @@ FROM debian:buster
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -2,10 +2,11 @@ FROM debian:jessie
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -2,10 +2,11 @@ FROM debian:stretch
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -2,10 +2,11 @@ FROM opensuse/leap:15.0
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \ RUN test -e /etc/syslog-ng/syslog-ng.conf && \
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1


@ -2,10 +2,11 @@ FROM opensuse/leap:15.1
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log # disable /dev/kmsg handling by syslog-ng and explicitly enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \ RUN test -e /etc/syslog-ng/syslog-ng.conf && \
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1


@ -2,10 +2,11 @@ FROM opensuse/leap:15.2
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-r"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-r"]
# disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log # disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log
RUN test -e /etc/syslog-ng/syslog-ng.conf && \ RUN test -e /etc/syslog-ng/syslog-ng.conf && \
@ -23,4 +24,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1


@ -13,6 +13,8 @@ RUN \
/opt/bastion/bin/admin/packages-check.sh -i -d -s && \ /opt/bastion/bin/admin/packages-check.sh -i -d -s && \
# download and install the ttyrec deb package (-d) \ # download and install the ttyrec deb package (-d) \
/opt/bastion/bin/admin/install-ttyrec.sh -d && \ /opt/bastion/bin/admin/install-ttyrec.sh -d && \
# download and install the yubico-piv-checker deb package (-d) \
/opt/bastion/bin/admin/install-yubico-piv-checker.sh -d && \
# cleanup packages cache to save space \ # cleanup packages cache to save space \
rm -rf /var/cache/apt && \ rm -rf /var/cache/apt && \
# handle locales \ # handle locales \


@ -2,10 +2,11 @@ FROM ubuntu:14.04
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=0 HAS_PAMTESTER=0 HAS_PIV=1


@ -2,10 +2,11 @@ FROM ubuntu:16.04
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -2,10 +2,11 @@ FROM ubuntu:18.04
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -2,10 +2,11 @@ FROM ubuntu:20.04
LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com" LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
# cache builds efficiently: just copy the scripts to install packages first # cache builds efficiently: just copy the scripts to install packages first
COPY bin/admin/install-ttyrec.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/ COPY bin/admin/install-ttyrec.sh bin/admin/install-yubico-piv-checker.sh bin/admin/packages-check.sh /opt/bastion/bin/admin/
COPY lib/shell /opt/bastion/lib/shell/ COPY lib/shell /opt/bastion/lib/shell/
RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"] RUN ["/opt/bastion/bin/admin/packages-check.sh","-i","-d","-s"]
RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"] RUN ["/opt/bastion/bin/admin/install-ttyrec.sh","-d"]
RUN ["/opt/bastion/bin/admin/install-yubico-piv-checker.sh","-d"]
# handle locales # handle locales
RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen RUN echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen
@ -26,4 +27,4 @@ RUN ["/opt/bastion/bin/admin/install","--new-install","--no-wait"]
# start at entrypoint # start at entrypoint
ENTRYPOINT /opt/bastion/docker/entrypoint.sh ENTRYPOINT /opt/bastion/docker/entrypoint.sh
# TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 # TESTENV HAS_ED25519=1 HAS_BLACKLIST=0 HAS_MFA=1 HAS_PAMTESTER=1 HAS_PIV=1


@ -300,6 +300,19 @@ add_user_to_group_compat()
fi fi
} }
del_user_from_group_compat()
{
local _user="$1" _group="$2"
if command -v gpasswd >/dev/null ; then
gpasswd -d "$_user" "$_group"
elif command -v pw >/dev/null ; then
pw groupmod -n "$_group" -d "$_user"
else
echo "del_user_from_group_compat: don't know how to del $_user from $_group!" >&2
return 1
fi
}
_logtag="$(basename "$0")[$$]" _logtag="$(basename "$0")[$$]"
__log() __log()
{ {
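Review bot: del_user_from_group_compat has no header comment stating its contract, and its exit status is simply that of gpasswd or pw (or 1 when neither exists), which callers must check; a comment such as `# del_user_from_group_compat USER GROUP: remove USER from GROUP with gpasswd (Linux) or pw (FreeBSD); returns that tool's status, or 1 if neither is available` above the definition would document both. The rest of the file, including the add_user_to_group_compat this mirrors, lies outside the hunk, so I cannot confirm the two helpers share the same comment style.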

198
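--- /dev/null
+++ b/lib/shell/install.inc
@@ -0,0 +1,198 @@
+# vim: set filetype=sh ts=4 sw=4 sts=4 et:
+# shellcheck shell=bash
+# common parts of install-ttyrec.sh and install-yubico-piv-checker.sh
+# shellcheck source=lib/shell/functions.inc disable=SC2128
+. "$(dirname "$BASH_SOURCE")"/functions.inc
+install_usage() {
+cat <<EOF
+Options:
+-s Download and install precompiled $PROGRAM_NAME static binaries in /usr/local/bin
+-d Download the prebuilt Debian package, and install it (for Debian, Ubuntu and derivatives)
+-r Download the prebuild RPM package, and install it (for RHEL, CentOS and derivatives)
+-a Automatically detect the OS to install the proper package type, fallback to static binaries if no package applies
+-h Show this help
+EOF
+}
+set_download_url() {
+pattern="$1"
+action_doing "Looking for download tool..."
+if command -v wget >/dev/null; then
+action_done wget
+_apicall() {
+wget -q -O - --header="Accept: application/vnd.github.v3+json" "$1" || true
+}
+_download() {
+wget -q "$1"
+}
+elif command -v curl >/dev/null; then
+action_done curl
+_apicall() {
+curl -sL -H 'Accept: application/vnd.github.v3+json' "$1" || true
+}
+_download() {
+curl -sL -O "$1"
+}
+elif command -v fetch >/dev/null; then
+action_done fetch
+_apicall() {
+fetch -o - "$1" || true
+}
+_download() {
+fetch "$1"
+}
+else
+action_error "Couldn't find wget, curl nor fetch"
+exit 1
+fi
+action_doing "Getting latest release for arch $arch..."
+payload=$(mktemp)
+# shellcheck disable=SC2064
+trap "rm -f $payload" EXIT
+_apicall "$RELEASE_API_URL" > "$payload"
+if command -v jq >/dev/null; then
+# If we have jq, we can do it properly
+urls="$(jq -r '.[0].assets|.[]|.browser_download_url' < "$payload")"
+elif perl -MJSON -e 1 2>/dev/null; then
+# If we don't, there's a good chance we have Perl with the JSON module, use it
+urls="$(perl -MJSON -e 'undef $/; $d=decode_json(<>); exit if ref $d ne "ARRAY"; foreach(@{ $d->[0]{assets} || [] }) { print $_->{browser_download_url}."\n" }' "$payload")"
+else
+# Otherwise, go the ugly way, don't bother the user in installing jq just for this need
+urls="$(grep -Eo 'https://[a-z0-9./_-]+' "$payload")"
+fi
+url="$(echo "$urls" | grep -E "$pattern" | head -n1)"
+if [ -n "$url" ]; then
+action_detail "$url"
+elif [ ! -s "$payload" ]; then
+action_error "API returned an empty body, did we hit the query limit?"
+exit 1
+elif [ -z "$urls" ]; then
+action_error "Couldn't find any URL in the returned body, did we hit the query limit? Body follows:"
+cat "$payload"
+exit 1
+else
+action_error "Couldn't find a proper URL for your architecture ($arch), looked for pattern '$pattern'. You may have to compile $PROGRAM_NAME yourself!"
+action_detail "Maybe the release asset naming pattern has changed and we're not aware, if you think one of the packages below match your OS & arch, you may download & install them manually:"
+for line in $urls; do
+action_detail "$line"
+done
+exit 1
+fi
+}
+prepare_temp_folder() {
+tmpfolder=$(mktemp -d)
+# shellcheck disable=SC2064
+trap "test -d '$tmpfolder' && rm -rf -- '$tmpfolder'" EXIT
+cd "$tmpfolder" || exit 1
+}
+# shellcheck disable=SC2034
+set_archre() {
+if command -v dpkg >/dev/null; then
+arch=$(dpkg --print-architecture)
+elif command -v rpm >/dev/null; then
+arch=$(rpm -E '%{_arch}')
+# in some cases, %{_arch} is not defined, so the macro isn't expanded,
+# we have to find it ourselves
+if [ "$arch" = "%{_arch}" ]; then
+arch=$(rpm --showrc | grep "^install arch" | awk '{print $4}')
+fi
+else
+arch=$(uname -m)
+fi
+if [ "$arch" = "x86_64" ] || [ "$arch" = "amd64" ]; then
+archre="(x86_|amd)64"
+else
+archre="$arch"
+fi
+}
+action_package() {
+type="$1"
+case "$type" in
+deb)
+if ! command -v dpkg >/dev/null; then
+echo "Couldn't find dpkg, aborting" >&2
+exit 1
+fi;;
+rpm)
+if ! command -v rpm >/dev/null; then
+echo "Couldn't find rpm, aborting" >&2
+exit 1
+fi;;
+*) echo "Unsupported package type $type" >&2; exit 1;;
+esac
+set_archre
+set_download_url_package "$type"
+prepare_temp_folder
+_download "$url"
+action_done
+action_doing "Installing package"
+case "$type" in
+deb) dpkg -i -- *.deb; ret=$?;;
+rpm) rpm -Uvh -- *.rpm; ret=$?;;
+*) exit 1;;
+esac
+if [ "$ret" = 0 ]; then
+action_done
+else
+action_error
+fi
+cd /
+}
+action_auto() {
+action_doing "Detecting OS..."
+action_detail "Found $OS_FAMILY"
+if [ "$OS_FAMILY" = Linux ]; then
+action_detail "Found distro $LINUX_DISTRO version $DISTRO_VERSION (major $DISTRO_VERSION_MAJOR), distro like $DISTRO_LIKE"
+fi
+action_done
+case "$DISTRO_LIKE" in
+*debian*) action_package deb;;
+*rhel*) action_package rpm;;
+*suse*) action_package rpm;;
+*)
+if [ "$OS_FAMILY" = Linux ]; then
+action_static
+else
+echo "This script doesn't support this OS yet ($DISTRO_LIKE)" >&2
+exit 1
+fi;;
+esac
+}
+install_main() {
+if [ "$OS_FAMILY" != "Linux" ] && [ "$OS_FAMILY" != "FreeBSD" ]; then
+echo "Sorry, your OS ($OS_FAMILY) is not supported." >&2
+exit 1
+fi
+while getopts :sdrah arg; do
+case "$arg" in
+s) action_static; exit 0;;
+d) action_package deb; exit 0;;
+r) action_package rpm; exit 0;;
+a) action_auto; exit 0;;
+h) usage; exit 0;;
+?) echo "Invalid option: -$OPTARG"; usage; exit 1;;
+esac
+done
+install_usage
+}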
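Review bot: `deb) dpkg -i -- *.deb; ret=$?;;` and the rpm arm of action_package run under the `set -e` both calling scripts enable before sourcing this file, so a failing dpkg/rpm aborts the script before `ret=$?` is reached and the `action_error` branch can never execute — the form the old install-ttyrec.sh used keeps the status check alive, e.g. `deb) if dpkg -i -- *.deb; then ret=0; else ret=$?; fi;;` and `rpm) if rpm -Uvh -- *.rpm; then ret=0; else ret=$?; fi;;`. The `trap "rm -f $payload" EXIT` in set_download_url is replaced by the trap prepare_temp_folder installs shortly after in action_package and action_static, so the mktemp'd API payload is left behind on every run; removing `$payload` at the end of set_download_url, or folding it into the second trap, avoids that. `.[0]` of the /releases endpoint is the newest release by creation date, pre-releases included, whereas /releases/latest returns the newest non-prerelease, non-draft one; a comment next to the jq line stating which is intended, e.g. `# .[0] is the most recently created release, pre-releases included`, would save the next reader from guessing.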