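#!/bin/bash
# Sample setup script for the safeguard-bash A2A example.
#
# Installs the test CA chain as trusted certificates, creates a certificate
# user (identified by the client certificate thumbprint) and a throw-away
# setup user, then, as the setup user, creates a test asset, account and A2A
# registration. The setup user is deleted at the end; on success the
# certificate thumbprint and the A2A API key are printed.
#
# Usage: setup.sh [-h] appliance
# This script is meant to be run from within a fresh safeguard-bash Docker container.
set -u

if ! command -v jq >/dev/null 2>&1; then
  >&2 echo "This script requires jq for parsing and manipulating responses."
  exit 1
fi

# Handle script parameters and usage
if [ "${1:-}" = "-h" ]; then
  cat <<EOF
USAGE: setup.sh [-h] appliance
You must specify the appliance network address
-h Show help and exit
EOF
  exit 1
fi
if [ -z "${1:-}" ]; then
  read -r -p "Appliance network address: " Appliance
else
  Appliance=$1
fi

# Colorize progress output only when stdout is a terminal.
YELLOW='' CYAN='' NC=''
if test -t 1; then
  YELLOW=$'\033[1;33m'
  CYAN=$'\033[1;36m'
  NC=$'\033[0m'
fi

#######################################
# Print a highlighted progress message, preceded by a blank line.
# Globals:   YELLOW, NC (read)
# Arguments: message words
#######################################
say() {
  printf '\n%s%s%s\n' "$YELLOW" "$*" "$NC"
}

#######################################
# POST a JSON body to a Safeguard core API endpoint.
# Globals:   SafeguardDir (read)
# Arguments: $1 - relative URL (e.g. Users), $2 - JSON body
# Outputs:   raw response on stdout
#######################################
post_core() {
  "$SafeguardDir/invoke-safeguard-method.sh" -s core -m POST -U "$1" -N -b "$2"
}

#######################################
# Pretty-print an API response and report whether it succeeded.
# An empty response (the call itself failed) counts as an error, as does a
# response carrying a non-null .Code field.
# Arguments: $1 - raw JSON response
# Returns:   0 on success, 1 on error
#######################################
response_ok() {
  local response=$1
  local code
  code=$(jq .Code <<<"$response" 2>/dev/null)
  jq . <<<"$response"
  [[ -n "$response" ]] && [[ -z "$code" || "$code" == "null" ]]
}

# Get the directory of this script while executing
ScriptDir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
# Get the directory of the rest of safeguard-bash (may be same directory)
if [ -x "$ScriptDir/connect-safeguard.sh" ]; then
  SafeguardDir="$ScriptDir"
elif [ -x "../../../src/connect-safeguard.sh" ]; then
  SafeguardDir="$( cd ../../../src && pwd )"
else
  cat <<EOF
Unable to find the safeguard-bash scripts.
The best way to run this sample is from a safeguard-bash docker container.
EOF
  exit 1
fi

# Trusted certificates to upload to establish the chain of trust in Safeguard
CaCertFile="$ScriptDir/certs/A2ATestCA.cert.pem"
IssuingCertFile="$ScriptDir/certs/issuing-A2ATestCA.cert.pem"
# Certificate file and private key file in PKCS#12 format
ClientCertFile="$ScriptDir/certs/A2AUser.p12"
# Normally you wouldn't store this certificate password directly in your script file,
# but this is just a sample setup script.
ClientCertPassword="test"
# You can generate your own CAs for a two-level PKI using the new-test-ca.sh script
# in the src/utils directory. The new-test-cert.sh script will generate certificates
# for client authentication (SSL) or server authentication (SSL). It will also help
# with generating a certificate for audit log signing.

# Login details for the Safeguard certificate user to create
CertUserName="SampleTestA2AUser"
# SHA-1 thumbprint of the client certificate; it becomes the certificate user's
# authentication identity. The PKCS#12 password is passed to openssl through the
# environment rather than argv so it does not show up in the process list, and
# only the client certificate (no private key) is extracted into the pipeline.
Thumbprint=$(
  PKCS12_PASS="$ClientCertPassword" openssl pkcs12 -in "$ClientCertFile" -clcerts -nokeys -passin env:PKCS12_PASS \
    | openssl x509 -sha1 -noout -fingerprint | cut -d= -f2 | tr -d :
)
if [ -z "$Thumbprint" ]; then
  >&2 echo "Unable to read the client certificate thumbprint from $ClientCertFile"
  exit 1
fi
# Login details of Setup user to create (deleted after script is run).
# The password is a hard-coded sample value for a temporary account only.
SetupUserName="SampleSetupA2AUserDELETEME"
SetupUserPassword="AbcDEF12345qq"
# Test asset and account
AssetName="safeguard-bash-test"
AccountName="a2a"
# Test a2a registration
A2ARegName="safeguard-bash-test-a2a-reg"
# Filled in by create_test_objects on success; checked at the end.
ApiKey=''

echo "ScriptDir=$ScriptDir"
echo "SafeguardDir=$SafeguardDir"
echo "CertUserName=$CertUserName"
echo "Thumbprint=$Thumbprint"
echo "ClientCertFile=$ClientCertFile"

say "Logging into Safeguard as user admin (local/Admin)..."
if ! "$SafeguardDir/connect-safeguard.sh" -a "$Appliance" -i local -u Admin; then
  echo "Unable to connect to $Appliance"
  exit 1
fi

say "Installing trusted root..."
"$SafeguardDir/install-trusted-certificate.sh" -C "$CaCertFile"
say "Installing intermediate ca..."
"$SafeguardDir/install-trusted-certificate.sh" -C "$IssuingCertFile"

say "Adding certificate user named $CertUserName..."
# Bodies are built with jq so every value is JSON-escaped rather than interpolated.
Body=$(jq -cn --arg u "$CertUserName" --arg t "$Thumbprint" \
  '{PrimaryAuthenticationProviderId: -2, UserName: $u, PrimaryAuthenticationIdentity: $t}')
Result=$(post_core Users "$Body")
if response_ok "$Result"; then
  CertUserId=$(jq .Id <<<"$Result")
else
  echo "Unable to create certificate user ($CertUserName)"
  exit 1
fi

say "Adding setup user named $SetupUserName..."
Body=$(jq -cn --arg u "$SetupUserName" \
  '{PrimaryAuthenticationProviderId: -1, UserName: $u, AdminRoles: ["PolicyAdmin","AssetAdmin"]}')
Result=$(post_core Users "$Body")
if response_ok "$Result"; then
  UserId=$(jq .Id <<<"$Result")
  say "Seting setup user password (if this fails due to policy modify this script)..."
  "$SafeguardDir/invoke-safeguard-method.sh" -s core -m PUT -U "Users/$UserId/Password" -b "\"$SetupUserPassword\""
else
  echo "Unable to create setup user (local/$SetupUserName)"
  exit 1
fi

say "Logging out as user admin (local/Admin)..."
"$SafeguardDir/disconnect-safeguard.sh"

say "Logging into Safeguard as setup user (local/$SetupUserName)..."
# The password is supplied on stdin (here-string), not as an argument.
if ! "$SafeguardDir/connect-safeguard.sh" -a "$Appliance" -i local -u "$SetupUserName" -p <<<"$SetupUserPassword"; then
  echo "Unable to connect to $Appliance"
  exit 1
fi

#######################################
# Create the test asset, account, A2A registration and retrievable account
# while logged in as the setup user. Each step depends on the Id returned by
# the previous one; the first failure is reported and the rest are skipped.
# Globals:   AssetName, AccountName, A2ARegName, CertUserId (read); ApiKey (written)
# Returns:   0 on success, 1 after printing which step failed
#######################################
create_test_objects() {
  local body result asset_id account_id reg_id

  say "Creating a test asset ($AssetName)..."
  body=$(jq -cn --arg n "$AssetName" \
    '{AssetPartitionId: -1, PlatformId: 190, Name: $n, Description: "This should be deleted"}')
  result=$(post_core Assets "$body")
  if ! response_ok "$result"; then
    echo "Unable to create test asset ($AssetName)"
    return 1
  fi
  asset_id=$(jq .Id <<<"$result")

  say "Creating a test account ($AccountName)..."
  body=$(jq -cn --argjson a "$asset_id" --arg n "$AccountName" \
    '{AssetId: $a, Name: $n, Description: "This should be deleted"}')
  result=$(post_core AssetAccounts "$body")
  if ! response_ok "$result"; then
    echo "Unable to create test account ($AssetName/$AccountName)"
    return 1
  fi
  account_id=$(jq .Id <<<"$result")

  say "Creating a test a2a registration ($A2ARegName)..."
  body=$(jq -cn --argjson c "$CertUserId" --arg n "$A2ARegName" \
    '{CertificateUserId: $c, AppName: $n, Description: "This should be deleted"}')
  result=$(post_core A2ARegistrations "$body")
  if ! response_ok "$result"; then
    echo "Unable to create test a2a registration ($A2ARegName)"
    return 1
  fi
  reg_id=$(jq .Id <<<"$result")

  body=$(jq -cn --argjson s "$asset_id" --argjson a "$account_id" '{SystemId: $s, AccountId: $a}')
  result=$(post_core "A2ARegistrations/$reg_id/RetrievableAccounts" "$body")
  if ! response_ok "$result"; then
    echo "Unable to create test a2a registration account retrieval"
    return 1
  fi
  # -r strips the JSON quotes so the printed key can be copied as-is.
  ApiKey=$(jq -r .ApiKey <<<"$result")
}

create_test_objects

say "Logging out as setup user ($SetupUserName)..."
"$SafeguardDir/disconnect-safeguard.sh"

say "Logging into Safeguard as user admin (local/Admin)..."
if ! "$SafeguardDir/connect-safeguard.sh" -a "$Appliance" -i local -u Admin; then
  # The setup user (with its sample password) still exists on the appliance
  # at this point and has to be removed manually.
  echo "Unable to connect to $Appliance"
  exit 1
fi
say "Deleting setup user (local/$SetupUserName)..."
"$SafeguardDir/invoke-safeguard-method.sh" -s core -m DELETE -U "Users/$UserId"
say "Logging out as user admin (local/Admin)..."
"$SafeguardDir/disconnect-safeguard.sh"

if [ -z "$ApiKey" ]; then
  echo "Something has gone wrong and you need to clean up and try to run this script again."
  exit 1
fi
printf '%sThumbprint%s=%s%s%s\n' "$YELLOW" "$NC" "$CYAN" "$Thumbprint" "$NC"
printf '%sApiKey%s=%s%s%s\n' "$YELLOW" "$NC" "$CYAN" "$ApiKey" "$NC"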