#!/bin/bash
# _____ _ _ _ _ ____ _____ ___ ___ _ _ ____
#| ___| | | | \ | |/ ___|_ _|_ _/ _ \| \ | / ___|
#| |_ | | | | \| | | | | | | | | | \| \___ \
#| _| | |_| | |\ | |___ | | | | |_| | |\ |___) |
#|_| \___/|_| \_|\____| |_| |___\___/|_| \_|____/
#
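# GENPASS - print a random password (or a fake WWN) to stdout.
#
# Arguments:
#   $1  complexity: alto | medio | baixo | numero | hexa | fakewwn | help | ajuda,
#       or a bare number, which selects "alto" with that length
#   $2  optional length in characters (default 13); non-numeric values
#       fall back to the default instead of being handed to head(1)
# Globals:
#   tamanho   exported, the length used by the nested generators
#   PASSWORD  last candidate produced by HIGH (global, deliberately NOT
#             exported: an exported value would be copied into the
#             environment of every child process spawned afterwards)
# Outputs:
#   "alto": one "WEAK <pw>" line per rejected candidate, then "GOOD <pw>";
#   the other modes print just the value, one per line.
GENPASS() {
  if [[ $# -eq 2 && $2 =~ ^[0-9]+$ ]]; then
    export tamanho=$2
  else
    export tamanho=13
  fi

  # Keeps drawing candidates until one has at least three characters from
  # each of four classes: specials (!?@#_), digits, lowercase, uppercase.
  # Counting is done with parameter expansion (strip the class, compare
  # lengths) so the candidate never goes through an unquoted echo, where a
  # '?' in the password would be expanded as a glob.
  HIGH() {
    local stripped special digits lower upper
    # 4 classes x 3 characters: anything shorter can never pass and the
    # loop below would never terminate.
    if (( tamanho < 12 )); then
      printf 'GENPASS: length %s is too short for a high-complexity password (minimum 12)\n' "$tamanho" >&2
      return 1
    fi
    while true; do
      PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9!?@#_' < /dev/urandom | head -c "$tamanho")
      stripped=${PASSWORD//[@#_?!]/};      special=$(( ${#PASSWORD} - ${#stripped} ))
      stripped=${PASSWORD//[[:digit:]]/};  digits=$(( ${#PASSWORD} - ${#stripped} ))
      stripped=${PASSWORD//[[:lower:]]/};  lower=$(( ${#PASSWORD} - ${#stripped} ))
      stripped=${PASSWORD//[[:upper:]]/};  upper=$(( ${#PASSWORD} - ${#stripped} ))
      if (( special > 2 && digits > 2 && lower > 2 && upper > 2 )); then
        printf 'GOOD %s\n' "$PASSWORD"
        break
      fi
      printf 'WEAK %s\n' "$PASSWORD"
    done
  }
  # Letters, digits and underscore.
  MEDIUM() {
    printf '%s\n' "$(LC_ALL=C tr -dc 'A-Za-z0-9_' < /dev/urandom | head -c "$tamanho")"
  }
  # Letters and digits only.
  LOW() {
    printf '%s\n' "$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$tamanho")"
  }
  # Digits only.
  NUMBER() {
    printf '%s\n' "$(LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$tamanho")"
  }
  # Uppercase hex digits only.
  HEXA() {
    printf '%s\n' "$(LC_ALL=C tr -dc 'A-F0-9' < /dev/urandom | head -c "$tamanho")"
  }
  # 16 random hex digits formatted as eight colon-separated pairs
  # (XX:XX:XX:XX:XX:XX:XX:XX); the length is fixed, $tamanho is ignored.
  FAKEWWN() {
    local raw i pairs=''
    raw=$(LC_ALL=C tr -dc 'A-F0-9' < /dev/urandom | head -c 16)
    for (( i = 0; i < ${#raw}; i += 2 )); do
      pairs+="${raw:i:2}:"
    done
    printf '%s\n' "${pairs%:}"
  }
  # Usage text (Portuguese, kept verbatim); $0 is reduced to its basename.
  HELP() {
    local me=${0##*/}
    echo HELP
    printf '%s\n' "$me <numero de caracteres> | [ alto | medio | baixo | numero | hexa ] <numero de caracteres>"
    printf '%s\n' "$me [ alto | medio | baixo | numero | hexa | fakewwn]"
    printf '%s\n' "$me #Opção default utiliza a complexidade alta com $tamanho caracteres"
  }

  case $1 in
    alto)
      HIGH
      ;;
    medio)
      MEDIUM
      ;;
    baixo)
      LOW
      ;;
    numero)
      NUMBER
      ;;
    hexa)
      HEXA
      ;;
    fakewwn)
      FAKEWWN
      ;;
    help|ajuda)
      HELP
      ;;
    *)
      # A bare number (or nothing at all) means: high complexity, that
      # length (or the default).
      if [[ $1 =~ ^[0-9]+$ ]]; then
        export tamanho=$1
      else
        export tamanho=13
      fi
      HIGH
      ;;
  esac
}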
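# CENSOR - filter that copies stdin to stdout with every occurrence of the
# secret given as $1 replaced by "***". Used as one stage of the pipeline
# text produced by CENSOR_BUILD.
#
# Arguments:
#   $1  the literal secret to redact (any characters; it is not a regex)
# Outputs:
#   stdin with the secret masked. Lines are otherwise passed through
#   untouched: leading/trailing whitespace and backslashes are preserved and
#   a final line without a trailing newline is still emitted.
CENSOR() {
  local secret=$1 line
  # Parameter expansion with a quoted pattern matches literally, so a '/',
  # '.', '*' or '[' in the secret can neither break the substitution nor
  # let the value through unmasked, which an unescaped sed "s/$1/***/g"
  # would allow. An empty secret is a plain pass-through.
  while IFS= read -r line || [[ -n $line ]]; do
    if [[ -n $secret ]]; then
      printf '%s\n' "${line//"$secret"/***}"
    else
      printf '%s\n' "$line"
    fi
  done
}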
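# CENSOR_BUILD - build the shell text of a redaction pipeline, one CENSOR
# stage per ';'-separated secret, meant to be used as
#   some_cmd | eval "$(CENSOR_BUILD "$CENSORSTRING")"
#
# Arguments:
#   $1  secrets separated by ';' (empty entries are skipped)
# Outputs:
#   "CENSOR <s_n> | ... | CENSOR <s_1>" (last secret first). Each secret is
#   shell-quoted with printf %q so that eval hands it back to CENSOR as a
#   single literal argument even when it contains spaces or glob/metachars.
#   With no usable secret the text is "cat", so the eval'd stage still
#   passes its input through instead of failing with a syntax error.
CENSOR_BUILD() {
  local -a secrets=()
  local secret pipeline=''
  IFS=';' read -r -a secrets <<< "$1"
  for secret in "${secrets[@]}"; do
    [[ -n $secret ]] || continue
    pipeline="CENSOR $(printf '%q' "$secret") | $pipeline"
  done
  if [[ -z $pipeline ]]; then
    printf 'cat\n'
  else
    printf '%s\n' "${pipeline% | }"
  fi
}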
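# TEST_BIN - report whether an executable named $1 is available on PATH.
#
# Arguments:
#   $1  command name
# Outputs:
#   "<name> OK" or "<name> not found" on stdout
# Returns:
#   0 when found, 1 otherwise. The previous version used `break` here,
#   which is not meaningful inside a function and whose effect on the
#   caller's loop depends on the bash version; callers that want to stop
#   on a missing tool should check the return code instead.
TEST_BIN() {
  local name=$1 path
  # type -P resolves only executable files on PATH (no aliases, functions
  # or builtins), which is what `which | wc -l` plus `file` approximated.
  if path=$(type -P "$name") && [[ -n $path && -x $path ]]; then
    printf '%s OK\n' "$name"
    return 0
  fi
  printf '%s not found\n' "$name"
  return 1
}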
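# TEMPFILE - tiny wrapper around temporary-file handling.
#
# Arguments:
#   $1  action: "create" prints the path of a fresh mktemp(1) file,
#       "delete" removes the file given in $2
#   $2  path to remove (delete only)
# Outputs:
#   create: the new path on stdout
# Returns:
#   the status of mktemp/rm; 1 for a missing delete path or an unknown
#   action
TEMPFILE() {
  case $1 in
    create)
      mktemp
      ;;
    delete)
      # Refuse an empty path rather than running a bare `rm -f`.
      if [[ -z $2 ]]; then
        printf 'TEMPFILE delete: missing path\n' >&2
        return 1
      fi
      rm -f -- "$2"
      ;;
    *)
      # EXITNOW is not defined anywhere in this file; use it when the
      # sourcing environment provides it, otherwise fail in place.
      if declare -F EXITNOW >/dev/null 2>&1; then
        EXITNOW "could not create temporary file"
      else
        printf 'TEMPFILE: could not create temporary file\n' >&2
        return 1
      fi
      ;;
  esac
}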
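# RUN - run a command string with logging and an optional failure policy.
# The command text and everything it prints on stdout go through the
# redaction pipeline built from $CENSORSTRING, so secrets do not reach the
# log.
#
# Arguments:
#   $1  command to run; it is passed to eval, so build it from trusted
#       values only
#   $2  failure policy: "ignore" (log the failure and carry on), "retry"
#       (sleep 10 s and run once more, a second failure exits 1), anything
#       else exits 1 immediately
# Globals:
#   CENSORSTRING  read, ';'-separated secrets for CENSOR_BUILD
#   RC            exported: 3 not finished, 2 retrying, 1 fatal, 0 done
# Outputs:
#   a timestamp, the (redacted) command, `time` statistics on stderr, then
#   "SUCCESS <cmd>" or "FAIL <status>" followed by "FAIL <cmd>"
RUN() {
  local cmd=$1 policy=${2:-}
  local censor status
  censor=$(CENSOR_BUILD "$CENSORSTRING")
  export RC=3
  while true; do
    date
    printf '%s\n' "$cmd" | eval "$censor"
    time eval "$cmd" | eval "$censor"
    # $? after a pipeline is the status of its last stage (the censor);
    # PIPESTATUS[0] is the status of the command itself, which is what
    # the failure policy has to act on.
    status=${PIPESTATUS[0]}
    if (( status != 0 )); then
      printf 'FAIL %s\n' "$status"
      printf 'FAIL %s\n' "$cmd" | eval "$censor"
      case $policy in
        ignore)
          export RC=0
          ;;
        retry)
          if (( RC == 3 )); then
            export RC=2
            sleep 10
          else
            export RC=1
            exit 1
          fi
          ;;
        *)
          exit 1
          ;;
      esac
    else
      printf 'SUCCESS %s\n' "$cmd" | eval "$censor"
      export RC=0
    fi
    (( RC == 0 )) && break
  done
}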
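# CONCAT_CA - prepend the contents of $1 to the file $2 in place, so that $2
# ends up as "$1 followed by old $2" (e.g. CA certificate before a leaf).
# The result is assembled in a temporary file and only copied over $2 once
# both inputs were read successfully.
#
# Arguments:
#   $1  file whose contents go first
#   $2  file to prepend to; rewritten in place
# Returns:
#   0 on success; 1 when an input cannot be read or the copy fails, in
#   which case $2 is left untouched
CONCAT_CA() {
  local first=$1 target=$2 tmp rc=0
  tmp=$(TEMPFILE create) || return 1
  if cat -- "$first" "$target" > "$tmp"; then
    cp -- "$tmp" "$target" || rc=1
  else
    printf 'CONCAT_CA: could not read %s and %s\n' "$first" "$target" >&2
    rc=1
  fi
  TEMPFILE delete "$tmp"
  return "$rc"
}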
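# CERTIFICATE - generate a self-signed CA, a server key and certificate
# signed by it, and PKCS12/JKS keystores under $TMPBASEDIR. Every step goes
# through RUN, so it is logged with secrets redacted and a failure stops
# the script.
#
# Globals (read):
#   SSL_CERT_C SSL_CERT_ST SSL_CERT_L SSL_CERT_O SSL_CERT_OU SSL_CERT_EMAIL
#   K8S_NAME K8S_NAMESPACE TMPBASEDIR SSL_LENGTH SSL_EXPIRE (days, default
#   3650) SSL_CA_KEY SSL_CA_CERT SSL_DEVICE_KEY SSL_REQUEST_KEY
#   SSL_DEVICE_CERT SSL_KS_P12 SSL_KS_JKS
#   SSL_PASS - keystore/CA passphrase; it is (re)exported here because
#   openssl and keytool read it from the environment
# Globals (written):
#   SSL_SUBJECT, SSL_ALTNAME when not preset by the caller
# Outputs:
#   the subject and subjectAltName lines, then RUN's log
CERTIFICATE() {
  local service="${K8S_NAME}-admission-service.${K8S_NAMESPACE}.svc"
  # The subject keeps its surrounding single quotes on purpose: RUN evals
  # the command text and the quotes keep "-subj" a single argument there.
  if [[ -z $SSL_SUBJECT ]]; then
    export SSL_SUBJECT="'/C=${SSL_CERT_C}/ST=${SSL_CERT_ST}/L=${SSL_CERT_L}/O=${SSL_CERT_O}/OU=${SSL_CERT_OU}/CN=${service}.cluster.local/emailAddress=${SSL_CERT_EMAIL}'"
  fi
  if [[ -z $SSL_ALTNAME ]]; then
    export SSL_ALTNAME="subjectAltName=DNS:${service}.cluster.local,DNS:${service}"
  fi
  printf '%s\n' "$SSL_SUBJECT" "$SSL_ALTNAME"

  # The passphrase is handed to openssl (env:SSL_PASS) and keytool
  # (-storepass:env SSL_PASS) through the environment rather than as a
  # "pass:..." argument, so it never appears in `ps`, /proc/<pid>/cmdline
  # or the command line RUN logs.
  export SSL_PASS
  local days=${SSL_EXPIRE:-3650}
  local base=$TMPBASEDIR
  # Private keys and keystores are created with owner-only permissions;
  # the caller's umask is restored afterwards.
  local old_umask
  old_umask=$(umask)
  umask 077

  # NOTE(review): the leaf CSR below reuses the CA subject, so the server
  # certificate has issuer DN == subject DN; confirm the consuming tooling
  # accepts that, or give the CA a distinct CN/OU.
  RUN "openssl genrsa -aes256 -passout env:SSL_PASS -out $base/$SSL_CA_KEY $SSL_LENGTH"
  RUN "openssl req -x509 -new -nodes -key $base/$SSL_CA_KEY -passin env:SSL_PASS -sha256 -days $days -out $base/$SSL_CA_CERT -subj $SSL_SUBJECT"
  RUN "openssl genrsa -out $base/$SSL_DEVICE_KEY $SSL_LENGTH"
  RUN "openssl req -new -key $base/$SSL_DEVICE_KEY -out $base/$SSL_REQUEST_KEY -subj $SSL_SUBJECT"
  # The SAN value is %q-escaped once here and printed with a fixed format
  # inside the eval'd text, so it can neither act as a printf format nor
  # be word-split by eval.
  RUN "openssl x509 -req -in $base/$SSL_REQUEST_KEY -CA $base/$SSL_CA_CERT -CAkey $base/$SSL_CA_KEY -CAcreateserial -out $base/$SSL_DEVICE_CERT -days $days -sha256 -passin env:SSL_PASS -extfile <(printf '%s\n' $(printf '%q' "$SSL_ALTNAME"))"
  RUN "openssl pkcs12 -export -in $base/$SSL_DEVICE_CERT -inkey $base/$SSL_DEVICE_KEY -name awh -out $base/SRC-$SSL_KS_P12 -passin env:SSL_PASS -passout env:SSL_PASS"
  RUN "keytool -importkeystore -destkeystore $base/$SSL_KS_P12 -srckeystore $base/SRC-$SSL_KS_P12 -srcstoretype PKCS12 -deststoretype pkcs12 -srcstorepass:env SSL_PASS -deststorepass:env SSL_PASS"
  RUN "keytool -importkeystore -destkeystore $base/$SSL_KS_JKS -srckeystore $base/SRC-$SSL_KS_P12 -srcstoretype PKCS12 -deststoretype jks -srcstorepass:env SSL_PASS -deststorepass:env SSL_PASS"

  umask "$old_umask"
}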
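# HELM_GET_VALUE - read one value from a Helm values file with yq.
#
# Arguments:
#   $1  path to the YAML file
#   $2  yq expression, e.g. '.common.name'
# Outputs:
#   yq's result on stdout. A key that is absent typically comes back as
#   the text "null" rather than as empty output, so callers must validate
#   what they receive before using it as a password or name.
# Returns:
#   yq's exit status
HELM_GET_VALUE() {
  yq "$2" < "$1"
}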
# _____ _____ ____ _____
#|_ _| ____/ ___|_ _|
# | | | _| \___ \ | |
# | | | |___ ___) || |
# |_| |_____|____/ |_|
#
# Report on the external tools this script relies on. TEST_BIN only prints
# "<tool> OK" / "<tool> not found"; the script carries on either way.
for BIN in yq jq keytool openssl; do
  TEST_BIN "$BIN"
done
#__ ___ ____ ____
#\ \ / / \ | _ \/ ___|
# \ \ / / _ \ | |_) \___ \
# \ V / ___ \| _ < ___) |
# \_/_/ \_\_| \_\____/
#
# Kubeconfig for the cluster this script targets (only the commented-out
# kubectl steps at the bottom would use it).
export KUBECONFIG=$HOME/.kube/configs/kind
# The passphrase is read from the values file further down; GENPASS could
# produce one instead:
#export SSL_PASS="$(GENPASS | grep ^GOOD | awk '{print $2}' )"
# Output file names; all of them are created below $TMPBASEDIR.
export SSL_CA_KEY=rootCA.key     SSL_CA_CERT=rootCA.crt
export SSL_DEVICE_KEY=device.key SSL_REQUEST_KEY=device.csr SSL_DEVICE_CERT=device.crt
export SSL_KS_P12=ks.p12         SSL_KS_JKS=ks.jks
# RSA key size in bits and the intended certificate lifetime in days.
export SSL_LENGTH=2048 SSL_EXPIRE=3650
# Distinguished-name fields used when SSL_SUBJECT is not preset.
export SSL_CERT_EMAIL=fake@kubeomatic.org
export SSL_CERT_C=BR SSL_CERT_ST=Sao_Paulo SSL_CERT_L=Sao_Paulo
export SSL_CERT_O=kubeomatic.io SSL_CERT_OU=kubeomatic
# Examples of presetting the subject and SAN explicitly (left unset so
# CERTIFICATE derives them from the fields above):
# export SSL_SUBJECT="'/C=BR/ST=Sao_Paulo/L=Sao_Paulo/O=clusterlab.com.br/OU=Clusterlab/CN=timebomb-admission-service.timebomb.svc.cluster.local/emailAddress=devops@clusterlab.com.br'"
# export SSL_ALTNAME="subjectAltName=DNS:timebomb-admission-service.timebomb.svc.cluster.local,DNS:timebomb-admission-service.timebomb.svc"
# Working directories, relative to the current directory.
export TMPBASEDIR=tmp
export BASEDIR=extra
# ____ ____ _____ ____ _ ____ _____
#| _ \| _ \| ____| _ \ / \ | _ \| ____|
#| |_) | |_) | _| | |_) / _ \ | |_) | _|
#| __/| _ <| |___| __/ ___ \| _ <| |___
#|_| |_| \_\_____|_| /_/ \_\_| \_\_____|
#
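# Parameters: the only argument is the Helm values file. The passphrase,
# namespace and release name are read from it.
if [[ $# -eq 1 && -f $1 ]]; then
  export VALUES=$1
else
  printf '%s\n' 'Not Enough Arguments' "Usage: ${0##*/} <values.yaml>" >&2
  exit 1
fi
# Declaration and assignment are separate so a failing yq is not masked
# by `export` succeeding.
export SSL_PASS K8S_NAMESPACE K8S_NAME
SSL_PASS=$(HELM_GET_VALUE "$VALUES" '.certificate.keyStorePAss')
# yq typically prints "null" for a missing key; neither that nor an empty
# string may become the keystore password.
if [[ -z $SSL_PASS || $SSL_PASS == null ]]; then
  printf '.certificate.keyStorePAss is not set in %s\n' "$VALUES" >&2
  exit 1
fi
K8S_NAMESPACE=$(HELM_GET_VALUE "$VALUES" '.common.nameSpace')
K8S_NAME=$(HELM_GET_VALUE "$VALUES" '.common.name')
export WORKDIR=$PWD
# Secrets that RUN must redact from its log, ';'-separated.
export CENSORSTRING=$SSL_PASS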
# ____ _ _ _ _ ____
#| _ \| | | | \ | / ___|
#| |_) | | | | \| \___ \
#| _ <| |_| | |\ |___) |
#|_| \_\\___/|_| \_|____/
#
# echo $TMPBASEDIR/$SSL_KS_P12
# echo $VALUES
# file $VALUES
# exit
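# Run: build the keystore once. An existing $TMPBASEDIR/$SSL_KS_P12 is
# reused as-is, so a changed passphrase or name in the values file only
# takes effect after that file is removed.
if [[ ! -f $TMPBASEDIR/$SSL_KS_P12 ]]; then
  # -d, not -f: the directory is what has to exist here.
  if [[ ! -d $TMPBASEDIR ]]; then
    RUN "mkdir -p $TMPBASEDIR" ignore
  fi
  CERTIFICATE
else
  printf 'Skipping Certificate creation\n'
fi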
#RUN "kubectl create ns $K8S_NAMESPACE"
# if [ -f $TMPBASEDIR/$SSL_KS_P12 ]
# then
# RUN "kubectl -n $K8S_NAMESPACE create secret generic $K8S_NAME-secret --from-file $TMPBASEDIR/$SSL_KS_P12"
# else
# echo Keystore \"$TMPBASEDIR/$SSL_KS_P12\" not found. Could not crete secret.
# fi