Work in progress

ncharles · Aug 31, 2019 · 810c9fd · 810c9fd
1 parent 4a5c037
commit 810c9fd
Show file tree

Hide file tree

Showing 3 changed files with 3,549 additions and 1,310 deletions.
diff --git a/contrib/inventory-generation/inventory-generation b/contrib/inventory-generation/inventory-generation
@@ -16,7 +16,7 @@
 # @man +
 # @man *-p --path*: use the given path to for the data generated
 
-set -x
+set -e
 
 DATA=false
 NUMBER=0
@@ -25,10 +25,22 @@ WIPE=false
 TEMPLATE=tml.ocs
 DEST_PATH=data
 
+DEST_INVENTORIES=inventories
+DEST_INVENTORIES_TMP=inventories_tmp
+
+# Private key passphrase
+PASSPHRASE="Cfengine passphrase"
+
 # detect if any option has been passed to the script
 ANY_OPTION_DEFINED=false
 
 
+#Definining list of inventory (short & long)
+DEF_LONG_OS_NAME=("Microsoft Windows Server 2019 Standard" "Debian GNU/Linux 9.1 (stretch)" "Debian GNU/Linux 9.2 (stretch)" "Debian GNU/Linux 8.6 (Jessie)" "CentOS Linux release 7.6.1810 (Core)" "CentOS Linux release 7.4.1810 (Core)" "CentOS Linux release 6.10 (Final)")
+DEF_SHORT_OS_NAME=(Windows Debian Debian Debian Centos Centos Centos)
+
+MAX_SOFT_VERSION=100
+
 # Output usage
 function usage()
 {
@@ -73,17 +85,22 @@ function generate_data {
   do
     UUID=$(uuidgen)
 
-    mkdir ${DEST_PATH}/${UUID}
+    mkdir ${DEST_PATH}/${UUID} || true
 
-    openssl genrsa -des3 -out ${DEST_PATH}/${UUID}/localhost.priv -passout "pass:Cfengine passphrase" 4096
-    openssl rsa -in ${DEST_PATH}/${UUID}/localhost.priv -passin "pass:Cfengine passphrase" -RSAPublicKey_out -out ${DEST_PATH}/${UUID}/localhost.pub
+    openssl genrsa -des3 -out ${DEST_PATH}/${UUID}/localhost.priv -passout "pass:${PASSPHRASE}" 4096
+    openssl rsa -in ${DEST_PATH}/${UUID}/localhost.priv -passin "pass:${PASSPHRASE}" -RSAPublicKey_out -out ${DEST_PATH}/${UUID}/localhost.pub
+
+
+    openssl req -new -sha256 -key ${DEST_PATH}/${UUID}/localhost.priv -out ${DEST_PATH}/${UUID}/agent.cert -passin "pass:${PASSPHRASE}" -x509 -days 3650 -extensions agent_cert -config openssl-agent.cnf -subj "/UID=${UUID}"
 
     echo "RUDDER_TEST_${i}" > ${DEST_PATH}/${UUID}/hostname
 
 
     IP4=$((IP4+1))
     validate_ip
 
+    echo "${UUID}" > ${DEST_PATH}/${UUID}/uuid
+
     echo "${IP1}.${IP2}.${IP3}.${IP4}" > ${DEST_PATH}/${UUID}/ip
 
     echo "d0:ab:d5:e5:90:e8" > ${DEST_PATH}/${UUID}/mac
@@ -98,7 +115,75 @@ function generate_data {
 
 }
 
+function create_inventory {
+  mkdir ${DEST_INVENTORIES} || true
+  mkdir ${DEST_INVENTORIES_TMP} || true
+
+  echo "Creating inventories based on the folders in ${DEST_PATH}"
+
+  # compute numer of OSs
+  os_list_size=${#DEF_LONG_OS_NAME[@]}
+  echo $os_list_size
+
+  # List all data 
+  for d in ${DEST_PATH}/*; do
+    if [ -d "$d" ]; then
+
+      # File path in the rudder utilities format (for better maintenance)
+      CERT=$d/agent.cert
+      PRIVKEY=$d/localhost.priv
+
+      # read variables    
+      UUID=$(<$d/uuid)
+      IP=$(<$d/ip)
+      MAC=$(<$d/mac)
+      OS_NAME=$(<$d/osname)
+      FULL_OS_NAME=$(<$d/fullosname)
+      AGENT_VERSION=$(<$d/agent_version)
+      RUDDER_HOSTNAME=$(<$d/hostname)
+
+      PUBLIC_KEY=$(<$d/localhost.pub)
+      AGENT_CERT=$(<$CERT)
+      #Random value
+      RAND_OS_VAL=$((RANDOM%$os_list_size))
+      RAND_OS_NAME=${DEF_SHORT_OS_NAME[$RAND_OS_VAL]}
+      RAND_FULL_OS_NAME=${DEF_LONG_OS_NAME[$RAND_OS_VAL]}     
+
+      RAND_SOFT_VERSION=$(($RANDOM%$MAX_SOFT_VERSION))
+
+      filename=${RUDDER_HOSTNAME}-${UUID}.ocs
+
+      tmp_file=${DEST_INVENTORIES_TMP}/${filename}
+      ready_file=${DEST_INVENTORIES}/${filename}.gz
+      # replace values in template and create temp file
+      eval "cat <<EOF
+$(<template/RUDDER-Template.ocs) 
+EOF" > ${tmp_file}
+
+      # sign it
+      # We do not include certs as the server already knows them
+      openssl smime -sign -text -nocerts -signer "${CERT}" -inkey "${PRIVKEY}" -passin "pass:${PASSPHRASE}" \
+        -in "${tmp_file}" -out "${tmp_file}.signed"
+
+      if [ $? -eq 0 ]; then
+        # Move temp file
+        mv "${tmp_file}.signed" "${tmp_file}"
+      else
+        echo "${red}error${normal}: ${tmp_file} could not be signed"
+        rm -f "${tmp_file}.signed"
+        exit 1
+      fi
+      gzip -f "${tmp_file}"
+      # (Very likely) atomic move in ready reports dir
+      mv "${tmp_file}.gz" "${ready_file}"
+    fi
+  done
+
+  # Finally, cleaning all temporary data
+  #rm -rf ${DEST_INVENTORY_TMP}
+  echo "Done!"
 
+}
 function wipe {
   echo "Wipping folder ${DEST_PATH}"
   echo "Type ctrl-c to abort now and return to continue."
@@ -109,7 +194,7 @@ function wipe {
 
 
 # Defines available options
-OPTIONS=d:g:wt:p:
+OPTIONS=d:gwt:p:
 #LONGOPTS=data:,generate,wipe,template:,DEST_PATH:
 LONGOPTS=data:
 
@@ -190,3 +275,9 @@ then
   generate_data
 fi
 
+
+# Generate the data
+if [ "${GENERATE}" = "true" ]
+then
+  create_inventory
+fi
diff --git a/contrib/inventory-generation/openssl-agent.cnf b/contrib/inventory-generation/openssl-agent.cnf
@@ -0,0 +1,25 @@
+# mandatory for some openssl commands
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+
+
+# DOC: https://superuser.com/questions/738612/openssl-ca-keyusage-extension/1248085#1248085
+# There is no real check on those features by openssl except basicConstraints
+# We don't use critical not pathlen to avoid incompatibilities with future checks
+
+# keyCertSign: certificate signature
+# cRLSign: crl signature
+# digitalSignature: file signature (not used for crl, may be used for DHE)
+# dataEncipherment: file encryption (usualy no used, we cipher a temporary key instead)
+# keyEncipherment: key exchange (for tls with RSA)
+# keyAgreement: key exchange (for tls with DHE)
+
+[ agent_cert ]
+# subject = /CN=hostname/UID=uuid
+basicConstraints        = CA:FALSE
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always, issuer:always
+keyUsage                = digitalSignature, dataEncipherment, keyEncipherment, keyAgreement 
+#extendedKeyUsage        = clientAuth