You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
|
|
#!/bin/sh
# This script deploys your cert to a s3 bucket. # export S3_BUCKET=acme # export S3_REGION=eu-central-1 # export AWS_PROFILE=default # export AWS_ACCESS_KEY_ID=exampleid # export AWS_SECRET_ACCESS_KEY=examplekey # # Checks to see if awscli present # If not, use curl + aws v4 signature to upload object # Make sure your keys have access to upload objects. # Also make sure your default region is correct, otherwise, override with $S3_REGION
######## Public functions #####################
#domain keyfile certfile cafile fullchain s3_deploy() { _cdomain="$1" _ckey="$2" _ccert="$3" _cca="$4" _cfullchain="$5" if [ -z "$S3_BUCKET" ] ; then _err "You haven't specified the bucket name yet." _err "Please set it via export and try again." _err "e.g. export S3_BUCKET=acme" return 1 fi
if [ -z "$AWS_PROFILE" ]; then AWS_PROFILE="default" fi
if ! _exists aws; then _debug "AWS CLI not installed, defaulting to curl method" _aws_cli_installed=0 else _debug "AWS CLI installed, defaulting ignoring curl method" _aws_cli_installed=1 S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})" fi
if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then _err "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set." _err "Please set them via export, or use the aws-cli." return 1 fi
if [ -z "$S3_REGION" ]; then S3_REGION="us-east-1" fi
# Save s3 options if it's succesful (First run case) _saveaccountconf S3_BUCKET "$S3_BUCKET" _saveaccountconf S3_REGION "$S3_REGION" _saveaccountconf AWS_PROFILE "$AWS_PROFILE"
_debug _cdomain "$_cdomain" _debug _ckey "$_ckey" _debug _ccert "$_ccert" _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" _debug S3_BUCKET "$S3_BUCKET" _debug AWS_PROFILE "$AWS_PROFILE" _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID" _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY" # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING _aws_cli_installed=1
_info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION" if [ "$_aws_cli_installed" -eq "0" ]; then _debug "deploying with curl method" else _debug "deploying with aws cli method" fi
# private _deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key" # public _deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer" # ca _deploy_to_bucket "$_cca" "$_cdomain/ca.cer" # fullchain _deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer"
return 0
}
#################### Private functions below ##################################
_deploy_to_bucket() { if [ "$_aws_cli_installed" -eq "0" ]; then _deploy_with_curl "$1" "$2" else _deploy_with_awscli "$1" "$2" fi }
_deploy_with_awscli() { file="$1" prefix="$2" aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE" }
_deploy_with_curl() {
file="${1}" bucket="${S3_BUCKET}" prefix="${2}" region="${S3_REGION}" acl="private" timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")" signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date"
if [ "$(uname)" = "Darwin" ]; then iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ") date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d") date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z") else iso_timestamp=$(date -ud "${timestamp}" "+%Y%m%dT%H%M%SZ") date_scope=$(date -ud "${timestamp}" "+%Y%m%d") date_header=$(date -ud "${timestamp}" "+%a, %d %h %Y %T %Z") fi
_info "Uploading $S3_BUCKET/$prefix"
export _H1 export _H2 export _H3 export _H4 export _H5 _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)" _H2="Date:${date_header}" _H3="x-amz-acl:${acl}" _H4="x-amz-content-sha256:$(_payload_hash)" _H5="x-amz-date:${iso_timestamp}"
_debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")" }
#################### Private functions below ##################################
_payload_hash() { echo "$(shasum -ba 256 "$file")%% *" }
_canonical_request() { echo "PUT" echo "/${prefix}" echo "" echo "date:${date_header}" echo "host:${bucket}.s3.${region}.amazonaws.com" echo "x-amz-acl:${acl}" echo "x-amz-content-sha256:$(_payload_hash)" echo "x-amz-date:${iso_timestamp}" echo "" echo "${signed_headers}"
_payload_hash }
_canonical_request_hash() { echo "$(_canonical_request | shasum -a 256)%% *" }
_string_to_sign() { echo "AWS4-HMAC-SHA256" echo "${iso_timestamp}" echo "${date_scope}/${region}/s3/aws4_request" _canonical_request_hash }
_signature_key() { secret_key=$(echo "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump) date_key=$(echo "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump) region_key=$(echo "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump) service_key=$(echo "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump) printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump }
_signature() { _string_to_sign | _hmac "sha256" "$(_signature_key)" | _hex_dump | sed "s/^.* //" }
|