You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

189 lines
5.2 KiB

8 years ago
8 years ago
  1. #!/bin/sh
  2. # This script deploys your cert to a s3 bucket.
  3. # export S3_BUCKET=acme
  4. # export S3_REGION=eu-central-1
  5. # export AWS_PROFILE=default
  6. # export AWS_ACCESS_KEY_ID=exampleid
  7. # export AWS_SECRET_ACCESS_KEY=examplekey
  8. #
  9. # Checks to see if awscli present
  10. # If not, use curl + aws v4 signature to upload object
  11. # Make sure your keys have access to upload objects.
  12. # Also make sure your default region is correct, otherwise, override with $S3_REGION
  13. ######## Public functions #####################
  14. #domain keyfile certfile cafile fullchain
  15. s3_deploy() {
  16. _cdomain="$1"
  17. _ckey="$2"
  18. _ccert="$3"
  19. _cca="$4"
  20. _cfullchain="$5"
  21. if [ -z "$S3_BUCKET" ] ; then
  22. _err "You haven't specified the bucket name yet."
  23. _err "Please set it via export and try again."
  24. _err "e.g. export S3_BUCKET=acme"
  25. return 1
  26. fi
  27. if [ -z "$AWS_PROFILE" ]; then
  28. AWS_PROFILE="default"
  29. fi
  30. if ! _exists aws; then
  31. _debug "AWS CLI not installed, defaulting to curl method"
  32. _aws_cli_installed=0
  33. else
  34. _debug "AWS CLI installed, defaulting ignoring curl method"
  35. _aws_cli_installed=1
  36. S3_REGION="$(aws configure get region --profile ${AWS_PROFILE})"
  37. fi
  38. if [ "$_aws_cli_installed" -eq "0" ] && ([ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]); then
  39. _err "AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY not set."
  40. _err "Please set them via export, or use the aws-cli."
  41. return 1
  42. fi
  43. if [ -z "$S3_REGION" ]; then
  44. S3_REGION="us-east-1"
  45. fi
  46. # Save s3 options if it's succesful (First run case)
  47. _saveaccountconf S3_BUCKET "$S3_BUCKET"
  48. _saveaccountconf S3_REGION "$S3_REGION"
  49. _saveaccountconf AWS_PROFILE "$AWS_PROFILE"
  50. _debug _cdomain "$_cdomain"
  51. _debug _ckey "$_ckey"
  52. _debug _ccert "$_ccert"
  53. _debug _cca "$_cca"
  54. _debug _cfullchain "$_cfullchain"
  55. _debug S3_BUCKET "$S3_BUCKET"
  56. _debug AWS_PROFILE "$AWS_PROFILE"
  57. _secure_debug AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
  58. _secure_debug AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
  59. # REMOVE BEFORE COMMIT, ONLY FOR DEBUGGING
  60. _aws_cli_installed=1
  61. _info "Deploying certificate to s3 bucket: $S3_BUCKET in $S3_REGION"
  62. if [ "$_aws_cli_installed" -eq "0" ]; then
  63. _debug "deploying with curl method"
  64. else
  65. _debug "deploying with aws cli method"
  66. fi
  67. # private
  68. _deploy_to_bucket "$_ckey" "$_cdomain/$_cdomain.key"
  69. # public
  70. _deploy_to_bucket "$_ccert" "$_cdomain/$_cdomain.cer"
  71. # ca
  72. _deploy_to_bucket "$_cca" "$_cdomain/ca.cer"
  73. # fullchain
  74. _deploy_to_bucket "$_cfullchain" "$_cdomain/fullchain.cer"
  75. return 0
  76. }
  77. #################### Private functions below ##################################
  78. _deploy_to_bucket() {
  79. if [ "$_aws_cli_installed" -eq "0" ]; then
  80. _deploy_with_curl "$1" "$2"
  81. else
  82. _deploy_with_awscli "$1" "$2"
  83. fi
  84. }
  85. _deploy_with_awscli() {
  86. file="$1"
  87. prefix="$2"
  88. aws s3 cp "$file" s3://"$S3_BUCKET"/"$prefix" --region "$S3_REGION" --profile "$AWS_PROFILE"
  89. }
  90. _deploy_with_curl() {
  91. file="${1}"
  92. bucket="${S3_BUCKET}"
  93. prefix="${2}"
  94. region="${S3_REGION}"
  95. acl="private"
  96. timestamp="$(date -u "+%Y-%m-%d %H:%M:%S")"
  97. signed_headers="date;host;x-amz-acl;x-amz-content-sha256;x-amz-date"
  98. if [ "$(uname)" = "Darwin" ]; then
  99. iso_timestamp=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%dT%H%M%SZ")
  100. date_scope=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%Y%m%d")
  101. date_header=$(date -ujf "%Y-%m-%d %H:%M:%S" "${timestamp}" "+%a, %d %h %Y %T %Z")
  102. else
  103. iso_timestamp=$(date -ud "${timestamp}" "+%Y%m%dT%H%M%SZ")
  104. date_scope=$(date -ud "${timestamp}" "+%Y%m%d")
  105. date_header=$(date -ud "${timestamp}" "+%a, %d %h %Y %T %Z")
  106. fi
  107. _info "Uploading $S3_BUCKET/$prefix"
  108. export _H1
  109. export _H2
  110. export _H3
  111. export _H4
  112. export _H5
  113. _H1="Authorization: AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${date_scope}/${region}/s3/aws4_request,SignedHeaders=${signed_headers},Signature=$(_signature)"
  114. _H2="Date:${date_header}"
  115. _H3="x-amz-acl:${acl}"
  116. _H4="x-amz-content-sha256:$(_payload_hash)"
  117. _H5="x-amz-date:${iso_timestamp}"
  118. _debug2 "$(_post "${file}" "https://$bucket.s3.$region.amazonaws.com/$prefix")"
  119. }
  120. #################### Private functions below ##################################
  121. _payload_hash() {
  122. echo "$(shasum -ba 256 "$file")%% *"
  123. }
  124. _canonical_request() {
  125. echo "PUT"
  126. echo "/${prefix}"
  127. echo ""
  128. echo "date:${date_header}"
  129. echo "host:${bucket}.s3.${region}.amazonaws.com"
  130. echo "x-amz-acl:${acl}"
  131. echo "x-amz-content-sha256:$(_payload_hash)"
  132. echo "x-amz-date:${iso_timestamp}"
  133. echo ""
  134. echo "${signed_headers}"
  135. _payload_hash
  136. }
  137. _canonical_request_hash() {
  138. echo "$(_canonical_request | shasum -a 256)%% *"
  139. }
  140. _string_to_sign() {
  141. echo "AWS4-HMAC-SHA256"
  142. echo "${iso_timestamp}"
  143. echo "${date_scope}/${region}/s3/aws4_request"
  144. _canonical_request_hash
  145. }
  146. _signature_key() {
  147. secret_key=$(echo "AWS4${AWS_SECRET_ACCESS_KEY?}" | _hex_dump)
  148. date_key=$(echo "${date_scope}" | _hmac "sha256" "${secret_key}" hex | _hex_dump)
  149. region_key=$(echo "${region}" | _hmac "sha256" "${date_key}" hex | _hex_dump)
  150. service_key=$(echo "s3" | _hmac "sha256" "${region_key}" hex | _hex_dump)
  151. printf "aws4_request" | _hmac "sha256" "${service_key}" hex | _hex_dump
  152. }
  153. _signature() {
  154. _string_to_sign | _hmac "sha256" "$(_signature_key)" | _hex_dump | sed "s/^.* //"
  155. }