diff --git a/deploy/sophosxg.sh b/deploy/sophosxg.sh new file mode 100644 index 00000000..7fba5413 --- /dev/null +++ b/deploy/sophosxg.sh @@ -0,0 +1,198 @@ +#!/usr/bin/env sh +# +# This deploy script deploys to a Sophos XG appliance +# DEPLOY_SOPHOSXG_HOST="" +# DEPLOY_SOPHOSXG_USER="" +# DEPLOY_SOPHOSXG_PASSWORD="" +# DEPLOY_SOPHOSXG_NAME="domain" +# DEPLOY_SOPHOSXG_PFX_PASSWORD="s0ph0sXG" +# DEPLOY_SOPHOSXG_HTTPS_INSECURE="1" + +######## Public functions ##################### + +#action pfx user password name pfxpass host +sophosxg_do_req() { + + # does curl request to upload certificate to sophos appliance + + # check number of args + [ $# -eq 7 ] || return 1 + + # set vars + _do_req_action="$1" + _do_req_pfx="$2" + _do_req_user="$3" + _do_req_password="$4" + _do_req_name="$5" + _do_req_pfxpass="$6" + _do_req_host="$7" + + # create temp file for xml + _info "Creating request XML" + _do_req_xml="$(_mktemp)" + if [ ! -f "$_do_req_xml" ]; then + _err "Error creating temp file for XML" + return 1 + fi + + # create xml request + echo " + + + ${_do_req_user} + ${_do_req_password} + + + + UploadCertificate + ${_do_req_name} + ${_do_req_pfxpass} + pkcs12 + certificate.p12 + + + + +" > "$_do_req_xml" + + # dont verify certificate if HTTPS_INSECURE was set + if [ "$Le_Deploy_sophosxg_https_insecure" = "1" ] || [ "$HTTPS_INSECURE" ]; then + _sophosxg_curl="$_sophosxg_curl --insecure" + fi + + # do request with curl + $_sophosxg_curl --silent -F "reqxml=<$_do_req_xml" -F "file=@$_do_req_pfx;filename=certificate.p12" "https://$_do_req_host/webconsole/APIController?" | grep -q '' + ret=$? + + # remove xml file + rm -f "$_do_req_xml" + + return $ret +} + +#domain keyfile certfile cafile fullchain +sophosxg_deploy() { + _cdomain="$1" + _ckey="$2" + _ccert="$3" + _cca="$4" + _cfullchain="$5" + + # check for curl first + if _exists "curl"; then + _sophosxg_curl="curl --silent" + else + _err "curl is required" + return 1 + fi + + # Some defaults + DEFAULT_SOPHOSXG_PFX_PASSWORD="s0ph0sXG" + DEFAULT_SOPHOSXG_NAME="$_cdomain" + DEFAULT_SOPHOSXG_HTTPS_INSECURE="1" + + if [ -f "$DOMAIN_CONF" ]; then + # shellcheck disable=SC1090 + . "$DOMAIN_CONF" + fi + + _debug _cdomain "$_cdomain" + _debug _ckey "$_ckey" + _debug _ccert "$_ccert" + _debug _cca "$_cca" + _debug _cfullchain "$_cfullchain" + + # HOST is required + if [ -z "$DEPLOY_SOPHOSXG_HOST" ]; then + if [ -z "$Le_Deploy_sophosxg_host" ]; then + _err "DEPLOY_SOPHOSXG_HOST not defined." + return 1 + fi + else + Le_Deploy_sophosxg_host="$DEPLOY_SOPHOSXG_HOST" + _savedomainconf Le_Deploy_sophosxg_host "$Le_Deploy_sophosxg_host" + fi + + # USER is required + if [ -z "$DEPLOY_SOPHOSXG_USER" ]; then + if [ -z "$Le_Deploy_sophosxg_user" ]; then + _err "DEPLOY_SOPHOSXG_USER not defined." + return 1 + fi + else + Le_Deploy_sophosxg_user="$DEPLOY_SOPHOSXG_USER" + _savedomainconf Le_Deploy_sophosxg_user "$Le_Deploy_sophosxg_user" + fi + + # PASSWORD is required + if [ -z "$DEPLOY_SOPHOSXG_PASSWORD" ]; then + if [ -z "$Le_Deploy_sophosxg_password" ]; then + _err "DEPLOY_SOPHOSXG_PASSWORD not defined." + return 1 + fi + else + Le_Deploy_sophosxg_password="$DEPLOY_SOPHOSXG_PASSWORD" + _savedomainconf Le_Deploy_sophosxg_password "$Le_Deploy_sophosxg_password" + fi + + # PFX_PASSWORD is optional. If not provided then use default + if [ -n "$DEPLOY_SOPHOSXG_PFX_PASSWORD" ]; then + Le_Deploy_sophosxg_pfx_password="$DEPLOY_SOPHOSXG_PFX_PASSWORD" + _savedomainconf Le_Deploy_sophosxg_pfx_password "$Le_Deploy_sophosxg_pfx_password" + elif [ -z "$Le_Deploy_sophosxg_pfx_password" ]; then + Le_Deploy_sophosxg_pfx_password="$DEFAULT_SOPHOSXG_PFX_PASSWORD" + fi + + # NAME is optional. If not provided then use $_cdomain + if [ -n "$DEPLOY_SOPHOSXG_NAME" ]; then + Le_Deploy_sophosxg_name="$DEPLOY_SOPHOSXG_NAME" + _savedomainconf Le_Deploy_sophosxg_name "$Le_Deploy_sophosxg_name" + elif [ -z "$Le_Deploy_sophosxg_name" ]; then + Le_Deploy_sophosxg_name="$DEFAULT_SOPHOSXG_NAME" + fi + + # HTTPS_INSECURE is optional. Defaults to 1 (true) + if [ -n "$DEPLOY_SOPHOSXG_HTTPS_INSECURE" ]; then + Le_Deploy_sophosxg_https_insecure="$DEPLOY_SOPHOSXG_HTTPS_INSECURE" + _savedomainconf Le_Deploy_sophosxg_https_insecure "$Le_Deploy_sophosxg_https_insecure" + elif [ -z "$Le_Deploy_sophosxg_https_insecure" ]; then + Le_Deploy_sophosxg_https_insecure="$DEFAULT_SOPHOSXG_HTTPS_INSECURE" + fi + + # create temp pkcs12 file + _info "Generating pkcs12 file" + _import_pkcs12="$(_mktemp)" + if [ ! -f "$_import_pkcs12" ]; then + _err "Error creating temp file for pkcs12" + return 1 + fi + if ! _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$Le_Deploy_sophosxg_pfx_password"; then + _err "Error exporting to pkcs12" + [ -f "$_import_pkcs12" ] && rm -f "$_import_pkcs12" + return 1 + fi + + # do upload of cert - attempt to "update" and on failure try "add" + _req_action_success="no" + for _req_action in update add; do + _info "Uploading certificate: $_req_action" + + if sophosxg_do_req "$_req_action" "$_import_pkcs12" "$Le_Deploy_sophosxg_user" "$Le_Deploy_sophosxg_password" "$Le_Deploy_sophosxg_name" "$Le_Deploy_sophosxg_pfx_password" "$Le_Deploy_sophosxg_host"; then + _req_action_success="yes" + break + fi + _info "$_req_action failed" + done + + # clean up pfx + [ -f "$_import_pkcs12" ] && rm -f "$_import_pkcs12" + + # check final result + if [ "$_req_action_success" = "no" ]; then + _err "Upload failed permanently" + return 1 + fi + + return 0 + +}