Added sophosxg deploy hook

New deploy hook for Sophos XG firewall appliance

deploy/sophosxg.sh

@@ -0,0 +1,198 @@
+#!/usr/bin/env sh
+#
+# This deploy script deploys to a Sophos XG appliance
+# DEPLOY_SOPHOSXG_HOST="<NO DEFAULT - REQUIRED - host:port>"
+# DEPLOY_SOPHOSXG_USER="<NO DEFAULT - REQUIRED - string>"
+# DEPLOY_SOPHOSXG_PASSWORD="<NO DEFAULT - REQUIRED - string>"
+# DEPLOY_SOPHOSXG_NAME="domain"
+# DEPLOY_SOPHOSXG_PFX_PASSWORD="s0ph0sXG"
+# DEPLOY_SOPHOSXG_HTTPS_INSECURE="1"
+
+########  Public functions #####################
+
+#action pfx user password name pfxpass host
+sophosxg_do_req() {
+
+  # does curl request to upload certificate to sophos appliance
+
+  # check number of args
+  [ $# -eq 7 ] || return 1
+
+  # set vars
+  _do_req_action="$1"
+  _do_req_pfx="$2"
+  _do_req_user="$3"
+  _do_req_password="$4"
+  _do_req_name="$5"
+  _do_req_pfxpass="$6"
+  _do_req_host="$7"
+
+  # create temp file for xml
+  _info "Creating request XML"
+  _do_req_xml="$(_mktemp)"
+  if [ ! -f "$_do_req_xml" ]; then
+    _err "Error creating temp file for XML"
+    return 1
+  fi
+
+  # create xml request
+  echo "
+<Request>
+  <Login>
+    <Username>${_do_req_user}</Username>
+    <Password>${_do_req_password}</Password>
+  </Login>
+  <Set operation=\"${_do_req_action}\">
+    <Certificate>
+      <Action>UploadCertificate</Action>
+      <Name>${_do_req_name}</Name>
+      <Password>${_do_req_pfxpass}</Password>
+      <CertificateFormat>pkcs12</CertificateFormat>
+      <CertificateFile>certificate.p12</CertificateFile>
+      <PrivateKeyFile></PrivateKeyFile>
+    </Certificate>
+  </Set>
+</Request>
+" > "$_do_req_xml"
+
+  # dont verify certificate if HTTPS_INSECURE was set
+  if [ "$Le_Deploy_sophosxg_https_insecure" = "1" ] || [ "$HTTPS_INSECURE" ]; then
+    _sophosxg_curl="$_sophosxg_curl --insecure"
+  fi
+
+  # do request with curl
+  $_sophosxg_curl --silent -F "reqxml=<$_do_req_xml" -F "file=@$_do_req_pfx;filename=certificate.p12" "https://$_do_req_host/webconsole/APIController?" | grep -q '<Status code="200">'
+  ret=$?
+
+  # remove xml file
+  rm -f "$_do_req_xml"
+
+  return $ret
+}
+
+#domain keyfile certfile cafile fullchain
+sophosxg_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  # check for curl first
+  if _exists "curl"; then
+    _sophosxg_curl="curl --silent"
+  else
+    _err "curl is required"
+    return 1
+  fi
+
+  # Some defaults
+  DEFAULT_SOPHOSXG_PFX_PASSWORD="s0ph0sXG"
+  DEFAULT_SOPHOSXG_NAME="$_cdomain"
+  DEFAULT_SOPHOSXG_HTTPS_INSECURE="1"
+
+  if [ -f "$DOMAIN_CONF" ]; then
+    # shellcheck disable=SC1090
+    . "$DOMAIN_CONF"
+  fi
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # HOST is required
+  if [ -z "$DEPLOY_SOPHOSXG_HOST" ]; then
+    if [ -z "$Le_Deploy_sophosxg_host" ]; then
+      _err "DEPLOY_SOPHOSXG_HOST not defined."
+      return 1
+    fi
+  else
+    Le_Deploy_sophosxg_host="$DEPLOY_SOPHOSXG_HOST"
+    _savedomainconf Le_Deploy_sophosxg_host "$Le_Deploy_sophosxg_host"
+  fi
+
+  # USER is required
+  if [ -z "$DEPLOY_SOPHOSXG_USER" ]; then
+    if [ -z "$Le_Deploy_sophosxg_user" ]; then
+      _err "DEPLOY_SOPHOSXG_USER not defined."
+      return 1
+    fi
+  else
+    Le_Deploy_sophosxg_user="$DEPLOY_SOPHOSXG_USER"
+    _savedomainconf Le_Deploy_sophosxg_user "$Le_Deploy_sophosxg_user"
+  fi
+
+  # PASSWORD is required
+  if [ -z "$DEPLOY_SOPHOSXG_PASSWORD" ]; then
+    if [ -z "$Le_Deploy_sophosxg_password" ]; then
+      _err "DEPLOY_SOPHOSXG_PASSWORD not defined."
+      return 1
+    fi
+  else
+    Le_Deploy_sophosxg_password="$DEPLOY_SOPHOSXG_PASSWORD"
+    _savedomainconf Le_Deploy_sophosxg_password "$Le_Deploy_sophosxg_password"
+  fi
+
+  # PFX_PASSWORD is optional. If not provided then use default
+  if [ -n "$DEPLOY_SOPHOSXG_PFX_PASSWORD" ]; then
+    Le_Deploy_sophosxg_pfx_password="$DEPLOY_SOPHOSXG_PFX_PASSWORD"
+    _savedomainconf Le_Deploy_sophosxg_pfx_password "$Le_Deploy_sophosxg_pfx_password"
+  elif [ -z "$Le_Deploy_sophosxg_pfx_password" ]; then
+    Le_Deploy_sophosxg_pfx_password="$DEFAULT_SOPHOSXG_PFX_PASSWORD"
+  fi
+
+  # NAME is optional. If not provided then use $_cdomain
+  if [ -n "$DEPLOY_SOPHOSXG_NAME" ]; then
+    Le_Deploy_sophosxg_name="$DEPLOY_SOPHOSXG_NAME"
+    _savedomainconf Le_Deploy_sophosxg_name "$Le_Deploy_sophosxg_name"
+  elif [ -z "$Le_Deploy_sophosxg_name" ]; then
+    Le_Deploy_sophosxg_name="$DEFAULT_SOPHOSXG_NAME"
+  fi
+
+  # HTTPS_INSECURE is optional. Defaults to 1 (true)
+  if [ -n "$DEPLOY_SOPHOSXG_HTTPS_INSECURE" ]; then
+    Le_Deploy_sophosxg_https_insecure="$DEPLOY_SOPHOSXG_HTTPS_INSECURE"
+    _savedomainconf Le_Deploy_sophosxg_https_insecure "$Le_Deploy_sophosxg_https_insecure"
+  elif [ -z "$Le_Deploy_sophosxg_https_insecure" ]; then
+    Le_Deploy_sophosxg_https_insecure="$DEFAULT_SOPHOSXG_HTTPS_INSECURE"
+  fi
+
+  # create temp pkcs12 file
+  _info "Generating pkcs12 file"
+  _import_pkcs12="$(_mktemp)"
+  if [ ! -f "$_import_pkcs12" ]; then
+    _err "Error creating temp file for pkcs12"
+    return 1
+  fi
+  if ! _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$Le_Deploy_sophosxg_pfx_password"; then
+    _err "Error exporting to pkcs12"
+    [ -f "$_import_pkcs12" ] && rm -f "$_import_pkcs12"
+    return 1
+  fi
+
+  # do upload of cert - attempt to "update" and on failure try "add"
+  _req_action_success="no"
+  for _req_action in update add; do
+    _info "Uploading certificate: $_req_action"
+    
+    if sophosxg_do_req "$_req_action" "$_import_pkcs12" "$Le_Deploy_sophosxg_user" "$Le_Deploy_sophosxg_password" "$Le_Deploy_sophosxg_name" "$Le_Deploy_sophosxg_pfx_password" "$Le_Deploy_sophosxg_host"; then
+      _req_action_success="yes"
+      break
+    fi
+    _info "$_req_action failed"
+  done
+
+  # clean up pfx
+  [ -f "$_import_pkcs12" ] && rm -f "$_import_pkcs12"
+
+  # check final result
+  if [ "$_req_action_success" = "no" ]; then
+    _err "Upload failed permanently"
+    return 1
+  fi
+
+  return 0 
+
+}