@ -39,7 +39,7 @@
################################################################################
# Dependencies:
# - curl
# - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set )
# - synouser & synogroup & synosetkeyvalue (Required for SYNO_USE_TEMP_ADMIN=1 )
################################################################################
# Return value:
# 0 means success, otherwise error.
@ -66,14 +66,17 @@ synology_dsm_deploy() {
_getdeployconf SYNO_DEVICE_NAME
# Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
_debug2 SYNO_USE_TEMP_ADMIN " $SYNO_USE_TEMP_ADMIN "
_getdeployconf SYNO_USE_TEMP_ADMIN
_check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
_debug2 SYNO_USE_TEMP_ADMIN " $SYNO_USE_TEMP_ADMIN "
if [ -n " $SYNO_USE_TEMP_ADMIN " ] ; then
if ! _exists synouser || ! _exists synogroup; then
_err "Tools are missing for creating temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
if ! _exists synouser || ! _exists synogroup || ! _exists synosetkeyvalue; then
_err "Missing required tools to creat temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
return 1
fi
if synouser --help 2>& 1 | grep -q 'Permission denied' ; then
_err "For creating temp admin user, the deploy script must be run as root."
return 1
fi
@ -184,7 +187,7 @@ synology_dsm_deploy() {
_debug SYNO_LOCAL_HOSTNAME " ${ SYNO_LOCAL_HOSTNAME :- } "
if [ " $SYNO_LOCAL_HOSTNAME " != "1" ] && [ " $SYNO_LOCAL_HOSTNAME " = = " $SYNO_HOSTNAME " ] ; then
if [ " $SYNO_HOSTNAME " != "localhost" ] && [ " $SYNO_HOSTNAME " != "127.0.0.1" ] ; then
_err " SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun. "
_err " SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, then execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun. "
return 1
fi
fi
@ -201,7 +204,7 @@ synology_dsm_deploy() {
# shellcheck disable=SC2086
synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
else
_err "Tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
_err "The t ool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
return 1
fi
else
@ -212,7 +215,7 @@ synology_dsm_deploy() {
otp_enforce_option = $( synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
if [ -n " $otp_enforce_option " ] && [ " ${ otp_enforce_option :- "none" } " != "none" ] ; then
synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
_info "Temporary disabled enforce 2FA-OTP to complete authentication."
_info "Temporary disabled enforce 2FA-OTP to complete temp admin authentication."
_info "previous_otp_enforce_option" " $otp_enforce_option "
else
otp_enforce_option = ""
@ -230,7 +233,7 @@ synology_dsm_deploy() {
error_code = $( echo " $response " | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*' )
_debug2 error_code " $error_code "
# Account has 2FA-OTP enabled, since error 403 reported.
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide .pdf
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Os/DSM/All/enu/DSM_Login_Web_API_Guide_enu .pdf
if [ " $error_code " = = "403" ] ; then
if [ -z " $SYNO_DEVICE_NAME " ] ; then
printf "Enter device name or leave empty for default (CertRenewal): "
@ -274,12 +277,16 @@ synology_dsm_deploy() {
_err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
elif [ " $error_code " = = "406" ] ; then
if [ -n " $SYNO_USE_TEMP_ADMIN " ] ; then
_err "SYNO_USE_TEMP_ADMIN=1 is not supported if enforce auth with 2FA-OTP is enabled ."
_err "Failed with unexcepted error, please report this by providing full log with '--debug 3' ."
else
_err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
fi
elif [ " $error_code " = = "400" ] || [ " $error_code " = = "401" ] || [ " $error_code " = = "408" ] || [ " $error_code " = = "409" ] || [ " $error_code " = = "410" ] ; then
_err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
elif [ " $error_code " = = "400" ] ; then
_err "Failed to authenticate, no such account or incorrect password."
elif [ " $error_code " = = "401" ] ; then
_err "Failed to authenticate with a non-existent account."
elif [ " $error_code " = = "408" ] || [ " $error_code " = = "409" ] || [ " $error_code " = = "410" ] ; then
_err "Failed to authenticate, the account password has expired or must be changed."
else
_err " Failed to authenticate with error: $error_code . "
fi
@ -293,7 +300,7 @@ synology_dsm_deploy() {
_debug SynoToken " $token "
if [ -z " $sid " ] || [ -z " $token " ] ; then
# Still can't get necessary info even got no errors, may Synology have API updated?
_err " Unable to authenticate to $_base_url , you may report the full log to the community . "
_err " Unable to authenticate to $_base_url , you may report this by providing full log with '--debug 3' . "
_temp_admin_cleanup " $SYNO_USE_TEMP_ADMIN " " $SYNO_USERNAME "
return 1
fi
@ -331,7 +338,7 @@ synology_dsm_deploy() {
if [ " $error_code " -eq 105 ] ; then
_err "Current user is not administrator and does not have sufficient permission for deploying."
else
_err " Failed to fetch certificate info with error : $error_code , please try again or contact Synology to learn more. "
_err " Failed to fetch certificate info: $error_code , please try again or contact Synology to learn more. "
fi
_temp_admin_cleanup " $SYNO_USE_TEMP_ADMIN " " $SYNO_USERNAME "
return 1
Scruel Tao
6 months ago
GitHub