diff --git a/revoke_key.sh b/revoke_key.sh
index d3e7173..5053acb 100755
--- a/revoke_key.sh
+++ b/revoke_key.sh
@@ -1,22 +1,93 @@ #!/usr/bin/env bash -script_dir="$(dirname $(realpath $0))" +script_name="$(basename $(realpath $0))" +working_dir="$(dirname $(realpath $0))" log_file="$(mktemp)" _date="$(date +%Y-%m-%d-%H%M)" key_names_reserverd="ta ca server" +#if [[ $# -eq 0 ]] ; then +# BATCH_MODE=false +#elif [[ -z "${BATCH_MODE}" ]] ; then +# BATCH_MODE=false +#fi + # - For checking if revokation was successfull # - _CHECK_DIR="$(mktemp -d)" _RT_CERT="${_CHECK_DIR}/revoke-test.pem" -#--------------------------------------- -#----------------------------- -# Some functions -#----------------------------- -#--------------------------------------- + +# ---------- +# Base Function(s) +# ---------- + +usage() { + + + [[ -n "$1" ]] && error "$1" + + + [[ $terminal ]] && echo -e " +\033[1mUsage:\033[m + + $(basename $0) [OPTION [OPTION .. + +\033[1mDescription\033[m + + Revoke a given key from a alos given (local) OpenVPN Service + +\033[1mOptions\033[m + + -b + No interaction possible - run this script in batch mode + + -C + The nae of the instance of the OpenVPN servive from which a key is requested + to remove. + + Example: + + -C \033[1mopp-home\033[m - Revoke a key from OpenVPN service, which is startet with + configuration \033[1m/etc/openvpn/opp-home\033[m + + + -h + Prints this help. + + -N + the name of the key, which is requested ti revoke from OpenVPN Service + + -S + Don't restart Service after (successfully) revoking the given key + +\033[1mFiles\033[m + + No script configuration file is used. + + Configuration files for the OpenVPN service must be exists, i.e. for service \033[1mopp-home\033[m + + ${working_dir}/conf/server-opp-home.conf + + +\033[1mExample:\033[m + + interactive run - all needed parameters will be requested: + + $(basename $0) + + running in batch mode - revoke key 'gudrun' from local OpenVPN service 'opp-home'. + Dont restart service if finished. + + $(basename $0) -b -S -C opp-home -N gudrun + +" + + clean_up 1 + +} clean_up() { 
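Review bot: `[[ $terminal ]] && echo -e "` in usage() only tests that the variable is non-empty, and because the terminal check later in this diff assigns the literal string `false` when stdout is not a tty, the help text is printed in both cases; the rest of the script uses the idiom `if $terminal`, so this line should read `$terminal && echo -e "`. The commented-out BATCH_MODE initialisation left at the top is worth reviving as a plain `BATCH_MODE=false` next to `working_dir`, because the helper functions defined later evaluate `! ${BATCH_MODE}` and the variable is otherwise only assigned immediately before the getopts loop, so any helper called before that point sees an empty expansion. `$(realpath $0)` is unquoted in both new assignments; `"$(realpath "$0")"` survives a path with spaces. The `-h` path ends in `clean_up 1`, which presumably exits non-zero, so a wrapper that asks for help in batch mode will treat it as a failure.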
@@ -28,7 +99,7 @@ clean_up() { } blank_line() { - if $terminal ; then + if $terminal && ! ${BATCH_MODE}; then echo "" fi } 
@@ -48,69 +119,124 @@ is_int() { } echononl(){ - echo X\\c > /tmp/shprompt$$ - if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then - echo -e -n "$*\\c" 1>&2 - else - echo -e -n "$*" 1>&2 + if $terminal && ! ${BATCH_MODE} ; then + echo X\\c > /tmp/shprompt$$ + if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then + echo -e -n "$*\\c" 1>&2 + else + echo -e -n "$*" 1>&2 + fi + rm /tmp/shprompt$$ fi - rm /tmp/shprompt$$ } - -error(){ - echo "" - echo -e "\t[ \033[31m\033[1mError\033[m ]: $*" - echo "" -} - fatal(){ echo "" - echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*" - echo "" - echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m" + if $terminal ; then + echo -e " [ \033[31m\033[1mFatal\033[m ]: $*" + echo "" + echo -e " \033[31m\033[1mScript was interupted\033[m!" + else + echo " [ Fatal ]: $*" + echo "" + echo " Script was terminated...." + fi echo "" clean_up 1 } +error (){ + echo "" + if $terminal && ! ${BATCH_MODE} ; then + echo -e " [ \033[31m\033[1mError\033[m ]: $*" + else + echo "[ Error ]: $*" + fi + echo "" +} warn (){ echo "" - echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" + if $terminal && ! ${BATCH_MODE} ; then + echo -e " [ \033[33m\033[1mWarning\033[m ]: $*" + else + echo "[ Warning ]: $*" + fi echo "" } -info (){ - echo "" - echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" - echo "" +warn_only_terminal () { + if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" + echo "" + fi } + +info (){ + if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e " [ \033[32m\033[1mInfo\033[m ] $*" + echo "" + fi +} + +ok (){ + if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e " [ \033[32m\033[1mOk\033[m ] $*" + echo "" + fi +} + print_command () { echo "" echo -e "\t\033[33m\033[1mCommand was\033[m: $*" echo "" } + echo_done() { - echo -e "\033[80G[ \033[32mdone\033[m ]" + if $terminal && ! 
${BATCH_MODE} ; then + echo -e "\033[75G[ \033[32mdone\033[m ]" + fi } echo_ok() { - echo -e "\033[80G[ \033[32mok\033[m ]" + if $terminal && ! ${BATCH_MODE} ; then + echo -e "\033[75G[ \033[32mok\033[m ]" + fi } -echo_warning() { - echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" +echo_warn() { + if $terminal && ! ${BATCH_MODE} ; then + echo -e "\033[75G[ \033[33mwarn\033[m ]" + fi } echo_failed(){ - echo -e "\033[80G[ \033[1;31mfailed\033[m ]" + if $terminal && ! ${BATCH_MODE} ; then + echo -e "\033[75G[ \033[1;31mfailed\033[m ]" + fi } echo_skipped() { - echo -e "\033[80G[ \033[37mskipped\033[m ]" + if $terminal && ! ${BATCH_MODE} ; then + echo -e "\033[75G[ \033[90m\033[1mskipped\033[m ]" + fi +} +echo_wait(){ + if $terminal && ! ${BATCH_MODE} ; then + echo -en "\033[75G[ \033[5m\033[1m...\033[m ]" + fi } trap clean_up SIGHUP SIGINT SIGTERM +# ---------- +# - Some checks .. +# ---------- - -# ------------- -# --- Check some prerequisites -# ------------- +# - Running in a terminal? +# - +if [[ -t 1 ]] ; then + terminal=true +else + terminal=false +fi # -Is systemd supported on this system? # - 
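Review bot: echononl() still probes `echo` behaviour through the predictable file name `/tmp/shprompt$$` in a shared directory, which a script that goes on to restart a system service should avoid; the probe, the `wc`/`awk` pipeline and the `rm` collapse into the single builtin line `printf '%b' "$*" >&2`, which prints without a trailing newline and interprets the backslash escapes the `echo -e -n` calls rely on. error(), warn() and fatal() write their diagnostics to stdout in the non-terminal branches too; in batch mode that is exactly the stream a caller captures, so adding `>&2` to those echo lines keeps diagnostics apart from output. `echo_warning` is renamed to `echo_warn` in this hunk; if an unchanged caller further down still uses the old name it now fails with "command not found", which this diff does not show either way. The terminal test `[[ -t 1 ]]` looks at stdout while echononl writes its prompts to stderr, so a run with only stdout redirected silences prompts that still have a terminal to go to.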
@@ -123,69 +249,123 @@ if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then fi -clear -echo "" -echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m" -echo "" -echo "" +# ---------- +# - Read commandline parameter +# ---------- + +BATCH_MODE=false +OPENVPN_SERVER_CONFIG= +KEY_NAME_TO_REVOKE= +RESTART_OPENVPN_SERVICE=true + +while getopts bC:hN:S opt ; do + case $opt in + b) BATCH_MODE=true + ;; + C) OPENVPN_SERVER_CONFIG="${OPTARG}" + ;; + h) usage + ;; + N) KEY_NAME_TO_REVOKE="${OPTARG}" + ;; + S) RESTART_OPENVPN_SERVICE=false + ;; + esac +done + +if ${BATCH_MODE} ; then + if [[ -z "${OPENVPN_SERVER_CONFIG}" ]] && [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then + fatal "In batch mode both a server configuration (-C) and the key name (-N) musit be specified!" + elif [[ -z "${OPENVPN_SERVER_CONFIG}" ]] ; then + fatal "In batch mode also a server configuration (-C) must be specified!" + elif [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then + fatal "In batch mode also the key name (-N) must be specified!" + fi +fi + + +#clear +if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m" + echo "" + echo "" +fi declare -a conf_file_arr=() declare -a conf_name_arr=() -for _conf_file in `ls ${script_dir}/conf/server-*.conf 2>/dev/null` ; do - conf_file_arr+=("${_conf_file}") +for _conf_file in `ls ${working_dir}/conf/server-*.conf 2>/dev/null` ; do _basename=$(basename $_conf_file) _tmp_name=${_basename%%.*} _tmp_name=${_tmp_name#*-} - conf_name_arr+=("$_tmp_name") + if ${BATCH_MODE} ; then + if [[ "${_tmp_name}" = "${OPENVPN_SERVER_CONFIG}" ]]; then + conf_file="${_conf_file}" + break + fi + else + conf_name_arr+=("$_tmp_name") + conf_file_arr+=("${_conf_file}") + fi done -if [[ ${#conf_file_arr[@]} -lt 1 ]] ; then +if [[ ${#conf_file_arr[@]} -lt 1 ]] && [[ -z "${conf_file}" ]]; then fatal "NO Configuration found!" 
fi -echo "" +blank_line declare -i i=0 -if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then - echo "" - echo "Which Configuration should be loaded?" - echo "" - for _conf_file in ${conf_file_arr[@]} ; do - echo " [${i}] ${conf_name_arr[${i}]}" - (( i++ )) - done - _OK=false - echo - echononl "Eingabe: " - while ! $_OK ; do - read _IN - if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then - conf_file=${conf_file_arr[$_IN]} - _OK=true - else - echo "" - echo -e "\tFalsche Eingabe !" +if ! ${BATCH_MODE} ; then + if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then + if $terminal ; then + echo "" + echo "Which Configuration should be loaded?" echo "" - echononl "Eingabe: " fi - done + for _conf_file in ${conf_file_arr[@]} ; do + if $terminal ; then + echo " [${i}] ${conf_name_arr[${i}]}" + fi + (( i++ )) + done + _OK=false + blank_line + echononl "Eingabe: " + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then + conf_file=${conf_file_arr[$_IN]} + _OK=true + else + if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then + if $terminal ; then + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + fi + echononl "Eingabe: " + fi + fi + done -else - conf_file=${conf_file_arr[0]} + else + conf_file=${conf_file_arr[0]} + fi fi -echo "" -echo -e "\033[32m--\033[m" -echo "" +if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e "\033[32m--\033[m" + echo "" +fi -#--------------------------------------- -#----------------------------- -# Read Configurations from $conf_file -#----------------------------- -#--------------------------------------- +# ---------- +# - Read Configurations from $conf_file +# ---------- echononl " Load Configuration File $(basename ${conf_file}).." if [[ ! -f "$conf_file" ]]; then 
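Review bot: The `else` branch of the interactive selection loop re-tests the exact condition the `if` just rejected (`if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]`), so on a wrong choice the "Falsche Eingabe" message and the re-prompt are unreachable and the loop silently blocks on the next `read`; delete that inner `if … ; then` line and its matching `fi`, keeping the `$terminal` guard and `echononl "Eingabe: "`. `read _IN` ignores end-of-file, so a run whose stdin is closed spins in `while ! $_OK` forever; `read -r _IN || fatal "No input"` ends it. The getopts loop has no `\?)` arm, so an unknown option or a `-C`/`-N` without a value is reported by getopts but the script carries on; `\?) usage ;;` plus `shift $((OPTIND - 1))` after the loop closes that gap. In batch mode conf_file_arr is never filled, so an unmatched `-C` name also ends in "NO Configuration found!"; naming the requested configuration in that message would tell the caller what actually went wrong.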
@@ -219,18 +399,24 @@ fi -echo "" -echo -e "\033[32m--\033[m" -echo "" -KEY_NAME_TO_REVOKE="" +if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e "\033[32m--\033[m" + echo "" +fi +#KEY_NAME_TO_REVOKE="" if [ -z "$KEY_NAME_TO_REVOKE" ]; then - echo "Insert key name you wish to revoke." - echo "" - echo "" + if $terminal && ! ${BATCH_MODE} ; then + echo "Insert key name you wish to revoke." + echo "" + echo "" + fi echononl "key name to revoke: " read KEY_NAME_TO_REVOKE while [ "X$KEY_NAME_TO_REVOKE" = "X" ] ; do - echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n" + if $terminal && ! ${BATCH_MODE} ; then + echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n" + fi echononl "key name: " read KEY_NAME_TO_REVOKE done 
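Review bot: Both `read KEY_NAME_TO_REVOKE` calls run without `-r`, so backslashes in a typed name are mangled, and on end-of-file the `while [ "X$KEY_NAME_TO_REVOKE" = "X" ]` loop never terminates because `read` keeps returning an empty value; `read -r KEY_NAME_TO_REVOKE || fatal "No key name given"` fixes both. The value, whether it arrives via `-N` or the prompt, is presumably used as a path component when `_CLIENT_CERT` is built (the next hunk tests that file for existence), so rejecting names containing `/` or starting with `.` before that point is worth one line: `[[ "$KEY_NAME_TO_REVOKE" != */* && "$KEY_NAME_TO_REVOKE" != .* ]] || fatal "Invalid key name '$KEY_NAME_TO_REVOKE'"`. The enclosing `if [ -z "$KEY_NAME_TO_REVOKE" ]` block closes outside the hunk.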
@@ -260,29 +446,36 @@ if [[ ! -f "${_CLIENT_CERT}" ]]; then fatal "Key '$KEY_NAME_TO_REVOKE' not found!" fi -echo "" -echo -e "\033[32m--\033[m" -echo "" -echo "Key to revoke...........: $(basename "$_CLIENT_KEY")" +if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo -e "\033[32m--\033[m" + echo "" -info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.." -echo -n "To continue type uppercase 'YES': " -read OK -echo "" -if [[ "$OK" != "YES" ]] ; then - fatal "Abort by user request - Answer as not 'YES'" + echo "Server Configuration....: ${OPENVPN_SERVER_CONFIG}" + echo "Key to revoke...........: $(basename "$_CLIENT_KEY")" + + info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.." + echo -n "To continue type uppercase 'YES': " + read OK + echo "" + if [[ "$OK" != "YES" ]] ; then + fatal "Abort by user request - Answer as not 'YES'" + fi +fi + +# ---------- +# - Main part of script +# ---------- + +if $terminal && ! ${BATCH_MODE} ; then + echo "" + echo "" + echo -e " \033[1mMain part of script - Goimg to revoke key of requested user $(basename "$_CLIENT_KEY")..\033[m" + echo "" fi - - -#--------------------------------------- -#----------------------------- -# Revoke Key -#----------------------------- -#--------------------------------------- - -echo "" +blank_line # --- # - Backup existing OpenVPN directory 
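Review bot: The uppercase-YES confirmation is now inside the `$terminal && ! ${BATCH_MODE}` block, so an interactive run with stdout redirected (`terminal=false`, batch mode off) skips the prompt entirely and proceeds to revoke without any confirmation; only the decorative lines belong under that guard, while the confirmation should depend on batch mode alone — close the block after the two summary `echo` lines and wrap the `info … read OK … fi` part in `if ! ${BATCH_MODE} ; then … fi`, using `read -r OK`. `Server Configuration....: ${OPENVPN_SERVER_CONFIG}` prints an empty value when the configuration was chosen from the menu rather than passed with `-C`, because the interactive path only sets `conf_file`; `${OPENVPN_SERVER_CONFIG:-$(basename "${conf_file}")}` covers both routes. The banner string has a typo, "Goimg" for "Going".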
@@ -473,21 +666,25 @@ else fi # --- -# - Start apache webservice +# - Restart OpenVPN service # --- echo "" echononl "\tRestart OpenVPN Service.." -if $systemd_supported ; then - systemctl restart openvpn > $log_file 2>&1 +if ${RESTART_OPENVPN_SERVICE} ; then + if $systemd_supported ; then + systemctl restart openvpn > $log_file 2>&1 + else + /etc/init.d/openvpn restart > $log_file 2>&1 + fi + if [ "$?" = "0" ]; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + warn "Restarting OpenVPN Service failed!." + fi else - /etc/init.d/openvpn restart > $log_file 2>&1 -fi -if [ "$?" = "0" ]; then - echo_ok -else - echo_failed - error "$(cat $log_file)" - warn "Restarting OpenVPN Service failed!." + echo_skipped fi
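Review bot: When the restart fails the new branch only prints `echo_failed`, `error` and `warn` and the script carries on, so a batch caller that checks the exit status sees success even though the running service may still honour the revoked key; record the failure, e.g. `restart_failed=true`, and let the final exit outside this hunk return non-zero, or call `fatal` here. `if [ "$?" = "0" ]` after the inner `if/else/fi` relies on `$?` carrying the status of whichever restart command ran; testing the command directly (`if systemctl restart openvpn > "$log_file" 2>&1 ; then`) states the intent and survives later edits to that block. The `systemctl restart openvpn` target is not derived from the selected configuration, so if the target system runs one unit per instance (`openvpn@<name>`) this restarts a different unit than the one chosen with `-C` — worth confirming against the deployment. `$log_file` is unquoted in both redirections.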