revoke_key.sh: add support for command line parameters.

This commit is contained in:
Christoph 2024-05-11 15:19:13 +02:00
parent 565af91d8c
commit df3e40f29c


@ -1,22 +1,93 @@
#!/usr/bin/env bash #!/usr/bin/env bash
script_dir="$(dirname $(realpath $0))" script_name="$(basename $(realpath $0))"
working_dir="$(dirname $(realpath $0))"
log_file="$(mktemp)" log_file="$(mktemp)"
_date="$(date +%Y-%m-%d-%H%M)" _date="$(date +%Y-%m-%d-%H%M)"
key_names_reserverd="ta ca server" key_names_reserverd="ta ca server"
#if [[ $# -eq 0 ]] ; then
# BATCH_MODE=false
#elif [[ -z "${BATCH_MODE}" ]] ; then
# BATCH_MODE=false
#fi
# - For checking if revokation was successfull # - For checking if revokation was successfull
# - # -
_CHECK_DIR="$(mktemp -d)" _CHECK_DIR="$(mktemp -d)"
_RT_CERT="${_CHECK_DIR}/revoke-test.pem" _RT_CERT="${_CHECK_DIR}/revoke-test.pem"
#---------------------------------------
#----------------------------- # ----------
# Some functions # Base Function(s)
#----------------------------- # ----------
#---------------------------------------
usage() {
[[ -n "$1" ]] && error "$1"
[[ $terminal ]] && echo -e "
\033[1mUsage:\033[m
$(basename $0) [OPTION [OPTION ..
\033[1mDescription\033[m
Revoke a given key from a alos given (local) OpenVPN Service
\033[1mOptions\033[m
-b
No interaction possible - run this script in batch mode
-C <name-of the OpenVPN service instance>
The nae of the instance of the OpenVPN servive from which a key is requested
to remove.
Example:
-C \033[1mopp-home\033[m - Revoke a key from OpenVPN service, which is startet with
configuration \033[1m/etc/openvpn/opp-home\033[m
-h
Prints this help.
-N <key-name>
the name of the key, which is requested ti revoke from OpenVPN Service
-S
Don't restart Service after (successfully) revoking the given key
\033[1mFiles\033[m
No script configuration file is used.
Configuration files for the OpenVPN service must be exists, i.e. for service \033[1mopp-home\033[m
${working_dir}/conf/server-opp-home.conf
\033[1mExample:\033[m
interactive run - all needed parameters will be requested:
$(basename $0)
running in batch mode - revoke key 'gudrun' from local OpenVPN service 'opp-home'.
Dont restart service if finished.
$(basename $0) -b -S -C opp-home -N gudrun
"
clean_up 1
}
clean_up() { clean_up() {
@ -28,7 +99,7 @@ clean_up() {
} }
blank_line() { blank_line() {
if $terminal ; then if $terminal && ! ${BATCH_MODE}; then
echo "" echo ""
fi fi
} }
@ -48,6 +119,7 @@ is_int() {
} }
echononl(){ echononl(){
if $terminal && ! ${BATCH_MODE} ; then
echo X\\c > /tmp/shprompt$$ echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2 echo -e -n "$*\\c" 1>&2
@ -55,62 +127,116 @@ echononl(){
echo -e -n "$*" 1>&2 echo -e -n "$*" 1>&2
fi fi
rm /tmp/shprompt$$ rm /tmp/shprompt$$
fi
} }
error(){
echo ""
echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
echo ""
}
fatal(){ fatal(){
echo "" echo ""
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*" if $terminal ; then
echo -e " [ \033[31m\033[1mFatal\033[m ]: $*"
echo "" echo ""
echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m" echo -e " \033[31m\033[1mScript was interupted\033[m!"
else
echo " [ Fatal ]: $*"
echo ""
echo " Script was terminated...."
fi
echo "" echo ""
clean_up 1 clean_up 1
} }
error (){
echo ""
if $terminal && ! ${BATCH_MODE} ; then
echo -e " [ \033[31m\033[1mError\033[m ]: $*"
else
echo "[ Error ]: $*"
fi
echo ""
}
warn (){ warn (){
echo "" echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" if $terminal && ! ${BATCH_MODE} ; then
echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "[ Warning ]: $*"
fi
echo "" echo ""
} }
info (){ warn_only_terminal () {
if $terminal && ! ${BATCH_MODE} ; then
echo "" echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo "" echo ""
fi
} }
info (){
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
echo ""
fi
}
ok (){
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e " [ \033[32m\033[1mOk\033[m ] $*"
echo ""
fi
}
print_command () { print_command () {
echo "" echo ""
echo -e "\t\033[33m\033[1mCommand was\033[m: $*" echo -e "\t\033[33m\033[1mCommand was\033[m: $*"
echo "" echo ""
} }
echo_done() { echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
fi
} }
echo_ok() { echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
fi
} }
echo_warning() { echo_warn() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[33mwarn\033[m ]"
fi
} }
echo_failed(){ echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
fi
} }
echo_skipped() { echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[90m\033[1mskipped\033[m ]"
fi
}
echo_wait(){
if $terminal && ! ${BATCH_MODE} ; then
echo -en "\033[75G[ \033[5m\033[1m...\033[m ]"
fi
} }
trap clean_up SIGHUP SIGINT SIGTERM trap clean_up SIGHUP SIGINT SIGTERM
# ----------
# - Some checks ..
# ----------
# - Running in a terminal?
# ------------- # -
# --- Check some prerequisites if [[ -t 1 ]] ; then
# ------------- terminal=true
else
terminal=false
fi
# -Is systemd supported on this system? # -Is systemd supported on this system?
# - # -
@ -123,41 +249,90 @@ if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
fi fi
clear # ----------
echo "" # - Read commandline parameter
echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m" # ----------
echo ""
echo "" BATCH_MODE=false
OPENVPN_SERVER_CONFIG=
KEY_NAME_TO_REVOKE=
RESTART_OPENVPN_SERVICE=true
while getopts bC:hN:S opt ; do
case $opt in
b) BATCH_MODE=true
;;
C) OPENVPN_SERVER_CONFIG="${OPTARG}"
;;
h) usage
;;
N) KEY_NAME_TO_REVOKE="${OPTARG}"
;;
S) RESTART_OPENVPN_SERVICE=false
;;
esac
done
if ${BATCH_MODE} ; then
if [[ -z "${OPENVPN_SERVER_CONFIG}" ]] && [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then
fatal "In batch mode both a server configuration (-C) and the key name (-N) musit be specified!"
elif [[ -z "${OPENVPN_SERVER_CONFIG}" ]] ; then
fatal "In batch mode also a server configuration (-C) must be specified!"
elif [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then
fatal "In batch mode also the key name (-N) must be specified!"
fi
fi
#clear
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
echo ""
echo ""
fi
declare -a conf_file_arr=() declare -a conf_file_arr=()
declare -a conf_name_arr=() declare -a conf_name_arr=()
for _conf_file in `ls ${script_dir}/conf/server-*.conf 2>/dev/null` ; do for _conf_file in `ls ${working_dir}/conf/server-*.conf 2>/dev/null` ; do
conf_file_arr+=("${_conf_file}")
_basename=$(basename $_conf_file) _basename=$(basename $_conf_file)
_tmp_name=${_basename%%.*} _tmp_name=${_basename%%.*}
_tmp_name=${_tmp_name#*-} _tmp_name=${_tmp_name#*-}
if ${BATCH_MODE} ; then
if [[ "${_tmp_name}" = "${OPENVPN_SERVER_CONFIG}" ]]; then
conf_file="${_conf_file}"
break
fi
else
conf_name_arr+=("$_tmp_name") conf_name_arr+=("$_tmp_name")
conf_file_arr+=("${_conf_file}")
fi
done done
if [[ ${#conf_file_arr[@]} -lt 1 ]] ; then if [[ ${#conf_file_arr[@]} -lt 1 ]] && [[ -z "${conf_file}" ]]; then
fatal "NO Configuration found!" fatal "NO Configuration found!"
fi fi
echo "" blank_line
declare -i i=0 declare -i i=0
if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then if ! ${BATCH_MODE} ; then
if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
if $terminal ; then
echo "" echo ""
echo "Which Configuration should be loaded?" echo "Which Configuration should be loaded?"
echo "" echo ""
fi
for _conf_file in ${conf_file_arr[@]} ; do for _conf_file in ${conf_file_arr[@]} ; do
if $terminal ; then
echo " [${i}] ${conf_name_arr[${i}]}" echo " [${i}] ${conf_name_arr[${i}]}"
fi
(( i++ )) (( i++ ))
done done
_OK=false _OK=false
echo blank_line
echononl "Eingabe: " echononl "Eingabe: "
while ! $_OK ; do while ! $_OK ; do
read _IN read _IN
@ -165,27 +340,32 @@ if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
conf_file=${conf_file_arr[$_IN]} conf_file=${conf_file_arr[$_IN]}
_OK=true _OK=true
else else
if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then
if $terminal ; then
echo "" echo ""
echo -e "\tFalsche Eingabe !" echo -e "\tFalsche Eingabe !"
echo "" echo ""
fi
echononl "Eingabe: " echononl "Eingabe: "
fi fi
fi
done done
else else
conf_file=${conf_file_arr[0]} conf_file=${conf_file_arr[0]}
fi
fi fi
echo "" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[32m--\033[m" echo ""
echo "" echo -e "\033[32m--\033[m"
echo ""
fi
#--------------------------------------- # ----------
#----------------------------- # - Read Configurations from $conf_file
# Read Configurations from $conf_file # ----------
#-----------------------------
#---------------------------------------
echononl " Load Configuration File $(basename ${conf_file}).." echononl " Load Configuration File $(basename ${conf_file}).."
if [[ ! -f "$conf_file" ]]; then if [[ ! -f "$conf_file" ]]; then
@ -219,18 +399,24 @@ fi
echo "" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[32m--\033[m" echo ""
echo "" echo -e "\033[32m--\033[m"
KEY_NAME_TO_REVOKE="" echo ""
fi
#KEY_NAME_TO_REVOKE=""
if [ -z "$KEY_NAME_TO_REVOKE" ]; then if [ -z "$KEY_NAME_TO_REVOKE" ]; then
if $terminal && ! ${BATCH_MODE} ; then
echo "Insert key name you wish to revoke." echo "Insert key name you wish to revoke."
echo "" echo ""
echo "" echo ""
fi
echononl "key name to revoke: " echononl "key name to revoke: "
read KEY_NAME_TO_REVOKE read KEY_NAME_TO_REVOKE
while [ "X$KEY_NAME_TO_REVOKE" = "X" ] ; do while [ "X$KEY_NAME_TO_REVOKE" = "X" ] ; do
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n" echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n"
fi
echononl "key name: " echononl "key name: "
read KEY_NAME_TO_REVOKE read KEY_NAME_TO_REVOKE
done done
@ -260,29 +446,36 @@ if [[ ! -f "${_CLIENT_CERT}" ]]; then
fatal "Key '$KEY_NAME_TO_REVOKE' not found!" fatal "Key '$KEY_NAME_TO_REVOKE' not found!"
fi fi
echo "" if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[32m--\033[m" echo ""
echo "" echo -e "\033[32m--\033[m"
echo "Key to revoke...........: $(basename "$_CLIENT_KEY")" echo ""
info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.." echo "Server Configuration....: ${OPENVPN_SERVER_CONFIG}"
echo -n "To continue type uppercase 'YES': " echo "Key to revoke...........: $(basename "$_CLIENT_KEY")"
read OK
echo "" info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.."
if [[ "$OK" != "YES" ]] ; then echo -n "To continue type uppercase 'YES': "
read OK
echo ""
if [[ "$OK" != "YES" ]] ; then
fatal "Abort by user request - Answer as not 'YES'" fatal "Abort by user request - Answer as not 'YES'"
fi
fi
# ----------
# - Main part of script
# ----------
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo ""
echo -e " \033[1mMain part of script - Goimg to revoke key of requested user $(basename "$_CLIENT_KEY")..\033[m"
echo ""
fi fi
blank_line
#---------------------------------------
#-----------------------------
# Revoke Key
#-----------------------------
#---------------------------------------
echo ""
# --- # ---
# - Backup existing OpenVPN directory # - Backup existing OpenVPN directory
@ -473,21 +666,25 @@ else
fi fi
# --- # ---
# - Start apache webservice # - Restart OpenVPN service
# --- # ---
echo "" echo ""
echononl "\tRestart OpenVPN Service.." echononl "\tRestart OpenVPN Service.."
if $systemd_supported ; then if ${RESTART_OPENVPN_SERVICE} ; then
if $systemd_supported ; then
systemctl restart openvpn > $log_file 2>&1 systemctl restart openvpn > $log_file 2>&1
else else
/etc/init.d/openvpn restart > $log_file 2>&1 /etc/init.d/openvpn restart > $log_file 2>&1
fi fi
if [ "$?" = "0" ]; then if [ "$?" = "0" ]; then
echo_ok echo_ok
else else
echo_failed echo_failed
error "$(cat $log_file)" error "$(cat $log_file)"
warn "Restarting OpenVPN Service failed!." warn "Restarting OpenVPN Service failed!."
fi
else
echo_skipped
fi fi
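Review bot: The getopts loop at `while getopts bC:hN:S opt` has no arm for an invalid option or a missing option argument, so `-C` without a value or an unknown flag only prints getopts' own diagnostic and the script carries on with an empty OPENVPN_SERVER_CONFIG; add `*) usage ;;` before `esac`. In the new `usage` function, `[[ $terminal ]] && echo -e "` tests for a non-empty string, which is also true for the literal `false`, so the help text is printed even without a tty, while the rest of the script uses `$terminal` as a command — `$terminal && echo -e "` keeps the two consistent. Because batch mode skips the uppercase-YES confirmation and the `-N` value flows into the `_CLIENT_CERT` path (its construction lies outside the visible hunks), a defensive check right after the batch-mode argument checks, `[[ "${KEY_NAME_TO_REVOKE}" =~ ^[A-Za-z0-9._-]+$ ]] || fatal "Invalid key name '${KEY_NAME_TO_REVOKE}'"`, would reject names carrying path separators before any file is touched. The fatal message on the combined `-C`/`-N` check also misspells "must" as "musit".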