Closed magicmarkh-zz closed 5 years ago
```bash
main(){
    printf '\n-----'
    printf '\nThis Script will pull a secret via REST.'
    secret_pull
    printf '\n-----\n'
}

secret_pull(){
    local companyname="acme"
    local conjurCert="/root/conjur-${companyname}.pem"
    # API key and login name come from the ~/.netrc written by the Conjur CLI
    local api=$(awk '/password/ {print $2}' ~/.netrc)
    local hostname=$(awk '/login/ {print $2}' ~/.netrc)
    local secret_name="apps/secrets/ci-variables/jenkins_secret"
    # Authenticate: POST the API key, get back a JSON access token
    local auth=$(curl -s --cacert "$conjurCert" -H "Content-Type: text/plain" -X POST -d "$api" "https://conjur-master/authn/$companyname/$hostname/authenticate")
    # The Authorization header needs the token base64-encoded on a single line
    local auth_token=$(echo -n "$auth" | base64 | tr -d '\r\n')
    local secret_retrieve=$(curl --cacert "$conjurCert" -s -X GET -H "Authorization: Token token=\"$auth_token\"" "https://conjur-master/secrets/$companyname/variable/$secret_name")
    printf "\n"
    printf "\nSecret is: %s" "$secret_retrieve"
}

main
```
OR do this...

During setup.sh, copy the config.ini file to the policy directory (or just put it there at the start). Then, when the volume gets mounted, the config file will be in the policy directory on the container. The script would then look like this:
```bash
main(){
    printf '\n-----'
    printf '\nThis Script will pull a secret via REST.'
    secret_pull
    printf '\n-----\n'
}

secret_pull(){
    # Load key=value lines from config.ini (provides company_name, master_name)
    source <(grep = config.ini)
    local conjurCert="/root/conjur-${company_name}.pem"
    # API key and login name come from the ~/.netrc written by the Conjur CLI
    local api=$(awk '/password/ {print $2}' ~/.netrc)
    local hostname=$(awk '/login/ {print $2}' ~/.netrc)
    local secret_name="apps/secrets/ci-variables/jenkins_secret"
    # Authenticate: POST the API key, get back a JSON access token
    local auth=$(curl -s --cacert "$conjurCert" -H "Content-Type: text/plain" -X POST -d "$api" "https://conjur-master/authn/$company_name/$hostname/authenticate")
    # The Authorization header needs the token base64-encoded on a single line
    local auth_token=$(echo -n "$auth" | base64 | tr -d '\r\n')
    local secret_retrieve=$(curl --cacert "$conjurCert" -s -X GET -H "Authorization: Token token=\"$auth_token\"" "https://conjur-master/secrets/$company_name/variable/$secret_name")
    printf "\n"
    printf "\nSecret is: %s" "$secret_retrieve"
}

main
```
Add this at the beginning of the "install_conjur" function to prompt the user for the company name and hostname:
```bash
#Gather Company Name
local done=0
while : ; do
    read -p 'Please enter your company name: ' compvar
    printf "%s\n" "You entered $compvar, is this correct (Yes or No)?"
    select yn in "Yes" "No"; do
        case $yn in
            Yes ) local done=1; sed -i "s+company_name=.*+company_name=$compvar+g" config.ini; break;;
            No ) echo ""; break;;
        esac
    done
    if [[ "$done" -ne 0 ]]; then
        break
    fi
done

#Gather Hostname
local done=0
while : ; do
    read -p 'Please enter fully qualified domain name or hostname: ' hostvar
    printf "%s\n" "You entered $hostvar, is this correct (Yes or No)?"
    select yn in "Yes" "No"; do
        case $yn in
            Yes ) local done=1; sed -i "s+master_name=.*+master_name=$hostvar+g" config.ini; break;;
            No ) echo ""; break;;
        esac
    done
    if [[ "$done" -ne 0 ]]; then
        break
    fi
done
```
Add prior to the end of the install_conjur function:
```bash
#Updating cli-retrieve script based on config.ini
sed -i "s+acme+$company_name+g" $PWD/policy/cli-retrieve-password.sh
sed -i "s+conjur-master+$master_name+g" $PWD/policy/cli-retrieve-password.sh
```
I tested the above and the changes worked with a quick test on CentOS. You would need to test them on Ubuntu. We can prompt for password twice and hide the output and compare strings if you wanted to for the password portion but it would still be written in plaintext in the file.
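An added example (not code from this issue or from the project) showing a safer way to do the same three things the retrieval script above does: read `company_name` and `master_name` from config.ini, pull the login and API key for a specific machine out of `.netrc`, and build the `Authorization: Token token="..."` header value. It reads config.ini as data instead of `source <(grep = config.ini)`, so a config value is never executed as shell, and it selects the `.netrc` entry by machine rather than taking the first `password` line in the file. The network call is isolated in `conjur_fetch_secret`, which the offline demo does not invoke; the sample config.ini and .netrc contents, the `host/jenkins` login and the API-key placeholder are constructed for this example. The `%2F` encoding of the slash in a host login is an assumption about the authn URL, not something the issue states.

```bash
#!/usr/bin/env bash
# Added example: config-driven Conjur secret retrieval helpers (not the issue's own script).
set -euo pipefail

# Return the value for one key in a key=value file. The file is parsed, never
# sourced, so a line such as  key=$(some command)  is returned as literal text.
# Keys are matched exactly (no whitespace around the key); '#' and ';' lines are comments.
config_get() {
    local file="$1" key="$2" value
    value=$(awk -F= -v k="$key" '
        /^[[:space:]]*[#;]/ { next }
        $1 == k {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print v; exit
        }' "$file")
    [ -n "$value" ] || { printf 'config_get: %s not set in %s\n' "$key" "$file" >&2; return 1; }
    printf '%s\n' "$value"
}

# Return the login or password field of the .netrc entry for one machine.
# Handles both one-line and multi-line entries.
netrc_field() {
    local file="$1" machine="$2" field="$3" value
    value=$(awk -v m="$machine" -v f="$field" '
        { for (i = 1; i <= NF; i++) {
              if ($i == "machine") cur = $(i + 1)
              else if (cur == m && $i == f) { print $(i + 1); exit }
          } }' "$file")
    [ -n "$value" ] || { printf 'netrc_field: no %s for machine %s\n' "$field" "$machine" >&2; return 1; }
    printf '%s\n' "$value"
}

# Base64-encode the access token on a single line (tr is portable; base64 -w0 is GNU-only)
# and wrap it in the header value Conjur expects.
auth_header_value() {
    local b64
    b64=$(printf '%s' "$1" | base64 | tr -d '\n')
    printf 'Token token="%s"\n' "$b64"
}

# Authenticate and fetch one variable. The secret is written to stdout only;
# nothing is echoed to a log line. Not called by the offline demo below.
conjur_fetch_secret() {
    local company="$1" master="$2" login="$3" api_key="$4" secret_name="$5" cert="$6"
    local auth header enc_login
    # Assumption: a host login like host/jenkins must have its slash URL-encoded.
    enc_login=$(printf '%s' "$login" | sed 's,/,%2F,g')
    auth=$(curl --fail --silent --show-error --cacert "$cert" \
        -H 'Content-Type: text/plain' -X POST --data "$api_key" \
        "https://$master/authn/$company/$enc_login/authenticate") || return 1
    header=$(auth_header_value "$auth")
    curl --fail --silent --show-error --cacert "$cert" \
        -H "Authorization: $header" \
        "https://$master/secrets/$company/variable/$secret_name"
}

# Write constructed sample files into a temp dir and print its path.
make_sample_files() {
    local dir
    dir=$(mktemp -d)
    # Constructed config.ini; keys match the ones the issue's sed commands target.
    printf '# constructed sample\ncompany_name=acme\nmaster_name=conjur-master\n' > "$dir/config.ini"
    # Constructed .netrc; the password is a placeholder, not a real API key.
    printf 'machine conjur-master\n  login host/jenkins\n  password EXAMPLE-API-KEY-PLACEHOLDER\n' > "$dir/.netrc"
    chmod 600 "$dir/.netrc"
    printf '%s\n' "$dir"
}

# Offline demo: derive the non-secret parameters the retrieval script needs.
demo_dir=$(make_sample_files)
demo_company=$(config_get "$demo_dir/config.ini" company_name)
demo_master=$(config_get "$demo_dir/config.ini" master_name)
demo_login=$(netrc_field "$demo_dir/.netrc" "$demo_master" login)
printf 'company=%s master=%s login=%s\n' "$demo_company" "$demo_master" "$demo_login"
# A real run would be:
# conjur_fetch_secret "$demo_company" "$demo_master" "$demo_login" \
#     "$(netrc_field "$demo_dir/.netrc" "$demo_master" password)" \
#     apps/secrets/ci-variables/jenkins_secret "/root/conjur-$demo_company.pem"
rm -rf "$demo_dir"
```

With this layout, `setup.sh` only has to write config.ini; nothing in the retrieval script is hardcoded and no `sed` rewrite of the script itself is needed. `--fail` makes curl return non-zero on an HTTP error, so a failed authentication stops the script instead of sending an error body as the "token" in the next request.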
Opted not to prompt for entry. Company name and Conjur DNS name now carry through to the CLI script.
Rather than have a hard coded secret/acme/etc... use a variable, or build script on the fly