magicmarkh-zz / conjur-poc

Basic Conjur POC Setup
GNU General Public License v3.0

Update CLI-Retrieve script with variables rather than hard coded retrieve parameters #2

Closed magicmarkh-zz closed 5 years ago

magicmarkh-zz commented 5 years ago

Rather than have a hard-coded secret/acme/etc..., use a variable, or build the script on the fly.

cybermaroun commented 5 years ago

```bash
main(){
  printf '\n-----'
  printf '\nThis Script will pull a secret via REST.'
  secret_pull
  printf '\n-----\n'
}

secret_pull(){
  local companyname="acme"
  local conjurCert="/root/conjur-"$companyname".pem"
  # host login and API key come from ~/.netrc
  local api=$(cat ~/.netrc | awk '/password/ {print $2}')
  local hostname=$(cat ~/.netrc | awk '/login/ {print $2}')
  local secret_name="apps/secrets/ci-variables/jenkins_secret"
  # authenticate with the API key; the response body is the raw Conjur token
  local auth=$(curl -s --cacert $conjurCert -H "Content-Type: text/plain" -X POST -d "$api" https://conjur-master/authn/$companyname/$hostname/authenticate)
  # the token is sent base64-encoded on a single line in the Authorization header
  local auth_token=$(echo -n $auth | base64 | tr -d '\r\n')
  local secret_retrieve=$(curl --cacert $conjurCert -s -X GET -H "Authorization: Token token=\"$auth_token\"" https://conjur-master/secrets/$companyname/variable/$secret_name)
  printf "\n"
  printf "\nSecret is: $secret_retrieve"
}

main
```

cybermaroun commented 5 years ago

OR do this...

During setup.sh, copy the config.ini file to the policy directory (or just put it there at the start).

Then, when the volume gets mounted, the config file will be in the policy directory on the container.

Then the script would look like this....

```bash
main(){
  printf '\n-----'
  printf '\nThis Script will pull a secret via REST.'
  secret_pull
  printf '\n-----\n'
}

secret_pull(){
  # pull company_name, master_name, etc. from the config.ini mounted with the policy directory
  source <(grep = config.ini)
  local conjurCert="/root/conjur-"$company_name".pem"
  local api=$(cat ~/.netrc | awk '/password/ {print $2}')
  local hostname=$(cat ~/.netrc | awk '/login/ {print $2}')
  local secret_name="apps/secrets/ci-variables/jenkins_secret"
  local auth=$(curl -s --cacert $conjurCert -H "Content-Type: text/plain" -X POST -d "$api" https://conjur-master/authn/$company_name/$hostname/authenticate)
  local auth_token=$(echo -n $auth | base64 | tr -d '\r\n')
  local secret_retrieve=$(curl --cacert $conjurCert -s -X GET -H "Authorization: Token token=\"$auth_token\"" https://conjur-master/secrets/$company_name/variable/$secret_name)
  printf "\n"
  printf "\nSecret is: $secret_retrieve"
}

main
```
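An added example, not code from the conjur-poc repo: the same secret_pull flow with company and master name taken from config.ini as proposed above, but with the ini file parsed rather than sourced, the API key passed to curl over stdin, and HTTP errors treated as failures. Assumed: config.ini has `company_name=` and `master_name=` lines, ~/.netrc holds the host login and API key, and the secret path is the one used in the posted script.

```shell
#!/bin/sh
# Added example, not from the conjur-poc repo. Assumptions: config.ini holds
# company_name=... and master_name=... lines, ~/.netrc holds the host login
# and API key as in the thread's script, and the secret path is unchanged.
set -eu

# Read one key from an ini-style file by parsing it, not sourcing it, so
# nothing in config.ini is executed. Only the named key's value is returned.
ini_get() {
  awk -F= -v k="$2" '
    { key = $1; gsub(/[ \t]/, "", key) }
    key == k { sub(/^[^=]*=/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print; exit }
  ' "$1"
}

# Conjur expects the raw authn response base64-encoded on a single line.
auth_header() {
  printf 'Token token="%s"' "$(printf '%s' "$1" | base64 | tr -d '\r\n')"
}

secret_pull() {
  cfg=${1:-config.ini}
  company_name=$(ini_get "$cfg" company_name)
  master_name=$(ini_get "$cfg" master_name)
  conjurCert="/root/conjur-${company_name}.pem"
  login=$(awk '/login/ {print $2}' ~/.netrc)
  api=$(awk '/password/ {print $2}' ~/.netrc)
  secret_name="apps/secrets/ci-variables/jenkins_secret"
  # The API key is piped to curl (--data-binary @-) rather than placed on
  # the command line, where the process list would show it. --fail makes
  # curl exit non-zero on HTTP errors, so an error body is never mistaken
  # for a token or a secret.
  auth=$(printf '%s' "$api" | curl -sS --fail --cacert "$conjurCert" \
      -H "Content-Type: text/plain" -X POST --data-binary @- \
      "https://${master_name}/authn/${company_name}/${login}/authenticate")
  curl -sS --fail --cacert "$conjurCert" \
      -H "Authorization: $(auth_header "$auth")" \
      "https://${master_name}/secrets/${company_name}/variable/${secret_name}"
}
```

Call `secret_pull /path/to/config.ini` from the CLI container; the secret is written to stdout only, so the caller decides whether it is ever echoed.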

strick-j commented 5 years ago

Add this at the beginning of the "install_conjur" function to prompt the user for input for company name and hostname:

```bash
#Gather Company Name
local done=0
while : ; do
  read -p 'Please enter your company name: ' compvar
  printf "%s\n" "You entered $compvar, is this correct (Yes or No)?"
  select yn in "Yes" "No"; do
    case $yn in
      # write the confirmed value into config.ini
      Yes ) local done=1; sed -i "s+company_name=.*+company_name=$compvar+g" config.ini; break;;
      No ) echo ""; break;;
    esac
  done
  if [[ "$done" -ne 0 ]]; then
    break
  fi
done

#Gather Hostname
local done=0
while : ; do
  read -p 'Please enter fully qualified domain name or hostname: ' hostvar
  printf "%s\n" "You entered $hostvar, is this correct (Yes or No)?"
  select yn in "Yes" "No"; do
    case $yn in
      Yes ) local done=1; sed -i "s+master_name=.*+master_name=$hostvar+g" config.ini; break;;
      No ) echo ""; break;;
    esac
  done
  if [[ "$done" -ne 0 ]]; then
    break
  fi
done
```

Add prior to the end of the install_conjur function:

```bash
#Updating cli-retrieve script based on config.ini
sed -i "s+acme+$company_name+g" $PWD/policy/cli-retrieve-password.sh
sed -i "s+conjur-master+$master_name+g" $PWD/policy/cli-retrieve-password.sh
```

I tested the above and the changes worked with a quick test on CentOS. You would need to test them on Ubuntu. We could prompt for the password twice, hide the output and compare the strings for the password portion if you wanted to, but it would still be written in plaintext in the file.

magicmarkh-zz commented 5 years ago

Opted not to prompt for entry. Company name and Conjur DNS name now carry through to the CLI script.