CLOUD-4745: ensure certificates are up to date

VERSION

@@ -1 +1 @@
-0.1.63
+0.1.64

bin/ih-setup

@@ -52,10 +52,18 @@ declare -a IH_SETUP_DOMAINS
 # they are for the user to customize.
 export IH_CUSTOM_DIR="$IH_DIR/custom"
 
+if [ ! -d "$IH_CUSTOM_DIR" ]; then
+  mkdir "$IH_CUSTOM_DIR"
+fi
+
 # The directory where IH shell default files are to be installed
 # These are files that may be overwritten during an upgrade
 export IH_DEFAULT_DIR="$IH_DIR/default"
 
+if [ ! -d "$IH_DEFAULT_DIR" ]; then
+  mkdir "$IH_DEFAULT_DIR"
+fi
+
 # If a step sets this then the ih-setup script will
 # write out a warning to the user that they should
 # source their .rcs when the script is done.

formula/ih-core.rb

@@ -1,5 +1,5 @@
 class IhCore < Formula
-  VERSION="0.1.63"
+  VERSION="0.1.64"
   desc "Brew formula for installing core tools used at Included Health engineering."
   homepage "https://github.com/ConsultingMD/homebrew-ih-public"
   license "CC BY-NC-ND 4.0"

lib/core/certificates/step.sh

@@ -2,6 +2,13 @@
 
 # IH_CORE_DIR will be set to the directory containing the bin and lib directories.
 
+CA_DIR="$HOME/.ih/certs"
+SOURCE_CA_PATH="$IH_CORE_LIB_DIR/core/certificates/certs/grand_rounds_chained_ca.pem"
+INSTALLED_CA_PATH="$CA_DIR/grand_rounds_chained_ca.pem"
+SOURCE_CERT_SCRIPT="$IH_CORE_LIB_DIR/core/certificates/default/11_certificates.sh"
+INSTALLED_CERT_SCRIPT="$IH_DEFAULT_DIR/11_certificates.sh"
+MOZILLA_PATH="$CA_DIR/mozilla.pem"
+
 function ih::setup::core.certificates::help() {
   # shellcheck disable=SC2016
   echo 'Trust the certificates used by the VPN DLP
@@ -24,12 +31,20 @@ function ih::setup::core.certificates::help() {
 # Check if the step has been installed and return 0 if it has.
 # Otherwise return 1.
 function ih::setup::core.certificates::test() {
+  if [ ! -f "$INSTALLED_CERT_SCRIPT" ]; then
+    return 1
+  fi
 
-  if [ ! -f "$IH_DEFAULT_DIR/11_certificates.sh" ]; then
+  if [ ! -d "$CA_DIR" ]; then
     return 1
   fi
 
-  if [ ! -d "$HOME/.ih/certs" ]; then
+  # Compare both the CA cert and the certificates script with their sources
+  if [ ! -f "$INSTALLED_CA_PATH" ] || ! diff -q "$SOURCE_CA_PATH" "$INSTALLED_CA_PATH" >/dev/null; then
+    return 1
+  fi
+
+  if ! diff -q "$SOURCE_CERT_SCRIPT" "$INSTALLED_CERT_SCRIPT" >/dev/null; then
     return 1
   fi
 
@@ -42,10 +57,6 @@ function ih::setup::core.certificates::deps() {
 }
 
 function ih::setup::core.certificates::install() {
-
-  local CA_DIR="$HOME/.ih/certs"
-  local CA_PATH="$CA_DIR/grand_rounds_chained_ca.pem"
-  local MOZILLA_PATH="$CA_DIR"/mozilla.pem
   mkdir -p "$CA_DIR"
   ih::log::info "Copying internal CA certs into $CA_DIR"
 
@@ -85,7 +96,7 @@ function ih::setup::core.certificates::install() {
     return 1
   fi
   # Append our DLP certs to the mozilla bundle.
-  cat "$CA_PATH" >>"$MOZILLA_PATH"
+  cat "$INSTALLED_CA_PATH" >>"$MOZILLA_PATH"
 
   # Download a CA cert that AWS sometimes uses, which is not
   # included in the Mozilla bundle. This affects a few people
@@ -107,13 +118,13 @@ function ih::setup::core.certificates::install() {
   OPENSSL_FOUND=$?
   if [[ "$OPENSSL_FOUND" -eq 0 ]]; then
     ih::log::info "Copying internal CA cert to brew OpenSSL certs..."
-    cp "$CA_PATH" "$OPENSSL_PATH"/gr_root_ca.pem
+    cp "$INSTALLED_CA_PATH" "$OPENSSL_PATH"/gr_root_ca.pem
     REHASH_PATH=$(brew info openssl | grep -oE "/usr/local/opt/openssl.*")
     $REHASH_PATH
   fi
 
   ih::log::info "Rehashing brew OpenSSL certs..."
   "$(brew --prefix)"/opt/openssl/bin/c_rehash
 
-  cp -f "$IH_CORE_LIB_DIR/core/certificates/default/11_certificates.sh" "$IH_DEFAULT_DIR/11_certificates.sh"
+  cp -f "$SOURCE_CERT_SCRIPT" "$INSTALLED_CERT_SCRIPT"
 }