From 24d0824f4064c820c29bfb4a6a9998eaf2f3cf88 Mon Sep 17 00:00:00 2001 From: Daniel Villalobos Date: Thu, 12 Sep 2024 15:46:41 +0200 Subject: [PATCH 1/3] Add new line if not present in the clients.yml file --- DAPS/register_connector.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/DAPS/register_connector.sh b/DAPS/register_connector.sh index 0a2b944..0a400d9 100755 --- a/DAPS/register_connector.sh +++ b/DAPS/register_connector.sh @@ -31,7 +31,8 @@ contains "$AKI" "$SUB" CLIENT_CERT_SHA="$(openssl x509 -in "$CLIENT_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" -cat >> config/clients.yml <>config/clients.yml < Date: Tue, 17 Sep 2024 09:33:26 +0200 Subject: [PATCH 2/3] Add a check for existing user in the file --- DAPS/register_connector.sh | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/DAPS/register_connector.sh b/DAPS/register_connector.sh index 0a400d9..a6c384e 100755 --- a/DAPS/register_connector.sh +++ b/DAPS/register_connector.sh @@ -1,8 +1,8 @@ #!/bin/sh if [ ! $# -ge 1 ] || [ ! $# -le 3 ]; then - echo "Usage: $0 NAME (SECURITY_PROFILE) (CERTFILE)" - exit 1 + echo "Usage: $0 NAME (SECURITY_PROFILE) (CERTFILE)" + exit 1 fi CLIENT_NAME=$1 
@@ -17,20 +17,25 @@ AKI="$(openssl x509 -in "keys/${CLIENT_NAME}.cert" -noout -text | grep -A1 "Auth SUB='keyid' contains() { - string="$AKI" - substring="$SUB" - if test "${string#*$substring}" != "$string" - then - CLIENT_ID="$SKI:$AKI" # $substring is in $string - else - CLIENT_ID="$SKI:keyid:$AKI" # $substring is not in $string - fi + string="$AKI" + substring="$SUB" + if test "${string#*$substring}" != "$string"; then + CLIENT_ID="$SKI:$AKI" # $substring is in $string + else + CLIENT_ID="$SKI:keyid:$AKI" # $substring is not in $string + fi } contains "$AKI" "$SUB" CLIENT_CERT_SHA="$(openssl x509 -in "$CLIENT_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" +# Check if client with the same ID or name already exists +if grep -q "client_id: $CLIENT_ID" config/clients.yml || grep -q "client_name: $CLIENT_NAME" config/clients.yml; then + echo "Client with ID $CLIENT_ID or name $CLIENT_NAME already exists in config/clients.yml. Skipping addition." + exit 0 +fi + cat >>config/clients.yml < Date: Tue, 17 Sep 2024 15:01:55 +0200 Subject: [PATCH 3/3] Completly refactor script --- DAPS/register_connector.sh | 81 +++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 41 deletions(-) diff --git a/DAPS/register_connector.sh b/DAPS/register_connector.sh index a6c384e..0f550ba 100755 --- a/DAPS/register_connector.sh +++ b/DAPS/register_connector.sh 
@@ -1,60 +1,59 @@ #!/bin/sh -if [ ! $# -ge 1 ] || [ ! $# -le 3 ]; then +# Validate the number of arguments (1 to 3) +if [ "$#" -lt 1 ] || [ "$#" -gt 3 ]; then echo "Usage: $0 NAME (SECURITY_PROFILE) (CERTFILE)" exit 1 fi CLIENT_NAME=$1 - CLIENT_SECURITY_PROFILE=$2 [ -z "$CLIENT_SECURITY_PROFILE" ] && CLIENT_SECURITY_PROFILE="idsc:BASE_SECURITY_PROFILE" - CLIENT_CERT="keys/$CLIENT_NAME.cert" -SKI="$(openssl x509 -in "keys/${CLIENT_NAME}.cert" -noout -text | grep -A1 "Subject Key Identifier" | tail -n 1 | tr -d ' ')" -AKI="$(openssl x509 -in "keys/${CLIENT_NAME}.cert" -noout -text | grep -A1 "Authority Key Identifier" | tail -n 1 | tr -d ' ')" +# Extract SKI and AKI using openssl +SKI="$(openssl x509 -in "$CLIENT_CERT" -noout -text | grep -A1 "Subject Key Identifier" | tail -n 1 | tr -d ' ')" +AKI="$(openssl x509 -in "$CLIENT_CERT" -noout -text | grep -A1 "Authority Key Identifier" | tail -n 1 | tr -d ' ')" SUB='keyid' -contains() { - string="$AKI" - substring="$SUB" - if test "${string#*$substring}" != "$string"; then - CLIENT_ID="$SKI:$AKI" # $substring is in $string - else - CLIENT_ID="$SKI:keyid:$AKI" # $substring is not in $string - fi -} - -contains "$AKI" "$SUB" +# Determine CLIENT_ID based on presence of 'keyid' in AKI +if echo "$AKI" | grep -q "$SUB"; then + CLIENT_ID="$SKI:$AKI" +else + CLIENT_ID="$SKI:keyid:$AKI" +fi CLIENT_CERT_SHA="$(openssl x509 -in "$CLIENT_CERT" -noout -sha256 -fingerprint | tr '[:upper:]' '[:lower:]' | tr -d : | sed 's/.*=//')" -# Check if client with the same ID or name already exists -if grep -q "client_id: $CLIENT_ID" config/clients.yml || grep -q "client_name: $CLIENT_NAME" config/clients.yml; then - echo "Client with ID $CLIENT_ID or name $CLIENT_NAME already exists in config/clients.yml. Skipping addition." 
+# Check if a client with the same client_id or client_name exists +CLIENT_EXISTS=$(yq eval '.[] | select(.client_id == "'"$CLIENT_ID"'" or .client_name == "'"$CLIENT_NAME"'")' config/clients.yml) + +if [ -n "$CLIENT_EXISTS" ]; then + echo "Client with ID $CLIENT_ID or name $CLIENT_NAME already exists. Updating the existing entry." + + # Update client_id, client_name, and transportCertsSha256 for the exact matching entry + yq eval -i ' + map( + select(.client_id == "'"$CLIENT_ID"'" or .client_name == "'"$CLIENT_NAME"'") |= + (.client_id = "'"$CLIENT_ID"'" | + .client_name = "'"$CLIENT_NAME"'" | + (.attributes[] | select(.key == "transportCertsSha256").value) = "'"$CLIENT_CERT_SHA"'") + ) + ' config/clients.yml + + echo "Client entry updated successfully." exit 0 fi -cat >>config/clients.yml <>config/clients.yml +fi + +# Append the new client entry +yq eval -i '. += [{"client_id": "'"$CLIENT_ID"'", "client_name": "'"$CLIENT_NAME"'", "grant_types": "client_credentials", "token_endpoint_auth_method": "private_key_jwt", "scope": "idsc:IDS_CONNECTOR_ATTRIBUTES_ALL", "attributes": [{"key": "idsc", "value": "IDS_CONNECTOR_ATTRIBUTES_ALL"}, {"key": "securityProfile", "value": "'"$CLIENT_SECURITY_PROFILE"'"}, {"key": "referringConnector", "value": "http://'"${CLIENT_NAME}"'.demo"}, {"key": "@type", "value": "ids:DatPayload"}, {"key": "@context", "value": "https://w3id.org/idsa/contexts/context.jsonld"}, {"key": "transportCertsSha256", "value": "'"$CLIENT_CERT_SHA"'"}], "import_certfile": "'"$CLIENT_CERT"'"}]' config/clients.yml + +echo "Client entry added successfully."
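Review bot: `$CLIENT_NAME` comes straight from `$1` and is spliced into every yq expression as a quoted string literal (`'"$CLIENT_NAME"'`) in the `CLIENT_EXISTS` lookup, the `yq eval -i` update and the final append, so a name containing `"` or yq syntax rewrites the query instead of being compared, and the same unvalidated value also forms the path `keys/$CLIENT_NAME.cert`. Validate it right after `CLIENT_NAME=$1` with a POSIX allowlist, `case "$CLIENT_NAME" in ''|*[!A-Za-z0-9_.-]*) echo "Invalid NAME" >&2; exit 1;; esac`, or export the values and compare with yq's `strenv(CLIENT_NAME)` / `strenv(CLIENT_ID)` instead of splicing them into the program text. None of the three `yq` invocations is checked and the script has no `set -e`: if `yq` is missing the lookup just leaves `CLIENT_EXISTS` empty and execution falls through to the append, and a failing `yq eval -i` still prints "Client entry updated/added successfully", so add `command -v yq >/dev/null || { echo "yq is required" >&2; exit 1; }` near the top and `|| exit 1` after both in-place edits. The update branch selects on `client_id == X or client_name == Y`, so when one entry matches by id and a different entry matches by name, both are rewritten to the same id and name and the file ends up with duplicates; matching on `client_id` alone (or refusing with an error when the two selectors hit different entries) avoids that. The heredoc body between `cat >>config/clients.yml <<` and `fi` is not visible in this view, so the file-creation path could not be reviewed.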