-
Notifications
You must be signed in to change notification settings - Fork 37
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
scripts: supporting remote re-provisioning
- Loading branch information
1 parent
0a7922a
commit bc4066d
Showing
1 changed file
with
127 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| #!/usr/bin/env bash | ||
|
|
||
| set -o errexit # abort on nonzero exit status | ||
| set -o errtrace # pass ERR trap down to functions, substitutions, etc | ||
| set -o nounset # abort on unbound variable | ||
| set -o pipefail # don’t hide errors within pipes | ||
|
|
||
| [[ "${BASH_VERSINFO:-0}" -ge 4 ]] || { echo "Bash version 4 or higher is required."; exit 1; } | ||
|
|
||
| usage() { | ||
| echo "Usage $0 [OPTIONS] <teleport-tunnel|ipv4> | ||
| Options: | ||
| -r, --reprovision Re-provisioning the device and skips fetching of attestation certificate | ||
| -t, --plug-trust Path for plug_and_trust.tar.gz on the host (required for prod images) | ||
| -p, --passphrase Expected to be used with IPv4 (required for dev images with ssh access)" | ||
| } | ||
|
|
||
| setup_plug_and_trust() { | ||
| local remote="${1}" | ||
| local plug_trust="${2}" | ||
| local ssh_prefix="${3}" | ||
|
|
||
| if ${ssh_prefix} ssh "worldcoin@${remote}" '! [[ -d /service_mode ]]'; then | ||
| # NOTE: The following case, should only be met in production images, where tsh | ||
| # is the only available option for remote access. SOON will be deprecated | ||
| if [[ -n "${plug_trust}" ]]; then | ||
| ${ssh_prefix} scp "${plug_trust}" "root@${remote}:/tmp/plug_and_trust.tar.gz" | ||
| ${ssh_prefix} ssh "root@${remote}" <<EOF | ||
| set -euo | ||
| tar -xzf /tmp/plug_and_trust.tar.gz -C /tmp/plug_and_trust | ||
| mount --bind /tmp/plug_and_trust /service_mode | ||
| EOF | ||
| else | ||
| echo "Error: --plug-trust option is required" | ||
| usage; exit 1 | ||
| fi | ||
| fi | ||
| } | ||
|
|
||
| provision_device() { | ||
| local remote="${1}" | ||
| local short="${2}" | ||
| local ssh_prefix="${3}" | ||
|
|
||
| local user="worldcoin" | ||
| local prov_dir="/usr/persistent/se" | ||
| if [[ "${ssh_prefix}" == "tsh" ]]; then | ||
| user="root" | ||
| fi | ||
|
|
||
| # If /se/keystore is not present, provisioning process was never executed, or the folder was deleted by the user | ||
| # In this case, reprovisioniong (--short flag) is not allowed for fear of wiping the attestation certificate | ||
| if [[ ${short} ]]; then | ||
| ${ssh_prefix} ssh "worldcoin@${remote}" << EOF | ||
| set -euo | ||
| mkdir -p ${prov_dir} | ||
| cd -- ${prov_dir} | ||
| /service_mode/provision.sh | ||
| EOF | ||
| else | ||
| ${ssh_prefix} ssh "${user}@${remote}" <<EOF | ||
| set -euo | ||
| sudo su || true | ||
| [[ -d ${prov_dir}/keystore ]] || echo "${prov_dir}/keystore: does not exist, re-provisioning not allowed" && exit 1 | ||
| mount -o remount,exec /tmp | ||
| systemctl stop nv-tee-supplicant.service | ||
| cp /usr/persistent/se/keystore/f0000013.cert /usr/persistent/ || true | ||
| rm -rf /usr/persistent/tee/ /usr/persistent/se/keystore | ||
| systemctl start nv-tee-supplicant.service | ||
| /service_mode/delete-all.sh | ||
| su worldcoin -c "cd -- ${prov_dir}; /service_mode/provision.sh --short" | ||
| cp /usr/persistent/f0000013.cert /usr/persistent/se/keystore/ || true | ||
| EOF | ||
| fi | ||
| } | ||
|
|
||
| main() { | ||
| local arg | ||
| local remote | ||
| local plug_trust="" | ||
| local short=false | ||
| local passphrase="" | ||
| local ssh_prefix="tsh" | ||
| local positional_args=() | ||
|
|
||
| while [[ $# -gt 0 ]]; do | ||
| arg="${1}"; shift | ||
| case ${arg} in | ||
| -h | --help) | ||
| usage; exit 0 ;; | ||
| -r | --reprovision) | ||
| short=true ;; | ||
| -p | --passphrase) | ||
| passphrase="${1}"; shift ;; | ||
| -t | --plug-trust) | ||
| plug_trust="${1}"; shift ;; | ||
| -*) | ||
| echo "Invalid argument: ${arg}" | ||
| usage; exit 1 ;; | ||
| *) | ||
| positional_args+=( "${arg}" ) ;; | ||
| esac | ||
| done | ||
| set -- "${positional_args[@]}" | ||
|
|
||
| if [[ "$#" -ne 1 ]]; then | ||
| echo "Error: teleport-tunnel or IPv4 is required" | ||
| usage; exit 1 | ||
| fi | ||
|
|
||
| remote="${1}" | ||
| if [[ "${remote}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| if [[ -z "${passphrase}" ]]; then | ||
| echo "Error: Passphrase is missing for IPv4 connection" | ||
| usage; exit 1 | ||
| fi | ||
| ssh_prefix="sshpass -p "${passphrase}" ssh" | ||
| fi | ||
|
|
||
| setup_plug_and_trust "${remote}" "${plug_trust}" "${ssh_prefix}" | ||
| provision_device "${remote}" "${short}" "${ssh_prefix}" | ||
| } | ||
|
|
||
| if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then | ||
| main "$@" | ||
| fi |