labca/commander

#!/usr/bin/env bash

set -euo pipefail

LOGFILE=/opt/logs/commander.log

err_report() {
    echo "ERROR! On line $1 in commander script"
}

trap 'err_report $LINENO' INT TERM ERR

dn=$(dirname $0)
source "$dn/utils.sh"

function wait_server() {
    local url="$1"

    local status=0
    local cnt=0

    set +e
    res=$(curl -o /dev/null -sSLk --head --write-out '%{http_code}\n' $url 2>&1)
    if [ $? -ne 0 ]; then
        echo -n $res
    fi
    set -e
    while [ $cnt -lt 40 ] && [ "$status" != "200" ]; do
        status=$(curl -o /dev/null -sSL --head --write-out '%{http_code}\n' $url 2>>$LOGFILE)
        let cnt=$cnt+1
        if [ "$status" != "200" ]; then
            sleep 5
        fi
    done
}


read txt
case $txt in
"docker-restart")
    cd /opt/boulder
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint gui nginx &>>$LOGFILE
    sleep 45
    wait_up $PS_MYSQL &>>$LOGFILE
    wait_up $PS_CONSUL 2 &>>$LOGFILE
    wait_up $PS_PKILINT &>>$LOGFILE
    wait_up $PS_LABCA &>>$LOGFILE
    wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
    ;;
"acme-request")
    wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
    cd /etc/nginx/ssl
    [ -e account.key ] || openssl genrsa 4096 > account.key
    [ ! -f labca_key.pem ] || mv labca_key.pem labca_key_rsa.pem
    [ -e labca_key_rsa.pem ] || openssl genrsa 4096 > labca_key_rsa.pem
    [ -e labca_key_ecdsa.pem ] || openssl ecparam -name secp384r1 -genkey -out labca_key_ecdsa.pem

    set +e
    curve_count=$(openssl pkey -pubin -in /opt/boulder/labca/test-ca.pubkey.pem -text | grep -i curve | wc -l)
    set -e
    [ "$curve_count" == "0" ] && ln -sf labca_key_rsa.pem labca_key.pem || /bin/true
    [ "$curve_count" != "0" ] && ln -sf labca_key_ecdsa.pem labca_key.pem || /bin/true

    if [ -e labca_cert.pem ]; then
        if [ ! -e domain.csr ]; then
            san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:)
            openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr
        fi

        hash=$(openssl x509 -hash -noout -in labca_cert.pem)
        issuer_hash=$(openssl x509 -issuer_hash -noout -in labca_cert.pem)
    fi
    if [ "$hash" == "$issuer_hash" ] || ! expires=$(openssl x509 -checkend 172800 -noout -in labca_cert.pem); then
        url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
        wait_server $url
        sleep 10
        /opt/labca/renew
    fi

    ln -sf /opt/labca/cron_d /etc/cron.d/labca
    ln -sf /opt/labca/logrotate_d /etc/logrotate.d/labca
    ;;
"acme-change")
    read fqdn
    cd /etc/nginx/ssl
    [ ! -f labca_key.pem ] || mv labca_key.pem labca_key_rsa.pem
    [ -e labca_key_rsa.pem ] || openssl genrsa 4096 > labca_key_rsa.pem
    [ -e labca_key_ecdsa.pem ] || openssl ecparam -name secp384r1 -genkey -out labca_key_ecdsa.pem

    set +e
    curve_count=$(openssl pkey -pubin -in /opt/boulder/labca/test-ca.pubkey.pem -text | grep -i curve | wc -l)
    set -e
    [ "$curve_count" == "0" ] && ln -sf labca_key_rsa.pem labca_key.pem || /bin/true
    [ "$curve_count" != "0" ] && ln -sf labca_key_ecdsa.pem labca_key.pem || /bin/true

    openssl req -new -utf8 -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$fqdn")) > domain.csr
    url=$(grep 'DEFAULT_DIRECTORY_URL =' /opt/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g')
    wait_server $url
    sleep 10
    /opt/labca/renew
    ;;
"nginx-remove-redirect")
    perl -i -p0e 's/\n    # BEGIN temporary redirect\n    location = \/ \{\n        return 302 \/admin\/;\n    }\n    # END temporary redirect\n//igs' /etc/nginx/conf.d/labca.conf
    ;;
"nginx-reload")
    cd /opt/boulder
    docker compose exec nginx nginx -s reload &>>$LOGFILE
    ;;
"nginx-restart")
    cd /opt/boulder
    docker compose restart nginx &>>$LOGFILE
    ;;
"log-cert")
    [ -f /etc/nginx/ssl/acme_tiny.log ] && tail -200 /etc/nginx/ssl/acme_tiny.log || /bin/true
    exit 0
    ;;
"log-commander")
    [ -f $LOGFILE ] && tail -200 $LOGFILE || /bin/true
    exit 0
    ;;
"log-control-notail")
    cd /opt/boulder
    docker compose logs --no-color --tail=50 control
    ;;
"log-cron")
    [ -f /opt/logs/cron.log ] && tail -n200 -f /opt/logs/cron.log || /bin/true
    exit 0
    ;;
"log-boulder")
    cd /opt/boulder
    docker compose logs -f --no-color --tail=50 boulder
    ;;
"log-boulder-notail")
    cd /opt/boulder
    docker compose logs --no-color --tail=50 boulder
    ;;
"log-audit")
    cd /opt/boulder
    docker compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling  due to unexpected end of JSON input" | tail -50
    docker compose logs -f --no-color --tail=0 boulder | grep "\[AUDIT\]"
    ;;
"log-activity")
    cd /opt/boulder
    echo "GMT"
    docker compose logs --no-color boulder | grep "\[AUDIT\]" | grep -v "grpc: parseServiceConfig error unmarshaling  due to unexpected end of JSON input" | tail -15
    exit 0
    ;;
"log-labca")
    cd /opt/boulder
    docker compose logs -f --no-color --tail=50 gui
    ;;
"log-labca-notail")
    cd /opt/boulder
    docker compose logs --no-color --tail=50 gui
    ;;
"log-web")
    cd /opt/boulder
    docker compose logs -f --no-color --tail=50 nginx
    ;;
"log-components")
    nginx=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -nginx-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    svc=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -control-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    boulder=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -boulder-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    labca=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- labca-gui) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    mysql=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bmysql-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    consul=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bconsul-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    pkilint=$(docker inspect $(docker ps --format "{{.Names}}" | grep -- -bpkilint-) | grep -i started | grep -v depends_on | sed -e "s/[^:]*:\(.*\)/\1/" | sed -e "s/.*\"\(.*\)\".*/\1/")
    echo "$nginx|$svc|$boulder|$labca|$mysql|$consul|$pkilint"
    exit 0
    ;;
"log-uptime")
    timezone=$(cat /etc/timezone)
    uptime=$(uptime -s)
    echo "$timezone|$uptime"
    exit 0
    ;;
"log-stats")
    docker stats --no-stream -a | grep " labca-"
    ;;
"revoke-cert")
    read serial
    read reason
    cd /opt/boulder
    docker compose exec boulder bin/admin -config labca/config/admin.json revoke-cert -serial $serial -reason $reason -dry-run=false 2>&1
    ;;
"test-email")
    read recipient
    cd /opt/boulder
    docker compose exec boulder bin/mail-tester --config labca/config/expiration-mailer.json $recipient 2>&1
    ;;
"boulder-start")
    cd /opt/boulder
    COMPOSE_HTTP_TIMEOUT=120 docker compose up -d bmysql bconsul bpkilint
    wait_up $PS_MYSQL &>>$LOGFILE
    wait_up $PS_CONSUL 2 &>>$LOGFILE
    wait_up $PS_PKILINT &>>$LOGFILE
    COMPOSE_HTTP_TIMEOUT=120 docker compose up -d boulder
    wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
    ;;
"boulder-stop")
    cd /opt/boulder
    docker compose stop boulder
    docker compose stop bmysql bconsul bpkilint
    wait_down $PS_MYSQL &>>$LOGFILE
    wait_down $PS_CONSUL &>>$LOGFILE
    wait_down $PS_PKILINT &>>$LOGFILE
    wait_down $PS_BOULDER &>>$LOGFILE
    ;;
"boulder-restart")
    cd /opt/boulder
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart boulder bmysql bconsul bpkilint &>>$LOGFILE
    sleep 30
    wait_up $PS_MYSQL &>>$LOGFILE
    wait_up $PS_CONSUL 2 &>>$LOGFILE
    wait_up $PS_PKILINT &>>$LOGFILE
    wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE
    ;;
"labca-restart")
    cd /opt/boulder
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart gui
    sleep 15
    wait_up $PS_LABCA &>>$LOGFILE
    ;;
"mysql-restart")
    cd /opt/boulder
    set +e
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart bmysql
    set -e
    ;;
"consul-restart")
    cd /opt/boulder
    set +e
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart bconsul
    set -e
    ;;
"pkilint-restart")
    cd /opt/boulder
    set +e
    COMPOSE_HTTP_TIMEOUT=120 docker compose restart bpkilint
    set -e
    ;;
"log-backups")
    ls -1tr /opt/backup || /bin/true
    exit 0
    ;;
"log-server-backup")
    /opt/labca/backup
    exit 0
    ;;
"backup-delete")
    read backup
    rm -f /opt/backup/$backup
    ;;
"backup-restore")
    read backup
    /opt/labca/restore "$backup"
    sleep 3
    ;;
"server-restart")
    cd /opt/boulder
    nohup docker compose restart gui & >/dev/null
    nohup docker compose restart nginx & >/dev/null
    ;;
"version-update")
    cd $dn
    branch="$(git symbolic-ref --short HEAD 2>/dev/null)" || branch="(none)"
    if [ "$branch" == "master" ] || [ "$branch" == "main" ] || [ "$branch" == "(none)" ]; then
        nohup /labca/install &>>$LOGFILE
    else
        nohup /labca/install -b $branch &>>$LOGFILE
    fi
    ;;
"gen-issuer-crl")
    cd /opt/boulder
    docker compose exec -i boulder ./bin/boulder crl-updater --config labca/config/crl-updater.json -runOnce -debug-addr :18021 &>>$LOGFILE
    /opt/labca/checkcrl &>>$LOGFILE
    ;;
"check-crl")
    /opt/labca/checkcrl &>>$LOGFILE
    ;;
*)
    echo "Unknown command '$txt'. ERROR!"
    exit 1
    ;;
esac

echo "ok"