admin.bash

#!/bin/bash # Copyright 2019 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. GREEN="\e[32m" RED="\e[31m" RESET="\e[0m" # Default "Admin Tool" client IDs and secrets. Can override via "set ...". IC_CLIENT_ID="1b2b57c0-46dc-48ce-bd5b-389f26489bcd" IC_CLIENT_SECRET="94cb4a9b-2f96-4b59-851e-5791dd3040b4" DAM_CLIENT_ID="0ef2f928-ba67-47b6-9cd6-288be82e3497" DAM_CLIENT_SECRET="64f1b6b3-abbe-48b4-bfa9-67f6d1ab910d" STATE_FILE=~/.fa_admin API_VERSION="v1alpha" REALM="master" ENVIRONMENT="" # For curl debug use: # CURL_OPTIONS="-v --trace-ascii /dev/stdout -s" CURL_OPTIONS="-s" # Commands are added here and usage is auto-generated. Note that user supplied # args can be supplied (e.g. "<name>") starting on the 4th input and must then # be on every second input. Avoid conflicts with arg commands and non-arg # commands by pretending all <named_arg> fields are removed and seeing if there # is a collision. Example: "print hello" and "print hello <name>" collide. # # Most service endpoint commands will make one of three types of calls: # 1. curl_public <dam|ic> <resource_path>: when anyone can hit the endpoint. # 2. <dam_curl_client|ic_curl_client> <resource_path>: when client_id and # client_secret are needed to identify the application. # 3. <dam_curl_auth|ic_curl_auth> <resource_path>: when client id/secret and # an access_token are required to identify the app and the user. declare -A COMMANDS=( # DAM commands ["check dam clients"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/clients:sync"' ["print dam config"]='dam_curl_auth "/dam/${API_VERSION?}/${REALM?}/config"' ["print dam config history"]='dam_curl_auth "/dam/${API_VERSION?}/${REALM?}/config/history"' ["print dam info"]='curl_public "dam" "/dam"' ["print dam processes"]='dam_curl_auth "/dam/${API_VERSION?}/${REALM?}/processes"' ["print dam process <name>"]='dam_curl_auth "/dam/${API_VERSION?}/${REALM?}/processes/$4"' ["print dam resource <name>"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources/$4"' ["print dam resource <name> views"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources/$4/views"' ["print dam resource <name> view <name>"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources/$4/views/$6"' ["print dam resource <name> view <name> roles"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources/$4/views/$6/roles"' ["print dam resource <name> view <name> role <name>"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources/$4/views/$6/roles"' ["print dam resources"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/resources"' ["print dam services"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/services"' ["print dam personas"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/testPersonas"' ["print dam roles"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/damRoleCategories"' ["print dam translators"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/passportTranslators"' ["print dam views"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/flatViews"' ["sync dam clients"]='dam_curl_client "/dam/${API_VERSION?}/${REALM?}/clients:sync" "POST"' # IC commands ["check ic clients"]='ic_curl_client "/identity/${API_VERSION?}/${REALM?}/clients:sync"' ["print ic config"]='ic_curl_auth "/identity/${API_VERSION?}/${REALM?}/config"' ["print ic config history"]='ic_curl_auth "/identity/${API_VERSION?}/${REALM?}/config/history"' ["print ic idps"]='ic_curl_client "/identity/${API_VERSION?}/${REALM?}/identityProviders"' ["print ic info"]='curl_public "ic" "/identity"' ["print ic me"]='ic_curl_auth "/identity/scim/v2/${REALM?}/Me"' ["print ic translators"]='ic_curl_client "/identity/${API_VERSION?}/${REALM?}/passportTranslators"' ["print ic user <name>"]='ic_curl_auth "/identity/scim/v2/${REALM?}/Users/$4"' ["print ic users"]='ic_curl_auth "/identity/scim/v2/${REALM?}/Users"' ["sync ic clients"]='ic_curl_client "/identity/${API_VERSION?}/${REALM?}/clients:sync" "POST"' ["print ic user <name> consent"]='ic_curl_auth "/identity/${API_VERSION?}/${REALM?}/users/$4/consents"' ["delete ic user <name> consent <consent_id>"]='ic_curl_auth "/identity/${API_VERSION?}/${REALM?}/users/$4/consents/$6" "DELETE"' # Admin state commands # ["login dam"]='curl_login "dam" "/dam" "DAM_ACCESS_TOKEN" "DAM_REFRESH_TOKEN"' ["login ic"]='curl_login "ic" "/identity" "IC_ACCESS_TOKEN" "IC_REFRESH_TOKEN"' # ["state_refresh dam"]='state_refresh "dam" "${DAM_CLIENT_ID}" "${DAM_CLIENT_SECRET}"' # ["state_refresh ic"]='state_refresh "ic" "${IC_CLIENT_ID}" "${IC_CLIENT_SECRET}"' ["set dam access_token <token>"]='state_update "DAM_ACCESS_TOKEN" "$4"' ["set dam client <client_id>"]='state_update "DAM_CLIENT_ID" "$4"' ["set dam refresh_token <token>"]='state_update "DAM_REFRESH_TOKEN" "$4"' ["set dam secret <secret>"]='state_update "DAM_CLIENT_SECRET" "$4"' ["set dam user <email>"]='state_update "DAM_USER_EMAIL" "$4"' ["set env <environment>"]='state_update "ENVIRONMENT" "$3"' ["set ic access_token <token>"]='state_update "IC_ACCESS_TOKEN" "$4"' ["set ic client <client_id>"]='state_update "IC_CLIENT_ID" "$4"' ["set ic refresh_token <token>"]='state_update "IC_REFRESH_TOKEN" "$4"' ["set ic secret <secret>"]='state_update "IC_CLIENT_SECRET" "$4"' ["set ic user <email>"]='state_update "IC_USER_EMAIL" "$4"' ["set project <project_id>"]='state_update "PROJECT" "$3"' ["set realm <realm>"]='state_update "REALM" "$3"' ["print state"]='state_print' # ["refresh dam"]='refresh_access "dam" ${DAM_CLIENT_ID?} ${DAM_CLIENT_SECRET?} ${DAM_REFRESH_TOKEN?}' # ["refresh ic"]='refresh_access "ic" ${IC_CLIENT_ID?} ${IC_CLIENT_SECRET?} ${IC_REFRESH_TOKEN?}' ["reset state"]='state_reset' ) # Only commands on this list are allowed in the COMMANDS list above. declare -A COMMAND_ALLOWLIST=( ["curl_login"]=true ["curl_public"]=true ["dam_curl_auth"]=true ["dam_curl_client"]=true ["ic_curl_auth"]=true ["ic_curl_client"]=true ["refresh_access"]=true ["state_print"]=true ["state_refresh"]=true ["state_reset"]=true ["state_update"]=true ) ##################################################### # State helper functions # ##################################################### # Sets variable $1 to value $2 and saves it to disk to be retrieved on # subsequent runs. state_update() { if [[ "$1" == "" || "$2" == "" ]]; then print_usage exit 1 fi export "$1"="$2" state_save } # Loads a set of variables (i.e. state) from disk. See the "set ..." commands # for a list of such variables. state_load() { if test -f "${STATE_FILE?}"; then local settings=`cat "${STATE_FILE?}"` local settings=(${settings/$'\n'/ }) # Don't blindly eval() something we loaded from elsewhere. Instead, process # one line at a time and verify of the form of A=B with explicit "export" # command for context within this script. for setting in "${settings[@]}"; do local parts=(${setting//=/ }) NAME="${parts[0]}" VALUE="${parts[1]}" if [[ "${NAME}" == "" ]]; then echo -e ${RED?}'invalid state "'"${setting}"'": recommend running "admin.bash reset state"'${RESET?} exit 2 fi # This check prevents injecting commands into this script by ensuring # that input is simple identifier characters and doesn't a means to # manipulate/escape string quote state, etc. if grep '^[-0-9a-zA-Z_.@=]*$' <<<${setting} > /dev/null; then export "$NAME"="$VALUE" else echo -e "${RED?}invalid characters in state \"${setting}\": recommend running \"admin.bash state reset\"${RESET?}" exit 2 fi done fi } # Generates the contents of the state as a string to be saved or printed. state_string() { STATE_STRING="PROJECT=${PROJECT}\nENVIRONMENT=${ENVIRONMENT}\nREALM=${REALM}\nDAM_CLIENT_ID=${DAM_CLIENT_ID}\nDAM_CLIENT_SECRET=${DAM_CLIENT_SECRET}\nIC_CLIENT_ID=${IC_CLIENT_ID}\nIC_CLIENT_SECRET=${IC_CLIENT_SECRET}\nDAM_REFRESH_TOKEN=${DAM_REFRESH_TOKEN}\nDAM_ACCESS_TOKEN=${DAM_ACCESS_TOKEN}\nIC_REFRESH_TOKEN=${IC_REFRESH_TOKEN}\nIC_ACCESS_TOKEN=${IC_ACCESS_TOKEN}\nDAM_USER_EMAIL=${DAM_USER_EMAIL}\nIC_USER_EMAIL=${IC_USER_EMAIL}\n" } # Generate all state as a string and print it. state_print() { state_string printf "${STATE_STRING}" } # Generate all state and a string and save it to disk. state_save() { state_string printf "${STATE_STRING}" >"${STATE_FILE?}" echo -e ${GREEN?}'state updated'${RESET?} } # Remove the state file from disk. Will inherit default state values on the # next run. state_reset() { rm "${STATE_FILE?}" > /dev/null 2>&1 echo -e ${GREEN?}'state reset complete'${RESET?} } # state_refresh <dam|ic> <client_id> <client_secret> # Present a login page link and ask user to paste refresh token. state_refresh() { local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi state_login_redirect "$1" echo Visit: "${REDIRECT}?client_id=$2&client_secret=$3" echo read -p "Paste refresh token and press enter: " refresh echo if [[ "${refresh}" == "" ]]; then echo -e ${RED?}'refresh token not provided'${RESET?} exit 1 fi if [[ "$1" == "ic" ]]; then IC_REFRESH_TOKEN="${refresh}" else DAM_REFRESH_TOKEN="${refresh}" fi echo -e ${GREEN?}'received refresh token'${RESET?} state_save } # state_login_redirect <dam|ic> # Generate a URL to use for login state_login_redirect() { local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi REDIRECT="https://$1demo${dash}${ENVIRONMENT}-dot-${PROJECT}.appspot.com/test" } ##################################################### # Curl helper functions # ##################################################### # curl_public <dam|ic> <resource_path> # Generates a URL then performs a GET using curl as part of a RESTful API. curl_public() { if [[ "$2" == "" ]]; then echo -e "${RED?}must provide RESTful path to resource${RESET?}" exit 2 fi local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi RESULT=`curl -s "$1${dash}${ENVIRONMENT}-dot-${PROJECT}.appspot.com$2"` curl_print } # curl_client <dam|ic> <resource_path> <client_id> <client_secret> [method] [input] [quiet] # Generates a URL then performs a GET using curl as part of a RESTful API. # Unlike curl_public, this function adds the client id/secret to the request. curl_client() { if [[ "$4" == "" ]]; then echo -e "${RED?}client id and secret required: use \"admin set $1 secret <paste_secret>\" etc${RESET?}" exit 2 fi local method="$5" if [[ "${method}" == "" ]]; then method="GET" fi local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi local input="" if [[ "$6" != "" ]]; then input="&$6" fi RESULT=`curl ${CURL_OPTIONS} -X "${method}" -H "Content-Length: 0" -H "Content-Type: application/x-www-form-urlencoded" "$1${dash}${ENVIRONMENT}-dot-${PROJECT}.appspot.com$2?client_id=$3&client_secret=$4${input}"` if [[ "$7" == "" ]]; then curl_print fi } # curl_auth <dam|ic> <resource_path> <client_id> <client_secret> <access_token> [method] # Generates a URL then performs a GET using curl as part of a RESTful API. # Unlike curl_public, this function adds the auth headers and client id/secret # to the request. curl_auth() { if [[ "$5" == "" ]]; then echo -e "${RED?}login access_token required: use \"admin set $1 access_token <paste_token>\"${RESET?}" exit 2 fi local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi local method="GET" if [[ "$6" != "" ]]; then method=$6 fi RESULT=`curl ${CURL_OPTIONS} -X "${method}" -H "Authorization: bearer $5" -H "Content-Type: application/x-www-form-urlencoded" "$1${dash}${ENVIRONMENT}-dot-${PROJECT}.appspot.com$2?client_id=$3&client_secret=$4"` curl_print } curl_print() { # Check to see if result is JSON, then pretty print in JSON if available. `jq -e <<< "${RESULT}" > /dev/null 2>&1` if [[ "$?" == "0" ]]; then printf "`jq -e <<< "${RESULT}"`" else echo "${RESULT}" fi echo } # dam_curl_auth <resource_path> # Wrapper for curl_auth that supplies a set of DAM inputs for client id/secret # and access token that were loaded from disk. Makes it easier to write COMMANDS # by abstracting all of these details. dam_curl_auth() { curl_auth "dam" "$1" "${DAM_CLIENT_ID}" "${DAM_CLIENT_SECRET}" "${DAM_ACCESS_TOKEN}" "$2" } # dam_curl_client <resource_path> [method] # Wrapper for curl_client that supplies a set of DAM inputs for client id/secret. dam_curl_client() { curl_client "dam" "$1" "${DAM_CLIENT_ID}" "${DAM_CLIENT_SECRET}" "$2" } # ic_curl_auth <resource_path> # Wrapper for curl_auth that supplies a set of IC inputs for client id/secret # and access token that were loaded from disk. Makes it easier to write COMMANDS # by abstracting all of these details. ic_curl_auth() { curl_auth "ic" "$1" "${IC_CLIENT_ID}" "${IC_CLIENT_SECRET}" "${IC_ACCESS_TOKEN}" "$2" } # ic_curl_client <resource_path> [method] [input] [quiet] # Wrapper for curl_client that supplies a set of IC inputs for client id/secret. ic_curl_client() { curl_client "ic" "$1" "${IC_CLIENT_ID}" "${IC_CLIENT_SECRET}" "$2" "$3" "$4" } # curl_login <dam|ic> <rootPath> <accessTokenVar> <refreshTokenVar> # Walks user through the steps to capture auth access_token and refresh_token. curl_login() { local cmd=ic_curl_client local user=${IC_USER_EMAIL} if [[ "$1" == "dam" ]]; then cmd=dam_curl_client user=${DAM_USER_EMAIL} fi if [[ "${user}" == "" ]]; then echo -e "${RED?}Must set user first using 'admin.bash set $1 user <email>'${RESET?}" exit 2 fi $cmd "$2/cli/register/auto" "POST" "email=${user}" "quiet" if [[ "$?" != "0" ]]; then curl_print echo echo -e "${RED?}Login failed${RESET?}" exit 2 fi local id=`jq -r '.id' <<< "${RESULT}"` local url=`jq -r '.authUrl' <<< "${RESULT}"` local secret=`jq -r '.secret' <<< "${RESULT}"` echo "Login via this link in a browser: $url" echo "Press enter after login is successful..." read $cmd "/identity/cli/register/${id}" "GET" "login_secret=${secret}" "quiet" if [[ "$?" != "0" ]]; then curl_print echo echo -e "${RED?}Get login state curl command failed${RESET?}" exit 2 fi local atok=`jq -r '.accessToken' <<< "${RESULT}"` local rtok=`jq -r '.refreshToken' <<< "${RESULT}"` if [[ "${atok}" == "" || "${atok}" == "null" || "${rtok}" == "" || "${rtok}" == "null" ]]; then curl_print echo echo -e "${RED?}Get login state values failed${RESET?}" exit 2 fi export "$3"="${atok}" export "$4"="${rtok}" state_save } # refresh_access <dam|ic> <client_id> <client_secret> <refresh_token> # Use a refresh token to fetch a new access token and store it in state. refresh_access() { local basic_auth=`echo "$2:$3" | base64 -w 0 | sed 's/+/-/g; s/\//_/g'` local dash="-" if [[ "${ENVIRONMENT}" == "" ]]; then dash="" fi state_login_redirect "$1" RESULT=`curl ${CURL_OPTIONS} -X POST -H "Authorization: Basic ${basic_auth}" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "grant_type=refresh_token&redirect_uri=${REDIRECT}&refresh_token=$4" https://$1${dash}${ENVIRONMENT}-dot-${PROJECT}.appspot.com/oauth2/token` curl_print } ##################################################### # Generate COMMAND_LOOKUP and Usage # ##################################################### # Generates the usage from COMMANDS and prints them. print_usage() { echo -e ${RED?}'Usage: admin <command>'${RESET?} echo -e ${RED?}' commands:'${RESET?} for cmd in "${!COMMANDS[@]}"; do echo -e "${RED?} ${cmd}${RESET?}" done | sort echo echo -e "${RED?}Note: some commands are only available in experimental mode${RESET?}" echo } # Removes any input parameters from COMMANDS usage key. This is used to generate # a lookup table of commands and match incoming commands with parameters like # "<name>". remove_key_params() { words=( $1 ) keys=() for word in "${words[@]}"; do if [[ "${word:0:1}" != "<" ]]; then keys+=( "${word}" ) fi done keys=$(printf " %s" ${keys[@]}) LOOKUP_KEY=${keys:1} } # Generates COMMAND_LOOKUP from COMMANDS by removing input parameters. declare -A COMMAND_LOOKUP for cmd in "${!COMMANDS[@]}"; do remove_key_params "$cmd" COMMAND_LOOKUP["${LOOKUP_KEY?}"]="${COMMANDS[${cmd}]}" done ##################################################### # Command Execution # ##################################################### # Executes a command by expanding the input parameters from $1. run_command() { echo -e "${GREEN?}${PROJECT?} ${ENVIRONMENT?} ${REALM?}${RESET?}" # Manually replace variables without eval() and strip quotes from args. local line=$1 local re='(.*)(\$\{([^\}]+)\})(.*)' while [[ $line =~ $re ]]; do varname=${BASH_REMATCH[3]/\?/} line="${BASH_REMATCH[1]}${!varname}${BASH_REMATCH[4]}" done args=() declare -a "array=( $(echo ${line} | tr '`$<>' '????') )" for arg in "${array[@]}"; do arg=${arg/\"/} arg=${arg/\"/} args+=( $arg ) done # Check allowlist to see if this command is authorized to limit risk from # variables injecting bad stuff. if [[ "${COMMAND_ALLOWLIST[${args[0]}]}" == "" ]]; then echo -e "${RED?}command \"${args[0]}\" is not on the allowlist and therefore this command is unauthorized${RESET?}" exit 2 fi # Execute the allowlisted command with parameters. ${args[@]} if [[ "$?" == "0" ]]; then echo -e "${GREEN?}done${RESET?}" else echo -e "${RED?}command failed${RESET?}" fi echo exit $? } # Prepare for processing input. state_load # Lookup the command from COMMANDS, but adjust for the last input being a # variable if the first word in the command is "set". lookup="$@" if [[ "${lookup}" == "" ]]; then print_usage exit 1 fi words=( $lookup ) if [[ "${words[0]}" == "set" ]]; then words[-1]="" lookup=$(printf " %s" ${words[@]}) lookup=${lookup:1} fi # Now we have the lookup string for commands in COMMAND_LOOKUP, so find what to # execute ("exec") and if it is empty, there is no such command. exec="${COMMAND_LOOKUP[$lookup]}" if [[ "${exec}" != "" ]]; then # Do substitutions here before the function call changes the args. exec=${exec/\$3/$3} exec=${exec/\$4/$4} exec=${exec/\$5/$5} exec=${exec/\$6/$6} run_command "${exec}" fi # Not found. Try substituting <name> on every second parameter starting at 4th. for ((i=3;i<${#words[@]};i=i+2)); do words[i]="<name>" done lookup=$(printf " %s" ${words[@]}) lookup=${lookup:1} remove_key_params "${lookup}" exec="${COMMAND_LOOKUP[${LOOKUP_KEY?}]}" if [[ "${exec}" != "" ]]; then # Do substitutions here before the function call changes the args. exec=${exec/\$3/$3} exec=${exec/\$4/$4} exec=${exec/\$5/$5} exec=${exec/\$6/$6} run_command "${exec}" fi # Fell through from the last 2 command lookups. Command not found. Print usage. print_usage

admin.bash (362 lines of code) (raw):