Commit b3bf4573 authored by Stavros-Anastasios Charismiadis's avatar Stavros-Anastasios Charismiadis

fix parsing of certificate

parent 63c5caf9
+9 −3
@@ -19,9 +19,15 @@ while [ $ATTEMPT -lt $MAX_RETRIES ]; do
    ATTEMPT=$((ATTEMPT+1))
    RESP=$(curl -s -k --header "X-Vault-Token: $VAULT_TOKEN" \
        --request GET "$VAULT_ADDR/v1/secret/data/capif/${CCF_ID}/nginx")
    CRT=$(echo "$RESP" | jq -r '.data.data.server_crt // empty')
    KEY=$(echo "$RESP" | jq -r '.data.data.server_key // empty')
    CA=$(echo  "$RESP" | jq -r '.data.data.ca // empty')
    # skip this attempt if Vault didn't return valid JSON yet
    if ! printf '%s' "$RESP" | jq -e . >/dev/null 2>&1; then
        echo "[prepare_publish] invalid/empty JSON from Vault, retrying"
        sleep $RETRY_DELAY
        continue
    fi
    CRT=$(printf '%s' "$RESP" | jq -r '.data.data.server_crt // empty')
    KEY=$(printf '%s' "$RESP" | jq -r '.data.data.server_key // empty')
    CA=$(printf  '%s' "$RESP" | jq -r '.data.data.ca // empty')
    if [ -n "$CRT" ] && [ -n "$KEY" ] && [ -n "$CA" ]; then
        printf '%s\n' "$CRT" > "$CERTS_DIR/server.crt"
        printf '%s\n' "$KEY" > "$CERTS_DIR/server.key"
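Review bot: The JSON guard added ahead of the `jq -r` extractions only proves the body parses, so an error document from Vault (still valid JSON, for example one carrying an `errors` array) passes it and the attempt goes on with all three fields empty; making curl fail on HTTP errors turns those responses into the empty body the guard already handles: `RESP=$(curl -sS -f --header "X-Vault-Token: $VAULT_TOKEN" \`. The same applies to the fetch_certs hunk below. `sleep $RETRY_DELAY` should be `sleep "$RETRY_DELAY"` to match the quoting used elsewhere in the new lines. The `-k` on the same curl line, which this commit keeps, disables server verification for a request that carries the Vault token and returns a private key; replacing it with `--cacert <vault-ca-path>` (path to be filled in from the deployment) would be a worthwhile follow-up. The enclosing while loop starts and ends outside the hunk.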
+9 −3
@@ -19,9 +19,15 @@ fetch_certs() {
        attempt=$((attempt+1))
        resp=$(curl -s -k --header "X-Vault-Token: $VAULT_TOKEN" \
            --request GET "$VAULT_ADDR/v1/secret/data/capif/${ccf_id}/nginx")
        crt=$(echo "$resp" | jq -r '.data.data.server_crt // empty')
        key=$(echo "$resp" | jq -r '.data.data.server_key // empty')
        ca=$(echo  "$resp" | jq -r '.data.data.ca // empty')
        # skip this attempt if Vault didn't return valid JSON yet
        if ! printf '%s' "$resp" | jq -e . >/dev/null 2>&1; then
            echo "[prepare_helper] invalid/empty JSON from Vault, retrying"
            sleep $RETRY_DELAY
            continue
        fi
        crt=$(printf '%s' "$resp" | jq -r '.data.data.server_crt // empty')
        key=$(printf '%s' "$resp" | jq -r '.data.data.server_key // empty')
        ca=$(printf  '%s' "$resp" | jq -r '.data.data.ca // empty')
        if [ -n "$crt" ] && [ -n "$key" ] && [ -n "$ca" ]; then
            printf '%s\n' "$crt" > "$CERTS_DIR/server.crt"
            printf '%s\n' "$key" > "$CERTS_DIR/server.key"
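Review bot: The private key is written to `$CERTS_DIR/server.key` with whatever mode the current umask grants, which under the common `022` umask is a world-readable 0644 file; `umask 077` before the two `printf` redirections, or `chmod 600 "$CERTS_DIR/server.key"` immediately after, keeps it private, and the same applies to the `server.key` write in the first hunk. Those redirection lines are context this commit does not touch, so this is a follow-up rather than a regression introduced here. fetch_certs starts and ends outside the hunk.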
+8 −13
@@ -186,24 +186,19 @@ store_certs_in_vault() {
    ###############################################################
    echo "Storing CAPIF certificates in Vault..."

    SERVER_CRT_ESCAPED=$(sed ':a;N;$!ba;s/\n/\\n/g' $CERTS_FOLDER/server.crt)
    SERVER_KEY_ESCAPED=$(sed ':a;N;$!ba;s/\n/\\n/g' $CERTS_FOLDER/server.key)
    SERVER_PUB_ESCAPED=$(sed ':a;N;$!ba;s/\n/\\n/g' $CERTS_FOLDER/server_pub.pem)
    CA_ESCAPED=$(sed ':a;N;$!ba;s/\n/\\n/g' $CERTS_FOLDER/ca.crt)

    # Build the payload with jq so all newlines/CRs/control chars are escaped correctly
    PAYLOAD=$(jq -n \
        --rawfile crt "$CERTS_FOLDER/server.crt" \
        --rawfile key "$CERTS_FOLDER/server.key" \
        --rawfile pub "$CERTS_FOLDER/server_pub.pem" \
        --rawfile ca  "$CERTS_FOLDER/ca.crt" \
        '{data: {server_crt: $crt, server_key: $key, server_pub: $pub, ca: $ca}}')
    # Store the server certificate, private key and CA certificate in Vault under secret/data/capif/<ccf_id>/nginx
    VAULT_RESPONSE=$(curl -s -w "%{http_code}" -o /tmp/vault_resp.json \
    -X POST \
    -H "X-Vault-Token: $VAULT_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{
        \"data\": {
        \"server_crt\": \"${SERVER_CRT_ESCAPED}\",
        \"server_key\": \"${SERVER_KEY_ESCAPED}\",
        \"server_pub\": \"${SERVER_PUB_ESCAPED}\",
        \"ca\": \"${CA_ESCAPED}\"
        }
    }" \
    -d "$PAYLOAD" \
    "$VAULT_ADDR/v1/secret/data/capif/${CCF_ID}/nginx")

    if [ "$VAULT_RESPONSE" != "200" ] && [ "$VAULT_RESPONSE" != "204" ]; then
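Review bot: `-d "$PAYLOAD"` on the new line places the server private key on curl's command line, where it is visible in the process listing to any local user for the duration of the request; the removed inline `-d "{...}"` had the same exposure, so the commit keeps rather than introduces it, but feeding the body on stdin avoids it: `VAULT_RESPONSE=$(printf '%s' "$PAYLOAD" | curl -s -w "%{http_code}" -o /tmp/vault_resp.json \` with `--data-binary @- \` in place of `-d "$PAYLOAD" \`. The exit status of the new `jq -n` is not checked, so a missing or unreadable certificate file leaves `PAYLOAD` empty and the failure only surfaces through the Vault status check below; `PAYLOAD=$(jq -n ... ) || return 1` (or whatever error convention the script uses) would report it at the source. `/tmp/vault_resp.json` is a fixed name in a shared directory; `mktemp` is the usual choice for the response file. store_certs_in_vault starts outside the hunk.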