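#!/usr/bin/env bash
# Rotate the credentials of an HMPPS Auth client that runs as a Cloud Platform
# k8s app: duplicate the client (getting a new ID + secret), write them into
# the app's k8s secret, restart the deployment, then delete the old client.
#
# Usage: rotate_clientID_cloudplatform_app.sh <baseClientID>
# Required env vars: ENV, USER, CLIENTID, CLIENTSECRET (see below).
set -e
# `[[ -v ]]` (used by enforce_var_set) needs bash 4.2+. Compare the major
# version number instead of grepping BASH_VERSION so newer majors (6, ...)
# are not rejected and no extra processes are forked.
if (( ${BASH_VERSINFO[0]:-0} < 4 )); then
  printf 'Found bash version: %s\n' "${BASH_VERSION}" >&2
  printf 'Ensure you are using bash version 4 or later\n' >&2
  exit 1
fi
# Set via env vars for auth
#ENV=
#USER=
#CLIENTID=(clientID with rotate permissions)
#CLIENTSECRET=
# The base client ID is mandatory: it is the client whose credentials are rotated.
if (( $# < 1 )); then
  printf 'Usage: %s <baseClientID>\n' "$0" >&2
  exit 1
fi
BASE_CLIENT_ID=$1
# Test mandatory env vars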
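#######################################
# Abort unless the environment variable named by $1 is set AND non-empty.
# (The previous `-v` test accepted `CLIENTSECRET=` as present.)
# Arguments: $1 - variable name, not its value
# Outputs:   error message on stderr
# Returns:   0 if set and non-empty; exits 1 otherwise
#######################################
enforce_var_set() {
  local name=$1
  # ${!name} is indirect expansion; the :- default keeps it safe under set -u.
  if [[ -z "${!name:-}" ]]; then
    printf '%s environment variable not set or empty.\n' "${name}" >&2
    exit 1
  fi
}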
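enforce_var_set ENV
# USER is normally pre-set by the login shell, so this check rarely fires; the
# value is passed to authenticate below.
enforce_var_set USER
enforce_var_set CLIENTID
enforce_var_set CLIENTSECRET
enforce_var_set BASE_CLIENT_ID
# Run against cloudplatforms k8s cluster by default, otherwise set KUBE_CONTEXT.
# NOTE: this switches current-context in the caller's kubeconfig and does not
# switch it back on exit.
kubectl config use-context "${KUBE_CONTEXT:-live-1.cloud-platform.service.justice.gov.uk}"
CLIENT="${CLIENTID}:${CLIENTSECRET}"
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
# token-functions.sh (next to this script) provides calculateHostname and authenticate.
. "${DIR}"/token-functions.sh
HOST=$(calculateHostname "${ENV}")
AUTH_TOKEN_HEADER=$(authenticate "${CLIENT}" "${USER}")
# The httpie session file stores the auth header on disk. Keep it in a private
# temp dir that is removed on every exit path, rather than leaving a token
# file behind in the working directory.
SESSION_DIR=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
_remove_session_dir() { rm -rf -- "${SESSION_DIR:?}"; }
trap _remove_session_dir EXIT
HTTPIE_SESSION="${SESSION_DIR}/httpie_session_auth.json"
HTTPIE_OPTS=("--body" "--check-status" "--timeout=4.5" "--session-read-only=${HTTPIE_SESSION}")
# Setup httpie session and confirm the rotating client can reach the API
# before anything is changed.
if ! OUTPUT=$(http --check-status --ignore-stdin "--session=${HTTPIE_SESSION}" "${HOST}/auth/api/client/${CLIENTID}" "${AUTH_TOKEN_HEADER}"); then
  printf 'Unable to talk to HMPPS AUTH API, check credentials are set correctly and permissions granted.\n' >&2
  printf '%s\n' "${OUTPUT}" >&2
  exit 1
fi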
#######################################
# Call the HMPPS Auth API via httpie with the shared session options.
# Globals:   HTTPIE_OPTS (read) - options prepended to every call
# Arguments: method, URL and any further httpie arguments
# Outputs:   whatever http prints
# Returns:   the exit status of http
#######################################
hmpps_auth() {
  local -a invocation=(http "${HTTPIE_OPTS[@]}" "$@")
  "${invocation[@]}"
}
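printf 'Working on env "%s"\n' "${ENV}"
printf 'Talking to host "%s"\n' "${HOST}"
# Fetch clientID data: clientDeployment says which k8s namespace/deployment
# runs the app and which keys of which secret hold its client ID and secret.
printf 'Fetching deployment data for clientID "%s"\n' "${BASE_CLIENT_ID}"
clientInfo_json=$(hmpps_auth GET "${HOST}/auth/api/client/${BASE_CLIENT_ID}")
namespace=$(jq -r .clientDeployment.namespace <<<"${clientInfo_json}")
deployment=$(jq -r .clientDeployment.deployment <<<"${clientInfo_json}")
secretName=$(jq -r .clientDeployment.secretName <<<"${clientInfo_json}")
clientIdKey=$(jq -r .clientDeployment.clientIdKey <<<"${clientInfo_json}")
secretKey=$(jq -r .clientDeployment.secretKey <<<"${clientInfo_json}")
# jq -r prints the string "null" for a missing field; stop here rather than
# pass "null" on to kubectl.
for field in namespace deployment secretName clientIdKey secretKey; do
  if [[ -z "${!field}" || "${!field}" == "null" ]]; then
    printf 'clientID "%s" has no clientDeployment.%s configured\n' "${BASE_CLIENT_ID}" "${field}" >&2
    exit 1
  fi
done
# Validate the k8s side BEFORE creating the new client, so a missing secret or
# deployment does not leave an orphaned client behind in HMPPS Auth.
# Read the secret once (set -e aborts if kubectl fails) and reuse the JSON.
secret_json=$(kubectl -n "${namespace}" get secrets "${secretName}" -o json)
# Check if $clientIdKey exists and is readable
if ! jq -e --arg k "${clientIdKey}" '.data[$k] != null' <<<"${secret_json}" >/dev/null; then
  printf 'Unable to find k8s secret key "%s" in "%s" for namespace "%s"\n' "${clientIdKey}" "${secretName}" "${namespace}" >&2
  exit 1
fi
# Check if $secretKey exists and is readable
if ! jq -e --arg k "${secretKey}" '.data[$k] != null' <<<"${secret_json}" >/dev/null; then
  printf 'Unable to find k8s secret key "%s" in "%s" for namespace "%s"\n' "${secretKey}" "${secretName}" "${namespace}" >&2
  exit 1
fi
# Check if $deployment exists and is readable
if ! kubectl -n "${namespace}" get deployment "${deployment}" &>/dev/null; then
  printf 'Unable to find deployment "%s" in namespace "%s"\n' "${deployment}" "${namespace}" >&2
  exit 1
fi
# Save current clientID for delete at the end (secret data is base64 encoded).
currentClientID=$(jq -r --arg k "${clientIdKey}" '.data[$k] | @base64d' <<<"${secret_json}")
# Duplicate clientID: the response carries the new client ID plus base64
# forms of ID and secret, ready to drop into the k8s secret.
results_json=$(hmpps_auth PUT "${HOST}/auth/api/client/${BASE_CLIENT_ID}")
new_clientID_name=$(jq -r .clientId <<<"${results_json}")
new_clientID_b64name=$(jq -r .base64ClientId <<<"${results_json}")
new_clientID_b64secret=$(jq -r .base64ClientSecret <<<"${results_json}")
for field in new_clientID_name new_clientID_b64name new_clientID_b64secret; do
  if [[ -z "${!field}" || "${!field}" == "null" ]]; then
    printf 'HMPPS Auth response is missing %s; k8s secret left unchanged.\n' "${field}" >&2
    exit 1
  fi
done
printf "New clientID created '%s'\n" "${new_clientID_name}"
# Update k8s secret with new clientID and secret. Keys and values go in via
# --arg so jq JSON-encodes them instead of having them spliced into the filter.
printf 'Updating k8s secret "%s" with new clientID and secret.\n' "${secretName}"
jq --arg idk "${clientIdKey}" --arg idv "${new_clientID_b64name}" \
   --arg sk "${secretKey}" --arg sv "${new_clientID_b64secret}" \
   '.data[$idk] = $idv | .data[$sk] = $sv' <<<"${secret_json}" \
  | kubectl -n "${namespace}" apply -f -
# Restart the app deployment so pods pick up the new credentials.
printf 'Restarting deployment "%s"\n' "${deployment}"
kubectl -n "${namespace}" rollout restart deployment "${deployment}"
# Wait for restart to complete. With set -e a failed rollout stops the script
# here, so the old client is only deleted once the new credentials are live.
kubectl -n "${namespace}" rollout status deployment "${deployment}"
### Delete the old secret no longer used
if [[ -z "${currentClientID}" ]]; then
  printf 'Old clientID could not be decoded from the k8s secret; nothing deleted.\n' >&2
  exit 1
fi
printf 'Deleting old clientID %s\n' "${currentClientID}"
hmpps_auth DELETE "${HOST}/auth/api/client/${currentClientID}"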