From 16eed2c238c70958aab520c7695626001de53885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz>
Date: Wed, 11 Apr 2018 16:19:45 +0200
Subject: [PATCH] warden_apply.sh: URL of warden_ra must be passed as parameter

+ possibility to specify cacert
---
 warden3/contrib/warden_ra/README          |  4 ++--
 warden3/contrib/warden_ra/warden_apply.sh | 23 +++++++++++++++--------
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/warden3/contrib/warden_ra/README b/warden3/contrib/warden_ra/README
index 9f6789f..51932cd 100644
--- a/warden3/contrib/warden_ra/README
+++ b/warden3/contrib/warden_ra/README
@@ -57,7 +57,7 @@ to the new client administrator along with other setup information.
 The client administrator runs the application script with application
 password:
 
-    warden_apply.sh org.example.warden.client P4SSW0RD
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client P4SSW0RD
 
 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.
@@ -69,7 +69,7 @@ Prolonging existing client credentials
 The client administrator runs the application script with his existing valid
 Warden credentials, which he needs to prolong:
 
-    warden_apply.sh org.example.warden.client cert.pem key.pem
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client cert.pem key.pem
 
 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.
diff --git a/warden3/contrib/warden_ra/warden_apply.sh b/warden3/contrib/warden_ra/warden_apply.sh
index 5d5f971..18024c6 100644
--- a/warden3/contrib/warden_ra/warden_apply.sh
+++ b/warden3/contrib/warden_ra/warden_apply.sh
@@ -1,21 +1,28 @@
 #!/bin/bash
 
-url='https://warden-hub.cesnet.cz/warden-ra/getCert'
 key=key.pem
 csr=csr.pem
 cert=cert.pem
 result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
 config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
-client="$1"
-password="$2"
-incert="$2"
-inkey="$3"
+if [ "$1" == "--cacert" ]; then
+  cacert="--cacert $2"
+  shift
+  shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$4"
+inkey="$5"
 
 trap 'rm -f "$config $result"' INT TERM HUP EXIT
 
 function flee { echo -e "$1"; exit $2; }
 
-[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} client.name password\n       ${0%.*} client.name cert_file key_file" 255
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n       ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"
 
 for n in openssl curl; do
     command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
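Review bot: The RA address is now taken from the command line at `url="$1"`, but its scheme is never checked, so a caller who passes an `http://` address (or who forgets the URL and runs the old three-argument form, which lands the client name in `$url`) sends the application password in the query string with no TLS, and `--cacert` has nothing to verify. Reject anything but https before `/getCert` is appended: `case "$url" in https://*) ;; *) flee "url must start with https://" 254 ;; esac`. The `--cacert` branch also accepts a missing value, since `[ "$1" == "--cacert" ]` never looks at `$2`; a `[ -n "$2" ] || flee "--cacert needs a file" 255` before the two shifts would stop an empty path reaching curl. Storing the option as an array, `cacert=(--cacert "$2")`, would additionally let the curl calls later in the script expand it quoted as `"${cacert[@]}"` instead of relying on word-splitting.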
@@ -32,9 +39,9 @@ echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName
 openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252
 
 if [ -z "$inkey" ]; then
-	curl --progress-bar --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
 else
-	curl --progress-bar --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
 fi
 
 case $(<$result) in '-----BEGIN CERTIFICATE-----'*)
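Review bot: `$cacert` on both curl lines is unquoted so that an empty value disappears, but the same word-splitting breaks a CA file path containing spaces; holding the option as an array where it is set (`cacert=(--cacert "$2")`) and expanding `"${cacert[@]}"` here keeps both properties. Neither curl invocation has its exit status checked, so a certificate-verification failure — the very case `--cacert` exists for — is only detected indirectly by the `case` on `$result` that follows (its remaining arms are outside this hunk), and a `|| flee "Request to Warden RA failed." 253` after each call would make that failure explicit. Note also that the password-based call still carries `password=$password` in the URL query string, which typically ends up in web-server access logs; that predates this change but is worth a comment on the line.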
-- 
GitLab