-
Notifications
You must be signed in to change notification settings - Fork 58
/
security.sh
executable file
·130 lines (123 loc) · 3.31 KB
/
security.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/bash
#
# Tool to get and set certificates and passwords for the Jenkins JNLP Slave
#
# This tool takes the commands:
# set-password --account=ACCOUNT --service=SERVICE --password=PASSWORD
# get-password --account=ACCOUNT --service=SERVICE
# add-java-certificate --alias=ALIAS --certificate=/path/to/certificate
OSX_KEYCHAIN="login.keychain"
OSX_KEYCHAIN_PASS=""
OSX_KEYCHAIN_LOCK=~/Library/Keychains/.${OSX_KEYCHAIN}.lock
ACCOUNT=""
SERVICE=""
PASSWORD=""
CERTIFICATE=""
ALIAS=""
COMMAND=""
CACERT=""
AGENT=""
DARWIN_VERSION_MAJOR=$( uname -r | sed 's|\([^.]\)\..*|\1|g' )
if [ -f ~/Library/Keychains/.keychain_pass ]; then
chmod 400 ~/Library/Keychains/.keychain_pass
source ~/Library/Keychains/.keychain_pass
fi
while [ $# -gt 0 ]; do
case $1 in
set-password|get-password|add-java-certificate|add-apple-certificate|unlock|lock|show-password)
COMMAND=$1
;;
--keychain-password=*)
OSX_KEYCHAIN_PASS=${1#*=}
;;
--keychain=*)
OSX_KEYCHAIN=${1#*=}
;;
--account=*)
ACCOUNT=${1#*=}
;;
--service=*)
SERVICE="${1#*=}"
;;
--password=*)
PASSWORD=${1#*=}
;;
--certificate=*)
CERTIFICATE=${1#*=}
;;
--authority)
CA_CERT="-trustcacerts"
;;
--alias=*)
ALIAS=${1#*=}
;;
--agent)
AGENT=${1}
;;
*)
echo "Unknown option $1" 1>&2
exit 2
;;
esac
shift
done
if [[ -z $COMMAND || -z $OSX_KEYCHAIN || -z $OSX_KEYCHAIN_PASS ]]; then
exit 2
fi
if [ ! -f ~/Library/Keychains/${OSX_KEYCHAIN} ]; then
exit 1
fi
if [ "$COMMAND" == "show-password" ]; then
echo ${OSX_KEYCHAIN_PASS}
exit 0
fi
if [ "${COMMAND}" != "lock" ] ; then
security unlock-keychain -p ${OSX_KEYCHAIN_PASS} ${OSX_KEYCHAIN}
fi
case $COMMAND in
set-password)
if [[ ! -z $ACCOUNT && ! -z $SERVICE && ! -z $PASSWORD ]]; then
if [ $DARWIN_VERSION_MAJOR -ne 10 ]; then
security add-generic-password -U -w ${PASSWORD} -a ${ACCOUNT} -s "${SERVICE}" ${OSX_KEYCHAIN}
else
security 2>/dev/null delete-generic-password -a ${ACCOUNT} -s "${SERVICE}" ${OSX_KEYCHAIN} >/dev/null
security add-generic-password -w ${PASSWORD} -a ${ACCOUNT} -s "${SERVICE}" ${OSX_KEYCHAIN}
fi
fi
;;
get-password)
if [[ ! -z $ACCOUNT && ! -z $SERVICE ]]; then
if [ $DARWIN_VERSION_MAJOR -ge 12 ]; then
security find-generic-password -w -a ${ACCOUNT} -s "${SERVICE}" ${OSX_KEYCHAIN}
else
security 2>&1 find-generic-password -g -a ${ACCOUNT} -s "${SERVICE}" ${OSX_KEYCHAIN} | grep ^password | sed 's|^password: "\(.*\)"$|\1|g'
fi
fi
;;
add-apple-certificate)
if [ -f $CERTIFICATE ]; then
security import $CERTIFICATE -k ${OSX_KEYCHAIN} -A -T /usr/bin/codesign
fi
;;
add-java-certificate)
if [[ ! -z $ALIAS && -f $CERTIFICATE ]]; then
if [ $DARWIN_VERSION_MAJOR -ge 12 ]; then
KEYSTORE_PASS=$( security find-generic-password -w -a `whoami` -s java_truststore ${OSX_KEYCHAIN} )
else
KEYSTORE_PASS=$( security 2>&1 find-generic-password -g -a `whoami` -s java_truststore ${OSX_KEYCHAIN} | grep ^password | sed 's|^password: "\(.*\)"$|\1|g' )
fi
keytool -import ${CA_CERT} -alias ${ALIAS} -file ${CERTIFICATE} -storepass ${KEYSTORE_PASS}
fi
;;
lock)
rm ${OSX_KEYCHAIN_LOCK}
;;
unlock)
touch ${OSX_KEYCHAIN_LOCK}
;;
esac
if [[ "$COMMAND" != "unlock" || ! -f ${OSX_KEYCHAIN_LOCK} ]]; then
if [ "${AGENT}" != "--agent" ]; then
security lock-keychain ${OSX_KEYCHAIN}
fi
fi