generated from coulomb/repo-seed
57 lines
1.6 KiB
Bash
Executable File
57 lines
1.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# repair-realm-live.sh - attended repair for privacyIDEA realm bootstrap state.
|
|
#
|
|
# This wrapper prompts for live passwords, writes them only to a private
|
|
# temporary directory, runs the idempotent realm bootstrap, and removes the
|
|
# temporary files on exit.
|
|
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
|
|
SSO_MFA_K8S_DIR=$(cd -- "$SCRIPT_DIR/.." && pwd)
|
|
PI_URL="${PI_URL:-https://pink.coulomb.social}"
|
|
|
|
if [[ ! -t 0 ]]; then
|
|
echo "ERROR: repair-realm-live.sh needs an interactive terminal for password prompts." >&2
|
|
exit 1
|
|
fi
|
|
|
|
export PATH="/home/worsch/.local/bin:$PATH"
|
|
umask 077
|
|
|
|
tmp="$(mktemp -d)"
|
|
cleanup() {
|
|
rm -rf "$tmp"
|
|
unset PI_ADMIN_PASSWORD LLDAP_LDAP_USER_PASS
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
mkdir -p "$tmp/privacyidea" "$tmp/lldap"
|
|
|
|
printf "privacyIDEA pi-admin password: " >&2
|
|
read -rs PI_ADMIN_PASSWORD
|
|
printf "\n" >&2
|
|
printf "LLDAP bind/admin password: " >&2
|
|
read -rs LLDAP_LDAP_USER_PASS
|
|
printf "\n" >&2
|
|
|
|
printf "PI_ADMIN_PASSWORD=%q\n" "$PI_ADMIN_PASSWORD" > "$tmp/privacyidea/secrets.env"
|
|
printf "LLDAP_LDAP_USER_PASS=%q\n" "$LLDAP_LDAP_USER_PASS" > "$tmp/lldap/secrets.env"
|
|
|
|
bash "$SCRIPT_DIR/bootstrap-realm.sh" "$tmp" "$PI_URL"
|
|
|
|
if ! bash "$SSO_MFA_K8S_DIR/verify-t06.sh" "$tmp"; then
|
|
cat >&2 <<'WARN'
|
|
|
|
[WARN] verify-t06 still reports failures. If realm, resolver, policies, and
|
|
self-service pass but KeyCape token checks fail, run the KeyCape privacyIDEA
|
|
MFA token repair action after platform-root enrollment.
|
|
WARN
|
|
fi
|
|
|
|
cat <<'OK'
|
|
|
|
[OK] privacyIDEA coulomb realm repair command finished. Enroll or re-enroll
|
|
platform-root TOTP in privacyIDEA next.
|
|
OK
|