path: root/duo.install
#!/usr/bin/env bash

# Pre-install hook: stop the duo-device-health and duo-desktop units if
# systemd reports them as active, so files are not replaced under a running
# service. Units that are not active are left untouched.
pre_install() {
    local unit
    for unit in duo-device-health duo-desktop; do
        if systemctl is-active --quiet "${unit}"; then
            systemctl stop "${unit}"
        fi
    done
}

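# Post-install hook.
#   1. Ensures a localhost TLS certificate exists that stays valid for at least
#      six more months; otherwise generates a new self-signed one, packs key and
#      certificate into a PKCS#12 bundle and adds the certificate to the system
#      trust store.
#   2. Moves the old localdata directory to its new location when needed.
#   3. Reloads systemd, then enables and starts duo-desktop.
# Returns: 0 on success; 1 when certificate generation or trust-store
#          installation failed (the remaining steps still run).
post_install() {
    local install_dir="/opt/duo/duo-desktop"
    local config_path="${install_dir}/localhost.cfg"

    local keys_dir="/etc/opt/duo/duo-desktop/https"
    local key_path="${keys_dir}/duo-desktop.key"
    local cert_path="${keys_dir}/duo-desktop.crt"
    local pfx_path="${keys_dir}/duo-desktop.pfx"

    local localdata_path_old="/root/.config/duo/devicehealth"
    local localdata_path="/etc/opt/duo/duo-desktop/localdata"

    local result=0

    # $1 - certificate path. Succeeds only when the file exists and openssl
    # reports that it will not expire within the renewal window.
    is_valid_cert_present() {
        # renew within 6 months (180 days, in seconds)
        local -r six_months_seconds=15552000

        [[ -f $1 ]] || return 1
        openssl x509 -checkend "${six_months_seconds}" -noout -in "$1" >/dev/null
    }

    directory_exists() {
        [[ -d $1 ]]
    }

    migrate_localdata_config_if_needed() {
        if directory_exists "${localdata_path_old}" && ! directory_exists "${localdata_path}"; then
            echo "Migrating localdata configs to new location..."
            mv "${localdata_path_old}" "${localdata_path}"
        fi
    }

    # Creates the key pair, the self-signed certificate and the PKCS#12 bundle.
    # Returns non-zero as soon as a step fails so the caller never trusts a
    # certificate left over from a failed or partial run.
    generate_localhost_cert() {
        # Directory is created before the umask change so that any missing
        # parent directories keep their normal permissions.
        mkdir -p "${keys_dir}" || return 1
        chmod 700 "${keys_dir}" || return 1

        local rc=0
        (
            # The private key is written unencrypted (-nodes) and the bundle
            # has an empty export password, so file permissions are the only
            # protection: create both files owner-only from the first byte.
            umask 077
            openssl req \
                -newkey rsa:2048 -keyout "${key_path}" \
                -x509 \
                -days 1095 \
                -nodes \
                -config "${config_path}" \
                -out "${cert_path}" 2>/dev/null &&
                openssl pkcs12 -inkey "${key_path}" -in "${cert_path}" \
                    -export -out "${pfx_path}" -passout pass:
        ) || rc=1

        # Never leave the plaintext key on disk, even after a failure.
        rm -f "${key_path}"
        (( rc == 0 )) || return 1

        chmod 600 "${pfx_path}" && chmod 644 "${cert_path}"
    }

    # check if we should install a new cert
    if ! is_valid_cert_present "${cert_path}"; then
        echo "No valid localhost certificate found. Generating..."
        if generate_localhost_cert; then
            # install into system
            # NOTE(review): this makes the self-signed certificate a
            # system-wide trust anchor. What it may be used for depends on the
            # extensions in localhost.cfg, which is not visible here - confirm
            # it is limited to localhost and is not a CA certificate.
            # NOTE(review): when an expiring certificate is replaced, the
            # previously stored anchor is not removed from the trust store.
            if ! trust anchor --store "${cert_path}"; then
                echo "error: could not add ${cert_path} to the system trust store" >&2
                result=1
            fi
        else
            echo "error: could not generate the localhost certificate; it was not added to the system trust store" >&2
            result=1
        fi
    fi

    migrate_localdata_config_if_needed

    # install systemd service
    systemctl daemon-reload
    systemctl enable duo-desktop
    systemctl start duo-desktop

    echo "Ensure your device has been registered with Duo."
    echo "You probably need to supply the output of dmidecode --string system-uuid"

    return "${result}"
}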

# Pre-upgrade hook: same steps as a fresh install (stop the running services).
# No arguments are forwarded to pre_install.
pre_upgrade() { pre_install; }

# Post-upgrade hook: re-runs the whole post-install sequence, so the
# certificate validity check is repeated on every upgrade.
# No arguments are forwarded to post_install.
post_upgrade() { post_install; }

# Pre-remove hook: stop duo-desktop, then disable it. The unit is not checked
# for being active first, and the exit status is that of the disable call.
pre_remove() {
    local action
    for action in stop disable; do
        systemctl "${action}" duo-desktop
    done
}

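# Post-remove hook: take the localhost certificate out of the system trust
# store, then delete the package's configuration tree.
# Returns: exit status of the final rm.
post_remove() {
    local keys_dir="/etc/opt/duo/duo-desktop/https"
    local cert_path="${keys_dir}/duo-desktop.crt"

    # The anchor has to be removed before the tree is deleted, because
    # `trust anchor --remove` is given the certificate file itself.
    if [[ -f ${cert_path} ]]; then
        trust anchor --remove "${cert_path}"
    else
        # Without the file there is nothing to pass to trust; say so, because
        # a previously stored anchor would stay trusted after removal.
        echo "warning: ${cert_path} not found; no trust anchor was removed" >&2
    fi

    # NOTE(review): this deletes everything under /etc/opt/duo, not only the
    # duo-desktop subdirectory - confirm no other package stores data there.
    rm -rf /etc/opt/duo
}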