#!/usr/bin/env bash

# pacman pre-install hook: stop any running Duo service before package files
# are written. Both the legacy unit name (duo-device-health) and the current
# one (duo-desktop) are checked; a unit that is not active is left alone.
pre_install() {
	local unit

	for unit in duo-device-health duo-desktop; do
		# is-active --quiet reports through its exit status only.
		if systemctl is-active --quiet "${unit}"; then
			systemctl stop "${unit}"
		fi
	done
}

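# pacman post-install hook: make sure a localhost TLS certificate exists for
# Duo Desktop, add it to the system trust store, migrate legacy local data and
# enable/start the service.
#
# Arguments: none used
# Outputs:   progress messages on stdout, failures on stderr
# Returns:   non-zero if certificate generation or trust-store installation
#            failed (the remaining steps still run); 0 otherwise
post_install() {
	# All paths are function-local; the nested helpers below still see them
	# because bash resolves variables through the caller's scope.
	local install_dir="/opt/duo/duo-desktop"
	local config_path="${install_dir}/localhost.cfg"

	local keys_dir="/etc/opt/duo/duo-desktop/https"
	local key_path="${keys_dir}/duo-desktop.key"
	local cert_path="${keys_dir}/duo-desktop.crt"
	local pfx_path="${keys_dir}/duo-desktop.pfx"

	local localdata_path_old="/root/.config/duo/devicehealth"
	local localdata_path="/etc/opt/duo/duo-desktop/localdata"

	local rc=0

	# Succeeds only if $1 is a certificate that stays valid for six more months.
	is_valid_cert_present () {
		# renew within 6 months
		local six_months_seconds=15552000

		[[ -f "$1" ]] || return 1
		# openssl reads the file itself; -checkend exits non-zero when the
		# certificate expires inside the window or cannot be parsed.
		openssl x509 -checkend "${six_months_seconds}" -noout -in "$1" >/dev/null
	}

	directory_exists () {
		[[ -d "$1" ]]
	}

	# Moves the legacy per-root-user data directory to the new location, once.
	migrate_localdata_config_if_needed () {
		if directory_exists "${localdata_path_old}" && ! directory_exists "${localdata_path}"; then
			echo "Migrating localdata configs to new location..."
			mv -- "${localdata_path_old}" "${localdata_path}"
		fi
	}

	# Creates the self-signed certificate and the PFX bundle; non-zero on failure.
	generate_localhost_cert () {
		local openssl_log status

		mkdir -p "${keys_dir}" || return
		chmod 700 "${keys_dir}" || return

		# umask 077 inside the command substitution: the private key and the PFX
		# are never created group/world readable, and the umask does not leak
		# into the rest of the scriptlet. openssl's stderr is captured instead of
		# discarded so a failure can be reported.
		openssl_log=$(
			umask 077
			openssl req \
				-newkey rsa:2048 -keyout "${key_path}" \
				-x509 \
				-days 1095 \
				-nodes \
				-config "${config_path}" \
				-out "${cert_path}" 2>&1 &&
			openssl pkcs12 -inkey "${key_path}" -in "${cert_path}" \
				-export -out "${pfx_path}" -passout pass: 2>&1
		)
		status=$?

		# The unencrypted key file is only an intermediate; remove it on every path.
		rm -f -- "${key_path}"

		if (( status != 0 )); then
			printf '%s\n' "${openssl_log}" >&2
			return "${status}"
		fi

		# NOTE(review): the PFX is exported with an empty passphrase
		# (-passout pass:), so these modes and the 0700 directory are the only
		# protection for the private key.
		chmod 600 "${pfx_path}" && chmod 644 "${cert_path}"
	}

	# check if we should install a new cert
	if ! is_valid_cert_present "${cert_path}"; then
		echo "No valid localhost certificate found. Generating..."
		if ! generate_localhost_cert; then
			# Do not hand a stale or partial certificate to the trust store.
			echo "error: failed to generate the localhost certificate; trust store left unchanged" >&2
			rc=1
		# install into system
		# NOTE(review): this makes the self-signed certificate a system-wide
		# trust anchor. Confirm that localhost.cfg (not visible here) restricts
		# it to localhost names and does not mark it as a CA. When an expiring
		# certificate is replaced, the previous anchor is presumably left in the
		# store -- verify.
		elif ! trust anchor --store "${cert_path}"; then
			echo "error: failed to add ${cert_path} to the system trust store" >&2
			rc=1
		fi
	fi

	migrate_localdata_config_if_needed

	# install systemd service
	systemctl daemon-reload
	systemctl enable duo-desktop
	systemctl start duo-desktop

	echo "Ensure your device has been registered with Duo."
	echo "You probably need to supply the output of dmidecode --string system-uuid"

	return "${rc}"
}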

# pacman pre-upgrade hook: an upgrade needs the same preparation as a fresh
# install, so delegate to pre_install (called without arguments) and pass its
# exit status through.
pre_upgrade() {
	pre_install
}

# pacman post-upgrade hook: re-run the install-time setup by delegating to
# post_install (called without arguments) and pass its exit status through.
post_upgrade() {
	post_install
}

# pacman pre-remove hook: stop the duo-desktop unit, then disable it, before
# the package files are removed. The exit status is that of the last
# systemctl call.
pre_remove() {
	local action

	for action in stop disable; do
		systemctl "${action}" duo-desktop
	done
}

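# pacman post-remove hook: withdraw the localhost certificate from the system
# trust store and delete the generated state under /etc/opt/duo.
#
# Arguments: none used
# Outputs:   a warning on stderr if the trust anchor could not be removed
# Returns:   exit status of the final rm
post_remove() {
	local keys_dir="/etc/opt/duo/duo-desktop/https"
	local cert_path="${keys_dir}/duo-desktop.crt"

	# Remove the anchor first: the certificate file passed to `trust` lives
	# inside the directory tree deleted below.
	if ! trust anchor --remove "${cert_path}"; then
		echo "warning: could not remove ${cert_path} from the system trust store" >&2
	fi

	# Deletes everything under /etc/opt/duo, including the PFX bundle that
	# holds the private key, so key material does not outlive the package.
	rm -rf -- /etc/opt/duo
}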