From: Lukas Schauer Date: Tue, 6 Feb 2018 22:08:40 +0000 (+0100) Subject: fetch account information if missing X-Git-Tag: v0.6.0~15 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=ad291207d0f2748fb904a3055f9e8ea95dc62095;p=thirdparty%2Fdehydrated.git fetch account information if missing
---
diff --git a/dehydrated b/dehydrated
index 7357f6f..747dd6f 100755
--- a/dehydrated
+++ b/dehydrated
@@ -361,6 +361,27 @@ init_system() {
 echo "+ Account already registered!"
 exit 0
 fi
+
+ # Read account information or request from CA if missing
+ if [[ -e "${ACCOUNT_KEY_JSON}" ]]; then
+ ACCOUNT_ID="$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)"
+ if [[ ${API} -eq 1 ]]; then
+ ACCOUNT_URL="${CA_REG}/${ACCOUNT_ID}"
+ else
+ ACCOUNT_URL="${CA_ACCOUNT}/${ACCOUNT_ID}"
+ fi
+ else
+ echo "Fetching missing account information from CA..."
+ if [[ ${API} -eq 1 ]]; then
+ ACCOUNT_URL="$(signed_request "${CA_NEW_REG}" '{"resource": "new-reg", "onlyReturnExisting": true}' 4>&1 | grep ^Location: | awk '{print $2}' | tr -d '\r\n')"
+ ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{"resource": "reg"}')"
+ else
+ ACCOUNT_URL="$(signed_request "${CA_NEW_ACCOUNT}" '{"only-return-existing": true}' 4>&1 | grep ^Location: | awk '{print $2}' | tr -d '\r\n')"
+ ACCOUNT_INFO="$(signed_request "${ACCOUNT_URL}" '{}')"
+ fi
+ ACCOUNT_ID="${ACCOUNT_URL##*/}"
+ echo "${ACCOUNT_INFO}" > "${ACCOUNT_KEY_JSON}"
+ fi
 }
 # Different sed version for different os types...
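Review bot: In the new `else` branch of init_system, ACCOUNT_URL is taken verbatim from the CA's Location header and is never validated before it is reused — as the target of the second signed_request, as the source of ACCOUNT_ID via `${ACCOUNT_URL##*/}`, and, in the signed_request hunk below, spliced unescaped into the JSON `kid` string. If the header is missing or the lookup fails, ACCOUNT_URL is empty, the follow-up request is sent to an empty URL, and whatever comes back is written to ACCOUNT_KEY_JSON, which the `-e` branch then trusts on every later run; whether `set -e`/pipefail would already abort on the failed `grep` is not visible from the hunk. The `-e` branch has the mirror problem: the emptiness check on `get_json_int_value id` that signed_request used to perform is removed in this commit, so a file without an integer `id` silently yields `ACCOUNT_URL="${CA_ACCOUNT}/"`. I would add `[[ "${ACCOUNT_URL}" == https://* ]] || _exiterr "No valid account URL received from CA"` right after the Location extraction, `[[ -n "${ACCOUNT_ID}" ]] || _exiterr "No account id found in ${ACCOUNT_KEY_JSON}"` after the `id` extraction, and write the JSON file only when ACCOUNT_INFO is non-empty. `grep ^Location:` is also case-sensitive although HTTP header names are not, so `grep -i '^Location:'` is safer; init_system starts before this hunk.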
@@ -478,8 +499,14 @@ http_request() {
 fi
 if [[ ! "${statuscode:0:1}" = "2" ]]; then
- if [[ -n "${CA_REVOKE_CERT:-}" ]] && [[ "${2}" = "${CA_REVOKE_CERT:-}" ]] && [[ "${statuscode}" = "409" ]]; then
+ # check for existing registration warning
+ if [[ ${API} -eq 1 ]] && [[ -n "${CA_NEW_REG:-}" ]] && [[ "${2}" = "${CA_NEW_REG:-}" ]] && [[ "${statuscode}" = "409" ]] && grep -q "Registration key is already in use" "${tempcont}"; then
+ # do nothing
+ :
+ # check for already-revoked warning
+ elif [[ -n "${CA_REVOKE_CERT:-}" ]] && [[ "${2}" = "${CA_REVOKE_CERT:-}" ]] && [[ "${statuscode}" = "409" ]]; then
 grep -q "Certificate already revoked" "${tempcont}" && return
+ # check for redirects on license
 elif [[ -n "${CA_TERMS:-}" ]] && [[ "${2}" = "${CA_TERMS:-}" ]] && [[ "${statuscode:0:1}" = "3" ]]; then
 # do nothing
 :
@@ -541,9 +568,8 @@ signed_request() {
 protected64="$(printf '%s' "${protected}" | urlbase64)"
 else
 # Build another header which also contains the previously received nonce and url and encode it as urlbase64
- if [[ -e "${ACCOUNT_KEY_JSON}" ]] && [[ -n "$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)" ]]; then
- REG_ID="$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)"
- protected='{"alg": "RS256", "kid": "'"${CA_ACCOUNT}/${REG_ID}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
+ if [[ -n "${ACCOUNT_URL:-}" ]]; then
+ protected='{"alg": "RS256", "kid": "'"${ACCOUNT_URL}"'", "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
 else
 protected='{"alg": "RS256", "jwk": {"e": "'"${pubExponent64}"'", "kty": "RSA", "n": "'"${pubMod64}"'"}, "url": "'"${1}"'", "nonce": "'"${nonce}"'"}'
 fi
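Review bot: The new first branch in http_request turns a 409 from CA_NEW_REG into a non-error solely on the basis of the human-readable body text `Registration key is already in use`, which is a phrasing of one CA implementation rather than part of the protocol; a CA that words the error differently falls through to the generic error path and init_system never gets its Location header. The protocol-level signal for "account already exists" on new-reg is the 409 status combined with a Location header, which is exactly what the caller in init_system consumes, so matching on that header (or at least documenting the string as implementation-specific) would be more robust: `# Boulder-specific wording; the spec-level signal is 409 + Location header`. What the function returns after the `:` branch is outside the hunk and should be checked to confirm the caller really sees the headers on fd 4 in this case. Stylistically, the five chained `[[ ]] && [[ ]]` tests could be one `[[ ... && ... ]]` expression, as bash allows.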
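Review bot: The rewritten `kid` branch in signed_request now depends on the global ACCOUNT_URL, which is populated in init_system, but nothing in the hunk says so; a reader may take the unset case for an error rather than the intended path for the account lookup and new-account requests, which must use the `jwk` form. I would add above the `if`: `# ACCOUNT_URL is set by init_system once the account is known; while it is unset (account lookup/creation) the jwk form is required`. The `${ACCOUNT_URL:-}` default is the right choice here since the variable is legitimately unset during those first requests. The enclosing `if`/`else` and the function itself start and end outside the hunk.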
@@ -1019,27 +1045,26 @@ command_account() {
 FAILED=false
 NEW_ACCOUNT_KEY_JSON="$(_mktemp)"
- REG_ID=$(cat "${ACCOUNT_KEY_JSON}" | get_json_int_value id)
 # Check if we have the registration id
- if [[ -z "${REG_ID}" ]]; then
+ if [[ -z "${ACCOUNT_ID}" ]]; then
 _exiterr "Error retrieving registration id."
 fi
- echo "+ Updating registration id: ${REG_ID} contact information..."
+ echo "+ Updating registration id: ${ACCOUNT_ID} contact information..."
 if [[ ${API} -eq 1 ]]; then
 # If an email for the contact has been provided then adding it to the registered account
 if [[ -n "${CONTACT_EMAIL}" ]]; then
- (signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
+ (signed_request "${ACCOUNT_URL}" '{"resource": "reg", "contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
 else
- (signed_request "${CA_REG}"/"${REG_ID}" '{"resource": "reg", "contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
+ (signed_request "${ACCOUNT_URL}" '{"resource": "reg", "contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
 fi
 else
 # If an email for the contact has been provided then adding it to the registered account
 if [[ -n "${CONTACT_EMAIL}" ]]; then
- (signed_request "${CA_ACCOUNT}"/"${REG_ID}" '{"contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
+ (signed_request "${ACCOUNT_URL}" '{"contact":["mailto:'"${CONTACT_EMAIL}"'"]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
 else
- (signed_request "${CA_ACCOUNT}"/"${REG_ID}" '{"contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
+ (signed_request "${ACCOUNT_URL}" '{"contact":[]}' > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
 fi
 fi
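Review bot: The guard in command_account still tests only ACCOUNT_ID, yet every request in the hunk now goes to ACCOUNT_URL; the two are set together in init_system, but if that step was skipped or failed for this command, an empty URL reaches signed_request while the friendly "Error retrieving registration id." message never fires. I would widen it to `if [[ -z "${ACCOUNT_ID:-}" || -z "${ACCOUNT_URL:-}" ]]; then`; the `:-` defaults also keep the message reachable instead of an unbound-variable abort if the script runs under `set -u`, which is not visible here. The four signed_request calls now differ only in the payload, so building the contact array once and issuing a single request removes the duplication the commit leaves behind; note CONTACT_EMAIL is still spliced into the JSON unescaped, as before this change. The function starts and ends outside the hunk.
```shell
  # Build the contact list once; only the payload wrapper differs between API versions
  local contact='[]'
  if [[ -n "${CONTACT_EMAIL}" ]]; then
    contact='["mailto:'"${CONTACT_EMAIL}"'"]'
  fi
  local payload
  if [[ ${API} -eq 1 ]]; then
    payload='{"resource": "reg", "contact":'"${contact}"'}'
  else
    payload='{"contact":'"${contact}"'}'
  fi
  (signed_request "${ACCOUNT_URL}" "${payload}" > "${NEW_ACCOUNT_KEY_JSON}") || FAILED=true
  # … unchanged: handling of FAILED and of NEW_ACCOUNT_KEY_JSON …
```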