From 3b4961a8cd513ef3514b78830187bdb2b841effd Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Thu, 25 Apr 2019 08:31:33 -0500
Subject: [PATCH] Create rotateSealerKey.sh
---
 container_files/idp/rotateSealerKey.sh | 58 ++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 container_files/idp/rotateSealerKey.sh
diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh
new file mode 100644
index 0000000..5939eca
--- /dev/null
+++ b/container_files/idp/rotateSealerKey.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -e
+set -u
+
+# Default IDP_HOME if not already set
+if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ]
+then
+ echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2
+ exit 1
+fi
+
+function get_config {
+ # Key to lookup (escape . for regex lookup)
+ local KEY=${1:?"No key provided to look up value"}
+ # Passed default value
+ local DEFAULT="${2:-}"
+ # Lookup key, strip spaces, replace idp.home with IDP_HOME value
+ local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/conf/idp.properties)
+ # Set if no result with default - exit if no default
+ echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}
+}
+
+# Get config values
+## Official config items ##
+storefile=$(get_config idp.sealer.storeResource)
+versionfile=$(get_config idp.sealer.versionResource)
+storepass=$(get_config idp.sealer.storePassword)
+alias=$(get_config idp.sealer.aliasBase secret)
+## Extended config items ##
+count=$(get_config idp.sealer._count 30)
+# default cannot be empty - so "self" is the default (self is skipped for syncing)
+sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME})
+
+# Run the keygen utility
+${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \
+ --storefile "${storefile}" \
+ --storepass "${storepass}" \
+ --versionfile "${versionfile}" \
+ --alias "${alias}" \
+ --count "${count}"
+
+# Display current version
+echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2
+
+for EACH in ${sync_hosts}
+do
+ if [ "${HOSTNAME}" == "${EACH}" ]
+ then
+ echo "INFO: Host '${EACH}' is myself - skipping" >&2
+ elif ! ping -q -c 1 -W 3 ${EACH} >/dev/null 2>&1
+ then
+ echo "ERROR: Host '${EACH}' not reachable - skipping" >&2
+ else
+ # run scp in the background
+ scp "${storefile}" "${versionfile}" "${EACH}:${IDP_HOME}/credentials/" &
+ fi
+done
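Review bot: The keystore password is handed to `runclass.sh` as a plain argument (`--storepass "${storepass}"`), so it sits in the process list, readable by any local user, for as long as the keygen tool runs, and it would also land in any `set -x` trace; if `BasicKeystoreKeyStrategyTool` accepts the password from a file or stdin that path should be used, otherwise the exposure deserves a comment above the call such as `# NOTE: storepass is visible in ps(1) argv while the tool runs`. In `get_config` the value is emitted unquoted (`echo ${RESULT:-...}`), so a store password containing spaces or glob characters is word-split or expanded before it reaches the caller; `printf '%s\n' "${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}"` returns it intact. The backgrounded `scp` jobs are never waited on, so a failed copy leaves that peer with a stale sealer key while the script still exits 0 and `set -e` never sees the error; record each job with `scp ... & pids+=("$!")` and after the loop run `for p in "${pids[@]}"; do wait "$p" || rc=1; done; exit "${rc:-0}"`. Note too that `${IDP_HOME}` is spliced into the sed replacement text, so a path containing `|` or `&` would corrupt the lookup, though that is unlikely given the default.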