From 95d19dd51e0f469a7d1b07622fa743a35db470f2 Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Thu, 27 Aug 2020 17:58:30 +0300
Subject: [PATCH] Installation script hardening and input validation
---
static/.cloudflare.json | 1 +
static/.cloudflare_records.json | 1 +
static/.cloudflare_zones.json | 1 +
static/.healthz.json | 0
static/.hetzner_machines.json | 382 ++++++++++++++++++++++++++++++++
static/.machine.json | 382 ++++++++++++++++++++++++++++++++
static/server.sh | 23 ++
7 files changed, 790 insertions(+)
create mode 100644 static/.cloudflare.json
create mode 100644 static/.cloudflare_records.json
create mode 100644 static/.cloudflare_zones.json
create mode 100644 static/.healthz.json
create mode 100644 static/.hetzner_machines.json
create mode 100644 static/.machine.json
diff --git a/static/.cloudflare.json b/static/.cloudflare.json
new file mode 100644
index 0000000..0d2d77d
--- /dev/null
+++ b/static/.cloudflare.json
@@ -0,0 +1 @@ +{"result":[{"id":"16c51875073bf7bcb2e1a994e93c570e","name":"ilchub.net","status":"active","paused":false,"type":"full","development_mode":0,"name_servers":["isabel.ns.cloudflare.com","miles.ns.cloudflare.com"],"original_name_servers":["ns25.domaincontrol.com","ns26.domaincontrol.com"],"original_registrar":"godaddy.com, llc (id: 146)","original_dnshost":null,"modified_on":"2020-08-13T10:22:53.002296Z","created_on":"2020-08-09T13:31:41.880166Z","activated_on":"2020-08-13T10:22:53.002296Z","meta":{"step":2,"wildcard_proxiable":false,"custom_certificate_quota":0,"page_rule_quota":3,"phishing_detected":false,"multiple_railguns_allowed":false},"owner":{"id":"5a61029cdf150aaabda864a3edfbd4ad","type":"user","email":"ilchub5@gmail.com"},"account":{"id":"22080e29eeb86c8f287fa5d3320120f7","name":"ilchub5@gmail.com"},"permissions":["#access:edit","#access:read","#analytics:read","#app:edit","#auditlogs:read","#billing:edit","#billing:read","#cache_purge:edit","#dns_records:edit","#dns_records:read","#lb:edit","#lb:read","#legal:edit","#legal:read","#logs:edit","#logs:read","#member:edit","#member:read","#organization:edit","#organization:read","#ssl:edit","#ssl:read","#stream:edit","#stream:read","#subscription:edit","#subscription:read","#teams:edit","#teams:read","#teams:report","#waf:edit","#waf:read","#webhooks:edit","#webhooks:read","#worker:edit","#worker:read","#zone:edit","#zone:read","#zone_settings:edit","#zone_settings:read"],"plan":{"id":"0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee","name":"Free 
Website","price":0,"currency":"USD","frequency":"","is_subscribed":false,"can_subscribe":false,"legacy_id":"free","legacy_discount":false,"externally_managed":false}},{"id":"6e8d6d873dd09cbceac381c6f854b042","name":"scipttestingengine.tk","status":"active","paused":false,"type":"full","development_mode":0,"name_servers":["isabel.ns.cloudflare.com","miles.ns.cloudflare.com"],"original_name_servers":["isabel.ns.cloudflare.com","miles.ns.cloudflare.com"],"original_registrar":null,"original_dnshost":null,"modified_on":"2020-08-25T11:31:16.631765Z","created_on":"2020-08-25T11:29:57.055635Z","activated_on":"2020-08-25T11:31:16.631765Z","meta":{"step":2,"wildcard_proxiable":false,"custom_certificate_quota":0,"page_rule_quota":3,"phishing_detected":false,"multiple_railguns_allowed":false},"owner":{"id":"5a61029cdf150aaabda864a3edfbd4ad","type":"user","email":"ilchub5@gmail.com"},"account":{"id":"22080e29eeb86c8f287fa5d3320120f7","name":"ilchub5@gmail.com"},"permissions":["#access:edit","#access:read","#analytics:read","#app:edit","#auditlogs:read","#billing:edit","#billing:read","#cache_purge:edit","#dns_records:edit","#dns_records:read","#lb:edit","#lb:read","#legal:edit","#legal:read","#logs:edit","#logs:read","#member:edit","#member:read","#organization:edit","#organization:read","#ssl:edit","#ssl:read","#stream:edit","#stream:read","#subscription:edit","#subscription:read","#teams:edit","#teams:read","#teams:report","#waf:edit","#waf:read","#webhooks:edit","#webhooks:read","#worker:edit","#worker:read","#zone:edit","#zone:read","#zone_settings:edit","#zone_settings:read"],"plan":{"id":"0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee","name":"Free Website","price":0,"currency":"USD","frequency":"","is_subscribed":false,"can_subscribe":false,"legacy_id":"free","legacy_discount":false,"externally_managed":false}}],"result_info":{"page":1,"per_page":20,"total_pages":1,"count":2,"total_count":2},"success":true,"errors":[],"messages":[]} \ No newline at end of file 
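Review bot: The six new JSON files under static/ look like captured API responses rather than source, and they should not be part of this commit. `.cloudflare.json` records zone and account ids, the owner's e-mail address and the credential's full permission list, and `.hetzner_machines.json` and `.machine.json` record server ids, names and public addresses; `.cloudflare_records.json` and `.cloudflare_zones.json` hold only error bodies and `.healthz.json` is empty. Remove them from the tree and add an ignore rule such as `static/.*.json` to `.gitignore`, which would also cover the `.hetzner_test.json` that the new preflight function in server.sh writes. If static/ is served to clients, which the path suggests but the patch does not show, this inventory is readable by anyone who can fetch it.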
diff --git a/static/.cloudflare_records.json b/static/.cloudflare_records.json
new file mode 100644
index 0000000..835d08d
--- /dev/null
+++ b/static/.cloudflare_records.json
@@ -0,0 +1 @@
+{"success":false,"errors":[{"code":7003,"message":"Could not route to \/zones\/dns_records, perhaps your object identifier is invalid?"},{"code":7000,"message":"No route for that URI"}],"messages":[],"result":null}
\ No newline at end of file
diff --git a/static/.cloudflare_zones.json b/static/.cloudflare_zones.json
new file mode 100644
index 0000000..116c88c
--- /dev/null
+++ b/static/.cloudflare_zones.json
@@ -0,0 +1 @@
+{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}
\ No newline at end of file
diff --git a/static/.healthz.json b/static/.healthz.json
new file mode 100644
index 0000000..e69de29
diff --git a/static/.hetzner_machines.json b/static/.hetzner_machines.json
new file mode 100644
index 0000000..1a1d1ea
--- /dev/null
+++ b/static/.hetzner_machines.json
@@ -0,0 +1,382 @@ +{ + "servers": [ + { + "id": 6922622, + "name": "nixos", + "status": "running", + "created": "2020-07-29T12:46:54+00:00", + "public_net": { + "ipv4": { + "ip": "135.181.45.111", + "blocked": false, + "dns_ptr": "static.111.45.181.135.clients.your-server.de" + }, + "ipv6": { + "ip": "2a01:4f9:c010:bd04::/64", + "blocked": false, + "dns_ptr": [] + }, + "floating_ips": [] + }, + "private_net": [], + "server_type": { + "id": 2, + "name": "cx11-ceph", + "description": "CX11 Ceph Disk", + "cores": 1, + "memory": 2.0, + "disk": 20, + "deprecated": null, + "prices": [ + { + "location": "fsn1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "nbg1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "hel1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + } + ], + "storage_type": "network", + "cpu_type": "shared" + }, + "datacenter": { + "id": 3, + "name": "hel1-dc2", + "description": "Helsinki 1 DC 2", + "location": { + "id": 3, + "name": "hel1", + "description": "Helsinki DC Park 1", + "country": "FI", + "city": "Helsinki", + "latitude": 60.169855, + "longitude": 24.938379, + "network_zone": "eu-central" + }, + "server_types": { + "supported": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available_for_migration": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ] + } + }, + "image": { + "id": 15512617, 
+ "type": "system", + "status": "available", + "name": "ubuntu-20.04", + "description": "Ubuntu 20.04", + "image_size": null, + "disk_size": 5, + "created": "2020-04-23T17:55:14+00:00", + "created_from": null, + "bound_to": null, + "os_flavor": "ubuntu", + "os_version": "20.04", + "rapid_deploy": true, + "protection": { + "delete": false + }, + "deprecated": null, + "labels": {} + }, + "iso": null, + "rescue_enabled": false, + "locked": false, + "backup_window": null, + "outgoing_traffic": 452600000, + "ingoing_traffic": 7369804000, + "included_traffic": 21990232555520, + "protection": { + "delete": false, + "rebuild": false + }, + "labels": {}, + "volumes": [], + "load_balancers": [], + "primary_disk_size": 20 + }, + { + "id": 7361377, + "name": "nixos-mailserver", + "status": "running", + "created": "2020-08-27T10:17:50+00:00", + "public_net": { + "ipv4": { + "ip": "95.217.162.93", + "blocked": false, + "dns_ptr": "static.93.162.217.95.clients.your-server.de" + }, + "ipv6": { + "ip": "2a01:4f9:c010:807f::/64", + "blocked": false, + "dns_ptr": [] + }, + "floating_ips": [] + }, + "private_net": [], + "server_type": { + "id": 1, + "name": "cx11", + "description": "CX11", + "cores": 1, + "memory": 2.0, + "disk": 20, + "deprecated": null, + "prices": [ + { + "location": "fsn1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "hel1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "nbg1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + } + ], + "storage_type": "local", + "cpu_type": "shared" + }, + "datacenter": { + "id": 3, + "name": "hel1-dc2", + "description": "Helsinki 1 DC 
2", + "location": { + "id": 3, + "name": "hel1", + "description": "Helsinki DC Park 1", + "country": "FI", + "city": "Helsinki", + "latitude": 60.169855, + "longitude": 24.938379, + "network_zone": "eu-central" + }, + "server_types": { + "supported": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available_for_migration": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ] + } + }, + "image": { + "id": 15512617, + "type": "system", + "status": "available", + "name": "ubuntu-20.04", + "description": "Ubuntu 20.04", + "image_size": null, + "disk_size": 5, + "created": "2020-04-23T17:55:14+00:00", + "created_from": null, + "bound_to": null, + "os_flavor": "ubuntu", + "os_version": "20.04", + "rapid_deploy": true, + "protection": { + "delete": false + }, + "deprecated": null, + "labels": {} + }, + "iso": null, + "rescue_enabled": false, + "locked": false, + "backup_window": null, + "outgoing_traffic": null, + "ingoing_traffic": null, + "included_traffic": 21990232555520, + "protection": { + "delete": false, + "rebuild": false + }, + "labels": {}, + "volumes": [], + "load_balancers": [], + "primary_disk_size": 20 + } + ], + "meta": { + "pagination": { + "page": 1, + "per_page": 25, + "previous_page": null, + "next_page": null, + "last_page": 1, + "total_entries": 2 + } + } +} diff --git a/static/.machine.json b/static/.machine.json new file mode 100644 index 0000000..6295ff3 --- /dev/null +++ b/static/.machine.json 
@@ -0,0 +1,382 @@ +{ + "servers": [ + { + "id": 6922622, + "name": "nixos", + "status": "running", + "created": "2020-07-29T12:46:54+00:00", + "public_net": { + "ipv4": { + "ip": "135.181.45.111", + "blocked": false, + "dns_ptr": "static.111.45.181.135.clients.your-server.de" + }, + "ipv6": { + "ip": "2a01:4f9:c010:bd04::/64", + "blocked": false, + "dns_ptr": [] + }, + "floating_ips": [] + }, + "private_net": [], + "server_type": { + "id": 2, + "name": "cx11-ceph", + "description": "CX11 Ceph Disk", + "cores": 1, + "memory": 2.0, + "disk": 20, + "deprecated": null, + "prices": [ + { + "location": "fsn1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "nbg1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "hel1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + } + ], + "storage_type": "network", + "cpu_type": "shared" + }, + "datacenter": { + "id": 3, + "name": "hel1-dc2", + "description": "Helsinki 1 DC 2", + "location": { + "id": 3, + "name": "hel1", + "description": "Helsinki DC Park 1", + "country": "FI", + "city": "Helsinki", + "latitude": 60.169855, + "longitude": 24.938379, + "network_zone": "eu-central" + }, + "server_types": { + "supported": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available_for_migration": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ] + } + }, + "image": { + "id": 15512617, 
+ "type": "system", + "status": "available", + "name": "ubuntu-20.04", + "description": "Ubuntu 20.04", + "image_size": null, + "disk_size": 5, + "created": "2020-04-23T17:55:14+00:00", + "created_from": null, + "bound_to": null, + "os_flavor": "ubuntu", + "os_version": "20.04", + "rapid_deploy": true, + "protection": { + "delete": false + }, + "deprecated": null, + "labels": {} + }, + "iso": null, + "rescue_enabled": false, + "locked": false, + "backup_window": null, + "outgoing_traffic": 451072000, + "ingoing_traffic": 7369420000, + "included_traffic": 21990232555520, + "protection": { + "delete": false, + "rebuild": false + }, + "labels": {}, + "volumes": [], + "load_balancers": [], + "primary_disk_size": 20 + }, + { + "id": 7361377, + "name": "nixos-mailserver", + "status": "running", + "created": "2020-08-27T10:17:50+00:00", + "public_net": { + "ipv4": { + "ip": "95.217.162.93", + "blocked": false, + "dns_ptr": "static.93.162.217.95.clients.your-server.de" + }, + "ipv6": { + "ip": "2a01:4f9:c010:807f::/64", + "blocked": false, + "dns_ptr": [] + }, + "floating_ips": [] + }, + "private_net": [], + "server_type": { + "id": 1, + "name": "cx11", + "description": "CX11", + "cores": 1, + "memory": 2.0, + "disk": 20, + "deprecated": null, + "prices": [ + { + "location": "fsn1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "hel1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + }, + { + "location": "nbg1", + "price_hourly": { + "net": "0.0040000000", + "gross": "0.0040000000000000" + }, + "price_monthly": { + "net": "2.4900000000", + "gross": "2.4900000000000000" + } + } + ], + "storage_type": "local", + "cpu_type": "shared" + }, + "datacenter": { + "id": 3, + "name": "hel1-dc2", + "description": "Helsinki 1 DC 
2", + "location": { + "id": 3, + "name": "hel1", + "description": "Helsinki DC Park 1", + "country": "FI", + "city": "Helsinki", + "latitude": 60.169855, + "longitude": 24.938379, + "network_zone": "eu-central" + }, + "server_types": { + "supported": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ], + "available_for_migration": [ + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 12, + 13, + 14, + 15, + 22, + 23, + 24, + 25, + 26 + ] + } + }, + "image": { + "id": 15512617, + "type": "system", + "status": "available", + "name": "ubuntu-20.04", + "description": "Ubuntu 20.04", + "image_size": null, + "disk_size": 5, + "created": "2020-04-23T17:55:14+00:00", + "created_from": null, + "bound_to": null, + "os_flavor": "ubuntu", + "os_version": "20.04", + "rapid_deploy": true, + "protection": { + "delete": false + }, + "deprecated": null, + "labels": {} + }, + "iso": null, + "rescue_enabled": false, + "locked": false, + "backup_window": null, + "outgoing_traffic": null, + "ingoing_traffic": null, + "included_traffic": 21990232555520, + "protection": { + "delete": false, + "rebuild": false + }, + "labels": {}, + "volumes": [], + "load_balancers": [], + "primary_disk_size": 20 + } + ], + "meta": { + "pagination": { + "page": 1, + "per_page": 25, + "previous_page": null, + "next_page": null, + "last_page": 1, + "total_entries": 2 + } + } +} diff --git a/static/server.sh b/static/server.sh index cb0677b..c18c625 100755 --- a/static/server.sh +++ b/static/server.sh 
@@ -179,9 +179,32 @@ PerformTests()
 done
 }
 
+RunPreFlightChecks()
+{
+ curl -H "Authorization: Bearer $HETZNER_TOKEN" 'https://api.hetzner.cloud/v1/servers' > .hetzner_test.json
+ jq 'if .error != null then "Preflight checks failed" else "Success" end' .hetzner_test.json | if [ "Preflight checks failed" ]
+ then
+ echo "Hetzner Authorization failed"
+ exit -1
+ fi
+}
+
 if test -z "$HETZNER_TOKEN" || test -z "$CLOUDFLARE_TOKEN" || test -z "$PASSWORD"
 then
 CollectData
+ if [ ${#HETZNER_TOKEN} != 64 ]
+ then
+ echo "Hetzner Token is incorrect. Please double check your input"
+ exit -1
+ elif [ ${#CLOUDFLARE_TOKEN} != 40 ]
+ then
+ echo "Cloudflare Token is incorrect. Please double check your input"
+ exit -1
+ elif [[ ${DOMAIN} != *.* ]]
+ then
+ echo "Got unexpected domain. Possibly wrong input"
+ exit -1
+ fi
 fi
 InstallDependencies
 GenerateSSHKey
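Review bot: `RunPreFlightChecks` never looks at jq's output: `[ "Preflight checks failed" ]` tests a non-empty literal, so it is always true, and because that `if` is the right-hand side of a pipe, `exit -1` ends only the pipeline's subshell. As written the function would print "Hetzner Authorization failed" on every run and still let the install continue, and nothing in this hunk calls it. The rewrite below lets `curl -f` and `jq -e` drive the exit status and keeps the API response in a variable instead of leaving `.hetzner_test.json` in the working directory. Separately, the length and domain checks sit inside the `CollectData` branch, so values supplied through the environment skip them, and `exit -1` should be `exit 1` because exit statuses are limited to 0–255. The script continues past the end of the hunk.

```shell
RunPreFlightChecks()
{
    local response
    # -f turns an HTTP error status (e.g. 401 for a bad token) into a non-zero exit.
    if ! response=$(curl -fsS -H "Authorization: Bearer $HETZNER_TOKEN" 'https://api.hetzner.cloud/v1/servers')
    then
        echo "Hetzner Authorization failed"
        exit 1
    fi
    # jq -e exits non-zero when the filter yields false or null, so the test uses the real response.
    if ! printf '%s' "$response" | jq -e '.error == null' > /dev/null
    then
        echo "Hetzner Authorization failed"
        exit 1
    fi
}
```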