#! /bin/bash
#
# Allowlist-cron.sh
# A script which can run as a cron job and notifies if the list
# of Fastly IPs has changed compared to the previous known list.
#
# This requires your system to have:
# curl - a command line web client
# md5(sum) - a command for calculating and checking sums of files
# mail(x) - a command line mail/smtp client
#
#
# Stores the list of 'current' IPs in CURRENT_IPS_FILE and uses diff
# to see if this has changed.
#
# If you have any bugs or issues with this script you can find assistance
# in the Fastly community forum at https://community.fastly.com/
#
# If you would like to submit a pull request or patch, please do so at my
# github repository: http://github.com/jondade/IP-allowlist-cron
#
# License: MIT
# Use of this script is entirely at the user's own risk. No warranty
# is offered or implied.
# Configuration variables.
# Update these as necessary.
# Space-separated list of notification recipients (read_addresses joins the
# entered lines with single spaces). Deliberately empty in the repository copy:
# install() rewrites this exact empty assignment with sed in the installed
# copy, so the line must stay byte-for-byte as it is here.
EMAIL_RECIPIENTS=""
#
# No user-serviceable parts after this point. Any changes are at the
# editor's own risk. No support is offered.
#
# This will install the script to the /sbin directory for running.
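#######################################
# Install this script as a system cron job.
# Prompts for recipients, checks required tools, copies the script to
# SCRIPTNAME, bakes the recipients into the installed copy, registers a
# weekly cron entry in /etc/crontab and stores the initial IP list.
# Globals:   SCRIPTNAME, DATA_PATH, CURRENT_IP_MD5, CURRENT_IP_DATA (read)
# Arguments: none (recipients are read from stdin)
# Outputs:   progress and the initial IP data on stdout, errors on stderr
# Returns:   exits 5-10 on a failed precondition; otherwise the status of mail
#######################################
function install {
  local addresses addr src minute hour day data message
  local -a recipients=()
  echo "Please enter your list of email recipients. One per line. Blank line to finish."
  addresses=$(read_addresses)
  # Required tools. The rest of this script calls md5sum specifically, so that
  # is what is checked here (the original intent of also accepting BSD 'md5'
  # cannot be honoured until run()/install() can use it).
  if ! find_command mail; then
    echo "Mail command not found. Cannot continue." >&2
    exit 5
  elif ! find_command curl; then
    echo "Curl command not found. Cannot continue." >&2
    exit 6
  elif ! find_command md5sum; then
    echo "No MD5 tool found. Please install one and retry." >&2
    exit 7
  elif [[ -z "${addresses}" ]]; then
    echo "Email recipients is not valid. Please try again." >&2
    exit 8
  elif ! find_command sed; then
    echo "Could not find sed command. Cannot continue. Please install sed or manually install this script." >&2
    exit 9
  fi
  # The addresses are spliced into the installed script by sed below, and that
  # script later runs from root's crontab; only accept a conservative character
  # set so nothing can break out of the quoted assignment or the sed expression.
  read -ra recipients <<<"${addresses}"
  for addr in "${recipients[@]}"; do
    if [[ ! "${addr}" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$ ]]; then
      printf 'Invalid email address: %s\n' "${addr}" >&2
      exit 8
    fi
  done
  # Fetch before touching the system so a network failure leaves nothing
  # half-installed.
  data=$(fetchIPData)
  if [[ -z "${data}" ]]; then
    echo "Failed to fetch initial IP data from Fastly. Cannot continue." >&2
    exit 10
  fi
  # Duplicate this script into SCRIPTNAME and set permissions. Use the
  # (symlink-resolved) path of $0 itself; basename would only work when the
  # script is invoked from its own directory.
  src=$0
  if [[ -L "${src}" ]]; then
    src=$(readlink "${src}")
  fi
  cp -- "${src}" "${SCRIPTNAME}"
  chmod 755 "${SCRIPTNAME}"
  # Randomise the schedule so the Fastly API is not hit by everyone at once.
  # By default this runs once a week.
  minute=$(getnum 60)
  hour=$(getnum 24)
  day=$(getnum 7)
  # Only the assignment at the start of a line is rewritten; the addresses were
  # validated above so they contain no sed metacharacters (/ & \).
  sed -i -e "s/^EMAIL_RECIPIENTS=\"\"/EMAIL_RECIPIENTS=\"${addresses}\"/" "${SCRIPTNAME}"
  # /etc/crontab is the system crontab: its format has a user column between
  # the schedule and the command, which the previous line omitted.
  printf '%s %s * * %s root %s -r\n' "${minute}" "${hour}" "${day}" "${SCRIPTNAME}" >> /etc/crontab
  mkdir -p "${DATA_PATH}"
  # Hash the quoted payload; run() must hash it the same way for the
  # comparison to be meaningful.
  printf '%s\n' "${data}" | md5sum > "${CURRENT_IP_MD5}"
  printf '%s\n' "${data}" > "${CURRENT_IP_DATA}"
  echo "Initial data for IP allowlisting:"
  printf '%s\n' "${data}"
  echo
  echo "Mailing recipients first data to test."
  message=$(cat <<-EOM
The Fastly allowlist IP json data are:
${data}
Please ensure the firewalls allow these IPs.
EOM
)
  # One argument per recipient; a single space-joined argument is not a valid
  # address list for mail(x).
  printf '%s\n' "${message}" | mail -E -s 'Fastly allowlist intial set' "${recipients[@]}"
}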
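#######################################
# Fetch the public IP list JSON from Fastly and print it on stdout.
# -f makes HTTP errors fail with no body, so an error page is never hashed
# or mailed as if it were the IP list; -S still reports the failure on
# stderr despite -s. The timeout keeps a cron run from hanging indefinitely.
# Globals:   API_URL (read; falls back to the Fastly endpoint if unset)
# Returns:   curl's exit status
#######################################
function fetchIPData () {
  curl -fsS --max-time 60 "${API_URL:-https://api.fastly.com/public-ip-list}"
}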
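#######################################
# Print a pseudo-random integer in the range [0, $1).
# Arguments: $1 - exclusive upper bound, must be a positive integer
# Outputs:   the number on stdout
# Returns:   0, or 1 (with a message on stderr) when the bound is not > 0
#######################################
function getnum () {
  local modulus=$1
  # Guard the modulo: "% 0" is a fatal arithmetic error in bash.
  if (( modulus <= 0 )); then
    printf 'getnum: upper bound must be greater than 0\n' >&2
    return 1
  fi
  # No global scratch variable: the original leaked 'out' into the caller.
  printf '%s\n' "$(( RANDOM % modulus ))"
}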
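#######################################
# Print the checksum field of md5sum output, i.e. everything before the
# first whitespace ("<hash>  -" -> "<hash>"). Pure parameter expansion, so it
# no longer depends on the GNU sed extensions (\+, \s) that BSD sed lacks.
# Arguments: $1 - a line of md5sum output (or a bare hash)
# Outputs:   the hash on stdout
#######################################
function trim_sum_data () {
  local sum=$1
  printf '%s\n' "${sum%%[[:space:]]*}"
}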
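#######################################
# Compare the current Fastly IP list against the stored checksum and mail
# the recipients when it differs.
# Globals:   CURRENT_IP_MD5, CURRENT_IP_DATA, EMAIL_RECIPIENTS, DEBUG (read)
# Outputs:   status line on stdout, errors on stderr
# Returns:   exits 0 when unchanged or after a successful mail; 1 if mail
#            failed; 2-4 on a failed precondition
#######################################
function run {
  local old_md5 new_data new_md5 updated_message
  local -a recipients=()
  # We don't need to keep the actual data. Only the MD5 of the last known list
  # is kept on disk (the JSON is stored in debug mode, see below).
  if [[ ! -r "${CURRENT_IP_MD5}" ]]; then
    printf 'No stored checksum at %s. Run with -i first.\n' "${CURRENT_IP_MD5}" >&2
    exit 2
  fi
  old_md5=$(trim_sum_data "$(cat "${CURRENT_IP_MD5}")")
  new_data=$(fetchIPData) || new_data=""
  # A failed or empty fetch must not be hashed: it would look like a change
  # and (in debug mode) overwrite the stored state with nothing.
  if [[ -z "${new_data}" ]]; then
    printf 'Failed to fetch the Fastly IP list; stored checksum left untouched.\n' >&2
    exit 3
  fi
  # Hash the quoted payload exactly as install() does; the unquoted form
  # collapsed whitespace and so never matched the installed checksum.
  new_md5=$(trim_sum_data "$(printf '%s\n' "${new_data}" | md5sum)")
  if [[ "${old_md5}" == "${new_md5}" ]]; then
    echo "No ip changes."
    exit 0
  fi
  # NOTE(review): the stored checksum and data are refreshed only in debug
  # mode, so in normal operation every run after a change re-sends the
  # notification until -i is re-run. Behaviour preserved; confirm it is intended.
  if [[ "${DEBUG}" == "true" ]]; then
    printf '%s\n' "${new_md5}" > "${CURRENT_IP_MD5}"
    printf '%s\n' "${new_data}" > "${CURRENT_IP_DATA}"
  fi
  updated_message=$(cat <<-EOM
The Fastly allowlist checksum did not match in the latest check. An update to the allowlisting
rules may be required.
The lastest json data is:
${new_data}
EOM
)
  # One argument per recipient; a single space-joined argument is not a valid
  # address list for mail(x).
  read -ra recipients <<<"${EMAIL_RECIPIENTS}"
  if (( ${#recipients[@]} == 0 )); then
    printf 'EMAIL_RECIPIENTS is empty; nobody to notify.\n' >&2
    exit 4
  fi
  if ! printf '%s\n' "${updated_message}" | mail -E -s 'Fastly allowlist updated' "${recipients[@]}"; then
    printf 'Failed to send the update notification.\n' >&2
    exit 1
  fi
  exit 0
}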
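#######################################
# Print usage information on stdout.
# Arguments: none
# Outputs:   the usage text, with the script's own name substituted
#######################################
function showhelp {
  # $0 is quoted so a path containing spaces still yields one basename argument.
  cat <<OEM
Usage: $(basename "$0") <args>
Possible arguments are:
i install this script.
r run the script to verify the MD5 / email recipients of an update.
h show this message.
v show debug output.
N.B. This is a simple bash script, please read it for bug/pull request details.
OEM
}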
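#######################################
# Test whether a command is available on PATH (or is a builtin/function).
# Arguments: $1 - command name
# Returns:   0 if found, non-zero otherwise; prints nothing
#######################################
function find_command () {
  command -v "$1" >/dev/null 2>&1
}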
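#######################################
# Read email addresses from stdin, one per line, until a blank line or EOF.
# Arguments: none
# Outputs:   the addresses joined by single spaces on stdout
#######################################
function read_addresses () {
  local email list=""
  # The '|| [[ -n ... ]]' keeps a final line that lacks a trailing newline.
  # read -r so backslashes in the input are taken literally.
  while IFS= read -r email || [[ -n "${email}" ]]; do
    # The first blank line ends input (the original looped on a subshell
    # running 'true'/'false' as commands, and kept reading after a blank first line).
    [[ -n "${email}" ]] || break
    list="${list:+${list} }${email}"
  done
  printf '%s\n' "${list}"
}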
#
# Real script starts here
#
# Static variables for reuse later.
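API_URL="https://api.fastly.com/public-ip-list"
SCRIPTNAME="/usr/local/sbin/fastly-ips.sh"
DATA_PATH="/var/spool/fastly"
CURRENT_IP_MD5="${DATA_PATH}/fastly-IP.md5"
CURRENT_IP_DATA="${DATA_PATH}/fastly-IP.json"
DEBUG="false"
if (( $# < 1 )); then
  echo "Not enough arguments." >&2
  showhelp
  exit 1
fi
# Options are acted on in the order given: -v must precede -r or -i to take
# effect, and -r / -i exit from within their functions, so anything after
# them is never processed. The leading ':' silences getopts' own diagnostic
# and makes OPTARG carry the offending letter for the '?' arm.
while getopts ":irvh" opt; do
  case "${opt}" in
    h)
      showhelp
      exit 0
      ;;
    v)
      DEBUG="true"
      set -e
      set -x
      ;;
    r)
      run
      ;;
    i)
      install
      ;;
    \?)
      # Previously an unknown option was reported by getopts but the script
      # still fell off the end with status 0.
      printf 'Unknown option: -%s\n' "${OPTARG}" >&2
      showhelp
      exit 2
      ;;
  esac
done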
# If we get here something went wrong....
# Insert non-obligatory quote