feat: guide user to run script as root to create temp admin user
Message text and comment optimized
parent
bd48c99383
commit
744dea00ca
@ -39,7 +39,7 @@
|
|||||||
################################################################################
|
################################################################################
|
||||||
# Dependencies:
|
# Dependencies:
|
||||||
# - curl
|
# - curl
|
||||||
# - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set)
|
# - synouser & synogroup & synosetkeyvalue (Required for SYNO_USE_TEMP_ADMIN=1)
|
||||||
################################################################################
|
################################################################################
|
||||||
# Return value:
|
# Return value:
|
||||||
# 0 means success, otherwise error.
|
# 0 means success, otherwise error.
|
||||||
@ -66,14 +66,17 @@ synology_dsm_deploy() {
|
|||||||
_getdeployconf SYNO_DEVICE_NAME
|
_getdeployconf SYNO_DEVICE_NAME
|
||||||
|
|
||||||
# Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
|
# Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
|
||||||
_debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
|
|
||||||
_getdeployconf SYNO_USE_TEMP_ADMIN
|
_getdeployconf SYNO_USE_TEMP_ADMIN
|
||||||
_check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
|
_check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
|
||||||
_debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
|
_debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
|
||||||
|
|
||||||
if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
|
if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
|
||||||
if ! _exists synouser || ! _exists synogroup; then
|
if ! _exists synouser || ! _exists synogroup || ! _exists synosetkeyvalue; then
|
||||||
_err "Tools are missing for creating temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
|
_err "Missing required tools to creat temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
if synouser --help 2>&1 | grep -q 'Permission denied'; then
|
||||||
|
_err "For creating temp admin user, the deploy script must be run as root."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -184,7 +187,7 @@ synology_dsm_deploy() {
|
|||||||
_debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
|
_debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
|
||||||
if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
|
if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
|
||||||
if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
|
if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
|
||||||
_err "SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
|
_err "SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, then execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -201,7 +204,7 @@ synology_dsm_deploy() {
|
|||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
|
synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
|
||||||
else
|
else
|
||||||
_err "Tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
|
_err "The tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
@ -212,7 +215,7 @@ synology_dsm_deploy() {
|
|||||||
otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
|
otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
|
||||||
if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
|
if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
|
||||||
synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
|
synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
|
||||||
_info "Temporary disabled enforce 2FA-OTP to complete authentication."
|
_info "Temporary disabled enforce 2FA-OTP to complete temp admin authentication."
|
||||||
_info "previous_otp_enforce_option" "$otp_enforce_option"
|
_info "previous_otp_enforce_option" "$otp_enforce_option"
|
||||||
else
|
else
|
||||||
otp_enforce_option=""
|
otp_enforce_option=""
|
||||||
@ -230,7 +233,7 @@ synology_dsm_deploy() {
|
|||||||
error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
|
error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
|
||||||
_debug2 error_code "$error_code"
|
_debug2 error_code "$error_code"
|
||||||
# Account has 2FA-OTP enabled, since error 403 reported.
|
# Account has 2FA-OTP enabled, since error 403 reported.
|
||||||
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide.pdf
|
# https://global.download.synology.com/download/Document/Software/DeveloperGuide/Os/DSM/All/enu/DSM_Login_Web_API_Guide_enu.pdf
|
||||||
if [ "$error_code" == "403" ]; then
|
if [ "$error_code" == "403" ]; then
|
||||||
if [ -z "$SYNO_DEVICE_NAME" ]; then
|
if [ -z "$SYNO_DEVICE_NAME" ]; then
|
||||||
printf "Enter device name or leave empty for default (CertRenewal): "
|
printf "Enter device name or leave empty for default (CertRenewal): "
|
||||||
@ -274,12 +277,16 @@ synology_dsm_deploy() {
|
|||||||
_err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
|
_err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
|
||||||
elif [ "$error_code" == "406" ]; then
|
elif [ "$error_code" == "406" ]; then
|
||||||
if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
|
if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
|
||||||
_err "SYNO_USE_TEMP_ADMIN=1 is not supported if enforce auth with 2FA-OTP is enabled."
|
_err "Failed with unexcepted error, please report this by providing full log with '--debug 3'."
|
||||||
else
|
else
|
||||||
_err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
|
_err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
|
||||||
fi
|
fi
|
||||||
elif [ "$error_code" == "400" ] || [ "$error_code" == "401" ] || [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
|
elif [ "$error_code" == "400" ]; then
|
||||||
_err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
|
_err "Failed to authenticate, no such account or incorrect password."
|
||||||
|
elif [ "$error_code" == "401" ]; then
|
||||||
|
_err "Failed to authenticate with a non-existent account."
|
||||||
|
elif [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
|
||||||
|
_err "Failed to authenticate, the account password has expired or must be changed."
|
||||||
else
|
else
|
||||||
_err "Failed to authenticate with error: $error_code."
|
_err "Failed to authenticate with error: $error_code."
|
||||||
fi
|
fi
|
||||||
@ -293,7 +300,7 @@ synology_dsm_deploy() {
|
|||||||
_debug SynoToken "$token"
|
_debug SynoToken "$token"
|
||||||
if [ -z "$sid" ] || [ -z "$token" ]; then
|
if [ -z "$sid" ] || [ -z "$token" ]; then
|
||||||
# Still can't get necessary info even got no errors, may Synology have API updated?
|
# Still can't get necessary info even got no errors, may Synology have API updated?
|
||||||
_err "Unable to authenticate to $_base_url, you may report the full log to the community."
|
_err "Unable to authenticate to $_base_url, you may report this by providing full log with '--debug 3'."
|
||||||
_temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
|
_temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
|
||||||
return 1
|
return 1
|
||||||
fi
|
fi
|
||||||
@ -331,7 +338,7 @@ synology_dsm_deploy() {
|
|||||||
if [ "$error_code" -eq 105 ]; then
|
if [ "$error_code" -eq 105 ]; then
|
||||||
_err "Current user is not administrator and does not have sufficient permission for deploying."
|
_err "Current user is not administrator and does not have sufficient permission for deploying."
|
||||||
else
|
else
|
||||||
_err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
|
_err "Failed to fetch certificate info: $error_code, please try again or contact Synology to learn more."
|
||||||
fi
|
fi
|
||||||
_temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
|
_temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
|
||||||
return 1
|
return 1
|
||||||
|
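Review bot: The new root check in the -66 hunk, `synouser --help 2>&1 | grep -q 'Permission denied'`, infers privilege from the wording of a tool's output, so it passes silently if that text ever differs, and the failure then surfaces later in the temp-admin steps. If root is what synouser actually requires, testing the effective uid is sturdier: `if [ "$(id -u)" != "0" ]; then`. Two of the new messages carry typos that will reach user logs: "creat" in the missing-tools error and "unexcepted" in the 406 branch. The new 401 message ("non-existent account") also looks doubtful, since the 400 message already covers "no such account"; it is worth checking against the DSM Login Web API guide linked in the -230 hunk. The body of synology_dsm_deploy runs well beyond these hunks, so whether every early `return 1` restores `otp_enforce_option` and removes the temp admin cannot be confirmed from here.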