Netskope Tools to Configure Inspection for Developer Machines
# THIS SCRIPT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# BY USING THIS SCRIPT, YOU AGREE TO USE IT AT YOUR OWN RISK.
# This script is supposed to fix SSLError by assigning Netskope certificates to a list of tools.
# You can find this list in the MAIN section at the bottom of the script.
# How to run:
<#
1. Open Start.
2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
3. Type the following command to allow scripts to run and press Enter:
Set-ExecutionPolicy Unrestricted
(This setting persists for the current user; it can be tightened again afterwards with Set-ExecutionPolicy RemoteSigned.)
4. Type A and press Enter (if applicable).
5. Type the correct path to the script in the following command and run it:
& "C:\PATH\TO\SCRIPT\first_script.ps1"
#>
# configures python-related tools
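function configure_python{
  # Point python-requests (and the tools built on it) at the Netskope bundle
  # through REQUESTS_CA_BUNDLE. Reads the script-level $bundle.
  # setx only writes the persistent per-user value; the running session would
  # not see it, so the process-scope variable is set as well, which also makes
  # the -ne check idempotent within one session.
  if (-not (Test-Path -LiteralPath $bundle)) {
    # A CA file that does not exist would make every requests call fail closed.
    Write-Warning "REQUESTS_CA_BUNDLE not set: bundle $bundle does not exist"
    return
  }
  if ($Env:REQUESTS_CA_BUNDLE -ne "${bundle}") {
    Write-Host "REQUESTS_CA_BUNDLE" -NoNewline
    setx REQUESTS_CA_BUNDLE "${bundle}"
    $Env:REQUESTS_CA_BUNDLE = "${bundle}"
  }
}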
# OpenSSL CLI
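function configure_openssl{
  # Point the OpenSSL CLI at the Netskope bundle through SSL_CERT_FILE.
  # Reads the script-level $bundle. setx persists the value for new sessions
  # only, so the current process environment is updated too.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "SSL_CERT_FILE not set: bundle $bundle does not exist"
    return
  }
  if ($Env:SSL_CERT_FILE -ne "${bundle}") {
    Write-Host "SSL_CERT_FILE" -NoNewline
    setx SSL_CERT_FILE "${bundle}"
    $Env:SSL_CERT_FILE = "${bundle}"
  }
}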
# Curl CLI
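function configure_curl{
  # Point the curl CLI at the Netskope bundle through CURL_CA_BUNDLE.
  # Reads the script-level $bundle. setx persists the value for new sessions
  # only, so the current process environment is updated too.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "CURL_CA_BUNDLE not set: bundle $bundle does not exist"
    return
  }
  if ($Env:CURL_CA_BUNDLE -ne "${bundle}") {
    Write-Host "CURL_CA_BUNDLE" -NoNewline
    setx CURL_CA_BUNDLE "${bundle}"
    $Env:CURL_CA_BUNDLE = "${bundle}"
  }
}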
# Node.JS
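function configure_node_js{
  # Add the Netskope bundle to Node.js's trust store through
  # NODE_EXTRA_CA_CERTS (appended to Node's built-in roots, not replacing them).
  # Reads the script-level $bundle. setx persists the value for new sessions
  # only, so the current process environment is updated too.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "NODE_EXTRA_CA_CERTS not set: bundle $bundle does not exist"
    return
  }
  if ($Env:NODE_EXTRA_CA_CERTS -ne "${bundle}") {
    Write-Host "NODE_EXTRA_CA_CERTS" -NoNewline
    setx NODE_EXTRA_CA_CERTS "${bundle}"
    $Env:NODE_EXTRA_CA_CERTS = "${bundle}"
  }
}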
# Git CLI
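function configure_git{
  # Git reads a CA *file* from GIT_SSL_CAINFO (http.sslCAInfo). GIT_SSL_CAPATH
  # (http.sslCAPath) expects a directory of hashed certificates, so pointing it
  # at the PEM bundle never made git trust the Netskope certificate.
  # Reads the script-level $bundle. setx persists the value for new sessions
  # only, so the current process environment is updated too.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "GIT_SSL_CAINFO not set: bundle $bundle does not exist"
    return
  }
  if ($Env:GIT_SSL_CAINFO -ne "${bundle}") {
    Write-Host "GIT_SSL_CAINFO" -NoNewline
    setx GIT_SSL_CAINFO "${bundle}"
    $Env:GIT_SSL_CAINFO = "${bundle}"
  }
}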
# Azure CLI
function configure_az{
  # The Azure CLI is a Python/requests application, so it honours the same
  # REQUESTS_CA_BUNDLE variable that configure_python sets; nothing else to do.
  & configure_python
}
# AWS CLI
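function configure_aws{
  # Point the AWS CLI at the Netskope bundle through AWS_CA_BUNDLE.
  # Reads the script-level $bundle. setx persists the value for new sessions
  # only, so the current process environment is updated too.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "AWS_CA_BUNDLE not set: bundle $bundle does not exist"
    return
  }
  if ($Env:AWS_CA_BUNDLE -ne "${bundle}") {
    Write-Host "AWS_CA_BUNDLE" -NoNewline
    setx AWS_CA_BUNDLE "${bundle}"
    $Env:AWS_CA_BUNDLE = "${bundle}"
  }
}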
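function configure_gcloud{
  # Tell the Google Cloud SDK to validate TLS against the Netskope bundle.
  # gcloud is an external command; its exit code is surfaced because nothing
  # else in the script would report a failed configuration.
  if (-not (Test-Path -LiteralPath $bundle)) {
    Write-Warning "gcloud not configured: bundle $bundle does not exist"
    return
  }
  gcloud config set core/custom_ca_certs_file "$bundle"
  if ($LASTEXITCODE -ne 0) {
    Write-Warning "gcloud config set core/custom_ca_certs_file failed (exit code $LASTEXITCODE)"
  }
}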
# Eclipse
# function configure_java{
# # get java version to specify the PATH
# $java_version = /usr/libexec/java_home -v 1.8
# # add cert to java keystore
# &"C:\Program Files\Java\jdk-$java_version\bin>/keytool \
# -import -alias netskope-cert-bundle \
# -storepass changeit \
# -file $bundle -noprompt
# "
# }
function configure_composer{
  # Global Composer setting so every PHP project validates TLS against the
  # Netskope bundle. Reads the script-level $bundle.
  $composerArgs = @('config', '--global', 'cafile', $bundle)
  & composer @composerArgs
}
function configure_nmp{
  # Make npm validate TLS against the Netskope bundle. Reads the script-level
  # $bundle. The dispatcher in MAIN calls "configure_<tool name>", so this
  # function's name must match the "nmp" entry in $tools exactly.
  $npmArgs = @('config', 'set', 'cafile', $bundle)
  & npm @npmArgs
}
# function configure_Android_Studio{
# bash -c "
# # Add cert to Android keystore for Android Studio
# /Applications/Android\ Studio.app/Contents/jre/Contents/Home/bin/keytool \
# -import -alias netskope-cert-bundle -keystore \
# /Applications/Android\ Studio.app/Contents/jre/Contents/Home/lib/security/cacerts -storepass changeit \
# -file $bundle -noprompt
# "
# }
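function tool_exists{
  # Returns $true when $command resolves to something Get-Command can find
  # (executable on PATH, cmdlet, function or alias), otherwise $false.
  # -ErrorAction on the call replaces the try/catch that temporarily rewrote
  # the global $ErrorActionPreference.
  Param ($command)
  return [bool](Get-Command -Name $command -ErrorAction SilentlyContinue)
}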
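function generate_bundle{
  # Write every certificate from the CA stores as a PEM bundle to $bundle.
  # Only the Root, AuthRoot and CA stores are read: "Cert: -Recurse" also walks
  # the personal (My) and Disallowed stores, and a certificate in Disallowed is
  # explicitly distrusted by Windows, yet the old bundle would have turned it
  # into a trust anchor for every tool configured by this script.
  $stores = @(
    'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\AuthRoot', 'Cert:\CurrentUser\CA'
  )
  $pem = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue `
    | Where-Object { $_.RawData -ne $null } `
    | Sort-Object -Property Thumbprint -Unique `
    | ForEach-Object {
        "-----BEGIN CERTIFICATE-----"
        [System.Convert]::ToBase64String($_.RawData, "InsertLineBreaks")
        "-----END CERTIFICATE-----"
        ""
      }
  # LF-only line endings and ASCII, as the consuming tools expect plain PEM.
  (($pem -replace "`r", "") -join "`n") `
    | Out-File -Encoding ascii "$bundle" -NoNewline
}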
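#################### MAIN ##########################
# first list of supported command line tools
# Each entry is dispatched as "configure_<name>", so every name here needs a
# matching function above (e.g. "nmp" -> configure_nmp).
$tools = @(
"aws"
"az"
"curl"
"openssl"
"git"
"python"
# "java"
"gcloud"
"composer"
# "nmp" # stands for aws_cdk
)
# the list of supported apps
$apps=@(
# "Android Studio"
# "Salesforce Apex Dataloader"
# "Node.JS"
)
# Netskope directory
$ns_data_dir="$env:ProgramData\Netskope\STAgent\download"
# path to the bundle
$bundle="$ns_data_dir\netskope-cert-bundle.pem"
# generate cert bundle
if (Test-Path -LiteralPath "$bundle") {
  Write-Host "Certificate bundle already exists"
} else {
  generate_bundle
}
# Stop if no bundle could be produced: pointing every tool at a missing CA file
# would break their TLS validation outright instead of fixing it.
if (-not (Test-Path -LiteralPath "$bundle")) {
  Write-Error "Certificate bundle $bundle was not created"
  exit 1
}
Write-Host "Bundle location : $bundle"
# configure command line tools
foreach ($i in $tools) {
  if (tool_exists $i) {
    # Write-Host "$i : "
    &"configure_$i"
  }
}
# # configure apps
# foreach ($i in $apps)
# {
# if (app_exists $i)
# {
# Write-Host $1
# &"configure_$i"
# }
# }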
# THIS SCRIPT IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# BY USING THIS SCRIPT, YOU AGREE TO USE IT AT YOUR OWN RISK.
#!/bin/zsh
# ./configure_tools.sh
# check if the command returns the SSLError
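test(){
  # Run the command given in $1 (after re-sourcing the startup file so freshly
  # exported *_CA_BUNDLE variables are visible) and return 0 when any line of
  # its output mentions "SSL", 1 otherwise.
  # NOTE: this definition is replaced by the second `test()` further down, and
  # the name shadows the shell's `test` builtin ([ ... ] is unaffected).
  # $1 is left unquoted on purpose: under bash it word-splits into command and
  # arguments (zsh does not split by default - TODO confirm intended shell).
  local line
  local ssl_error_exists=false
  if [[ -n "$shell" && -r "$shell" ]]; then
    source "$shell"
  fi
  while IFS= read -r line; do
    if [[ "$line" == *"SSL"* ]]; then
      ssl_error_exists=true
    fi
  done < <($1 2>&1)
  [[ "$ssl_error_exists" == true ]]
}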
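export_env_var(){
  # Export the variable named in $1 (e.g. REQUESTS_CA_BUNDLE) pointing at the
  # Netskope bundle, both in the current shell and persistently in $shell.
  # $bundle holds a backslash-escaped path (see MAIN); those escapes only mean
  # something when a shell re-parses the string, so the plain path is used for
  # the live export and the rc line is written single-quoted instead.
  local var_name=$1
  local bundle_path=${bundle//\\/}
  # printenv NAME prints only that variable's value (empty when unset).
  if [[ "$(printenv "$var_name")" != "$bundle_path" ]]; then
    # need to backup the shell startup script before editing
    backup
    # persist for future sessions
    printf "export %s='%s'\n" "$var_name" "$bundle_path" >> "$shell"
    # export to the current window
    export "$var_name=$bundle_path"
  fi
}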
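backup(){
  # Copy the startup file ($shell) to "$shell-<epoch>" once per run, guarded by
  # the global have_backup flag, before export_env_var appends to it.
  local backup_file
  if [[ "$have_backup" != true ]]; then
    if [[ -f "$shell" ]]; then
      backup_file="$shell-$(date +%s)"
      echo "Backing up $shell to $backup_file"
      if ! cp -- "$shell" "$backup_file"; then
        >&2 echo "Warning: could not back up $shell"
      fi
    else
      # nothing to preserve yet; the first export creates the file
      echo "No existing $shell to back up"
    fi
    have_backup=true
  fi
}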
configure_python(){
  # python-requests reads its CA file from REQUESTS_CA_BUNDLE
  local var=REQUESTS_CA_BUNDLE
  export_env_var "$var"
}
configure_openssl(){
  # the OpenSSL CLI reads its CA file from SSL_CERT_FILE
  local var=SSL_CERT_FILE
  export_env_var "$var"
}
configure_curl(){
  # curl reads its CA file from CURL_CA_BUNDLE
  local var=CURL_CA_BUNDLE
  export_env_var "$var"
}
configure_node_js(){
  # Node.js appends the file in NODE_EXTRA_CA_CERTS to its built-in roots
  local var=NODE_EXTRA_CA_CERTS
  export_env_var "$var"
}
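configure_git(){
  # Git takes a CA *file* from GIT_SSL_CAINFO (http.sslCAInfo). GIT_SSL_CAPATH
  # (http.sslCAPath) expects a directory of hashed certificates, so pointing it
  # at the PEM bundle never made git trust the Netskope certificate.
  export_env_var GIT_SSL_CAINFO
}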
configure_az(){
  # The Azure CLI is python/requests based. When a python interpreter is on
  # PATH, configure_python already exports REQUESTS_CA_BUNDLE; otherwise do it
  # here.
  tool_exists python || export_env_var REQUESTS_CA_BUNDLE
}
# AWS CLI
configure_aws(){
  # aws configure set default.ca_bundle $bundle
  # the AWS CLI reads its CA file from AWS_CA_BUNDLE
  local var=AWS_CA_BUNDLE
  export_env_var "$var"
}
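configure_gcloud(){
  # Point the Google Cloud SDK at the bundle. The path is passed as a single
  # argument (backslash escapes stripped) instead of being interpolated into a
  # `bash -c` string that the shell then has to re-parse.
  gcloud config set core/custom_ca_certs_file "${bundle//\\/}"
}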
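configure_java(){
  # Add the Netskope bundle to the trust store of the Apple Java applet
  # plug-in's JRE. Without -keystore, keytool writes to ~/.keystore, which the
  # JVM's default trust manager never consults, so the import fixed nothing.
  # Assumes the standard JRE layout (lib/security/cacerts under the JRE home,
  # default store password "changeit") - confirm for this installation.
  # NOTE(review): keytool -importcert stores one trusted certificate per
  # alias; confirm the first certificate in the bundle is the intended one.
  # Writing to this cacerts file may require elevated permissions.
  local java_home="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home"
  "$java_home/bin/keytool" -import -alias netskope-cert-bundle \
    -keystore "$java_home/lib/security/cacerts" \
    -storepass changeit \
    -file "${bundle//\\/}" -noprompt
}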
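configure_composer(){
  # Global Composer setting so every PHP project validates TLS against the
  # bundle. The path is passed as one argument (escapes stripped) rather than
  # interpolated into a `bash -c` string for re-parsing.
  composer config --global cafile "${bundle//\\/}"
}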
# aws_cdk
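configure_npm(){
  # Make npm validate TLS against the bundle. The path is passed as one
  # argument (escapes stripped) rather than interpolated into a `bash -c`
  # string for re-parsing.
  npm config set cafile "${bundle//\\/}"
}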
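configure_android_studio_app(){
  # Add cert to Android keystore for Android Studio
  # keytool and its cacerts file are addressed directly, so the space in the
  # app path needs no backslash escaping and $bundle is not re-parsed by
  # `bash -c`. The keystore path and "changeit" password are the ones the
  # original script used - confirm they still match the installed version.
  local jre_home="/Applications/Android Studio.app/Contents/jre/Contents/Home"
  "$jre_home/bin/keytool" -import -alias netskope-cert-bundle \
    -keystore "$jre_home/lib/security/cacerts" -storepass changeit \
    -file "${bundle//\\/}" -noprompt
}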
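test(){
  # Run the command given in $1 and print FAIL when any line of its combined
  # output mentions "SSL", SUCCESS otherwise. This is the definition that wins
  # (it overrides the earlier `test()`), and it shadows the `test` builtin;
  # [ ... ] is unaffected.
  # ssl_error_exists is local so a previous call can no longer make every
  # later call report FAIL.
  # $1 is left unquoted on purpose: under bash it word-splits into command and
  # arguments (zsh does not split by default - TODO confirm intended shell).
  local line
  local ssl_error_exists=false
  while IFS= read -r line; do
    if [[ "$line" == *"SSL"* ]]; then
      ssl_error_exists=true
    fi
  done < <($1 2>&1)
  if [[ "$ssl_error_exists" == true ]]; then
    echo 'FAIL'
  else
    echo 'SUCCESS'
  fi
}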
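tool_exists(){
  # Return 0 when $1 is available: names ending in ".app" are looked up as a
  # bundle directory under /Applications, anything else on PATH.
  # $1 is quoted throughout, so callers must pass app names containing spaces
  # as a single argument (the original `ls /Applications` substring match also
  # matched any app whose name merely contained $1).
  local name=$1
  if [[ "$name" == *.app ]]; then
    [[ -d "/Applications/$name" ]]
    return
  fi
  command -v "$name" >/dev/null 2>&1
}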
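get_shell(){
  # Choose the startup file to edit from the login shell in $SHELL: bash users
  # get ~/.bash_profile, everyone else (zsh is the macOS default) ~/.zshrc.
  # Sets the global $shell and, like the original, prints $SHELL for the log.
  printf '%s\n' "$SHELL"
  if [[ "$SHELL" == *bash* ]]; then
    shell="$HOME/.bash_profile"
  else
    shell="$HOME/.zshrc"
  fi
}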
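################################# MAIN ###################################
ns_data_dir="/Library/Application\ Support/Netskope/STAgent/data"
# sudo sh -c "cat '/Library/Application Support/Netskope/STAgent/data/nscacert.pem' '/Library/Application Support/Netskope/STAgent/data/nstenantcert.pem' > '/Library/Application Support/Netskope/STAgent/data/netskope-cert-bundle.pem'"
bundle="$ns_data_dir/netskope-cert-bundle.pem"
# $ns_data_dir and $bundle keep their backslash-escaped form because the
# configure_* helpers interpolate them into `bash -c` strings. The plain paths
# used below are derived by stripping the escapes; the original `[ -f "$bundle" ]`
# tested the escaped string, which never exists, so the bundle was rebuilt
# (with sudo) on every run.
real_dir=${ns_data_dir//\\/}
real_bundle=${bundle//\\/}
# check if using bash or zsh
get_shell
echo "Bundle location : $bundle"
echo "Shell : $shell"
# generate cert bundle
if [ -f "$real_bundle" ]; then
  echo "Certificate bundle already exists"
else
  # generate bundle
  cacert="$real_dir/nscacert.pem"
  tenantcert="$real_dir/nstenantcert.pem"
  # Mozilla's included-roots PEM. It is fetched over HTTPS only; there is no
  # further integrity check on the download before it becomes trusted.
  CA="https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites"
  ca_download=$(mktemp) || exit 1
  # -f makes HTTP errors fail the download so an error page never lands in the
  # bundle; the download happens first so a failed fetch leaves no half bundle.
  if ! curl -fsSL -o "$ca_download" "$CA"; then
    >&2 echo "Failed to download the Mozilla root store from $CA"
    rm -f -- "$ca_download"
    exit 1
  fi
  # Paths are passed as positional arguments, not interpolated into the sh -c
  # string, so the space in the Netskope directory needs no escaping.
  if ! sudo sh -c 'cat "$1" "$2" "$3" > "$4"' sh "$tenantcert" "$cacert" "$ca_download" "$real_bundle"; then
    >&2 echo "Failed to write $real_bundle"
    rm -f -- "$ca_download"
    exit 1
  fi
  rm -f -- "$ca_download"
fi
# list of supported tools
declare -a tools=(
"aws"
"az"
"curl"
"openssl"
"git"
"java"
"python"
"gcloud"
"npm"
"composer"
"Android Studio.app"
"Node.JS.app"
# "Salesforce Apex Dataloader"
)
have_backup=false # no backup created yet
# configure each tool
for tool in "${tools[@]}"; do
  echo "Checking for presence of $tool"
  # "$tool" is quoted: unquoted, "Android Studio.app" split into two arguments
  # and the .app check never matched.
  if tool_exists "$tool"; then
    # dispatch to configure_<name>, e.g. "Android Studio.app" ->
    # configure_android_studio_app. Not every entry has a function (there is
    # no configure_node_js_app), so the lookup is checked before calling.
    fn="configure_$(printf '%s' "$tool" | tr ' .' _ | tr '[:upper:]' '[:lower:]')"
    if command -v "$fn" >/dev/null 2>&1; then
      echo "Configuring $tool for Netskope"
      "$fn"
    else
      >&2 echo "$tool detected but no $fn function exists"
    fi
  else
    >&2 echo "$tool not detected"
  fi
done
echo "Done"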