#!/bin/bash
set -e
# build the filter regex for mitmproxy --allow-hosts
filter='\b('
first=true
IFS=',' read -ra args <<< "$@"
for arg in "${args[@]}"; do
if [ "$first" = true ] ; then
first=false
else
filter+='|'
fi
filter+=${arg//./\\.}
done
filter+=')(:\d+)?|$'
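# Seconds to wait for mitmdump to come up before giving up.
readonly WAIT_SECONDS=10

# CA certificate that mitmdump generates on its first start (as mitmproxyuser).
ca_cert=/Users/mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.pem

#######################################
# Run "$@" once per second until it succeeds, for at most WAIT_SECONDS seconds.
# Arguments: $1 - progress message printed while waiting; $2.. - command to retry
# Returns:   0 once the command succeeds; exits the script with 1 on timeout
#######################################
wait_for() {
  local message=$1
  shift
  local waited=0
  until "$@"; do
    if [ "$waited" -ge "$WAIT_SECONDS" ]; then
      echo "${WAIT_SECONDS} seconds passed, giving up: $message" >&2
      exit 1
    fi
    echo "$message"
    sleep 1
    waited=$((waited + 1))
  done
}

#######################################
# Print the PID of the mitmdump (Python) process owned by mitmproxyuser that
# is listening on TCP *:8080, or nothing if there is none.
# lsof needs root to see another user's sockets, hence sudo.
#######################################
mitmdump_pid() {
  sudo lsof -i -P -n 2>/dev/null \
    | sed -En 's/Python *([0-9]*) *mitmproxyuser *.*TCP \*:8080 \(LISTEN\)/\1/p' \
    | head -1
}

# Succeeds when mitmdump is accepting connections on 8080.
mitmdump_is_listening() {
  [ -n "$(mitmdump_pid)" ]
}

#######################################
# Append a rule to /etc/sudoers and re-parse the file: a malformed line would
# break every later `sudo` call in this script, so fail here instead.
# Arguments: $1 - the sudoers line to append
#######################################
add_sudoers_rule() {
  echo "$1" | sudo tee -a /etc/sudoers
  sudo visudo -c > /dev/null
}

if [ "$RUNNER_OS" = "macOS" ]; then
  # Passwordless root for the runner account. GitHub-hosted macOS runners
  # already have this; presumably kept for self-hosted runners — confirm.
  add_sudoers_rule "runner ALL=(ALL) NOPASSWD: ALL"

  # Dedicated account for mitmdump, so pf can tell the proxy's own upstream
  # connections apart from the ones it redirects (presumably what pf.conf keys
  # on — check pf.conf). NOTE(review): `-admin` puts the account in the admin
  # group; the proxy should only need the pfctl sudoers rule added below.
  sudo sysadminctl -addUser mitmproxyuser -admin

  # Pinned by version only (no --require-hashes); runs before the proxy is up,
  # so pip talks to PyPI directly. `requests` is for mitm_plugin.py.
  sudo -u mitmproxyuser -H bash -e -c 'cd /Users/mitmproxyuser && \
    python -m venv venv && \
    venv/bin/pip install mitmproxy==11.1.3 requests==2.32.3'
  sudo cp mitm_plugin.py /Users/mitmproxyuser/mitm_plugin.py

  # First run in regular mode, only to make mitmdump generate its CA.
  sudo -u mitmproxyuser -H bash -e -c "cd /Users/mitmproxyuser && \
    /Users/mitmproxyuser/venv/bin/mitmdump &"
  wait_for "Mac: waiting for mitmdump to generate the certificate..." test -f "$ca_cert"

  # Stop it again; it is restarted in transparent mode below.
  echo "kill mitmdump..."
  pid=$(mitmdump_pid)
  if [ -z "$pid" ]; then
    echo "no mitmdump process listening on 8080 found" >&2
    exit 1
  fi
  sudo kill "$pid"

  # Let `security add-trusted-cert` run without a GUI prompt. This relaxes the
  # admin trust-settings authorization right for the whole machine and is
  # never reverted — acceptable on a throw-away CI runner, nowhere else.
  echo "sudo security authorizationdb write com.apple.trust-settings.admin allow..."
  sudo security authorizationdb write com.apple.trust-settings.admin allow

  # Trust the mitmproxy CA system-wide for the ssl and basic policies. The
  # command itself may make HTTPS requests, which is why pf is not set up yet.
  # `-r trustRoot` is the default result type, so passing it changes nothing.
  echo "sudo security add-trusted-cert -d -p ssl -p basic -k /Library/Keychains/System.keychain $ca_cert..."
  sudo security add-trusted-cert -d -p ssl -p basic -k /Library/Keychains/System.keychain "$ca_cert"

  # curl and other OpenSSL-linked tools do not consult the keychain, so append
  # the CA to OPENSSLDIR/cert.pem. The `>>` in `sudo cat f >> dest` is done by
  # the *unprivileged* calling shell, so the write has to go through sudo too.
  echo "sudo cat /Users..."
  openssl_dir=$(openssl version -d | awk '{ gsub(/"/, "", $2); print $2 }')
  sudo cat "$ca_cert" | sudo tee -a "$openssl_dir/cert.pem" > /dev/null

  # Tell clients that ignore the keychain where the CA is. NODE_EXTRA_CA_CERTS
  # *extends* Node's trust store; REQUESTS_CA_BUNDLE, HEX_CACERTS_PATH and
  # AWS_CA_BUNDLE *replace* it, so those clients trust only mitmproxy-issued
  # certificates. Hosts outside --allow-hosts are passed through with their
  # real certificate and will fail verification there — point these at a
  # bundle that also contains the public roots if that matters.
  : "${GITHUB_ENV:?GITHUB_ENV must be set (this script expects to run inside GitHub Actions)}"
  {
    echo "NODE_EXTRA_CA_CERTS=$ca_cert"
    echo "REQUESTS_CA_BUNDLE=$ca_cert"
    echo "HEX_CACERTS_PATH=$ca_cert"
    echo "AWS_CA_BUNDLE=$ca_cert"
  } >> "$GITHUB_ENV"

  echo "Enable IP forwarding."
  sudo sysctl -w net.inet.ip.forwarding=1

  # Load the redirect rules (pf.conf from the current directory) and enable pf.
  sudo pfctl -f pf.conf
  sudo pfctl -e

  # mitmproxy's transparent mode on macOS reads pf's state table through
  # `sudo pfctl -s state`. Grant that to the proxy user only, not to `ALL`.
  add_sudoers_rule "mitmproxyuser ALL=NOPASSWD: /sbin/pfctl -s state"

  # Finally start mitmdump in transparent mode. Everything that comes from the
  # workflow (token, host list, runner variables) is passed through the
  # environment and expanded by the inner single-quoted script, so a quote or
  # `$` in any value cannot break out of the command line. The values still
  # end up in mitmdump's argv via --set, readable by any local user with `ps`.
  # For debugging add `--set termlog_verbosity=debug --set proxy_debug=true`.
  hosts_csv=$(IFS=','; printf '%s' "$*")
  sudo -u mitmproxyuser -H \
    env MITM_ALLOW_HOSTS="$filter" \
        MITM_HOSTS="$hosts_csv" \
        INPUT_TOKEN="${INPUT_TOKEN:-}" \
        RUNNER_DEBUG="${RUNNER_DEBUG:-}" \
        ACTIONS_ID_TOKEN_REQUEST_URL="${ACTIONS_ID_TOKEN_REQUEST_URL:-}" \
        ACTIONS_ID_TOKEN_REQUEST_TOKEN="${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" \
        GITHUB_REPOSITORY_ID="${GITHUB_REPOSITORY_ID:-}" \
        GITHUB_REPOSITORY="${GITHUB_REPOSITORY:-}" \
        GITHUB_API_URL="${GITHUB_API_URL:-}" \
    bash -e -c 'cd /Users/mitmproxyuser && /Users/mitmproxyuser/venv/bin/mitmdump \
      --mode transparent \
      --showhost \
      --allow-hosts "$MITM_ALLOW_HOSTS" \
      -q \
      -s /Users/mitmproxyuser/mitm_plugin.py \
      --set output=/Users/mitmproxyuser/out.txt \
      --set token="$INPUT_TOKEN" \
      --set hosts="$MITM_HOSTS" \
      --set debug="$RUNNER_DEBUG" \
      --set ACTIONS_ID_TOKEN_REQUEST_URL="$ACTIONS_ID_TOKEN_REQUEST_URL" \
      --set ACTIONS_ID_TOKEN_REQUEST_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
      --set GITHUB_REPOSITORY_ID="$GITHUB_REPOSITORY_ID" \
      --set GITHUB_REPOSITORY="$GITHUB_REPOSITORY" \
      --set GITHUB_API_URL="$GITHUB_API_URL" \
      &'

  wait_for "waiting for mitmdump to start..." mitmdump_is_listening
  echo "pid is $(mitmdump_pid)"
else
  echo "Unknown OS: $RUNNER_OS"
  exit 1
fi
echo "--all done--"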