Skip to content
Snippets Groups Projects
main.go 11.2 KiB
Newer Older
Max Adamo's avatar
Max Adamo committed
package main

import (
Max Adamo's avatar
Max Adamo committed
	"crypto/x509"
	"encoding/pem"
Max Adamo's avatar
Max Adamo committed
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"path/filepath"
Max Adamo's avatar
Max Adamo committed
	"strconv"
Max Adamo's avatar
Max Adamo committed
	"strings"
Max Adamo's avatar
Max Adamo committed
	"time"
Max Adamo's avatar
Max Adamo committed

	"github.com/docopt/docopt-go"
	"github.com/go-ini/ini"
	"github.com/tidwall/gjson"
)

var (
Max Adamo's avatar
Max Adamo committed
	appVersion             string
	buildTime              string
	CertBase               string
	KeyBase                string
	GroupName              string
	RedisBaseURL           string
	VaultBaseURL           string
	certificateDestination string
	fullchainDestination   string
	keyDestination         string
	caDestination          string
	Type                   string
Max Adamo's avatar
Max Adamo committed
)

Max Adamo's avatar
Max Adamo committed
// app clean and exit
Max Adamo's avatar
Max Adamo committed
func appExit(status int) {
Max Adamo's avatar
Max Adamo committed
	err := os.RemoveAll("/tmp/acme-downloader")
	if err != nil {
Max Adamo's avatar
Max Adamo committed
	}
	os.Exit(status)
}

Max Adamo's avatar
Max Adamo committed
// check certificates
func checkCerificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, fail bool) bool {

Max Adamo's avatar
Max Adamo committed
	Seconds := days * 86400
Max Adamo's avatar
Max Adamo committed
	daysNumber := time.Now().Local().Add(time.Second * time.Duration(Seconds))

	certPEM, err := ioutil.ReadFile(certificate)
	if err != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] %v\n", err)
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	certFullchainPEM, err := ioutil.ReadFile(fullchain)
	if err != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] %v\n", err)
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	rootPEM, err := ioutil.ReadFile(ca)
	if err != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] %v\n", err)
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	roots := x509.NewCertPool()
	ok := roots.AppendCertsFromPEM([]byte(rootPEM))
	if !ok {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse root certificate\n")
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate PEM\n")
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate %v\n", err)
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	fullchainBlock, _ := pem.Decode([]byte(certFullchainPEM))
	if fullchainBlock == nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate PEM\n")
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}
	fullchainCert, fullchainErr := x509.ParseCertificate(fullchainBlock.Bytes)
	if fullchainErr != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate %v\n", fullchainErr)
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}

	opts := x509.VerifyOptions{
		Roots:         roots,
		DNSName:       dnsname,
		CurrentTime:   daysNumber,
		Intermediates: x509.NewCertPool(),
	}

	if _, err := cert.Verify(opts); err != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate %v\n", err.Error())
Max Adamo's avatar
Max Adamo committed
			appExit(255)
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}
	if _, fullchainErr := fullchainCert.Verify(opts); fullchainErr != nil {
		if fail == true {
Max Adamo's avatar
Max Adamo committed
			fmt.Printf("[ERROR] failed to parse certificate %v\n", err.Error())
Max Adamo's avatar
Max Adamo committed
		} else {
			return false
		}
	}
	return true

}

Max Adamo's avatar
Max Adamo committed
// get redis key
func GetRedisKey(redisurl string, redistoken string) string {
	client := &http.Client{}
	req, err := http.NewRequest("GET", redisurl, nil)
Max Adamo's avatar
Max Adamo committed
	if err != nil {
		fmt.Printf("[ERROR] Fail to read %v: %v\n", redisurl, err)
		appExit(255)
	}
Max Adamo's avatar
Max Adamo committed
	req.SetBasicAuth("redis", redistoken)
	resp, err := client.Do(req)
	body, err := ioutil.ReadAll(resp.Body)
Max Adamo's avatar
Max Adamo committed
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		fmt.Printf("[ERROR] Fail to fetch %v\n", redisurl)
		appExit(255)
	}
Max Adamo's avatar
Max Adamo committed
	defer resp.Body.Close()
	if err != nil {
Max Adamo's avatar
Max Adamo committed
		fmt.Printf("[ERROR] Fail to read %v: %v\n", redisurl, err)
Max Adamo's avatar
Max Adamo committed
		appExit(255)
Max Adamo's avatar
Max Adamo committed
	}
	return fmt.Sprintf(string(body))
}

Max Adamo's avatar
Max Adamo committed
// get Vault key
func GetVaultKey(vaulturl string, vaulttoken string) string {
	vaultClient := &http.Client{}
	req, err := http.NewRequest("GET", vaulturl, nil)
Max Adamo's avatar
Max Adamo committed
	if err != nil {
		fmt.Printf("[ERROR] Fail to read %v: %v\n", vaulturl, err)
		appExit(255)
	}
Max Adamo's avatar
Max Adamo committed
	req.Header.Add("X-vault-token", vaulttoken)
	resp, err := vaultClient.Do(req)
	body, err := ioutil.ReadAll(resp.Body)
Max Adamo's avatar
Max Adamo committed
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		fmt.Printf("[ERROR] Fail to fetch %v\n", vaulturl)
		appExit(255)
	}
Max Adamo's avatar
Max Adamo committed
	defer resp.Body.Close()
	if err != nil {
		fmt.Printf("[ERROR] Fail to read %v: %v\n", vaulturl, err)
Max Adamo's avatar
Max Adamo committed
		appExit(255)
Max Adamo's avatar
Max Adamo committed
	}
	return gjson.Get(string(body), "data.value").String()
}

Max Adamo's avatar
Max Adamo committed
// create directory structure and write certificate to file
func WriteToFile(content string, destination string, groupname string, filemode os.FileMode, dirmode os.FileMode) {
	baseDir := filepath.Dir(destination)
	if _, err := os.Stat(baseDir); os.IsNotExist(err) {
		os.MkdirAll(baseDir, 0755)
	}
	os.Chmod(baseDir, dirmode)

	file, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE, filemode)
	if err != nil {
Max Adamo's avatar
Max Adamo committed
		fmt.Printf("[ERROR] %v cannot be created\n", destination)
Max Adamo's avatar
Max Adamo committed
		appExit(255)
Max Adamo's avatar
Max Adamo committed
	}

	fmt.Fprintf(file, "%v\n", content)
	file.Close()
}

// ReadOSRelease from /etc/os-release
func ReadOSRelease(configfile string) map[string]string {
Max Adamo's avatar
Max Adamo committed
	ConfigParams := make(map[string]string)
Max Adamo's avatar
Max Adamo committed
	cfg, err := ini.Load(configfile)
	if err != nil {
Max Adamo's avatar
Max Adamo committed
		ConfigParams["ID"] = "unknown"
	} else {
		ConfigParams["ID"] = cfg.Section("").Key("ID").String()
Max Adamo's avatar
Max Adamo committed
	}

	return ConfigParams
}

func main() {

	OSInfo := ReadOSRelease("/etc/os-release")
	OSRelease := OSInfo["ID"]
	if OSRelease == "centos" || OSRelease == "rhel" {
		CertBase = "/etc/pki/tls/certs"
		KeyBase = "/etc/pki/tls/private"
		GroupName = "root"
	} else if OSRelease == "ubuntu" || OSRelease == "debian" {
		CertBase = "/etc/ssl/certs"
		KeyBase = "/etc/ssl/private"
		GroupName = "ssl-cert"
Max Adamo's avatar
Max Adamo committed
	} else if OSRelease == "arch" {
		CertBase = "/etc/ssl/certs"
		KeyBase = "/etc/ssl/private"
		GroupName = "root"
Max Adamo's avatar
Max Adamo committed
	} else if OSRelease == "unknown" {
		CertBase = "/PATH/TO/CERTIFICATE"
		KeyBase = "/PATH/TO/PRIV/KEY"
		GroupName = "root"
Max Adamo's avatar
Max Adamo committed
	}

	usage := fmt.Sprintf(`ACME Downloader:
  - fetches and stores a given Certificate, Full Chain, CA and Private Key

Usage:
  acme-downloader --redis-token=REDISTOKEN --vault-token=VAULTTOKEN --cert-name=CERTNAME --team-name=TEAMNAME [--days=DAYS] [--type=TYPE] [--cert-destination=CERTDESTINATION] [--fullchain-destination=FULLCHAINDESTINATION] [--key-destination=KEYDESTINATION] [--ca-destination=CADESTINATION]
  acme-downloader -v | --version
  acme-downloader -b | --build
  acme-downloader -h | --help

Options:
  -h --help                                     Show this screen
  -v --version                                  Print version exit
  -b --build                                    Print version and build information and exit
  --redis-token=REDISTOKEN                      Redis access token
  --vault-token=VAULTTOKEN                      Vault access token
  --cert-name=CERTNAME                          Certificate name
  --team-name=TEAMNAME                          Team name: swd, dream_team, it, ne, ti...
  --days=DAYS                                   Days before expiration [default: 30]
  --type=TYPE                                   Type, EV or OV [default: EV]
  --cert-destination=CERTDESTINATION            Cert Destination [default: %v/<cert-name>.crt]
  --fullchain-destination=FULLCHAINDESTINATION  Full Chain Destination[default: %v/<cert-name>_fullchain.crt]
  --key-destination=KEYDESTINATION              Key Destination [default: %v/<cert-name>.key]
  --ca-destination=CADESTINATION                CA Destination [default: %v/COMODO_<type>.crt]
`, CertBase, CertBase, KeyBase, CertBase)

	arguments, _ := docopt.Parse(usage, nil, true, appVersion, false)

	if arguments["--build"] == true {
		fmt.Printf("acme-downloader version: %v, built on: %v\n", appVersion, buildTime)
Max Adamo's avatar
Max Adamo committed
		appExit(0)
Max Adamo's avatar
Max Adamo committed
	}

	VaultToken := arguments["--vault-token"].(string)
	CertName := arguments["--cert-name"].(string)
	CertNameUndercored := strings.Replace(CertName, ".", "_", -1)
	TeamName := arguments["--team-name"].(string)
	RedisToken := arguments["--redis-token"].(string)
	Type = arguments["--type"].(string)
Max Adamo's avatar
Max Adamo committed
	DayString := arguments["--days"].(string)
	Days, daysErr := strconv.Atoi(DayString)
	if daysErr != nil {
Max Adamo's avatar
Max Adamo committed
		fmt.Printf("Days mut be an integer\n")
Max Adamo's avatar
Max Adamo committed
		appExit(255)
Max Adamo's avatar
Max Adamo committed
	}
Max Adamo's avatar
Max Adamo committed
	RedisBaseURL = "https://redis.geant.org/GET"
	VaultBaseURL = "https://vault.geant.org/v1"
	VaultURL := fmt.Sprintf("%v/%v/%v/vault_%v_key", VaultBaseURL, TeamName, CertName, CertNameUndercored)
	RedisCertURL := fmt.Sprintf("%v/%v:%v:redis_%v_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
	RedisCAURL := fmt.Sprintf("%v/%v:%v:redis_%v_chain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
	RedisFullChainURL := fmt.Sprintf("%v/%v:%v:redis_%v_fullchain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)

	if arguments["--cert-destination"] == fmt.Sprintf("%v/<cert-name>.crt", CertBase) {
		certificateDestination = fmt.Sprintf("%v/%v.crt", CertBase, CertName)
	} else {
		certificateDestination = arguments["--cert-destination"].(string)
	}
	if arguments["--fullchain-destination"] == fmt.Sprintf("%v/<cert-name>_fullchain.crt", CertBase) {
		fullchainDestination = fmt.Sprintf("%v/%v_fullchain.crt", CertBase, CertName)
	} else {
		fullchainDestination = arguments["--fullchain-destination"].(string)
	}
Max Adamo's avatar
Max Adamo committed
	if arguments["--ca-destination"] == fmt.Sprintf("%v/COMODO_<type>.crt", CertBase) {
		caDestination = fmt.Sprintf("%v/COMODO_%v.crt", CertBase, Type)
	} else {
		caDestination = arguments["--ca-destination"].(string)
	}
Max Adamo's avatar
Max Adamo committed
	if arguments["--key-destination"] == fmt.Sprintf("%v/<cert-name>.key", KeyBase) {
		keyDestination = fmt.Sprintf("%v/%v.key", KeyBase, CertName)
	} else {
		keyDestination = arguments["--key-destination"].(string)
	}
Max Adamo's avatar
Max Adamo committed

	// check if there is a certificate installed and it is valid
	existingCert := checkCerificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
	if existingCert == true {
Max Adamo's avatar
Max Adamo committed
		fmt.Printf("the certificates are still valid\n")
Max Adamo's avatar
Max Adamo committed
		appExit(0)
Max Adamo's avatar
Max Adamo committed
	}
Max Adamo's avatar
Max Adamo committed
	certificate := GetRedisKey(RedisCertURL, RedisToken)
	ca := GetRedisKey(RedisCAURL, RedisToken)
	fullChain := GetRedisKey(RedisFullChainURL, RedisToken)
Max Adamo's avatar
Max Adamo committed
	privKey := GetVaultKey(VaultURL, VaultToken)
Max Adamo's avatar
Max Adamo committed

Max Adamo's avatar
Max Adamo committed
	// download and test certificates on a temporary location
	tmpCertificateDestination := "/tmp/acme-downloader/cert/amce_cert.pem"
	tmpFullchainDestination := "/tmp/acme-downloader/cert/amce_fullchain.pem"
	tmpCaDestination := "/tmp/acme-downloader/cert/amce_ca.pem"
	tmpKeyDestination := "/tmp/acme-downloader/key/amce_key.pem"
Max Adamo's avatar
Max Adamo committed
	WriteToFile(certificate, tmpCertificateDestination, GroupName, 0644, 0755)
	WriteToFile(fullChain, tmpFullchainDestination, GroupName, 0644, 0755)
	WriteToFile(ca, tmpCaDestination, GroupName, 0644, 0755)
	WriteToFile(privKey, tmpKeyDestination, GroupName, 0640, 0750)
Max Adamo's avatar
Max Adamo committed

	checkCerificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, true)
Max Adamo's avatar
Max Adamo committed

Max Adamo's avatar
Max Adamo committed
	WriteToFile(certificate, certificateDestination, GroupName, 0644, 0755)
	WriteToFile(fullChain, fullchainDestination, GroupName, 0644, 0755)
	WriteToFile(ca, caDestination, GroupName, 0644, 0755)
	WriteToFile(privKey, keyDestination, GroupName, 0640, 0750)

	fmt.Printf("installed: %v\n", certificateDestination)
	fmt.Printf("installed: %v\n", caDestination)
	fmt.Printf("installed: %v\n", fullchainDestination)
	fmt.Printf("installed: %v\n", keyDestination)

Max Adamo's avatar
Max Adamo committed
	// Exit 1 means application needs to be reloaded
Max Adamo's avatar
Max Adamo committed
	appExit(1)

Max Adamo's avatar
Max Adamo committed
}