From 339a2256cc832b2e27b3f2ec54c6c9302bd2a71a Mon Sep 17 00:00:00 2001
From: Massimiliano Adamo <maxadamo@gmail.com>
Date: Tue, 24 Nov 2020 13:08:28 +0100
Subject: [PATCH] try to use go get

---
 build.sh | 4 +-
 main.go | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 140 insertions(+), 9 deletions(-)

diff --git a/build.sh b/build.sh
index 4bf468e..0f5fe97 100755
--- a/build.sh
+++ b/build.sh
@@ -15,8 +15,8 @@ PROG_VERSION="1.0"
 BUILDTIME=$(date -u '+%Y-%m-%d_%H:%M:%S')
 rm -rf ${GOPATH}/src/github.com/maxadamo/${BIN_NAME}
-#go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" github.com/maxadamo/${BIN_NAME}
-go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" .
+go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" gitlab.geant.net/devops/${BIN_NAME}
+#go get -ldflags "-s -w -X main.appVersion=${PROG_VERSION} -X main.buildTime=${BUILDTIME}" .
 # upx --brute ${GOPATH}/bin/${BIN_NAME}
 if [ $? -gt 0 ]; then
diff --git a/main.go b/main.go
index 349a7c3..314f075 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,8 @@
 package main
 import (
+ "crypto/x509"
+ "encoding/pem"
 "fmt"
 "io/ioutil"
 "log"
@@ -8,6 +10,7 @@ import (
 "os"
 "path/filepath"
 "strings"
+ "time"
 "github.com/docopt/docopt-go"
 "github.com/go-ini/ini"
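Review bot: The new `go get` line builds the release binary from `gitlab.geant.net/devops/${BIN_NAME}` at whatever revision the remote serves at build time, with no tag, commit or checksum pinned, so the artifact is neither reproducible nor verifiable against a known source. Pin it, e.g. `go get -ldflags "..." gitlab.geant.net/devops/${BIN_NAME}@v${PROG_VERSION}` once the module is tagged (module mode only), or keep building from the checked-out tree and leave the remote fetch for CI where the checkout is already trusted. The `rm -rf ${GOPATH}/src/...` context line is unquoted and unguarded, so with `GOPATH` unset it deletes under `/src/`; `: "${GOPATH:?GOPATH must be set}"` near the top of the script (outside this hunk) would make that safe.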
@@ -29,6 +32,109 @@ var (
 Type string
 )
+// check certificates
+func checkCerificates(dnsname string, certificate string, fullchain string, ca string, key string, days int, fail bool) bool {
+ Seconds := days * 86400
+
+ daysNumber := time.Now().Local().Add(time.Second * time.Duration(Seconds))
+
+ //fmt.Printf(daysNumber)
+ certPEM, err := ioutil.ReadFile(certificate)
+ if err != nil {
+ if fail == true {
+ log.Fatal(err)
+ } else {
+ return false
+ }
+ }
+
+ certFullchainPEM, err := ioutil.ReadFile(fullchain)
+ if err != nil {
+ if fail == true {
+ log.Fatal(err)
+ } else {
+ return false
+ }
+ }
+
+ rootPEM, err := ioutil.ReadFile(ca)
+ if err != nil {
+ if fail == true {
+ log.Fatal(err)
+ } else {
+ return false
+ }
+ }
+
+ roots := x509.NewCertPool()
+ ok := roots.AppendCertsFromPEM([]byte(rootPEM))
+ if !ok {
+ if fail == true {
+ panic("failed to parse root certificate")
+ } else {
+ return false
+ }
+ }
+
+ block, _ := pem.Decode([]byte(certPEM))
+ if block == nil {
+ if fail == true {
+ panic("failed to parse certificate PEM")
+ } else {
+ return false
+ }
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ if fail == true {
+ panic("failed to parse certificate: " + err.Error())
+ } else {
+ return false
+ }
+ }
+
+ fullchainBlock, _ := pem.Decode([]byte(certFullchainPEM))
+ if fullchainBlock == nil {
+ if fail == true {
+ panic("failed to parse certificate PEM")
+ } else {
+ return false
+ }
+ }
+ fullchainCert, fullchainErr := x509.ParseCertificate(fullchainBlock.Bytes)
+ if fullchainErr != nil {
+ if fail == true {
+ panic("failed to parse certificate: " + fullchainErr.Error())
+ } else {
+ return false
+ }
+ }
+
+ opts := x509.VerifyOptions{
+ Roots: roots,
+ DNSName: dnsname,
+ CurrentTime: daysNumber,
+ Intermediates: x509.NewCertPool(),
+ }
+
+ if _, err := cert.Verify(opts); err != nil {
+ if fail == true {
+ panic("failed to verify certificate: " + err.Error())
+ } else {
+ return false
+ }
+ }
+ if _, fullchainErr := 
fullchainCert.Verify(opts); fullchainErr != nil {
+ if fail == true {
+ panic("failed to verify certificate: " + fullchainErr.Error())
+ } else {
+ return false
+ }
+ }
+ return true
+
+}
+
 // get redis key
 func GetRedisKey(redisurl string, redistoken string) string {
 client := &http.Client{}
@@ -135,6 +241,7 @@ Options:
 TeamName := arguments["--team-name"].(string)
 RedisToken := arguments["--redis-token"].(string)
 Type = arguments["--type"].(string)
+ Days := arguments["--days"].(int)
 RedisBaseURL = "https://redis.geant.org/GET"
 VaultBaseURL = "https://vault.geant.org/v1"
 VaultURL := fmt.Sprintf("%v/%v/%v/vault_%v_key", VaultBaseURL, TeamName, CertName, CertNameUndercored)
@@ -142,9 +249,10 @@ Options:
 RedisCAURL := fmt.Sprintf("%v/%v:%v:redis_%v_chain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
 RedisFullChainURL := fmt.Sprintf("%v/%v:%v:redis_%v_fullchain_pem.txt", RedisBaseURL, TeamName, CertName, CertNameUndercored)
- certificate := GetRedisKey(RedisCertURL, RedisToken)
- ca := GetRedisKey(RedisCAURL, RedisToken)
- fullChain := GetRedisKey(RedisFullChainURL, RedisToken)
+ tmpCertificateDestination := "/tmp/amce_cert.pem"
+ tmpFullchainDestination := "/tmp/amce_fullchain.pem"
+ tmpCaDestination := "/tmp/amce_ca.pem"
+ tmpKeyDestination := "/tmp/amce_key.pem"
 if arguments["--cert-destination"] == fmt.Sprintf("%v/<cert-name>.crt", CertBase) {
 certificateDestination = fmt.Sprintf("%v/%v.crt", CertBase, CertName)
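Review bot: The `key` parameter of `checkCerificates` is accepted but never read, so neither the pre-install check nor the post-fetch check confirms that the private key belongs to the certificate; a key/cert mismatch (Vault and Redis out of step) passes both checks and gets installed. Load the key and pair it with the leaf via `tls.X509KeyPair(certPEM, keyPEM)` (needs `crypto/tls` in the import block), failing the same way the other checks do. Separately, `Roots` is built only from the fetched chain file while `Intermediates` stays empty, so a certificate "verifies" against whatever CA material arrived alongside it rather than a trust store the host already holds; if that is intended (the vendor chain ships with the cert) say so in the header comment, otherwise use `x509.SystemCertPool()` for roots and load the chain file into `Intermediates`. The `fail` path mixes `log.Fatal` and `panic`; either is fine, but pick one so callers get a consistent exit.
```go
	keyPEM, err := ioutil.ReadFile(key)
	if err != nil {
		if fail {
			log.Fatal(err)
		}
		return false
	}
	// … unchanged: chain file parsing and the two Verify calls …
	// the leaf must actually be usable with the key we are about to install
	if _, err := tls.X509KeyPair(certPEM, keyPEM); err != nil {
		if fail {
			panic("certificate and key do not match: " + err.Error())
		}
		return false
	}
	return true
```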
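Review bot: `Days := arguments["--days"].(int)` will panic at runtime if docopt returns the option value as a string, which is what docopt-go does for option arguments unless the caller converts them; the declaration of `arguments` is outside this hunk, so I cannot confirm its concrete type. Convert explicitly with an error path, e.g. `Days, err := strconv.Atoi(arguments["--days"].(string))` followed by `if err != nil || Days < 0 { log.Fatalf("invalid --days value: %v", arguments["--days"]) }` (`strconv` would need importing), or `arguments.Int("--days")` if `arguments` is a `docopt.Opts`. A negative value otherwise moves `CurrentTime` into the past and makes a certificate that is about to expire look valid.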
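Review bot: The four `tmp*Destination` paths are fixed, predictable names in world-writable `/tmp`, and one of them (`/tmp/amce_key.pem`) will receive the private key; any local user can pre-create those names or plant symlinks for the later `WriteToFile` to follow, and two runs for different certificates would silently clobber each other's files. Create a private scratch directory instead, `tmpDir, err := ioutil.TempDir("", "acme-")` with `defer os.RemoveAll(tmpDir)`, and build the paths with `filepath.Join(tmpDir, "cert.pem")` and friends (`path/filepath` is already imported). Whether `WriteToFile` refuses to follow symlinks I cannot tell from here; its definition is outside the hunk. "amce" also looks like a typo for "acme".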
@@ -156,16 +264,27 @@ Options:
 } else {
 fullchainDestination = arguments["--fullchain-destination"].(string)
 }
+ if arguments["--ca-destination"] == fmt.Sprintf("%v/COMODO_<type>.crt", CertBase) {
+ caDestination = fmt.Sprintf("%v/COMODO_%v.crt", CertBase, Type)
+ } else {
+ caDestination = arguments["--ca-destination"].(string)
+ }
 if arguments["--key-destination"] == fmt.Sprintf("%v/<cert-name>.key", KeyBase) {
 keyDestination = fmt.Sprintf("%v/%v.key", KeyBase, CertName)
 } else {
 keyDestination = arguments["--key-destination"].(string)
 }
- if arguments["--ca-destination"] == fmt.Sprintf("%v/COMODO_<type>.crt", CertBase) {
- caDestination = fmt.Sprintf("%v/COMODO_%v.crt", CertBase, Type)
- } else {
- caDestination = arguments["--ca-destination"].(string)
+
+ // checkCerificates(dnsname string, certificate string, fullchain string, ca string, key string, fail bool)
+ // check if there is a certificate installed and it is valid
+ existingCert := checkCerificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
+ if existingCert == true {
+ fmt.Printf("the certificates are still valid")
+ os.Exit(0)
 }
+ certificate := GetRedisKey(RedisCertURL, RedisToken)
+ ca := GetRedisKey(RedisCAURL, RedisToken)
+ fullChain := GetRedisKey(RedisFullChainURL, RedisToken)
 // get Vault key
 vaultClient := &http.Client{}
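Review bot: The signature comment above `existingCert` is already stale — it omits the `days int` parameter that the call on the next line passes — and `fmt.Printf("the certificates are still valid")` has no trailing newline, so the message runs into the next shell prompt. Replace the two comment lines with one that states the decision being made, `// Skip the fetch when the installed cert and chain still verify Days days from now; any failed check (missing file, expiry, name mismatch) falls through to a re-install.`, and switch to `fmt.Println(...)`. Style: `if existingCert == true` reads better as `if existingCert`, and the same applies to the `fail == true` comparisons in the helper. Note the early `os.Exit(0)` happens before Redis or Vault is contacted, so a certificate that was re-issued or revoked upstream is not refreshed until it is within `--days` of expiry; if that is intended it belongs in the `--help` text, which is outside this hunk.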
@@ -179,6 +298,16 @@ Options:
 }
 privKey := gjson.Get(string(vaultBody), "data.value").String()
+ WriteToFile(certificate, tmpCertificateDestination, GroupName, 0644, 0755)
+ WriteToFile(fullChain, tmpFullchainDestination, GroupName, 0644, 0755)
+ WriteToFile(ca, tmpCaDestination, GroupName, 0644, 0755)
+ WriteToFile(privKey, tmpKeyDestination, GroupName, 0640, 0750)
+ newCert := checkCerificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, false)
+ if newCert == false {
+ log.Fatalf("the certificates are malformed. Skippping installation")
+ os.Exit(0)
+ }
+
 WriteToFile(certificate, certificateDestination, GroupName, 0644, 0755)
 WriteToFile(fullChain, fullchainDestination, GroupName, 0644, 0755)
 WriteToFile(ca, caDestination, GroupName, 0644, 0755)
@@ -189,4 +318,6 @@ Options:
 fmt.Printf("installed: %v\n", fullchainDestination)
 fmt.Printf("installed: %v\n", keyDestination)
+ // check certificate
+
 }
--
GitLab
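Review bot: `log.Fatalf(...)` on the malformed-certificate path already exits with status 1, so the `os.Exit(0)` after it is unreachable, and the two disagree on whether a skipped installation is a failure; keep `log.Fatalf` (a scheduler or monitor should notice) and drop the `os.Exit(0)`. By that point the private key has been written to `/tmp/amce_key.pem` and is never removed on either path; add `defer os.Remove(tmpKeyDestination)` (and the same for the three other temp files) immediately after the writes so key material does not linger in `/tmp`. Every `WriteToFile` return value here is ignored; if it reports errors (its definition is outside the hunk), a failed write of the key after a successful write of the cert leaves a mismatched pair installed, so check each call, and consider writing the key before the certificate. "Skippping" has one p too many.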