Unverified Commit d5b32cc8 authored by Max Adamo's avatar Max Adamo

minor

parent 25fd02a9
......@@ -5,7 +5,6 @@ import (
"encoding/pem"
"fmt"
"io/ioutil"
"log"
"net/http"
"os"
"path/filepath"
......@@ -43,7 +42,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
certPEM, err := ioutil.ReadFile(certificate)
if err != nil {
if fail == true {
log.Fatal(err)
fmt.Printf("[ERROR] %v\n", err)
os.Exit(255)
} else {
return false
}
......@@ -52,7 +52,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
certFullchainPEM, err := ioutil.ReadFile(fullchain)
if err != nil {
if fail == true {
log.Fatal(err)
fmt.Printf("[ERROR] %v\n", err)
os.Exit(255)
} else {
return false
}
......@@ -61,7 +62,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
rootPEM, err := ioutil.ReadFile(ca)
if err != nil {
if fail == true {
log.Fatal(err)
fmt.Printf("[ERROR] %v\n", err)
os.Exit(255)
} else {
return false
}
......@@ -71,7 +73,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
ok := roots.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
if fail == true {
panic("failed to parse root certificate")
fmt.Printf("[ERROR] failed to parse root certificate\n")
os.Exit(255)
} else {
return false
}
......@@ -80,7 +83,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
block, _ := pem.Decode([]byte(certPEM))
if block == nil {
if fail == true {
panic("failed to parse certificate PEM")
fmt.Printf("[ERROR] failed to parse certificate PEM\n")
os.Exit(255)
} else {
return false
}
......@@ -88,7 +92,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
if fail == true {
panic("failed to parse certificate: " + err.Error())
fmt.Printf("[ERROR] failed to parse certificate %v\n", err)
os.Exit(255)
} else {
return false
}
......@@ -97,7 +102,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
fullchainBlock, _ := pem.Decode([]byte(certFullchainPEM))
if fullchainBlock == nil {
if fail == true {
panic("failed to parse certificate PEM")
fmt.Printf("[ERROR] failed to parse certificate PEM\n")
os.Exit(255)
} else {
return false
}
......@@ -105,7 +111,8 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
fullchainCert, fullchainErr := x509.ParseCertificate(fullchainBlock.Bytes)
if fullchainErr != nil {
if fail == true {
panic("failed to parse certificate: " + fullchainErr.Error())
fmt.Printf("[ERROR] failed to parse certificate %v\n", fullchainErr)
os.Exit(255)
} else {
return false
}
......@@ -120,14 +127,15 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
if _, err := cert.Verify(opts); err != nil {
if fail == true {
panic("failed to verify certificate: " + err.Error())
fmt.Printf("[ERROR] failed to parse certificate %v\n", err.Error())
os.Exit(255)
} else {
return false
}
}
if _, fullchainErr := fullchainCert.Verify(opts); fullchainErr != nil {
if fail == true {
panic("failed to verify certificate: " + fullchainErr.Error())
fmt.Printf("[ERROR] failed to parse certificate %v\n", err.Error())
} else {
return false
}
......@@ -139,19 +147,33 @@ func checkCerificates(dnsname string, certificate string, fullchain string, ca s
// get redis key
func GetRedisKey(redisurl string, redistoken string) string {
client := &http.Client{}
req, err := http.NewRequest("GET", redisurl, nil)
req.SetBasicAuth("redis", redistoken)
resp, err := client.Do(req)
body, err := ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
if err != nil {
log.Fatalf("[ERROR] Fail to read %v: %v", redisurl, err)
fmt.Printf("[ERROR] Fail to read %v: %v\n", redisurl, err)
os.Exit(255)
}
return fmt.Sprintf(string(body))
}
// get Vault key
func GetVaultKey(vaulturl string, vaulttoken string) string {
vaultClient := &http.Client{}
req, err := http.NewRequest("GET", vaulturl, nil)
req.Header.Add("X-vault-token", vaulttoken)
resp, err := vaultClient.Do(req)
body, err := ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
if err != nil {
fmt.Printf("[ERROR] Fail to read %v: %v\n", vaulturl, err)
os.Exit(255)
}
return gjson.Get(string(body), "data.value").String()
}
// create directory structure and write certificate to file
func WriteToFile(content string, destination string, groupname string, filemode os.FileMode, dirmode os.FileMode) {
baseDir := filepath.Dir(destination)
......@@ -162,7 +184,8 @@ func WriteToFile(content string, destination string, groupname string, filemode
file, err := os.OpenFile(destination, os.O_WRONLY|os.O_CREATE, filemode)
if err != nil {
log.Fatalf("[ERROR] %v cannot be created", destination)
fmt.Printf("[ERROR] %v cannot be created\n", destination)
os.Exit(255)
}
fmt.Fprintf(file, "%v\n", content)
......@@ -171,14 +194,14 @@ func WriteToFile(content string, destination string, groupname string, filemode
// ReadOSRelease from /etc/os-release
func ReadOSRelease(configfile string) map[string]string {
ConfigParams := make(map[string]string)
cfg, err := ini.Load(configfile)
if err != nil {
log.Fatal("[ERROR] Fail to read file: ", err)
ConfigParams["ID"] = "unknown"
} else {
ConfigParams["ID"] = cfg.Section("").Key("ID").String()
}
ConfigParams := make(map[string]string)
ConfigParams["ID"] = cfg.Section("").Key("ID").String()
return ConfigParams
}
......@@ -198,8 +221,10 @@ func main() {
CertBase = "/etc/ssl/certs"
KeyBase = "/etc/ssl/private"
GroupName = "root"
} else {
log.Fatalf("don't know what to do with OS: %v", OSRelease)
} else if OSRelease == "unknown" {
CertBase = "/PATH/TO/CERTIFICATE"
KeyBase = "/PATH/TO/PRIV/KEY"
GroupName = "root"
}
usage := fmt.Sprintf(`ACME Downloader:
......@@ -245,7 +270,8 @@ Options:
DayString := arguments["--days"].(string)
Days, daysErr := strconv.Atoi(DayString)
if daysErr != nil {
log.Fatal("Days mut be an integer")
fmt.Printf("Days mut be an integer\n")
os.Exit(255)
}
RedisBaseURL = "https://redis.geant.org/GET"
VaultBaseURL = "https://vault.geant.org/v1"
......@@ -280,37 +306,29 @@ Options:
keyDestination = arguments["--key-destination"].(string)
}
// checkCerificates(dnsname string, certificate string, fullchain string, ca string, key string, fail bool)
// check if there is a certificate installed and it is valid
existingCert := checkCerificates(CertName, certificateDestination, fullchainDestination, caDestination, keyDestination, Days, false)
if existingCert == true {
fmt.Printf("the certificates are still valid")
fmt.Printf("the certificates are still valid\n")
os.Exit(0)
}
certificate := GetRedisKey(RedisCertURL, RedisToken)
ca := GetRedisKey(RedisCAURL, RedisToken)
fullChain := GetRedisKey(RedisFullChainURL, RedisToken)
// get Vault key
vaultClient := &http.Client{}
vaultReq, err := http.NewRequest("GET", VaultURL, nil)
vaultReq.Header.Add("X-vault-token", VaultToken)
vaultResp, err := vaultClient.Do(vaultReq)
vaultBody, err := ioutil.ReadAll(vaultResp.Body)
defer vaultResp.Body.Close()
if err != nil {
log.Fatalf("Fail to read %v: %v", VaultURL, err)
}
privKey := gjson.Get(string(vaultBody), "data.value").String()
privKey := GetVaultKey(VaultURL, VaultToken)
WriteToFile(certificate, tmpCertificateDestination, GroupName, 0644, 0755)
WriteToFile(fullChain, tmpFullchainDestination, GroupName, 0644, 0755)
WriteToFile(ca, tmpCaDestination, GroupName, 0644, 0755)
WriteToFile(privKey, tmpKeyDestination, GroupName, 0640, 0750)
tempCertSlice := []string{tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination}
newCert := checkCerificates(CertName, tmpCertificateDestination, tmpFullchainDestination, tmpCaDestination, tmpKeyDestination, Days, false)
if newCert == false {
log.Fatalf("the certificates are malformed. Skippping installation")
os.Exit(0)
fmt.Printf("the certificates are malformed. Skippping installation\n")
for _, element := range tempCertSlice {
os.Remove(element)
}
os.Exit(255)
}
WriteToFile(certificate, certificateDestination, GroupName, 0644, 0755)
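Review bot: In the fullchainCert.Verify branch (hunk `@@ -120,14 +127,15 @@`), the new fail path prints and then falls through: unlike the cert.Verify branch just above it, there is no `os.Exit(255)`, and the message formats `err.Error()` rather than `fullchainErr`. At that point `err` appears to be the outer variable left over from the earlier ReadFile/ParseCertificate calls, which is nil once those checks have passed, so this line would most likely panic on a nil dereference rather than report that chain verification failed; the message text also says "parse" where the check is a verification. I would change the two lines to `fmt.Printf("[ERROR] failed to verify certificate %v\n", fullchainErr)` followed by `os.Exit(255)`, and correct the "failed to parse" wording in the cert.Verify branch the same way. checkCerificates begins and ends outside this hunk.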