package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/log"
)
// secretData is the process-wide store of per-cluster secrets. It is nil until
// loadSecretData installs a value (either the parsed file or an empty store
// when no file exists yet).
var secretData *SecretData

// DontSave is a package-level switch; from its name it presumably suppresses
// persisting secret data, but the code that reads it is outside this file —
// confirm before relying on that.
var DontSave = false
// SecretData holds every cluster's secrets in memory together with the cfssl
// configuration they were loaded under. Both fields are unexported, so
// encoding/json ignores them: only the clusters map is (un)marshalled, and
// loadSecretData does that by passing &sd.clusters directly.
type SecretData struct {
	// clusters maps a cluster name to its secrets; this map is the on-disk
	// JSON document's top level.
	clusters map[string]*ClusterSecrets
	// config is the cfssl config in effect when the data was loaded.
	config *config.Config
}
// ClusterSecrets is the per-cluster record persisted in secret-data.json.
// All fields are exported and carry no json tags, so they are serialised
// under their Go names. The file is read with a plain json.Unmarshal, i.e. it
// is not encrypted at rest by this code — protect it with file permissions.
type ClusterSecrets struct {
	// CAs maps a CA name to its material (the CA type is defined elsewhere).
	CAs map[string]*CA
	// Tokens maps a token name to its value, stored as-is.
	Tokens map[string]string
	// Passwords maps a password name to its value, stored as-is.
	Passwords map[string]string
	// SSHKeyPairs maps a name to one or more key pairs (type defined elsewhere).
	SSHKeyPairs map[string][]SSHKeyPair
}
// KeyCert pairs a private key with its certificate and records a hash of the
// request they were issued from. The byte slices are presumably PEM (the
// cert-checking helper in this file takes PEM), but nothing here enforces
// that — confirm against the code that fills them in.
type KeyCert struct {
	// Key is the private key material; it is secret and lands on disk in
	// secret-data.json alongside everything else.
	Key []byte
	// Cert is the certificate issued for Key.
	Cert []byte
	// ReqHash identifies the request this pair was generated for; how it is
	// computed is not visible in this file.
	ReqHash string
}
// secretDataFile is the name of the JSON file, under *dataDir, that holds the
// persisted per-cluster secrets.
const secretDataFile = "secret-data.json"

// secretDataPath returns the full path of the secret-data file for the
// configured data directory (*dataDir is a flag defined elsewhere).
func secretDataPath() string {
	return filepath.Join(*dataDir, secretDataFile)
}
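// loadSecretData populates the package-level secretData from the JSON file at
// secretDataPath() and associates it with config.
//
// A missing file is not an error: an empty SecretData is installed so the
// caller can start generating secrets from scratch. Any other read failure,
// or a malformed file, leaves secretData untouched and is returned with the
// path for context.
//
// The file holds CA material, tokens, passwords and SSH key pairs in plain
// JSON (see ClusterSecrets), so before reading it the file mode is inspected
// and a group- or world-accessible file is reported. This is a warning rather
// than a hard failure so existing deployments with a looser mode keep working;
// tighten it to an error once that is known to be safe. (On platforms without
// Unix permission bits the reported mode may be synthetic — expect noise there.)
func loadSecretData(config *config.Config) error {
	log.Info("Loading secret data")

	sd := &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   config,
	}

	path := secretDataPath()

	// Best-effort permission check; a stat failure (including "not found") is
	// simply left to ReadFile below, which reports it properly.
	if fi, statErr := os.Stat(path); statErr == nil {
		if mode := fi.Mode().Perm(); mode&0077 != 0 {
			log.Warningf("%s is accessible by group/other (mode %04o); it holds private keys and passwords and should be 0600", path, mode)
		}
	}

	ba, err := ioutil.ReadFile(path)
	if err != nil {
		if os.IsNotExist(err) {
			// First run: nothing persisted yet, start with an empty store.
			secretData = sd
			return nil
		}
		return fmt.Errorf("reading secret data %s: %w", path, err)
	}

	// The document's top level is the cluster-name -> secrets map.
	if err := json.Unmarshal(ba, &sd.clusters); err != nil {
		return fmt.Errorf("parsing secret data %s: %w", path, err)
	}

	secretData = sd
	return nil
}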
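// errCertTooOld is returned (wrapped, with details) by checkCertUsable when a
// certificate has too little lifetime left. Callers can test for it with
// errors.Is; the message keeps the historical "too old" prefix.
var errCertTooOld = errors.New("too old")

// checkCertUsable reports whether the PEM certificate in certPEM still has
// enough lifetime left to keep using it rather than re-issuing it.
//
// A certificate is considered usable while at least one third of its total
// validity period (NotAfter - NotBefore) remains; that fraction is hard-coded
// for now (TODO allow configuration). It returns an error when the PEM cannot
// be parsed, when the validity window is inverted (NotAfter before NotBefore),
// or when the remaining lifetime is below the threshold — in the last case the
// error wraps errCertTooOld and names the expiry so the caller can see why.
//
// Only the validity window is inspected: revocation, chain validity and
// key/cert matching are not checked here.
func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return fmt.Errorf("parsing certificate: %w", err)
	}

	validity := cert.NotAfter.Sub(cert.NotBefore)
	if validity < 0 {
		// An inverted window would make the threshold below negative and the
		// comparison meaningless; reject it outright.
		return fmt.Errorf("certificate validity window is inverted (NotBefore %s, NotAfter %s)",
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}

	minRemaining := validity / 3 // TODO allow configuration
	remaining := time.Until(cert.NotAfter)
	if remaining < minRemaining {
		return fmt.Errorf("%w: certificate expires %s (in %s), less than a third of its %s validity remains",
			errCertTooOld, cert.NotAfter.Format(time.RFC3339), remaining.Round(time.Second), validity)
	}

	return nil
}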