local-server/cmd/dkl-local-server/secrets.go
package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/log"
)
var (
	// secretData is the process-wide secret store; loadSecretData installs it
	// once the on-disk store has been read (or found absent).
	secretData *SecretData

	// DontSave, when set, is consulted by the code that persists the store
	// (not visible in this file); it starts out false, i.e. saving enabled.
	DontSave bool
)
// SecretData is the in-memory secret store: the per-cluster secrets decoded
// from secret-data.json plus the cfssl configuration they were loaded with.
// It is built by loadSecretData and published through the secretData global.
type SecretData struct {
	// clusters holds the secrets of each cluster, keyed by the cluster's
	// name as it appears in secret-data.json.
	clusters map[string]*ClusterSecrets
	// config is the cfssl configuration handed to loadSecretData; kept here
	// for the code that issues certificates (not visible in this file).
	config *config.Config
}
// ClusterSecrets is one cluster's entry in the secret store. Its exported
// fields are exactly what loadSecretData decodes from secret-data.json, so
// every value below is stored as plain JSON on disk and is protected only by
// that file's permissions.
type ClusterSecrets struct {
	// CAs holds the cluster's certificate authorities by name (the CA type
	// is declared elsewhere in the package).
	CAs map[string]*CA
	// Tokens maps a token name to its value.
	// NOTE(review): presumably node bootstrap/join tokens — confirm against callers.
	Tokens map[string]string
	// Passwords maps a password name to its clear-text value.
	Passwords map[string]string
	// SSHKeyPairs maps a name to the key pairs generated under it (the
	// SSHKeyPair type is declared elsewhere in the package).
	SSHKeyPairs map[string][]SSHKeyPair
}
// KeyCert pairs a private key with its certificate and records the request
// they were generated from, so a changed request can be detected.
type KeyCert struct {
	// Key is the private key. NOTE(review): presumably PEM-encoded, as the
	// certificate checks in this file work on PEM — confirm against the writer.
	Key []byte
	// Cert is the certificate matching Key.
	Cert []byte
	// ReqHash identifies the signing request this pair was issued for;
	// the hash algorithm is chosen by the caller, not here.
	ReqHash string
}
// secretDataPath returns where the secret store lives on disk: the file
// "secret-data.json" inside the directory selected by the dataDir flag.
func secretDataPath() string {
	const storeFile = "secret-data.json"
	return filepath.Join(*dataDir, storeFile)
}
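// loadSecretData reads the per-cluster secrets from secretDataPath() and
// installs the result in the package-level secretData.
//
// A missing store file is not an error: an empty SecretData is installed so
// that a fresh data directory starts clean. config is attached to the loaded
// store for later use. On a read or decode failure the global is left
// untouched and the error is returned wrapped with the file path, using %w so
// the underlying error is still reachable with errors.Is / errors.As.
func loadSecretData(config *config.Config) (err error) {
	log.Info("Loading secret data")

	sd := &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   config,
	}

	path := secretDataPath()

	ba, err := ioutil.ReadFile(path)
	if err != nil {
		if os.IsNotExist(err) {
			// First start: nothing has been persisted yet, begin empty.
			secretData = sd
			return nil
		}
		return fmt.Errorf("reading secret data %q: %w", path, err)
	}

	// The store holds tokens and passwords as plain JSON; its permissions are
	// the only protection, so flag a file readable beyond its owner. Advisory
	// only, to keep existing deployments loading as before.
	if fi, statErr := os.Stat(path); statErr == nil && fi.Mode().Perm()&0077 != 0 {
		log.Warningf("secret data file %s is group/world accessible (mode %#o)", path, fi.Mode().Perm())
	}

	if err = json.Unmarshal(ba, &sd.clusters); err != nil {
		return fmt.Errorf("decoding secret data %q: %w", path, err)
	}

	secretData = sd
	return nil
}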
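// checkCertUsable reports whether the PEM-encoded certificate should be kept.
// It returns a non-nil error when the PEM cannot be parsed, when the
// certificate is not yet valid, or when less than a third of its validity
// period remains ("too old"), in which case the caller regenerates it.
func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return err
	}
	return checkValidityWindow(cert.NotBefore, cert.NotAfter, time.Now())
}

// checkValidityWindow applies the renewal policy to a certificate's validity
// bounds as seen at instant now. It is kept separate from checkCertUsable so
// the policy can be exercised without building certificates.
func checkValidityWindow(notBefore, notAfter, now time.Time) error {
	// A certificate that is not valid yet cannot be used either, even though
	// almost all of its lifetime is still ahead.
	if now.Before(notBefore) {
		return errors.New("not yet valid")
	}
	certDuration := notAfter.Sub(notBefore)
	delayBeforeRegen := certDuration / 3 // TODO allow configuration
	// The remaining time is negative once expired, so expiry lands in the
	// same "too old" branch as approaching the renewal point.
	if notAfter.Sub(now) < delayBeforeRegen {
		return errors.New("too old")
	}
	return nil
}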