secrets migration

cmd/dkl-local-server/secrets-migrate.go

@@ -40,7 +40,8 @@ func migrateSecrets() {
 		}
 	}
 
-	if err := loadSecretData(sslCfg); err != nil {
+	secretData, err := loadSecretData(sslCfg)
+	if err != nil {
 		log.Fatal(err)
 		return
 	}
@@ -66,10 +67,22 @@ func migrateSecrets() {
 			clusterCAs.Put(clusterName+"/"+caName, CA{Key: ca.Key, Cert: ca.Cert})
 
 			for signedName, signed := range ca.Signed {
-				clusterCASignedKeys.Put(clusterName+"/"+caName+"/"+signedName, *signed)
+				err = clusterCASignedKeys.Put(clusterName+"/"+caName+"/"+signedName, *signed)
+				if err != nil {
+					log.Fatal(err)
+				}
 			}
 		}
 
-		// TODO
+		for hostName, pairs := range cluster.SSHKeyPairs {
+			err = sshHostKeys.Put(hostName, pairs)
+			if err != nil {
+				log.Fatal(err)
+			}
+		}
+	}
+
+	if err := os.Rename(secretDataPath(), secretDataPath()+".migrated"); err != nil {
+		log.Fatal("failed to rename migrated secrets: ", err)
 	}
 }

cmd/dkl-local-server/secrets.go

@@ -13,11 +13,6 @@ import (
 	"github.com/cloudflare/cfssl/log"
 )
 
-var (
-	secretData *SecretData
-	DontSave   = false
-)
-
 type SecretData struct {
 	clusters map[string]*ClusterSecrets
 	config   *config.Config
@@ -40,10 +35,10 @@ func secretDataPath() string {
 	return filepath.Join(*dataDir, "secret-data.json")
 }
 
-func loadSecretData(config *config.Config) (err error) {
+func loadSecretData(config *config.Config) (sd *SecretData, err error) {
 	log.Info("Loading secret data")
 
-	sd := &SecretData{
+	sd = &SecretData{
 		clusters: make(map[string]*ClusterSecrets),
 		config:   config,
 	}
@@ -52,7 +47,6 @@ func loadSecretData(config *config.Config) (err error) {
 	if err != nil {
 		if os.IsNotExist(err) {
 			err = nil
-			secretData = sd
 			return
 		}
 		return
@@ -62,7 +56,6 @@ func loadSecretData(config *config.Config) (err error) {
 		return
 	}
 
-	secretData = sd
 	return
 }
 

cmd/dkl-local-server/ssh-secrets_test.go

@@ -2,10 +2,6 @@ package main
 
 import "testing"
 
-func init() {
-	DontSave = true
-}
-
 func TestSSHKeyGet(t *testing.T) {
 	// TODO needs fake secret store
 	// if _, err := getSSHKeyPairs("host"); err != nil {

cmd/dkl-local-server/ws-clusters.go

@@ -2,10 +2,12 @@ package main
 
 import (
 	"log"
-	"sort"
+	"net/url"
+	"strconv"
 
 	restful "github.com/emicklei/go-restful"
 
+	"novit.tech/direktil/local-server/pkg/mime"
 	"novit.tech/direktil/pkg/localconfig"
 )
 
@@ -83,53 +85,39 @@ func wsClusterAddons(req *restful.Request, resp *restful.Response) {
 }
 
 func wsClusterCACert(req *restful.Request, resp *restful.Response) {
-	cs := secretData.clusters[req.PathParameter("cluster-name")]
+	clusterName := req.PathParameter("cluster-name")
-	if cs == nil {
+	caName := req.PathParameter("ca-name")
-		wsNotFound(resp)
+
-		return
+	ca, found, err := clusterCAs.Get(clusterName + "/" + caName)
-	}
+	if err != nil {
-
+		wsError(resp, err)
-	ca := cs.CAs[req.PathParameter("ca-name")]
+		return
-	if ca == nil {
+	}
+	if !found {
 		wsNotFound(resp)
 		return
 	}
 
+	resp.Header().Set("Content-Type", mime.CERT)
 	resp.Write(ca.Cert)
 }
 
 func wsClusterSignedCert(req *restful.Request, resp *restful.Response) {
-	cs := secretData.clusters[req.PathParameter("cluster-name")]
+	clusterName := req.PathParameter("cluster-name")
-	if cs == nil {
+	caName := req.PathParameter("ca-name")
-		wsNotFound(resp)
-		return
-	}
-
-	ca := cs.CAs[req.PathParameter("ca-name")]
-	if ca == nil {
-		wsNotFound(resp)
-		return
-	}
-
 	name := req.QueryParameter("name")
 
-	if name == "" {
+	kc, found, err := clusterCASignedKeys.Get(clusterName + "/" + caName + "/" + name)
-		keys := make([]string, 0, len(ca.Signed))
+	if err != nil {
-		for k := range ca.Signed {
+		wsError(resp, err)
-			keys = append(keys, k)
-		}
-
-		sort.Strings(keys)
-
-		resp.WriteJson(keys, restful.MIME_JSON)
 		return
 	}
-
+	if !found {
-	kc := ca.Signed[name]
-	if kc == nil {
 		wsNotFound(resp)
 		return
 	}
 
+	resp.AddHeader("Content-Type", mime.CERT)
+	resp.AddHeader("Content-Disposition", "attachment; filename="+strconv.Quote(clusterName+"_"+caName+"_"+url.PathEscape(name)+".crt"))
 	resp.Write(kc.Cert)
 }

html/ui/app.css

@@ -18,6 +18,10 @@
     overflow: auto;
 }
 
+.cluster {
+    max-width: 50%;
+}
+
 #store-infos {
     display: flex;
     flex-flow: row wrap;

html/ui/js/Cluster.js

@@ -21,17 +21,15 @@ export default {
     <Downloads :token="token" :state="state" kind="cluster" :name="cluster.Name" />
   </section>
   <div class="section">CAs</div>
-  <section v-for="ca in cluster.CAs">
+  <table><tr><th>Name</th><th>Certificate</th><th>Signed certificates</th></tr>
-    {{ ca.Name }}:
+  <tr v-for="ca in cluster.CAs">
-        <GetCopy :token="token" name="cert" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/certificate'" />
+    <td>{{ ca.Name }}</td>
-        <template v-if="ca.Signed">
+    <td><GetCopy :token="token" name="cert" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/certificate'" /></td>
-          {{" "}}signed
+    <td><template v-for="signed in ca.Signed">
-          <template v-for="signed in ca.Signed">
       {{" "}}
       <GetCopy :token="token" :name="signed" :href="'/clusters/'+cluster.Name+'/CAs/'+ca.Name+'/signed?name='+signed" />
-          </template>
+    </template></td>
-        </template>
+  </tr></table>
-  </section>
 </div>
 `
 }

html/ui/style.css

@@ -124,6 +124,9 @@ header .utils > * {
 .sheets section {
     margin: 2pt 6pt 6pt 6pt;
 }
+.sheets > *:last-child > table:last-child > tr:last-child > td {
+    border-bottom: none;
+}
 
 .notif {
     display: inline-block;