ssh acls preliminary support

2021-11-14 15:28:40 +01:00 · 2021-11-14 15:28:40 +01:00 · 3673a2f361
commit 3673a2f361
parent 4d92925170
3 changed files with 98 additions and 12 deletions
--- a/cmd/dkl-local-server/ws-clusters.go
+++ b/cmd/dkl-local-server/ws-clusters.go
@ -2,8 +2,10 @@ package main

 import (
 	"log"
+	"sort"

 	restful "github.com/emicklei/go-restful"
+
 	"novit.nc/direktil/pkg/localconfig"
 )

@ -136,15 +138,33 @@ func wsClusterBootstrapPods(req *restful.Request, resp *restful.Response) {
 	wsRender(resp, cluster.BootstrapPods, cluster)
 }

-func wsClusterCACert(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
+func wsClusterCAs(req *restful.Request, resp *restful.Response) {
+	cs := secretData.clusters[req.PathParameter("cluster-name")]
+	if cs == nil {
+		wsNotFound(req, resp)
 		return
 	}

-	ca, err := secretData.CA(req.PathParameter("cluster"), req.PathParameter("ca-name"))
-	if err != nil {
-		wsError(resp, err)
+	keys := make([]string, 0, len(cs.CAs))
+	for k := range cs.CAs {
+		keys = append(keys, k)
+	}
+
+	sort.Strings(keys)
+
+	resp.WriteJson(keys, restful.MIME_JSON)
+}
+
+func wsClusterCACert(req *restful.Request, resp *restful.Response) {
+	cs := secretData.clusters[req.PathParameter("cluster-name")]
+	if cs == nil {
+		wsNotFound(req, resp)
+		return
+	}
+
+	ca := cs.CAs[req.PathParameter("ca-name")]
+	if ca == nil {
+		wsNotFound(req, resp)
 		return
 	}

@ -152,18 +172,33 @@ func wsClusterCACert(req *restful.Request, resp *restful.Response) {
 }

 func wsClusterSignedCert(req *restful.Request, resp *restful.Response) {
-	cluster := wsReadCluster(req, resp)
-	if cluster == nil {
+	cs := secretData.clusters[req.PathParameter("cluster-name")]
+	if cs == nil {
+		wsNotFound(req, resp)
 		return
 	}

-	ca, err := secretData.CA(req.PathParameter("cluster"), req.PathParameter("ca-name"))
-	if err != nil {
-		wsError(resp, err)
+	ca := cs.CAs[req.PathParameter("ca-name")]
+	if ca == nil {
+		wsNotFound(req, resp)
 		return
 	}

-	kc := ca.Signed[req.QueryParameter("name")]
+	name := req.QueryParameter("name")
+
+	if name == "" {
+		keys := make([]string, 0, len(ca.Signed))
+		for k := range ca.Signed {
+			keys = append(keys, k)
+		}
+
+		sort.Strings(keys)
+
+		resp.WriteJson(keys, restful.MIME_JSON)
+		return
+	}
+
+	kc := ca.Signed[name]
 	if kc == nil {
 		wsNotFound(req, resp)
 		return
--- a/cmd/dkl-local-server/ws-ssh-acls.go
+++ b/cmd/dkl-local-server/ws-ssh-acls.go
@ -0,0 +1,44 @@
+package main
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+
+	restful "github.com/emicklei/go-restful"
+	yaml "gopkg.in/yaml.v2"
+)
+
+type SSH_ACL struct {
+	Keys     []string
+	Clusters []string
+	Groups   []string
+	Hosts    []string
+}
+
+func loadSSH_ACLs() (acls []SSH_ACL, err error) {
+	f, err := os.Open(filepath.Join(*dataDir, "ssh-acls.yaml"))
+	if err != nil {
+		return
+	}
+
+	defer f.Close()
+
+	err = yaml.NewDecoder(f).Decode(&acls)
+	return
+}
+
+func wsSSH_ACL_List(req *restful.Request, resp *restful.Response) {
+	// TODO
+	http.NotFound(resp.ResponseWriter, req.Request)
+}
+
+func wsSSH_ACL_Get(req *restful.Request, resp *restful.Response) {
+	// TODO
+	http.NotFound(resp.ResponseWriter, req.Request)
+}
+
+func wsSSH_ACL_Set(req *restful.Request, resp *restful.Response) {
+	// TODO
+	http.NotFound(resp.ResponseWriter, req.Request)
+}
--- a/cmd/dkl-local-server/ws.go
+++ b/cmd/dkl-local-server/ws.go
@ -9,6 +9,7 @@ import (
 	"text/template"

 	"github.com/emicklei/go-restful"
+
 	"novit.nc/direktil/local-server/pkg/mime"
 	"novit.nc/direktil/pkg/localconfig"
 )
@ -49,6 +50,8 @@ func registerWS(rest *restful.Container) {
 	ws.Route(ws.PUT("/clusters/{cluster-name}/passwords/{password-name}").To(wsClusterSetPassword).
 		Doc("Set cluster's password"))

+	ws.Route(ws.GET("/clusters/{cluster-name}/ca").To(wsClusterCAs).
+		Doc("Get cluster CAs"))
 	ws.Route(ws.GET("/clusters/{cluster-name}/ca/{ca-name}/certificate").To(wsClusterCACert).
 		Produces(mime.CACERT).
 		Doc("Get cluster CA's certificate"))
@ -72,6 +75,10 @@ func registerWS(rest *restful.Container) {
 	}).register(ws, func(rb *restful.RouteBuilder) {
 	})

+	ws.Route(ws.GET("/ssh-acls").To(wsSSH_ACL_List))
+	ws.Route(ws.GET("/ssh-acls/{acl-name}").To(wsSSH_ACL_Get))
+	ws.Route(ws.PUT("/ssh-acls/{acl-name}").To(wsSSH_ACL_Set))
+
 	rest.Add(ws)

 	// Hosts API