local-server/cmd/dkl-local-server/secrets.go


package main
import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"path/filepath"
	"time"

	"github.com/cloudflare/cfssl/certinfo"
	"github.com/cloudflare/cfssl/config"
	"github.com/cloudflare/cfssl/log"
)
// SecretData is the in-memory view of the server's secrets: the per-cluster
// material read from secret-data.json plus the cfssl configuration that was
// handed to loadSecretData. Both fields are unexported, so the struct itself
// is never (de)serialized; loadSecretData decodes the file straight into
// clusters.
type SecretData struct {
	// clusters is filled by loadSecretData from secret-data.json;
	// presumably keyed by cluster name — confirm against the writer.
	clusters map[string]*ClusterSecrets
	// config is the *config.Config passed to loadSecretData, kept for later use.
	config *config.Config
}
// ClusterSecrets holds the secret material belonging to one cluster. The
// exported fields are decoded directly from secret-data.json by
// loadSecretData; there are no json tags, so the JSON keys are the field
// names as written here. Every field is credential material and should be
// handled (logged, copied, persisted) with that in mind.
type ClusterSecrets struct {
	// CAs maps a name to CA material; the CA type is declared elsewhere in
	// the package, so what exactly it carries is not visible here.
	CAs map[string]*CA
	// Tokens and Passwords are opaque credential strings, each keyed by a
	// name chosen by the code that fills them (not in this file).
	Tokens    map[string]string
	Passwords map[string]string
	// SSHKeyPairs keeps zero or more key pairs per name; SSHKeyPair is
	// declared elsewhere in the package.
	SSHKeyPairs map[string][]SSHKeyPair
}
// KeyCert pairs a private key with its certificate, both as raw bytes.
// NOTE(review): presumably PEM, since checkCertUsable in this file takes a
// PEM-encoded certificate — confirm for Key. ReqHash is stored alongside;
// it is presumably a digest of the request that produced the pair so a
// changed request can be detected, but it is neither computed nor read in
// this file.
type KeyCert struct {
	Key     []byte
	Cert    []byte
	ReqHash string
}
// secretDataPath returns the location of the persisted secrets file:
// "secret-data.json" inside the configured data directory (*dataDir).
func secretDataPath() string {
	const fileName = "secret-data.json"
	return filepath.Join(*dataDir, fileName)
}
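// loadSecretData reads the per-cluster secrets from secretDataPath() and
// returns them wrapped in a SecretData that also carries cfg.
//
// A missing file is not an error: the returned SecretData simply has no
// clusters yet, so a fresh data directory starts empty. Any other read
// error, or a file that does not decode, is returned with the path for
// context, and the *SecretData is nil in that case — callers must not
// continue with an empty secret set when the load failed.
//
// NOTE(review): the file holds CA material, tokens, passwords and SSH key
// pairs (see ClusterSecrets). The code that writes it is not in this file;
// confirm it creates the file with owner-only permissions.
//
// The parameter is named cfg rather than config so it does not shadow the
// imported config package inside the body.
func loadSecretData(cfg *config.Config) (*SecretData, error) {
	log.Info("Loading secret data")

	sd := &SecretData{
		clusters: make(map[string]*ClusterSecrets),
		config:   cfg,
	}

	path := secretDataPath()
	ba, err := ioutil.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		// First run: nothing persisted yet, start with an empty cluster map.
		return sd, nil
	}
	if err != nil {
		return nil, fmt.Errorf("reading secret data %q: %w", path, err)
	}

	// Only the cluster map is persisted; config is never serialized.
	if err := json.Unmarshal(ba, &sd.clusters); err != nil {
		return nil, fmt.Errorf("parsing secret data %q: %w", path, err)
	}
	return sd, nil
}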
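// checkCertUsable reports whether the PEM-encoded certificate in certPEM is
// still worth keeping. It must parse, have a sane validity period, already be
// valid, and have at least a third of its lifetime left; otherwise the
// returned error says why it should be regenerated.
//
// The one-third threshold is a fixed renewal policy (see the TODO); the
// lifetime is taken from the certificate itself (NotAfter - NotBefore), so a
// short-lived certificate is rotated sooner than a long-lived one. For a
// well-formed certificate the result is the same as before: anything past
// the renewal point, including an already expired certificate, is "too old".
func checkCertUsable(certPEM []byte) error {
	cert, err := certinfo.ParseCertificatePEM(certPEM)
	if err != nil {
		return err
	}

	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		// With NotAfter at or before NotBefore the renewal test below would
		// compare two non-positive durations and could accept an expired cert.
		return errors.New("invalid validity period")
	}
	if time.Now().Before(cert.NotBefore) {
		// Not usable yet; the remaining-lifetime test alone would pass it.
		return errors.New("not yet valid")
	}

	// Renew once less than a third of the lifetime remains. An expired
	// certificate has negative remaining time and fails this test as well.
	delayBeforeRegen := lifetime / 3 // TODO allow configuration
	if time.Until(cert.NotAfter) < delayBeforeRegen {
		return errors.New("too old")
	}
	return nil
}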