authorNiall Sheridan <nsheridan@gmail.com>2017-02-12 18:34:41 +0000
committerNiall Sheridan <nsheridan@gmail.com>2017-02-12 18:34:41 +0000
commit6e00d0000e54f21a4a393e67fd914bda4d394f4a (patch)
treeb832e50c45aadc0bf4d0e0d8c45ca32754e8733c
parented8bc523fd0d1a66acf3fa449c453508035efdfc (diff)
Minor fixups
Correct some flag strings and some format strings. Don't fatal when the client config file is missing. Make keysigner, certstore and authprovider package-level.
-rw-r--r--cmd/cashier/main.go10
-rw-r--r--cmd/cashierd/handlers_test.go14
-rw-r--r--cmd/cashierd/main.go47
3 files changed, 33 insertions, 38 deletions
diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index 53deffd..77a0b4b 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -19,9 +19,9 @@ var (
u, _ = user.Current()
cfg = pflag.String("config", path.Join(u.HomeDir, ".cashier.conf"), "Path to config file")
ca = pflag.String("ca", "http://localhost:10000", "CA server")
- keysize = pflag.Int("key_size", 2048, "Key size. Ignored for ed25519 keys")
- validity = pflag.Duration("validity", time.Hour*24, "Key validity")
- keytype = pflag.String("key_type", "rsa", "Type of private key to generate - rsa, ecdsa or ed25519")
+ keysize = pflag.Int("key_size", 0, "Size of key to generate. Ignored for ed25519 keys. (default 2048 for rsa keys, 256 for ecdsa keys)")
+ validity = pflag.Duration("validity", time.Hour*24, "Key lifetime. May be overridden by the CA at signing time")
+ keytype = pflag.String("key_type", "", "Type of private key to generate - rsa, ecdsa or ed25519. (default \"rsa\")")
publicFilePrefix = pflag.String("public_file_prefix", "", "Prefix for filename for public key and cert (optional, no default)")
)
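Review bot: The new zero defaults for the `keysize` and `keytype` flags move the effective defaults named in the help text (2048 for rsa, 256 for ecdsa, "rsa") into whichever code consumes these flags, and that code is not part of this commit, so nothing visible here guarantees that a `0` key size or an empty key type is substituted before key generation. If the consumer does not do that substitution, rsa generation with a zero size fails at run time rather than at flag parsing. The contract deserves a comment on the var block, e.g. `// keysize 0 and keytype "" mean "use the per-type default"; the key generator, not this block, resolves them.`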
@@ -30,7 +30,7 @@ func main() {
c, err := client.ReadConfig(*cfg)
if err != nil {
- log.Fatalf("Error parsing config file: %v\n", err)
+ log.Printf("Error parsing config file: %v\n", err)
}
fmt.Printf("Your browser has been opened to visit %s\n", c.CA)
if err := browser.OpenURL(c.CA); err != nil {
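Review bot: Downgrading the config error to `log.Printf` lets `main` fall through to `c.CA` on the next line, so if `client.ReadConfig` returns a nil `*Config` together with the error (typical for a parse failure), the client now panics with a nil dereference where it previously exited cleanly; if it returns a zero-value config instead, `browser.OpenURL` is called with an empty URL. The commit message says the goal is tolerating a missing file, so the guard should either distinguish that case from a real parse error or at least refuse to continue without a usable config: `if c == nil { log.Fatalf("Error parsing config file: %v\n", err) }`. `main` starts before this hunk and continues past it.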
@@ -52,7 +52,7 @@ func main() {
}
sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
if err != nil {
- log.Fatalln("Error connecting to agent: %s", err)
+ log.Fatalf("Error connecting to agent: %v\n", err)
}
defer sock.Close()
a := agent.NewClient(sock)
diff --git a/cmd/cashierd/handlers_test.go b/cmd/cashierd/handlers_test.go
index a6bd113..934d5d0 100644
--- a/cmd/cashierd/handlers_test.go
+++ b/cmd/cashierd/handlers_test.go
@@ -34,19 +34,17 @@ func newContext(t *testing.T) *appContext {
defer os.Remove(f.Name())
f.Write(testdata.Priv)
f.Close()
- signer, err := signer.New(&config.SSH{
+ if keysigner, err = signer.New(&config.SSH{
SigningKey: f.Name(),
MaxAge: "1h",
- })
- if err != nil {
+ }); err != nil {
t.Error(err)
}
+ authprovider = testprovider.New()
+ certstore = store.NewMemoryStore()
return &appContext{
- cookiestore: sessions.NewCookieStore([]byte("secret")),
- authprovider: testprovider.New(),
- certstore: store.NewMemoryStore(),
- authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
- sshKeySigner: signer,
+ cookiestore: sessions.NewCookieStore([]byte("secret")),
+ authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
}
}
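Review bot: `newContext` now assigns the package-level `keysigner`, `authprovider` and `certstore` instead of fields on the returned `*appContext`, so all tests in the package share one set of dependencies: a test calling `newContext` while another is still running (for instance under `t.Parallel()`) replaces the other test's store and provider mid-flight, and the contents of `certstore` leak between tests unless every test rebuilds it. With `t.Error(err)` on the signer failure the helper also continues and leaves the global `keysigner` nil, so a later `SignUserKey` call panics far from the real cause; `t.Fatal(err)` would stop at the failure. The constraint should be stated on the helper, e.g. `// newContext resets the package-level keysigner, authprovider and certstore; tests using it must not call t.Parallel().`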
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index 85c2d81..8164cf7 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -46,15 +46,16 @@ import (
var (
cfg = flag.String("config_file", "cashierd.conf", "Path to configuration file.")
-)
-// appContext contains local context - cookiestore, authprovider, authsession etc.
-type appContext struct {
- cookiestore *sessions.CookieStore
authprovider auth.Provider
- authsession *auth.Session
- sshKeySigner *signer.KeySigner
certstore store.CertStorer
+ keysigner *signer.KeySigner
+)
+
+// appContext contains local context - cookiestore, authsession etc.
+type appContext struct {
+ cookiestore *sessions.CookieStore
+ authsession *auth.Session
}
// getAuthTokenCookie retrieves a cookie from the request.
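Review bot: The three new package-level variables `authprovider`, `certstore` and `keysigner` have no comment, while the `appContext` type right below them keeps its doc comment; since every handler now dereferences them unconditionally (`keysigner.SignUserKey`, `certstore.SetCert`), the requirement that `main` assigns all three before the server starts is a contract worth writing down. A test or alternative entry point that forgets one gets a nil-pointer panic on the first request rather than a clear startup error. Suggest on the var block: `// authprovider, certstore and keysigner are process-wide dependencies; main must assign all three before any handler runs.`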
@@ -116,7 +117,7 @@ func (a *appContext) setCurrentURL(w http.ResponseWriter, r *http.Request) {
func (a *appContext) isLoggedIn(w http.ResponseWriter, r *http.Request) bool {
tok := a.getAuthTokenCookie(r)
- if !tok.Valid() || !a.authprovider.Valid(tok) {
+ if !tok.Valid() || !authprovider.Valid(tok) {
return false
}
return true
@@ -152,7 +153,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
token := &oauth2.Token{
AccessToken: t,
}
- ok := a.authprovider.Valid(token)
+ ok := authprovider.Valid(token)
if !ok {
return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
}
@@ -162,13 +163,13 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
if err != nil {
return http.StatusBadRequest, errors.Wrap(err, "unable to extract key from request")
}
- username := a.authprovider.Username(token)
- a.authprovider.Revoke(token) // We don't need this anymore.
- cert, err := a.sshKeySigner.SignUserKey(req, username)
+ username := authprovider.Username(token)
+ authprovider.Revoke(token) // We don't need this anymore.
+ cert, err := keysigner.SignUserKey(req, username)
if err != nil {
return http.StatusInternalServerError, errors.Wrap(err, "error signing key")
}
- if err := a.certstore.SetCert(cert); err != nil {
+ if err := certstore.SetCert(cert); err != nil {
log.Printf("Error recording cert: %v", err)
}
if err := json.NewEncoder(w).Encode(&lib.SignResponse{
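Review bot: A failure from `certstore.SetCert(cert)` is only logged and the freshly signed certificate is still encoded into the response on the following lines, so the CA can issue a certificate that is absent from its own store; `listRevokedCertsHandler`, `listCertsJSONHandler` and `revokeCertHandler` all work from that store, so such a certificate cannot be found or revoked through them and never appears in the generated KRL. Unless best-effort recording is deliberate, the handler should fail before sending the certificate: `return http.StatusInternalServerError, errors.Wrap(err, "error recording cert")`. The hunk only swaps the receiver on this line, but making the store package-level is a reasonable point to settle this. `signHandler` continues past the hunk.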
@@ -184,7 +185,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
func loginHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
state := newState()
a.setAuthStateCookie(w, r, state)
- a.authsession = a.authprovider.StartSession(state)
+ a.authsession = authprovider.StartSession(state)
http.Redirect(w, r, a.authsession.AuthURL, http.StatusFound)
return http.StatusFound, nil
}
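Review bot: `a.authsession = authprovider.StartSession(state)` keeps per-login state on the `appContext`, and `main` appears to build a single `ctx := &appContext{...}` that every handler receives, so concurrent logins overwrite each other's session with no synchronisation; `callbackHandler` in the next hunk then reads `a.authsession` and `a.authsession.Token`, so one user's callback could complete against another user's session, in addition to being a data race under `-race`. Moving `authprovider` out of the struct leaves `authsession` as the only mutable per-request field, which makes this a natural moment to move it too: keep the pending session keyed by `state` (the state cookie is already set one line above) and look it up in `callbackHandler` instead of storing it on the shared context. Until then, flag the hazard where the write happens: `// TODO(review): authsession is shared by every request on this appContext; concurrent logins race here.`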
@@ -195,7 +196,7 @@ func callbackHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int
return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
}
code := r.FormValue("code")
- if err := a.authsession.Authorize(a.authprovider, code); err != nil {
+ if err := a.authsession.Authorize(authprovider, code); err != nil {
return http.StatusInternalServerError, err
}
a.setAuthTokenCookie(w, r, a.authsession.Token)
@@ -219,11 +220,11 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
}
func listRevokedCertsHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
- revoked, err := a.certstore.GetRevoked()
+ revoked, err := certstore.GetRevoked()
if err != nil {
return http.StatusInternalServerError, err
}
- rl, err := a.sshKeySigner.GenerateRevocationList(revoked)
+ rl, err := keysigner.GenerateRevocationList(revoked)
if err != nil {
return http.StatusInternalServerError, errors.Wrap(err, "unable to generate KRL")
}
@@ -248,7 +249,7 @@ func listCertsJSONHandler(a *appContext, w http.ResponseWriter, r *http.Request)
return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
}
includeExpired, _ := strconv.ParseBool(r.URL.Query().Get("all"))
- certs, err := a.certstore.List(includeExpired)
+ certs, err := certstore.List(includeExpired)
j, err := json.Marshal(certs)
if err != nil {
return http.StatusInternalServerError, errors.New(http.StatusText(http.StatusInternalServerError))
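Review bot: The error returned by `certstore.List(includeExpired)` is never examined: the next line `j, err := json.Marshal(certs)` overwrites `err`, so a store failure is replaced by the marshal result and whatever `certs` holds (likely nil) is served with status 200. Add the check before marshalling: `if err != nil { return http.StatusInternalServerError, err }`. The receiver swap in this hunk does not change that, but it is the line being touched; `listCertsJSONHandler` starts before and continues past the hunk.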
@@ -263,7 +264,7 @@ func revokeCertHandler(a *appContext, w http.ResponseWriter, r *http.Request) (i
}
r.ParseForm()
for _, id := range r.Form["cert_id"] {
- if err := a.certstore.Revoke(id); err != nil {
+ if err := certstore.Revoke(id); err != nil {
return http.StatusInternalServerError, errors.Wrap(err, "unable to revoke")
}
}
@@ -326,7 +327,7 @@ func main() {
})
vaultfs.Register(conf.Vault)
- signer, err := signer.New(conf.SSH)
+ keysigner, err = signer.New(conf.SSH)
if err != nil {
log.Fatal(err)
}
@@ -378,7 +379,6 @@ func main() {
// Unprivileged section
metrics.Register()
- var authprovider auth.Provider
switch conf.Auth.Provider {
case "google":
authprovider, err = google.New(conf.Auth)
@@ -393,15 +393,12 @@ func main() {
log.Fatal(errors.Wrapf(err, "unable to use provider '%s'", conf.Auth.Provider))
}
- certstore, err := store.New(conf.Server.Database)
+ certstore, err = store.New(conf.Server.Database)
if err != nil {
log.Fatal(err)
}
ctx := &appContext{
- cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
- authprovider: authprovider,
- sshKeySigner: signer,
- certstore: certstore,
+ cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
}
ctx.cookiestore.Options = &sessions.Options{
MaxAge: 900,