authorKevin Lyda <kevin@ie.suberic.net>2017-01-27 12:27:44 +0000
committerNiall Sheridan <nsheridan@gmail.com>2017-01-27 12:27:44 +0000
commit019891ab8b6709b2e3fb6be83d111fb73ec2bd32 (patch)
treedddc136afa5a1f425871b8da88041ca479d08cba
parent4993eae2d91d89840c75f6e0e3e01a76941c8534 (diff)
Remove datastore
-rw-r--r--README.md31
-rw-r--r--example-server.conf8
-rw-r--r--server/config/config.go48
3 files changed, 9 insertions, 78 deletions
diff --git a/README.md b/README.md
index 6f1ef23..9581761 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,6 @@
- [Configuration](#configuration)
- [server](#server-1)
- [database](#database)
- - [datastore](#datastore) [DEPRECATED]
- [auth](#auth)
- [Provider-specific options](#provider-specific-options)
- [ssh](#ssh)
@@ -113,7 +112,6 @@ Exception to this: the `http_logfile` option **ONLY** writes to local files.
- `cookie_secret`: string. Authentication key for the session cookie. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/cookie_secret`.
- `csrf_secret`: string. Authentication key for CSRF protection. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/csrf_secret`.
- `http_logfile`: string. Path to the HTTP request log. Logs are written in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). The only valid destination for logs is a local file path.
-- `datastore`: string. Datastore connection string. See [Datastore](#datastore).
### database
@@ -146,35 +144,10 @@ server {
}
```
-Prior to using MySQL or SQLite you need to create the database and tables using [one of the provided files](db).
+Prior to using MySQL or SQLite you need to create the database and tables using [the provided seed file](db/seed.sql).
e.g. `mysql < db/seed.sql`.
Obviously you should setup a role user for running in prodution.
-### datastore
-
-## The datastore option is deprecated. Use the [database](#database) option instead
-
-~~Datastores contain a record of issued certificates for audit and revocation purposes. The connection string is of the form `engine:username:password:host[:port]`.~~
-
-~~Supported database providers: `mysql`, `sqlite` and `mem`.~~
-
-~~`mem` is an in-memory database intended for testing and takes no additional config options.~~
-~~`mysql` is the MySQL database and accepts `username`, `password` and `host` arguments. Only `username` and `host` arguments are required. `port` is assumed to be 3306 unless otherwise specified.~~
-~~`sqlite` is the SQLite database and accepts a `path` argument.~~
-
-~~If no datastore is specified the `mem` store is used by default.~~
-
-~~Examples:~~
-
-```
-server {
- datastore = "mem" # use the in-memory database.
- datastore = "mysql:root::localhost" # mysql running on localhost with the user 'root' and no password.
- datastore = "mysql:cashier:PaSsWoRd:mydbprovider.example.com:5150" # mysql running on a remote host on port 5150
- datastore = "sqlite:/data/certs.db"
-}
-```
-
## auth
- `provider` : string. Name of the oauth provider. Valid providers are currently "google", "github" and "gitlab".
- `oauth_client_id` : string. Oauth Client ID. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/oauth_client_id`.
@@ -275,7 +248,7 @@ where `/etc/ssh/ca.pub` contains the public part of your signing key.
If you wish to use certificate revocation you need to set the `RevokedKeys` option in sshd_config - see the next section.
## Revoking certificates
-When a certificate is signed a record is kept in the configured datastore. You can view issued certs at `http(s)://<ca url>/admin/certs` and also revoke them.
+When a certificate is signed a record is kept in the configured database. You can view issued certs at `http(s)://<ca url>/admin/certs` and also revoke them.
The revocation list is served at `http(s)://<ca url>/revoked`. To use it your sshd_config must have `RevokedKeys` set:
```
RevokedKeys /etc/ssh/revoked_keys
diff --git a/example-server.conf b/example-server.conf
index 8d299fa..e0b3ea5 100644
--- a/example-server.conf
+++ b/example-server.conf
@@ -9,7 +9,13 @@ server {
cookie_secret = "supersecret" # Authentication key for the client cookie
csrf_secret = "supersecret" # Authentication key for the CSRF token
http_logfile = "http.log" # Logfile for HTTP requests
- datastore = "mysql:user:pass:host:3306" # engine:username:password:hostname:port
+}
+
+database {
+ type = "mysql"
+ address = "host:3306"
+ username = "user"
+ password = "pass"
}
# Oauth2 configuration
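Review bot: The new `database` block carries none of the trailing explanatory comments that the neighbouring `cookie_secret`, `csrf_secret` and `http_logfile` lines have, so a reader of the example cannot tell which `type` values are accepted or whether `address` has to include the port. The converter removed in server/config/config.go in this same commit produced `mysql`, `sqlite` (with a `filename` key instead of `address`) and `mem` as type values; if those are still what the `database` block accepts, the example should say so inline, e.g. `type = "mysql" # mysql, sqlite or mem`, `address = "host:3306" # hostname:port of the database server`, `password = "pass" # Database password`. The enclosing `server` block opens before this hunk.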
diff --git a/server/config/config.go b/server/config/config.go
index 573ae85..422a135 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -1,9 +1,6 @@
package config
import (
- "bytes"
- "fmt"
- "log"
"os"
"strconv"
"strings"
@@ -40,7 +37,6 @@ type Server struct {
CSRFSecret string `hcl:"csrf_secret"`
HTTPLogFile string `hcl:"http_logfile"`
Database Database `hcl:"database"`
- Datastore string `hcl:"datastore"` // Deprecated. TODO: remove.
}
// Auth holds the configuration specific to the OAuth provider.
@@ -89,54 +85,11 @@ func verifyConfig(c *Config) error {
return err
}
-func convertDatastoreConfig(c *Config) {
- // Convert the deprecated 'datastore' config to the new 'database' config.
- if c.Server != nil && c.Server.Datastore != "" {
- conf := c.Server.Datastore
- engine := strings.Split(conf, ":")[0]
- switch engine {
- case "mysql":
- s := strings.SplitN(conf, ":", 4)
- engine, user, passwd, addrs := s[0], s[1], s[2], s[3]
- c.Server.Database = map[string]string{
- "type": engine,
- "username": user,
- "password": passwd,
- "address": addrs,
- }
- case "sqlite":
- s := strings.Split(conf, ":")
- c.Server.Database = map[string]string{"type": s[0], "filename": s[1]}
- case "mem":
- c.Server.Database = map[string]string{"type": "mem"}
- }
- var out bytes.Buffer
- out.WriteString("The `datastore` option has been deprecated in favour of the `database` option. You should update your config.\n")
- out.WriteString("The new config (passwords have been redacted) should look something like:\n")
- out.WriteString("server {\n database {\n")
- for k, v := range c.Server.Database {
- if v == "" {
- continue
- }
- if k == "password" {
- out.WriteString(" password = \"[ REDACTED ]\"\n")
- continue
- }
- out.WriteString(fmt.Sprintf(" %s = \"%s\"\n", k, v))
- }
- out.WriteString(" }\n}")
- log.Println(out.String())
- }
-}
-
func setFromEnvironment(c *Config) {
port, err := strconv.Atoi(os.Getenv("PORT"))
if err == nil {
c.Server.Port = port
}
- if os.Getenv("DATASTORE") != "" {
- c.Server.Datastore = os.Getenv("DATASTORE")
- }
if os.Getenv("OAUTH_CLIENT_ID") != "" {
c.Auth.OauthClientID = os.Getenv("OAUTH_CLIENT_ID")
}
@@ -194,7 +147,6 @@ func ReadConfig(f string) (*Config, error) {
return nil, err
}
setFromEnvironment(config)
- convertDatastoreConfig(config)
if err := verifyConfig(config); err != nil {
return nil, errors.Wrap(err, "unable to verify config")
}
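Review bot: With the `datastore` field and the `DATASTORE` environment variable both removed, a deployment that still uses the old option gets neither an error nor a warning: the struct no longer has the field, so the HCL decoder presumably drops the key silently, and `setFromEnvironment` (the hunk at line 158, where `DATASTORE` was read) now ignores the variable entirely, leaving `Database` at its zero value for the store the README says holds issued certificates for audit and revocation. Since `os` is still imported and `ReadConfig` already returns errors, a guard next to the `setFromEnvironment(config)` call would make the break explicit rather than silent: `if v := os.Getenv("DATASTORE"); v != "" {`, `return nil, errors.New("DATASTORE is no longer supported; configure the database block instead")`, `}`. Whether `verifyConfig` rejects an empty `Database` cannot be seen here, as its body lies outside this hunk; `ReadConfig` itself starts before the hunk.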