author | Niall Sheridan <nsheridan@gmail.com> | 2017-02-12 18:34:41 +0000 |
committer | Niall Sheridan <nsheridan@gmail.com> | 2017-02-12 18:34:41 +0000 |
commit | 6e00d0000e54f21a4a393e67fd914bda4d394f4a (patch) | |
tree | b832e50c45aadc0bf4d0e0d8c45ca32754e8733c /cmd | |
parent | ed8bc523fd0d1a66acf3fa449c453508035efdfc (diff) |
Minor fixups
Correct some flag strings and some format strings
Don't fatal when the client config file is missing
Make keysigner, certstore and authprovider package-level
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/cashier/main.go | 10 | ||||
-rw-r--r-- | cmd/cashierd/handlers_test.go | 14 | ||||
-rw-r--r-- | cmd/cashierd/main.go | 47 |
3 files changed, 33 insertions, 38 deletions
diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index 53deffd..77a0b4b 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -19,9 +19,9 @@ var (
 u, _ = user.Current()
 cfg = pflag.String("config", path.Join(u.HomeDir, ".cashier.conf"), "Path to config file")
 ca = pflag.String("ca", "http://localhost:10000", "CA server")
- keysize = pflag.Int("key_size", 2048, "Key size. Ignored for ed25519 keys")
- validity = pflag.Duration("validity", time.Hour*24, "Key validity")
- keytype = pflag.String("key_type", "rsa", "Type of private key to generate - rsa, ecdsa or ed25519")
+ keysize = pflag.Int("key_size", 0, "Size of key to generate. Ignored for ed25519 keys. (default 2048 for rsa keys, 256 for ecdsa keys)")
+ validity = pflag.Duration("validity", time.Hour*24, "Key lifetime. May be overridden by the CA at signing time")
+ keytype = pflag.String("key_type", "", "Type of private key to generate - rsa, ecdsa or ed25519. (default \"rsa\")")
 publicFilePrefix = pflag.String("public_file_prefix", "", "Prefix for filename for public key and cert (optional, no default)")
 )
@@ -30,7 +30,7 @@ func main() {
 c, err := client.ReadConfig(*cfg)
 if err != nil {
- log.Fatalf("Error parsing config file: %v\n", err)
+ log.Printf("Error parsing config file: %v\n", err)
 }
 fmt.Printf("Your browser has been opened to visit %s\n", c.CA)
 if err := browser.OpenURL(c.CA); err != nil {
@@ -52,7 +52,7 @@ func main() {
 }
 sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
 if err != nil {
- log.Fatalln("Error connecting to agent: %s", err)
+ log.Fatalf("Error connecting to agent: %v\n", err)
 }
 defer sock.Close()
 a := agent.NewClient(sock)
diff --git a/cmd/cashierd/handlers_test.go b/cmd/cashierd/handlers_test.go
index a6bd113..934d5d0 100644
--- a/cmd/cashierd/handlers_test.go
+++ b/cmd/cashierd/handlers_test.go
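Review bot: The new zero defaults for `key_size` and `key_type` turn `0` and `""` into "not given on the command line" sentinels, but nothing in this hunk applies the 2048/256 and "rsa" defaults the help text promises, so that resolution must happen wherever the flags are merged with the config file, which is outside this diff. The var block is the only place a reader meets the sentinels, so the contract deserves a comment there, e.g. `// key_size 0 and key_type "" mean "not set on the command line"; the config file value, or the default named in the help text, is applied when flags and config are merged.` The enclosing var block starts before this hunk.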
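Review bot: Downgrading `log.Fatalf` to `log.Printf` at the ReadConfig error silences every parse failure, not only the missing-file case the commit message describes, and `c.CA` is dereferenced on the very next line, so the outcome depends on what ReadConfig returns alongside the error: a nil config panics, a partially filled one means a malformed file silently falls back to remaining defaults, including the plain-http `--ca` default. Tolerate only the missing file, e.g. `if err != nil && !os.IsNotExist(err) { log.Fatalf("Error parsing config file: %v\n", err) }`, which assumes ReadConfig returns the unwrapped os error — if it wraps it, have it expose a not-found error and test for that instead. main continues past this hunk.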
@@ -34,19 +34,17 @@ func newContext(t *testing.T) *appContext {
 defer os.Remove(f.Name())
 f.Write(testdata.Priv)
 f.Close()
- signer, err := signer.New(&config.SSH{
+ if keysigner, err = signer.New(&config.SSH{
 SigningKey: f.Name(),
 MaxAge: "1h",
- })
- if err != nil {
+ }); err != nil {
 t.Error(err)
 }
+ authprovider = testprovider.New()
+ certstore = store.NewMemoryStore()
 return &appContext{
- cookiestore: sessions.NewCookieStore([]byte("secret")),
- authprovider: testprovider.New(),
- certstore: store.NewMemoryStore(),
- authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
- sshKeySigner: signer,
+ cookiestore: sessions.NewCookieStore([]byte("secret")),
+ authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
 }
 }
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index 85c2d81..8164cf7 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -46,15 +46,16 @@ import (
 var (
 cfg = flag.String("config_file", "cashierd.conf", "Path to configuration file.")
-)
-// appContext contains local context - cookiestore, authprovider, authsession etc.
-type appContext struct {
- cookiestore *sessions.CookieStore
 authprovider auth.Provider
- authsession *auth.Session
- sshKeySigner *signer.KeySigner
 certstore store.CertStorer
+ keysigner *signer.KeySigner
+)
+
+// appContext contains local context - cookiestore, authsession etc.
+type appContext struct {
+ cookiestore *sessions.CookieStore
+ authsession *auth.Session
 }
 // getAuthTokenCookie retrieves a cookie from the request.
@@ -116,7 +117,7 @@ func (a *appContext) setCurrentURL(w http.ResponseWriter, r *http.Request) {
 func (a *appContext) isLoggedIn(w http.ResponseWriter, r *http.Request) bool {
 tok := a.getAuthTokenCookie(r)
- if !tok.Valid() || !a.authprovider.Valid(tok) {
+ if !tok.Valid() || !authprovider.Valid(tok) {
 return false
 }
 return true
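Review bot: newContext now assigns the package-level `keysigner`, `authprovider` and `certstore` as a side effect, so every test that calls it shares and overwrites the same three globals; if any test in the package uses `t.Parallel()` they race, and a handler exercised before newContext has run sees nil values. On a `signer.New` failure the test records `t.Error` and carries on with a nil `keysigner`, which signHandler will dereference far from the real cause — `t.Fatal(err)` on that line stops at the cause. A comment above the call, `// Sets the package-level keysigner, authprovider and certstore; tests that use newContext must not run in parallel.`, records the constraint. newContext starts before this hunk, where `f` and `err` are presumably declared.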
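Review bot: The three variables added to the var block carry the server's most sensitive state — `keysigner` holds the CA signing capability, `authprovider` decides who is logged in, `certstore` backs revocation — yet none has a doc comment, and nothing records that they are only valid after main assigns them (keysigner before, authprovider and certstore after the `// Unprivileged section` marker, per the later hunks). A handler reached before those assignments dereferences nil, and as package-level mutable state they can now be reassigned from anywhere in package main, including tests. Suggest a comment per variable, e.g. `// keysigner signs user keys with the CA key. Assigned in main before the HTTP handlers are registered; nil until then.`, and, if the marker indeed denotes a privilege drop, noting that keysigner is the only one created with privileges.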
@@ -152,7 +153,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 token := &oauth2.Token{
 AccessToken: t,
 }
- ok := a.authprovider.Valid(token)
+ ok := authprovider.Valid(token)
 if !ok {
 return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 }
@@ -162,13 +163,13 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 if err != nil {
 return http.StatusBadRequest, errors.Wrap(err, "unable to extract key from request")
 }
- username := a.authprovider.Username(token)
- a.authprovider.Revoke(token) // We don't need this anymore.
- cert, err := a.sshKeySigner.SignUserKey(req, username)
+ username := authprovider.Username(token)
+ authprovider.Revoke(token) // We don't need this anymore.
+ cert, err := keysigner.SignUserKey(req, username)
 if err != nil {
 return http.StatusInternalServerError, errors.Wrap(err, "error signing key")
 }
- if err := a.certstore.SetCert(cert); err != nil {
+ if err := certstore.SetCert(cert); err != nil {
 log.Printf("Error recording cert: %v", err)
 }
 if err := json.NewEncoder(w).Encode(&lib.SignResponse{
@@ -184,7 +185,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 func loginHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
 state := newState()
 a.setAuthStateCookie(w, r, state)
- a.authsession = a.authprovider.StartSession(state)
+ a.authsession = authprovider.StartSession(state)
 http.Redirect(w, r, a.authsession.AuthURL, http.StatusFound)
 return http.StatusFound, nil
 }
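Review bot: A certificate is still returned to the caller when `certstore.SetCert(cert)` fails — the error is only logged — so a signed cert can exist that the store has no record of, and because listRevokedCertsHandler builds the KRL from `certstore.GetRevoked()`, such a cert can never be revoked through this server. Once the CA key has been used the record must be durable: replace the log line with `return http.StatusInternalServerError, errors.Wrap(err, "error recording cert")`. The result of `authprovider.Revoke(token)`, if Revoke returns one, is likewise dropped; if it does, at least log it so a token that outlives its single use is visible. signHandler starts before and continues past this hunk.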
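Review bot: `a.authsession = authprovider.StartSession(state)` stores the OAuth session on the one `appContext` that main constructs (`ctx := &appContext{...}` in the last hunk), so if that context is shared by all requests, as the handler signatures suggest, two concurrent logins overwrite each other's session and callbackHandler then authorizes the code and sets the token cookie from whichever session won — potentially handing one user another user's token. The session should be per-request: keyed by `state`, which already travels in the state cookie, and looked up in callbackHandler, or rebuilt there from the state if StartSession is cheap and deterministic (I cannot see its body). This is pre-existing, but the commit moved every other field out of appContext and left this one, so the shared mutable field now stands out. loginHandler is fully visible in the hunk.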
@@ -195,7 +196,7 @@ func callbackHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int
 return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 }
 code := r.FormValue("code")
- if err := a.authsession.Authorize(a.authprovider, code); err != nil {
+ if err := a.authsession.Authorize(authprovider, code); err != nil {
 return http.StatusInternalServerError, err
 }
 a.setAuthTokenCookie(w, r, a.authsession.Token)
@@ -219,11 +220,11 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 }
 func listRevokedCertsHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
- revoked, err := a.certstore.GetRevoked()
+ revoked, err := certstore.GetRevoked()
 if err != nil {
 return http.StatusInternalServerError, err
 }
- rl, err := a.sshKeySigner.GenerateRevocationList(revoked)
+ rl, err := keysigner.GenerateRevocationList(revoked)
 if err != nil {
 return http.StatusInternalServerError, errors.Wrap(err, "unable to generate KRL")
 }
@@ -248,7 +249,7 @@ func listCertsJSONHandler(a *appContext, w http.ResponseWriter, r *http.Request)
 return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 }
 includeExpired, _ := strconv.ParseBool(r.URL.Query().Get("all"))
- certs, err := a.certstore.List(includeExpired)
+ certs, err := certstore.List(includeExpired)
 j, err := json.Marshal(certs)
 if err != nil {
 return http.StatusInternalServerError, errors.New(http.StatusText(http.StatusInternalServerError))
@@ -263,7 +264,7 @@ func revokeCertHandler(a *appContext, w http.ResponseWriter, r *http.Request) (i
 }
 r.ParseForm()
 for _, id := range r.Form["cert_id"] {
- if err := a.certstore.Revoke(id); err != nil {
+ if err := certstore.Revoke(id); err != nil {
 return http.StatusInternalServerError, errors.Wrap(err, "unable to revoke")
 }
 }
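Review bot: The error from `certs, err := certstore.List(includeExpired)` is never checked — the next line, `j, err := json.Marshal(certs)`, overwrites it — so a failing store is answered with a 200 and an empty or nil list, which anyone auditing issued certificates would read as "nothing issued". Add the check before marshalling: `if err != nil { return http.StatusInternalServerError, errors.Wrap(err, "unable to list certs") }`. listCertsJSONHandler starts before and continues past this hunk.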
@@ -326,7 +327,7 @@ func main() {
 })
 vaultfs.Register(conf.Vault)
- signer, err := signer.New(conf.SSH)
+ keysigner, err = signer.New(conf.SSH)
 if err != nil {
 log.Fatal(err)
 }
@@ -378,7 +379,6 @@ func main() {
 // Unprivileged section
 metrics.Register()
- var authprovider auth.Provider
 switch conf.Auth.Provider {
 case "google":
 authprovider, err = google.New(conf.Auth)
@@ -393,15 +393,12 @@ func main() {
 log.Fatal(errors.Wrapf(err, "unable to use provider '%s'", conf.Auth.Provider))
 }
- certstore, err := store.New(conf.Server.Database)
+ certstore, err = store.New(conf.Server.Database)
 if err != nil {
 log.Fatal(err)
 }
 ctx := &appContext{
- cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
- authprovider: authprovider,
- sshKeySigner: signer,
- certstore: certstore,
+ cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
 }
 ctx.cookiestore.Options = &sessions.Options{
 MaxAge: 900, |
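Review bot: `sessions.NewCookieStore([]byte(conf.Server.CookieSecret))` receives a single key, which in gorilla/sessions (the `Options{MaxAge: ...}` API this matches) is the HMAC key only: cookies are signed but not encrypted, so the OAuth token that setAuthTokenCookie writes into the session is readable by anything that can see the cookie. Pass a second 16, 24 or 32-byte key to turn on AES encryption, e.g. `sessions.NewCookieStore([]byte(conf.Server.CookieSecret), encryptionKey)`, with the key sourced from config next to CookieSecret. It is also worth confirming that the Options set just below carry `Secure: true` and `HttpOnly: true`; the hunk ends at MaxAge, so I cannot see them. main continues past this hunk.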