| -rw-r--r-- | README.md | 31 | ||||
| -rw-r--r-- | example-server.conf | 8 | ||||
| -rw-r--r-- | server/config/config.go | 48 | 
3 files changed, 9 insertions, 78 deletions
@@ -13,7 +13,6 @@  - [Configuration](#configuration)  	- [server](#server-1)  		- [database](#database) -		- [datastore](#datastore) [DEPRECATED]  	- [auth](#auth)  		- [Provider-specific options](#provider-specific-options)  	- [ssh](#ssh) @@ -113,7 +112,6 @@ Exception to this: the `http_logfile` option **ONLY** writes to local files.  - `cookie_secret`: string. Authentication key for the session cookie. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/cookie_secret`.  - `csrf_secret`: string. Authentication key for CSRF protection. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/csrf_secret`.  - `http_logfile`: string. Path to the HTTP request log. Logs are written in the [Common Log Format](https://en.wikipedia.org/wiki/Common_Log_Format). The only valid destination for logs is a local file path. -- `datastore`: string. Datastore connection string. See [Datastore](#datastore).  ### database 
@@ -146,35 +144,10 @@ server {  }  ``` -Prior to using MySQL or SQLite you need to create the database and tables using [one of the provided files](db).   +Prior to using MySQL or SQLite you need to create the database and tables using [the provided seed file](db/seed.sql).    e.g. `mysql < db/seed.sql`.    Obviously you should setup a role user for running in prodution. -### datastore - -## The datastore option is deprecated. Use the [database](#database) option instead - -~~Datastores contain a record of issued certificates for audit and revocation purposes. The connection string is of the form `engine:username:password:host[:port]`.~~ - -~~Supported database providers: `mysql`, `sqlite` and `mem`.~~ - -~~`mem` is an in-memory database intended for testing and takes no additional config options.~~   -~~`mysql` is the MySQL database and accepts `username`, `password` and `host` arguments. Only `username` and `host` arguments are required. `port` is assumed to be 3306 unless otherwise specified.~~   -~~`sqlite` is the SQLite database and accepts a `path` argument.~~ - -~~If no datastore is specified the `mem` store is used by default.~~ - -~~Examples:~~ - -``` -server { -  datastore = "mem"  # use the in-memory database. -  datastore = "mysql:root::localhost"  # mysql running on localhost with the user 'root' and no password. -  datastore = "mysql:cashier:PaSsWoRd:mydbprovider.example.com:5150"  # mysql running on a remote host on port 5150 -  datastore = "sqlite:/data/certs.db" -} -``` -  ## auth  - `provider` : string. Name of the oauth provider. Valid providers are currently "google", "github" and "gitlab".  - `oauth_client_id` : string. Oauth Client ID. This can be a secret stored in a [vault](https://www.vaultproject.io/) using the form `/vault/path/key` e.g. `/vault/secret/cashier/oauth_client_id`. 
@@ -275,7 +248,7 @@ where `/etc/ssh/ca.pub` contains the public part of your signing key.  If you wish to use certificate revocation you need to set the `RevokedKeys` option in sshd_config - see the next section.  ## Revoking certificates -When a certificate is signed a record is kept in the configured datastore. You can view issued certs at `http(s)://<ca url>/admin/certs` and also revoke them.   +When a certificate is signed a record is kept in the configured database. You can view issued certs at `http(s)://<ca url>/admin/certs` and also revoke them.    The revocation list is served at `http(s)://<ca url>/revoked`. To use it your sshd_config must have `RevokedKeys` set:  ```  RevokedKeys /etc/ssh/revoked_keys diff --git a/example-server.conf b/example-server.conf index 8d299fa..e0b3ea5 100644 --- a/example-server.conf +++ b/example-server.conf @@ -9,7 +9,13 @@ server {    cookie_secret = "supersecret"  # Authentication key for the client cookie    csrf_secret = "supersecret"  # Authentication key for the CSRF token    http_logfile = "http.log"  # Logfile for HTTP requests -  datastore = "mysql:user:pass:host:3306"  # engine:username:password:hostname:port +} + +database { +  type = "mysql" +  address = "host:3306" +  username = "user" +  password = "pass"  }  # Oauth2 configuration diff --git a/server/config/config.go b/server/config/config.go index 573ae85..422a135 100644 --- a/server/config/config.go +++ b/server/config/config.go @@ -1,9 +1,6 @@  package config  import ( -	"bytes" -	"fmt" -	"log"  	"os"  	"strconv"  	"strings" @@ -40,7 +37,6 @@ type Server struct {  	CSRFSecret            string   `hcl:"csrf_secret"`  	HTTPLogFile           string   `hcl:"http_logfile"`  	Database              Database `hcl:"database"` -	Datastore             string   `hcl:"datastore"` // Deprecated. TODO: remove.  }  // Auth holds the configuration specific to the OAuth provider. 
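Review bot: The new `database { ... }` block in example-server.conf is written after the closing `}` of `server`, at top level, while the struct hunk in the same commit declares `Database Database `hcl:"database"`` as a field of `type Server struct` and the removed converter printed its suggested replacement nested as `server {\n  database {\n`. Unless `Config` also has a top-level `database` field outside this diff, the shipped example would leave `Server.Database` empty and anyone copying it would run without the audit/revocation store configured. Move the block inside `server { ... }` (indented like `cookie_secret` and friends), or confirm that the decoder accepts the top-level placement and note that in the README. The example also carries a literal `password = "pass"`; if the database password accepts the same `/vault/path/key` form the README documents for `cookie_secret` and `csrf_secret`, a comment saying so would steer operators away from plaintext credentials in production configs.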
@@ -89,54 +85,11 @@ func verifyConfig(c *Config) error {
 	return err
 }
-func convertDatastoreConfig(c *Config) {
-	// Convert the deprecated 'datastore' config to the new 'database' config.
-	if c.Server != nil && c.Server.Datastore != "" {
-		conf := c.Server.Datastore
-		engine := strings.Split(conf, ":")[0]
-		switch engine {
-		case "mysql":
-			s := strings.SplitN(conf, ":", 4)
-			engine, user, passwd, addrs := s[0], s[1], s[2], s[3]
-			c.Server.Database = map[string]string{
-				"type":     engine,
-				"username": user,
-				"password": passwd,
-				"address":  addrs,
-			}
-		case "sqlite":
-			s := strings.Split(conf, ":")
-			c.Server.Database = map[string]string{"type": s[0], "filename": s[1]}
-		case "mem":
-			c.Server.Database = map[string]string{"type": "mem"}
-		}
-		var out bytes.Buffer
-		out.WriteString("The `datastore` option has been deprecated in favour of the `database` option. You should update your config.\n")
-		out.WriteString("The new config (passwords have been redacted) should look something like:\n")
-		out.WriteString("server {\n  database {\n")
-		for k, v := range c.Server.Database {
-			if v == "" {
-				continue
-			}
-			if k == "password" {
-				out.WriteString("    password = \"[ REDACTED ]\"\n")
-				continue
-			}
-			out.WriteString(fmt.Sprintf("    %s = \"%s\"\n", k, v))
-		}
-		out.WriteString("  }\n}")
-		log.Println(out.String())
-	}
-}
-
 func setFromEnvironment(c *Config) {
 	port, err := strconv.Atoi(os.Getenv("PORT"))
 	if err == nil {
 		c.Server.Port = port
 	}
-	if os.Getenv("DATASTORE") != "" {
-		c.Server.Datastore = os.Getenv("DATASTORE")
-	}
 	if os.Getenv("OAUTH_CLIENT_ID") != "" {
 		c.Auth.OauthClientID = os.Getenv("OAUTH_CLIENT_ID")
 	}
@@ -194,7 +147,6 @@ func ReadConfig(f string) (*Config, error) {
 		return nil, err
 	}
 	setFromEnvironment(config)
-	convertDatastoreConfig(config)
 	if err := verifyConfig(config); err != nil {
 		return nil, errors.Wrap(err, "unable to verify config")
 	}
 | 
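Review bot: Removing `convertDatastoreConfig` and the `DATASTORE` environment override means a deployment that still sets `datastore = "..."` in its config, or only exports `DATASTORE` in a container, now gets no warning and no database configuration at all; if the HCL decoder ignores unknown keys, the server starts with whatever default the database layer applies and issued certificates quietly stop being recorded for audit and revocation. Rather than dropping the key silently, keep a `Datastore string `hcl:"datastore"`` field on `Server` and have `verifyConfig` (whose body sits above this hunk) fail fast with `if c.Server != nil && c.Server.Datastore != "" { return errors.New("the 'datastore' option has been removed; use the 'database' block instead") }`, and consider treating an empty `c.Server.Database` as an error as well. If `DATASTORE` is intentionally unsupported from now on, the README's environment-variable documentation should say so. `setFromEnvironment` and `ReadConfig` continue past the ends of their hunks.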
