mirror of https://github.com/Luzifer/vault-openvpn.git synced 2024-11-08 16:20:05 +00:00

Allow listing expired certificates for debugging purposes

Signed-off-by: Knut Ahlers <knut@ahlers.me>
Knut Ahlers 2018-06-14 21:09:15 +02:00
parent 9d8003c88f
commit 3c822ae59a
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
4 changed files with 14 additions and 14 deletions


@ -18,11 +18,11 @@ import (
"github.com/spf13/viper"
)
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
cs, err := client.Logical().Read(path)
if err != nil {
return nil, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
return nil, false, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
}
revoked := false
@ -37,12 +37,7 @@ func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
cert, err := x509.ParseCertificate(data.Bytes)
if cert.NotAfter.Before(time.Now()) {
// Hide expired certs (they will not get the revoke-timestamp set on revoke)
revoked = true
}
return cert, revoked, err
return cert, revoked, cert.NotAfter.Before(time.Now()), err
}
func fetchOVPNKey() (string, error) {
@ -65,7 +60,7 @@ func fetchOVPNKey() (string, error) {
return key.(string), nil
}
func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
func fetchCertificatesFromVault(listExpired bool) ([]*x509.Certificate, error) {
res := []*x509.Certificate{}
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
@ -83,7 +78,7 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
}
for _, serial := range secret.Data["keys"].([]interface{}) {
cert, revoked, err := fetchCertificateBySerial(serial.(string))
cert, revoked, expired, err := fetchCertificateBySerial(serial.(string))
if err != nil {
return res, err
}
@ -92,6 +87,10 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
continue
}
if !listExpired && expired {
continue
}
res = append(res, cert)
}
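Review bot: The new return statement in fetchCertificateBySerial evaluates `cert.NotAfter.Before(time.Now())` before the error from `x509.ParseCertificate` is inspected, so a stored certificate that fails to parse leaves `cert` nil and panics instead of returning the error. The same holds for `data.Bytes` when `pem.Decode` finds no PEM block and returns a nil block. Guard both before computing the expiry flag, e.g. `if data == nil { return nil, false, false, fmt.Errorf("Unable to decode certificate PEM") }` after the decode and `if err != nil { return nil, false, false, err }` after the parse. Part of the function body lies between the two hunks and is not visible here.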


@ -24,6 +24,7 @@ func init() {
RootCmd.AddCommand(listCmd)
listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
listCmd.Flags().Bool("list-expired", false, "Also list expired certificates")
viper.BindPFlags(listCmd.Flags())
}
@ -34,7 +35,7 @@ func listCertificates() error {
lines := []listCertificatesTableRow{}
certs, err := fetchValidCertificatesFromVault()
certs, err := fetchCertificatesFromVault(viper.GetBool("list-expired"))
if err != nil {
return err
}
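Review bot: The help text for the new `list-expired` flag does not say what happens to revoked certificates. Judging by the filter loop in fetchCertificatesFromVault, which still skips entries ahead of the new expiry check, they appear to stay hidden. Since the flag is meant for debugging, wording such as `"Also list expired certificates (revoked ones stay hidden)"` would keep an operator from reading the output as a complete inventory of issued certificates.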


@ -29,11 +29,11 @@ func init() {
}
func revokeCertificateBySerial(serial string) error {
cert, revoked, err := fetchCertificateBySerial(serial)
cert, revoked, expired, err := fetchCertificateBySerial(serial)
if err != nil {
return err
}
if revoked {
if revoked || expired {
return nil
}
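Review bot: The `if revoked || expired` early return carries no comment explaining why an expired certificate is treated as already handled, and the rationale that used to sit in fetchCertificateBySerial ("they will not get the revoke-timestamp set on revoke") is deleted by this commit. Restore it here, e.g. `// Expired certs are skipped: they will not get the revoke-timestamp set on revoke`. The caller receives nil in both cases, so a revoke request for an expired serial is indistinguishable from a successful revocation. Expiry is judged against this host's clock only, so it is worth deciding whether that skip should at least be logged. The function body continues past the hunk.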


@ -26,7 +26,7 @@ func init() {
}
func revokeCertificateByFQDN(fqdn string) error {
certs, err := fetchValidCertificatesFromVault()
certs, err := fetchCertificatesFromVault(false)
if err != nil {
return err
}