mirror of
https://github.com/Luzifer/vault-openvpn.git
synced 2024-12-25 06:11:21 +00:00
Allow listing expired certificates for debugging purposes
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
9d8003c88f
commit
3c822ae59a
4 changed files with 14 additions and 14 deletions
|
@ -18,11 +18,11 @@ import (
|
|||
"github.com/spf13/viper"
|
||||
)
|
||||
|
||||
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
|
||||
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
|
||||
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
|
||||
cs, err := client.Logical().Read(path)
|
||||
if err != nil {
|
||||
return nil, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
|
||||
return nil, false, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
|
||||
}
|
||||
|
||||
revoked := false
|
||||
|
@ -37,12 +37,7 @@ func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
|
|||
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
|
||||
cert, err := x509.ParseCertificate(data.Bytes)
|
||||
|
||||
if cert.NotAfter.Before(time.Now()) {
|
||||
// Hide expired certs (they will not get the revoke-timestamp set on revoke)
|
||||
revoked = true
|
||||
}
|
||||
|
||||
return cert, revoked, err
|
||||
return cert, revoked, cert.NotAfter.Before(time.Now()), err
|
||||
}
|
||||
|
||||
func fetchOVPNKey() (string, error) {
|
||||
|
@ -65,7 +60,7 @@ func fetchOVPNKey() (string, error) {
|
|||
return key.(string), nil
|
||||
}
|
||||
|
||||
func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
||||
func fetchCertificatesFromVault(listExpired bool) ([]*x509.Certificate, error) {
|
||||
res := []*x509.Certificate{}
|
||||
|
||||
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
|
||||
|
@ -83,7 +78,7 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
|||
}
|
||||
|
||||
for _, serial := range secret.Data["keys"].([]interface{}) {
|
||||
cert, revoked, err := fetchCertificateBySerial(serial.(string))
|
||||
cert, revoked, expired, err := fetchCertificateBySerial(serial.(string))
|
||||
if err != nil {
|
||||
return res, err
|
||||
}
|
||||
|
@ -92,6 +87,10 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
|||
continue
|
||||
}
|
||||
|
||||
if !listExpired && expired {
|
||||
continue
|
||||
}
|
||||
|
||||
res = append(res, cert)
|
||||
}
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@ func init() {
|
|||
RootCmd.AddCommand(listCmd)
|
||||
|
||||
listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
|
||||
listCmd.Flags().Bool("list-expired", false, "Also list expired certificates")
|
||||
viper.BindPFlags(listCmd.Flags())
|
||||
}
|
||||
|
||||
|
@ -34,7 +35,7 @@ func listCertificates() error {
|
|||
|
||||
lines := []listCertificatesTableRow{}
|
||||
|
||||
certs, err := fetchValidCertificatesFromVault()
|
||||
certs, err := fetchCertificatesFromVault(viper.GetBool("list-expired"))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -29,11 +29,11 @@ func init() {
|
|||
}
|
||||
|
||||
func revokeCertificateBySerial(serial string) error {
|
||||
cert, revoked, err := fetchCertificateBySerial(serial)
|
||||
cert, revoked, expired, err := fetchCertificateBySerial(serial)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if revoked {
|
||||
if revoked || expired {
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -26,7 +26,7 @@ func init() {
|
|||
}
|
||||
|
||||
func revokeCertificateByFQDN(fqdn string) error {
|
||||
certs, err := fetchValidCertificatesFromVault()
|
||||
certs, err := fetchCertificatesFromVault(false)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue