
Allow listing expired certificates for debugging purposes

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-06-14 21:09:15 +02:00
parent 9d8003c88f
commit 3c822ae59a
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
4 changed files with 14 additions and 14 deletions


@ -18,11 +18,11 @@ import (
"github.com/spf13/viper" "github.com/spf13/viper"
) )
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) { func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/") path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
cs, err := client.Logical().Read(path) cs, err := client.Logical().Read(path)
if err != nil { if err != nil {
return nil, false, fmt.Errorf("Unable to read certificate: %s", err.Error()) return nil, false, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
} }
revoked := false revoked := false
@ -37,12 +37,7 @@ func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string))) data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
cert, err := x509.ParseCertificate(data.Bytes) cert, err := x509.ParseCertificate(data.Bytes)
if cert.NotAfter.Before(time.Now()) { return cert, revoked, cert.NotAfter.Before(time.Now()), err
// Hide expired certs (they will not get the revoke-timestamp set on revoke)
revoked = true
}
return cert, revoked, err
} }
func fetchOVPNKey() (string, error) { func fetchOVPNKey() (string, error) {
@ -65,7 +60,7 @@ func fetchOVPNKey() (string, error) {
return key.(string), nil return key.(string), nil
} }
func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) { func fetchCertificatesFromVault(listExpired bool) ([]*x509.Certificate, error) {
res := []*x509.Certificate{} res := []*x509.Certificate{}
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/") path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
@ -83,7 +78,7 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
} }
for _, serial := range secret.Data["keys"].([]interface{}) { for _, serial := range secret.Data["keys"].([]interface{}) {
cert, revoked, err := fetchCertificateBySerial(serial.(string)) cert, revoked, expired, err := fetchCertificateBySerial(serial.(string))
if err != nil { if err != nil {
return res, err return res, err
} }
@ -92,6 +87,10 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
continue continue
} }
if !listExpired && expired {
continue
}
res = append(res, cert) res = append(res, cert)
} }
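Review bot: The new return line in fetchCertificateBySerial dereferences `cert.NotAfter` before `err` from `x509.ParseCertificate` is checked, so a serial whose stored PEM does not parse panics with a nil pointer instead of surfacing the error; the discarded `pem.Decode` result on the line above can likewise be nil, and the unchecked `.(string)` assertion there fails the same way. The previous `if cert.NotAfter.Before(...)` had the same ordering, but the rewrite is the place to fix it: guard `data` and `err` before computing the expiry flag and wrap the parse error like the read error earlier in the function. The revoked-timestamp handling between the two hunks of fetchCertificateBySerial is outside this view.
```go
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
if data == nil {
	return nil, false, false, fmt.Errorf("Unable to decode certificate PEM for serial %s", serial)
}
cert, err := x509.ParseCertificate(data.Bytes)
if err != nil {
	return nil, false, false, fmt.Errorf("Unable to parse certificate: %s", err.Error())
}
return cert, revoked, cert.NotAfter.Before(time.Now()), nil
```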


@ -24,6 +24,7 @@ func init() {
RootCmd.AddCommand(listCmd) RootCmd.AddCommand(listCmd)
listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)") listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
listCmd.Flags().Bool("list-expired", false, "Also list expired certificates")
viper.BindPFlags(listCmd.Flags()) viper.BindPFlags(listCmd.Flags())
} }
@ -34,7 +35,7 @@ func listCertificates() error {
lines := []listCertificatesTableRow{} lines := []listCertificatesTableRow{}
certs, err := fetchValidCertificatesFromVault() certs, err := fetchCertificatesFromVault(viper.GetBool("list-expired"))
if err != nil { if err != nil {
return err return err
} }
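Review bot: The new `list-expired` flag is registered with `Flags().Bool` and read back through `viper.GetBool` in listCertificates, while the neighbouring `sort` flag on the line above is bound straight into `cfg.Sort` with `StringVar`, so sibling flags of the same command now travel two different lookup paths. If `cfg` has room for it (its definition is outside this hunk), `listCmd.Flags().BoolVar(&cfg.ListExpired, "list-expired", false, "Also list expired certificates")` and `certs, err := fetchCertificatesFromVault(cfg.ListExpired)` would keep the command consistent. The error from `viper.BindPFlags` is still discarded on the existing line, which is pre-existing but worth a look while here.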


@ -29,11 +29,11 @@ func init() {
} }
func revokeCertificateBySerial(serial string) error { func revokeCertificateBySerial(serial string) error {
cert, revoked, err := fetchCertificateBySerial(serial) cert, revoked, expired, err := fetchCertificateBySerial(serial)
if err != nil { if err != nil {
return err return err
} }
if revoked { if revoked || expired {
return nil return nil
} }
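Review bot: `if revoked || expired { return nil }` in revokeCertificateBySerial reports success for an expired certificate that was never actually revoked, and with `--list-expired` an operator can now see such a serial, try to revoke it and get no indication that nothing happened. Distinguishing the two states with at least a message before returning would make the outcome visible, e.g. `if expired { log.Printf("Certificate %s is already expired, skipping revocation", serial) }` ahead of the early return, using whichever logger this file already imports (not visible in the hunk). The rest of revokeCertificateBySerial continues outside this hunk.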


@ -26,7 +26,7 @@ func init() {
} }
func revokeCertificateByFQDN(fqdn string) error { func revokeCertificateByFQDN(fqdn string) error {
certs, err := fetchValidCertificatesFromVault() certs, err := fetchCertificatesFromVault(false)
if err != nil { if err != nil {
return err return err
} }