Allow listing expired certificates for debugging purposes
Signed-off-by: Knut Ahlers <knut@ahlers.me>
parent
9d8003c88f
commit
3c822ae59a
4 changed files with 14 additions and 14 deletions
|
@ -18,11 +18,11 @@ import (
|
||||||
"github.com/spf13/viper"
|
"github.com/spf13/viper"
|
||||||
)
|
)
|
||||||
|
|
||||||
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
|
func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, bool, error) {
|
||||||
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
|
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "cert", serial}, "/")
|
||||||
cs, err := client.Logical().Read(path)
|
cs, err := client.Logical().Read(path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
|
return nil, false, false, fmt.Errorf("Unable to read certificate: %s", err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
revoked := false
|
revoked := false
|
||||||
|
@ -37,12 +37,7 @@ func fetchCertificateBySerial(serial string) (*x509.Certificate, bool, error) {
|
||||||
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
|
data, _ := pem.Decode([]byte(cs.Data["certificate"].(string)))
|
||||||
cert, err := x509.ParseCertificate(data.Bytes)
|
cert, err := x509.ParseCertificate(data.Bytes)
|
||||||
|
|
||||||
if cert.NotAfter.Before(time.Now()) {
|
return cert, revoked, cert.NotAfter.Before(time.Now()), err
|
||||||
// Hide expired certs (they will not get the revoke-timestamp set on revoke)
|
|
||||||
revoked = true
|
|
||||||
}
|
|
||||||
|
|
||||||
return cert, revoked, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func fetchOVPNKey() (string, error) {
|
func fetchOVPNKey() (string, error) {
|
||||||
|
@ -65,7 +60,7 @@ func fetchOVPNKey() (string, error) {
|
||||||
return key.(string), nil
|
return key.(string), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
func fetchCertificatesFromVault(listExpired bool) ([]*x509.Certificate, error) {
|
||||||
res := []*x509.Certificate{}
|
res := []*x509.Certificate{}
|
||||||
|
|
||||||
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
|
path := strings.Join([]string{strings.Trim(viper.GetString("pki-mountpoint"), "/"), "certs"}, "/")
|
||||||
|
@ -83,7 +78,7 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, serial := range secret.Data["keys"].([]interface{}) {
|
for _, serial := range secret.Data["keys"].([]interface{}) {
|
||||||
cert, revoked, err := fetchCertificateBySerial(serial.(string))
|
cert, revoked, expired, err := fetchCertificateBySerial(serial.(string))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return res, err
|
return res, err
|
||||||
}
|
}
|
||||||
|
@ -92,6 +87,10 @@ func fetchValidCertificatesFromVault() ([]*x509.Certificate, error) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !listExpired && expired {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
res = append(res, cert)
|
res = append(res, cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
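Review bot: The new return line in fetchCertificateBySerial evaluates `cert.NotAfter` before any caller can inspect `err`, so an entry that fails `x509.ParseCertificate` (cert is nil) panics instead of returning the error. The context line above has the same problem with `data.Bytes` when `pem.Decode` finds no PEM block. Guard both before building the result: `if data == nil { return nil, false, false, fmt.Errorf("certificate entry contains no PEM block") }` and `if err != nil { return nil, false, false, err }`, then return with a nil error. The type assertion on `cs.Data["certificate"]` is also unchecked. Part of the function body lies between the two hunks and is not visible here.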
|
@ -24,6 +24,7 @@ func init() {
|
||||||
RootCmd.AddCommand(listCmd)
|
RootCmd.AddCommand(listCmd)
|
||||||
|
|
||||||
listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
|
listCmd.Flags().StringVar(&cfg.Sort, "sort", "fqdn", "How to sort list output (fqdn, issuedate, expiredate)")
|
||||||
|
listCmd.Flags().Bool("list-expired", false, "Also list expired certificates")
|
||||||
viper.BindPFlags(listCmd.Flags())
|
viper.BindPFlags(listCmd.Flags())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -34,7 +35,7 @@ func listCertificates() error {
|
||||||
|
|
||||||
lines := []listCertificatesTableRow{}
|
lines := []listCertificatesTableRow{}
|
||||||
|
|
||||||
certs, err := fetchValidCertificatesFromVault()
|
certs, err := fetchCertificatesFromVault(viper.GetBool("list-expired"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
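Review bot: The help text for `list-expired` in init() should state what the listing cannot show. The comment this commit removes from fetchCertificateBySerial said expired certificates do not get the revoke-timestamp set on revoke, so an expired entry shown by this flag may not reflect a revocation. Wording such as `"Also list expired certificates (their revocation state is not reliable)"` keeps that caveat where the operator sees it. Separately, the key is spelled out twice, in `Bool("list-expired", …)` and in `viper.GetBool("list-expired")` inside listCertificates; a shared constant would keep the two from drifting apart.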
|
@ -29,11 +29,11 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func revokeCertificateBySerial(serial string) error {
|
func revokeCertificateBySerial(serial string) error {
|
||||||
cert, revoked, err := fetchCertificateBySerial(serial)
|
cert, revoked, expired, err := fetchCertificateBySerial(serial)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if revoked {
|
if revoked || expired {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
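Review bot: `if revoked || expired { return nil }` in revokeCertificateBySerial reports success for an expired certificate without indicating that nothing was revoked. The reason is no longer written down anywhere, because this commit deletes the explanatory comment in fetchCertificateBySerial. Add a comment above the check, e.g. `// Expired certs are skipped: they will not get the revoke-timestamp set on revoke`, and consider logging the skip so an operator revoking by serial can see it was a no-op. The rest of the function is outside the hunk.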
|
@ -26,7 +26,7 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func revokeCertificateByFQDN(fqdn string) error {
|
func revokeCertificateByFQDN(fqdn string) error {
|
||||||
certs, err := fetchValidCertificatesFromVault()
|
certs, err := fetchCertificatesFromVault(false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|