Add more validation to input
Signed-off-by: Knut Ahlers <knut@ahlers.me>
parent
29743cd411
commit
7c187aa126
1 changed files with 33 additions and 10 deletions
main.go
|
@ -144,16 +144,16 @@ func init() {
|
||||||
|
|
||||||
func main() {
|
func main() {
|
||||||
if len(rconfig.Args()) < 2 {
|
if len(rconfig.Args()) < 2 {
|
||||||
fmt.Println("Usage: vault-openvpn [options] <action> <FQDN>")
|
fmt.Println("Usage: vault-openvpn [options] <action>")
|
||||||
fmt.Println(" actions: client / server / list / revoke / revoke-serial")
|
fmt.Println(" client <fqdn> - Generate certificate and output client config")
|
||||||
|
fmt.Println(" server <fqdn> - Generate certificate and output server config")
|
||||||
|
fmt.Println(" list - List all valid (not expired, not revoked) certificates")
|
||||||
|
fmt.Println(" revoke <fqdn> - Revoke all certificates matching to FQDN")
|
||||||
|
fmt.Println(" revoke-serial <serial> - Revoke certificate by serial number")
|
||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
|
|
||||||
action := rconfig.Args()[1]
|
action := rconfig.Args()[1]
|
||||||
fqdn := ""
|
|
||||||
if len(rconfig.Args()) == 3 {
|
|
||||||
fqdn = rconfig.Args()[2]
|
|
||||||
}
|
|
||||||
|
|
||||||
var err error
|
var err error
|
||||||
|
|
||||||
|
@ -170,19 +170,31 @@ func main() {
|
||||||
|
|
||||||
switch action {
|
switch action {
|
||||||
case actionRevoke:
|
case actionRevoke:
|
||||||
if err := revokeCertificateByFQDN(fqdn); err != nil {
|
if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
|
||||||
|
log.Fatalf("You need to provide a valid FQDN")
|
||||||
|
}
|
||||||
|
if err := revokeCertificateByFQDN(rconfig.Args()[2]); err != nil {
|
||||||
log.Fatalf("Could not revoke certificate: %s", err)
|
log.Fatalf("Could not revoke certificate: %s", err)
|
||||||
}
|
}
|
||||||
case actionRevokeSerial:
|
case actionRevokeSerial:
|
||||||
if err := revokeCertificateBySerial(fqdn); err != nil {
|
if len(rconfig.Args()) < 3 || !validateSerial(rconfig.Args()[2]) {
|
||||||
|
log.Fatalf("You need to provide a valid serial")
|
||||||
|
}
|
||||||
|
if err := revokeCertificateBySerial(rconfig.Args()[2]); err != nil {
|
||||||
log.Fatalf("Could not revoke certificate: %s", err)
|
log.Fatalf("Could not revoke certificate: %s", err)
|
||||||
}
|
}
|
||||||
case actionMakeClientConfig:
|
case actionMakeClientConfig:
|
||||||
if err := generateCertificateConfig("client.conf", fqdn); err != nil {
|
if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
|
||||||
|
log.Fatalf("You need to provide a valid FQDN")
|
||||||
|
}
|
||||||
|
if err := generateCertificateConfig("client.conf", rconfig.Args()[2]); err != nil {
|
||||||
log.Fatalf("Unable to generate config file: %s", err)
|
log.Fatalf("Unable to generate config file: %s", err)
|
||||||
}
|
}
|
||||||
case actionMakeServerConfig:
|
case actionMakeServerConfig:
|
||||||
if err := generateCertificateConfig("server.conf", fqdn); err != nil {
|
if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
|
||||||
|
log.Fatalf("You need to provide a valid FQDN")
|
||||||
|
}
|
||||||
|
if err := generateCertificateConfig("server.conf", rconfig.Args()[2]); err != nil {
|
||||||
log.Fatalf("Unable to generate config file: %s", err)
|
log.Fatalf("Unable to generate config file: %s", err)
|
||||||
}
|
}
|
||||||
case actionList:
|
case actionList:
|
||||||
|
@ -195,6 +207,17 @@ func main() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func validateFQDN(fqdn string) bool {
|
||||||
|
// Very basic check: It should be delimited by "." and have at least 2 components
|
||||||
|
// Vault will do a more sophisticated check
|
||||||
|
return len(strings.Split(fqdn, ".")) > 1
|
||||||
|
}
|
||||||
|
|
||||||
|
func validateSerial(serial string) bool {
|
||||||
|
// Also very basic check, also here Vault does the real validation
|
||||||
|
return len(strings.Split(serial, ":")) > 1
|
||||||
|
}
|
||||||
|
|
||||||
func listCertificates() error {
|
func listCertificates() error {
|
||||||
table := tablewriter.NewWriter(os.Stdout)
|
table := tablewriter.NewWriter(os.Stdout)
|
||||||
table.SetHeader([]string{"FQDN", "Not Before", "Not After", "Serial"})
|
table.SetHeader([]string{"FQDN", "Not Before", "Not After", "Serial"})
|
||||||
|
|
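Review bot: `validateFQDN` in the last hunk still accepts inputs with empty labels, because `len(strings.Split(fqdn, ".")) > 1` is true for `"."`, `"host."` or `".example"`, so the new guards in the revoke/client/server cases forward those to Vault unchanged; requiring every dot-delimited label to be non-empty keeps the check cheap while rejecting the obvious malformed cases. The comment's reliance on Vault for the real check only holds if the PKI role actually restricts what can be issued (e.g. via `allowed_domains`), which is worth stating explicitly, e.g. `// Vault's role configuration (allowed_domains etc.) is the authoritative check`. The same empty-component gap applies to `validateSerial`, which accepts `":"`. The three identical argument guards in `main` could be folded into one helper taking the validator and the error message, but that is a style matter; `log.Fatalf` with a constant message and no arguments would more idiomatically be `log.Fatal`.

```go
func validateFQDN(fqdn string) bool {
	// Very basic check: at least two non-empty, dot-delimited labels.
	// Vault's role configuration (allowed_domains etc.) is the authoritative check.
	labels := strings.Split(fqdn, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if l == "" {
			return false
		}
	}
	return true
}
```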