
Add more validation to input

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2017-05-04 12:18:54 +02:00
parent 29743cd411
commit 7c187aa126
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E

43
main.go

@ -144,16 +144,16 @@ func init() {
func main() { func main() {
if len(rconfig.Args()) < 2 { if len(rconfig.Args()) < 2 {
fmt.Println("Usage: vault-openvpn [options] <action> <FQDN>") fmt.Println("Usage: vault-openvpn [options] <action>")
fmt.Println(" actions: client / server / list / revoke / revoke-serial") fmt.Println(" client <fqdn> - Generate certificate and output client config")
fmt.Println(" server <fqdn> - Generate certificate and output server config")
fmt.Println(" list - List all valid (not expired, not revoked) certificates")
fmt.Println(" revoke <fqdn> - Revoke all certificates matching to FQDN")
fmt.Println(" revoke-serial <serial> - Revoke certificate by serial number")
os.Exit(1) os.Exit(1)
} }
action := rconfig.Args()[1] action := rconfig.Args()[1]
fqdn := ""
if len(rconfig.Args()) == 3 {
fqdn = rconfig.Args()[2]
}
var err error var err error
@ -170,19 +170,31 @@ func main() {
switch action { switch action {
case actionRevoke: case actionRevoke:
if err := revokeCertificateByFQDN(fqdn); err != nil { if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
log.Fatalf("You need to provide a valid FQDN")
}
if err := revokeCertificateByFQDN(rconfig.Args()[2]); err != nil {
log.Fatalf("Could not revoke certificate: %s", err) log.Fatalf("Could not revoke certificate: %s", err)
} }
case actionRevokeSerial: case actionRevokeSerial:
if err := revokeCertificateBySerial(fqdn); err != nil { if len(rconfig.Args()) < 3 || !validateSerial(rconfig.Args()[2]) {
log.Fatalf("You need to provide a valid serial")
}
if err := revokeCertificateBySerial(rconfig.Args()[2]); err != nil {
log.Fatalf("Could not revoke certificate: %s", err) log.Fatalf("Could not revoke certificate: %s", err)
} }
case actionMakeClientConfig: case actionMakeClientConfig:
if err := generateCertificateConfig("client.conf", fqdn); err != nil { if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
log.Fatalf("You need to provide a valid FQDN")
}
if err := generateCertificateConfig("client.conf", rconfig.Args()[2]); err != nil {
log.Fatalf("Unable to generate config file: %s", err) log.Fatalf("Unable to generate config file: %s", err)
} }
case actionMakeServerConfig: case actionMakeServerConfig:
if err := generateCertificateConfig("server.conf", fqdn); err != nil { if len(rconfig.Args()) < 3 || !validateFQDN(rconfig.Args()[2]) {
log.Fatalf("You need to provide a valid FQDN")
}
if err := generateCertificateConfig("server.conf", rconfig.Args()[2]); err != nil {
log.Fatalf("Unable to generate config file: %s", err) log.Fatalf("Unable to generate config file: %s", err)
} }
case actionList: case actionList:
@ -195,6 +207,17 @@ func main() {
} }
} }
func validateFQDN(fqdn string) bool {
// Very basic check: It should be delimited by "." and have at least 2 components
// Vault will do a more sophisticated check
return len(strings.Split(fqdn, ".")) > 1
}
func validateSerial(serial string) bool {
// Also very basic check, also here Vault does the real validation
return len(strings.Split(serial, ":")) > 1
}
func listCertificates() error { func listCertificates() error {
table := tablewriter.NewWriter(os.Stdout) table := tablewriter.NewWriter(os.Stdout)
table.SetHeader([]string{"FQDN", "Not Before", "Not After", "Serial"}) table.SetHeader([]string{"FQDN", "Not Before", "Not After", "Serial"})
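Review bot: validateFQDN in the last hunk accepts inputs with empty labels such as "." or "host..example", because `len(strings.Split(fqdn, ".")) > 1` is true whenever the string contains a dot at all; validateSerial has the same weakness with ":". The comment already says Vault does the real check, so this is mainly about failing early with a clear message instead of a round-trip to Vault, but rejecting empty components is cheap and keeps the usage error local. I would rewrite validateFQDN as below and apply the same empty-component loop to validateSerial. As a minor point, the `log.Fatalf("You need to provide a valid FQDN")` calls in the second hunk have no format arguments and could be `log.Fatal(...)`, and the identical three-line argument check is repeated four times in the switch and could be hoisted into a small helper.
```go
func validateFQDN(fqdn string) bool {
	// Very basic check: at least two non-empty labels delimited by "."
	// Vault will do a more sophisticated check
	labels := strings.Split(fqdn, ".")
	if len(labels) < 2 {
		return false
	}
	for _, l := range labels {
		if l == "" {
			return false
		}
	}
	return true
}
```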