ssh-cert-authority/client/client.go at 4597f496145853fadeb0854d383c6e2b05909298 · cloudtools/ssh-cert-authority · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
package ssh_ca_client

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"github.com/cloudtools/ssh-cert-authority/util"
	"golang.org/x/crypto/ssh"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"
	"time"
)

type CertRequest struct {
	environment string
	reason      string
	validAfter  uint64
	validBefore uint64
	principals  []string
	publicKey   ssh.PublicKey
	keyID       string
	config      ssh_ca_util.RequesterConfig
}

func MakeCertRequest() CertRequest {
	var request CertRequest
	return request
}

type SigningRequest struct {
	signedCert ssh.Certificate
	requestID  string
	config     ssh_ca_util.RequesterConfig
}

func MakeSigningRequest(cert ssh.Certificate, requestID string, config ssh_ca_util.RequesterConfig) SigningRequest {
	var request SigningRequest
	request.signedCert = cert
	request.requestID = requestID
	request.config = config
	return request
}

func (req *SigningRequest) BuildWebRequest() url.Values {
	signedRequest := req.signedCert.Marshal()
	requestParameters := make(url.Values)
	requestParameters["cert"] = make([]string, 1)
	requestParameters["cert"][0] = base64.StdEncoding.EncodeToString(signedRequest)
	return requestParameters
}

func (req *SigningRequest) PostToWeb(requestParameters url.Values) error {
	resp, err := http.PostForm(req.config.SignerUrl+"cert/requests/"+req.requestID, requestParameters)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != 200 {
		respBuf, _ := ioutil.ReadAll(resp.Body)
		return fmt.Errorf("HTTP %s: %s", resp.Status, string(respBuf))
	}
	return nil
}

func (req *SigningRequest) DeleteToWeb(requestParameters url.Values) error {
	var client http.Client
	encodedParameters := requestParameters.Encode()
	request, err := http.NewRequest("DELETE", req.config.SignerUrl+"cert/requests/"+req.requestID+"?"+encodedParameters, nil)
	if err != nil {
		return err
	}
	request.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(request)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != 200 {
		respBuf, _ := ioutil.ReadAll(resp.Body)
		return fmt.Errorf("HTTP %s: %s", resp.Status, string(respBuf))
	}
	return nil
}

func (req *CertRequest) SetConfig(config ssh_ca_util.RequesterConfig) error {
	if config.SignerUrl == "" {
		return fmt.Errorf("Signer URL is empty. This isn't going to work")
	}
	req.config = config
	return nil
}

func (req *CertRequest) SetEnvironment(environment string) error {
	if environment == "" {
		return fmt.Errorf("Environment must be set.")
	}
	if len(environment) > 50 {
		return fmt.Errorf("Environment is too long.")
	}
	req.environment = environment
	return nil
}

func (req *CertRequest) SetReason(reason string) error {
	if reason == "" {
		return fmt.Errorf("You must specify a reason.")
	}
	if len(reason) > 255 {
		return fmt.Errorf("Reason is too long.")
	}
	req.reason = reason
	return nil
}

func (req *CertRequest) SetValidAfter(validAfter time.Duration) error {
	timeNow := time.Now().Unix()
	req.validAfter = uint64(timeNow + int64(validAfter.Seconds()))
	return nil
}

func (req *CertRequest) SetValidBefore(validBefore time.Duration) error {
	timeNow := time.Now().Unix()
	req.validBefore = uint64(timeNow + int64(validBefore.Seconds()))
	return nil
}

func (req *CertRequest) SetPrincipalsFromString(principalsStr string) error {
	principals := strings.Split(strings.TrimSpace(principalsStr), ",")
	if principalsStr == "" {
		return fmt.Errorf("You didn't specify any principals. This cert is worthless.")
	}
	req.principals = principals
	return nil
}

func (req *CertRequest) SetPublicKey(pubKey ssh.PublicKey, keyID string) error {
	req.publicKey = pubKey
	req.keyID = keyID
	return nil
}

func (req *CertRequest) Validate() error {
	if req.validAfter >= req.validBefore {
		return fmt.Errorf("valid-after (%v) >= valid-before (%v). Which does not make sense.\n",
			time.Unix(int64(req.validAfter), 0), time.Unix(int64(req.validBefore), 0))
	}
	return nil
}

func (req *CertRequest) EncodeAsCertificate() (*ssh.Certificate, error) {
	err := req.Validate()
	if err != nil {
		return nil, err
	}

	newCert := ssh_ca_util.MakeCertificate()
	newCert.Key = req.publicKey
	newCert.Serial = 0
	newCert.CertType = ssh.UserCert
	newCert.KeyId = req.keyID
	newCert.ValidPrincipals = req.principals
	newCert.ValidAfter = req.validAfter
	newCert.ValidBefore = req.validBefore
	newCert.Extensions = make(map[string]string)
	newCert.Extensions["permit-agent-forwarding"] = ""
	newCert.Extensions["permit-port-forwarding"] = ""
	newCert.Extensions["permit-pty"] = ""
	newCert.Extensions["reason@cloudtools.github.io"] = req.reason
	newCert.Extensions["environment@cloudtools.github.io"] = req.environment
	return &newCert, nil
}

func (req *CertRequest) BuildWebRequest(signedCert []byte) url.Values {
	requestParameters := make(url.Values)
	requestParameters["cert"] = make([]string, 1)
	requestParameters["cert"][0] = base64.StdEncoding.EncodeToString(signedCert)

	return requestParameters
}

func (req *CertRequest) PostToWeb(requestParameters url.Values) (string, bool, error) {
	resp, err := http.PostForm(req.config.SignerUrl+"cert/requests", requestParameters)
	if err != nil {
		return "", false, err
	}
	respBuf, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", false, err
	}
	if resp.StatusCode == 201 || resp.StatusCode == 202 {
		signed := resp.StatusCode == 202
		return string(respBuf), signed, nil
	}
	return "", false, fmt.Errorf("Cert request rejected: %s", string(respBuf))
}

type SlackWebhookInput struct {
	Text    string `json:"text"`
	Channel string `json:"channel"`
}

func PostToSlack(slackUrl, slackChannel, msg string) error {
	if slackUrl == "" || slackChannel == "" {
		return nil
	}
	var webhookInput SlackWebhookInput
	webhookInput.Text = msg
	if slackChannel != "" {
		webhookInput.Channel = slackChannel
	}
	output, err := json.Marshal(webhookInput)
	if err != nil {
		return err
	}
	requestParameters := make(url.Values)
	requestParameters["payload"] = make([]string, 1)
	requestParameters["payload"][0] = string(output)

	resp, err := http.PostForm(slackUrl, requestParameters)
	if err != nil {
		return err
	}
	respBuf, err := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return err
	}
	if resp.StatusCode == 200 {
		return nil
	}
	return fmt.Errorf("Slack post rejected: %s", string(respBuf))
}