package operations
import (
"bytes"
"crypto/x509"
"encoding/pem"
"fmt"
"sort"
"strings"
"github.com/hashicorp/vault/api"
"github.com/pkg/errors"
)
// ListUsersRequest is the structure containing
// the required data to list Client VPN users and their certificates.
type ListUsersRequest struct {
	// Client is the Vault API client used for the PKI list/read calls.
	Client *api.Client
	// VaultPKIPath is the mount path of the PKI secrets engine;
	// ListUsers lists "<VaultPKIPath>/certs" and reads "<VaultPKIPath>/cert/<serial>".
	VaultPKIPath string
	// ClientVPNEndpointID is carried for symmetry with the other request
	// types; ListUsers itself does not read it.
	ClientVPNEndpointID string
}
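// ListUsers retrieves the list of all Client VPN users and certificates.
//
// It lists "<VaultPKIPath>/certs", reads every certificate, and groups the
// results by username, where the username is the certificate's Subject
// CommonName up to the first "@" (the whole CommonName when it has none);
// certificates whose CommonNames share that prefix end up under one user.
// CA certificates and certificates carrying the serverAuth extended key
// usage (see isServerCertificate) are skipped. Each user's certificates are
// sorted by NotBefore, oldest first, with a stable sort so equal dates keep
// Vault's listing order.
//
// Revocation status comes from the CRL returned by GetCRL. The CRL is parsed
// once and its revoked serials indexed in the same "aa-bb-cc" hex form that
// getHexFormatted produces, rather than re-parsed for every certificate.
// Only membership in the CRL is checked; its signature and validity window
// are not verified here — assumes the CRL came straight from the trusted
// Vault API.
//
// An empty PKI mount yields an empty, non-nil map. Errors from Vault, a
// listing or certificate entry of unexpected shape, a certificate that is
// listed but not readable, or an unparsable PEM/DER body are returned as
// errors; in particular a PEM decode failure is reported instead of
// producing a (nil, nil) result.
func ListUsers(r *ListUsersRequest) (map[string][]Certificate, error) {
	users := map[string][]Certificate{}

	listed, err := r.Client.Logical().List(fmt.Sprintf("%s/certs", r.VaultPKIPath))
	if err != nil {
		return nil, err
	}
	// Vault returns a nil secret together with a nil error when the path
	// holds no entries; that is an empty user list, not a failure.
	if listed == nil || listed.Data == nil {
		return users, nil
	}
	keys, ok := listed.Data["keys"].([]interface{})
	if !ok {
		return nil, errors.Errorf("unexpected type %T for keys at %s/certs", listed.Data["keys"], r.VaultPKIPath)
	}

	// Get the updated CRL and index its revoked serials once.
	crl, err := GetCRL(&GetCRLRequest{
		Client:       r.Client,
		VaultPKIPath: r.VaultPKIPath,
	})
	if err != nil {
		return nil, err
	}
	parsedCRL, err := x509.ParseCRL(crl)
	if err != nil {
		return nil, errors.Wrap(err, "failed to parse CRL")
	}
	revokedSerials := make(map[string]struct{}, len(parsedCRL.TBSCertList.RevokedCertificates))
	for _, entry := range parsedCRL.TBSCertList.RevokedCertificates {
		revokedSerials[getHexFormatted(entry.SerialNumber.Bytes(), "-")] = struct{}{}
	}

	for _, key := range keys {
		name, ok := key.(string)
		if !ok {
			return nil, errors.Errorf("unexpected type %T for certificate key at %s/certs", key, r.VaultPKIPath)
		}
		entry, err := r.Client.Logical().Read(fmt.Sprintf("%s/cert/%s", r.VaultPKIPath, name))
		if err != nil {
			return nil, err
		}
		if entry == nil || entry.Data == nil {
			return nil, errors.Errorf("certificate %s is listed but not readable at %s/cert/%s", name, r.VaultPKIPath, name)
		}
		rawCert, ok := entry.Data["certificate"].(string)
		if !ok {
			return nil, errors.Errorf("unexpected type %T for certificate %s", entry.Data["certificate"], name)
		}
		block, _ := pem.Decode([]byte(rawCert))
		if block == nil {
			// err is nil at this point, so wrapping it would return a nil
			// error and a nil map; build a fresh error instead.
			return nil, errors.Errorf("failed to parse certificate PEM for %s", name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, errors.Wrapf(err, "failed to parse certificate %s", name)
		}
		if cert.IsCA || isServerCertificate(cert) {
			// Do not list the CA or the server certificate
			continue
		}

		serial := getHexFormatted(cert.SerialNumber.Bytes(), "-")
		_, revoked := revokedSerials[serial]
		username := strings.SplitN(cert.Subject.CommonName, "@", 2)[0]
		// Positional literal: field order follows the Certificate type,
		// which is declared elsewhere in this package.
		users[username] = append(users[username], Certificate{
			serial,
			cert.Issuer.CommonName,
			cert.Subject.CommonName,
			cert.NotBefore.Local(),
			cert.NotAfter.Local(),
			revoked,
			rawCert,
		})
	}

	// Sort the arrays by notBefore date (which should be the
	// date the certificate was emitted at). The slice header is a copy but
	// shares the backing array, so sorting in place updates the map entry.
	for _, crts := range users {
		sort.SliceStable(crts, func(i, j int) bool {
			return crts[i].NotBefore.Before(crts[j].NotBefore)
		})
	}
	return users, nil
}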
// RevokeUserRequest is the structure containing
// the required data to revoke all certificates issued to one user.
type RevokeUserRequest struct {
	// Client is the Vault API client used for the PKI calls.
	Client *api.Client
	// VaultPKIPath is the mount path of the PKI secrets engine.
	VaultPKIPath string
	// Username selects which entry of the ListUsers result is revoked.
	Username string
	// ClientVPNEndpointID is forwarded to UpdateCRL so the refreshed CRL
	// reaches the Client VPN endpoint.
	ClientVPNEndpointID string
}
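// RevokeUser revokes all the issued certificates for a given user and then
// republishes the CRL via UpdateCRL so the revocations take effect.
//
// The UpdateCRL error is returned rather than dropped: a revocation that is
// recorded in Vault but never reaches the published CRL leaves the user's
// certificates usable, so the caller must learn about that failure.
//
// An unknown username yields a nil certificate slice for
// revokeUserCertificates (defined elsewhere in this package) — presumably a
// no-op; confirm it does not treat an empty list as an error. The CRL update
// runs either way.
func RevokeUser(r *RevokeUserRequest) error {
	// Get the list of users
	users, err := ListUsers(&ListUsersRequest{
		Client:              r.Client,
		VaultPKIPath:        r.VaultPKIPath,
		ClientVPNEndpointID: r.ClientVPNEndpointID,
	})
	if err != nil {
		return err
	}
	if err := revokeUserCertificates(r.Client, r.VaultPKIPath, users[r.Username], true); err != nil {
		return err
	}
	// Call UpdateCRL so the revocations are published; its error was
	// previously discarded, which hid a failed CRL refresh from the caller.
	if _, err := UpdateCRL(&UpdateCRLRequest{
		Client:              r.Client,
		VaultPKIPath:        r.VaultPKIPath,
		ClientVPNEndpointID: r.ClientVPNEndpointID,
	}); err != nil {
		return errors.Wrapf(err, "failed to update CRL after revoking certificates for %s", r.Username)
	}
	return nil
}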
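// getHexFormatted renders buf as lowercase two-digit hex bytes joined by sep,
// e.g. []byte{0x0a, 0xff} with sep "-" gives "0a-ff". An empty buf yields "".
//
// sep is written verbatim. It used to be passed to Fprintf as the format
// string, which go vet flags and which mangled any "%" in the separator.
func getHexFormatted(buf []byte, sep string) string {
	var ret bytes.Buffer
	for i, cur := range buf {
		if i > 0 {
			ret.WriteString(sep)
		}
		fmt.Fprintf(&ret, "%02x", cur)
	}
	return ret.String()
}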
// isRevoked reports whether the certificate with the given serial appears in
// crl. serial must be in the form getHexFormatted(serialBytes, "-") produces
// (lowercase hex bytes joined by "-"); crl is the raw CRL as returned by
// GetCRL, in DER or PEM form, and is parsed on every call.
//
// Only membership in the revoked list is checked; the CRL's signature and
// validity window are not verified here. x509.ParseCRL has been deprecated
// since Go 1.19 in favour of ParseRevocationList; it is kept so the
// package's minimum Go version is unchanged.
func isRevoked(serial string, crl []byte) (bool, error) {
	parsed, err := x509.ParseCRL(crl)
	if err != nil {
		return false, err
	}
	revoked := false
	for _, entry := range parsed.TBSCertList.RevokedCertificates {
		candidate := strings.TrimSpace(getHexFormatted(entry.SerialNumber.Bytes(), "-"))
		if candidate != serial {
			continue
		}
		revoked = true
		break
	}
	return revoked, nil
}
// isServerCertificate reports whether cert carries the serverAuth extended
// key usage. ListUsers uses it to leave the server-side certificate out of
// the per-user listing.
func isServerCertificate(cert *x509.Certificate) bool {
	for _, usage := range cert.ExtKeyUsage {
		if usage == x509.ExtKeyUsageServerAuth {
			return true
		}
	}
	return false
}