package main
import (
"encoding/json"
"fmt"
"io/ioutil"
"log"
"os"
"os/signal"
"path/filepath"
"strings"
"sync"
"syscall"
"github.com/atvenu/bot-sshca/src/keybaseca/constants"
"github.com/google/uuid"
"github.com/atvenu/bot-sshca/src/keybaseca/bot"
"github.com/atvenu/bot-sshca/src/keybaseca/config"
klog "github.com/atvenu/bot-sshca/src/keybaseca/log"
"github.com/atvenu/bot-sshca/src/keybaseca/sshutils"
"github.com/atvenu/bot-sshca/src/kssh"
"github.com/atvenu/bot-sshca/src/shared"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
)
// VersionNumber is reported as the application version by the cli app
// (main assigns it to app.Version); it defaults to "master".
var VersionNumber = "master"
// main wires up the keybaseca command-line interface: the global flags
// (--debug plus two hidden integration-test flags), the backup, generate,
// service and sign subcommands, and mainAction as the default action for the
// bare command. It exits via log.Fatal if the cli app returns an error.
func main() {
	globalFlags := []cli.Flag{
		cli.BoolFlag{
			Name:  "debug",
			Usage: "Log debug information",
		},
		cli.BoolFlag{
			Name:   "wipe-all-configs",
			Hidden: true,
			Usage:  "Used in the integration tests to clean all client configs from KBFS",
		},
		cli.BoolFlag{
			Name:   "wipe-logs",
			Hidden: true,
			Usage:  "Used in the integration tests to delete all CA logs",
		},
	}

	signFlags := []cli.Flag{
		cli.StringFlag{
			Name:     "public-key",
			Usage:    "The path to the public key you wish to sign. Eg `~/.ssh/id_rsa.pub`",
			Required: true,
		},
		cli.BoolFlag{
			Name:  "overwrite",
			Usage: "Overwrite the existing certificate on the filesystem",
		},
	}

	// Every subcommand shares beforeAction so --debug is honoured uniformly.
	commands := []cli.Command{
		{
			Name:   "backup",
			Usage:  "Print the current CA private key to stdout for backup purposes",
			Action: backupAction,
			Before: beforeAction,
		},
		{
			Name:   "generate",
			Usage:  "Generate a new CA key",
			Action: generateAction,
			Before: beforeAction,
		},
		{
			Name:   "service",
			Usage:  "Start the CA service in the foreground",
			Action: serviceAction,
			Before: beforeAction,
		},
		{
			Name:   "sign",
			Usage:  "Sign a given public key with all permissions without a dependency on Keybase",
			Flags:  signFlags,
			Action: signAction,
			Before: beforeAction,
		},
	}

	app := cli.NewApp()
	app.Name = "keybaseca"
	app.Usage = "An SSH CA built on top of Keybase"
	app.Version = VersionNumber
	app.Flags = globalFlags
	app.Commands = commands
	app.Action = mainAction

	if err := app.Run(os.Args); err != nil {
		log.Fatal(err)
	}
}
// backupAction implements `keybaseca backup`: after the operator types "yes"
// on stdin it reads the CA private key file named by the config, records the
// export in the CA log, and prints the key to stdout. Any other answer (or a
// failed read of stdin) aborts without touching the key.
func backupAction(c *cli.Context) error {
	fmt.Println("Are you sure you want to export the CA private key? If this key is compromised, an " +
		"attacker could access every server that you have configured with this bot. Type \"yes\" to confirm.")

	var answer string
	if _, err := fmt.Scanln(&answer); err != nil {
		return err
	}
	if answer != "yes" {
		return fmt.Errorf("Did not get confirmation of key export, aborting")
	}

	conf, err := loadServerConfig()
	if err != nil {
		return err
	}

	keyPath := conf.GetCAKeyLocation()
	keyBytes, err := ioutil.ReadFile(keyPath)
	if err != nil {
		return fmt.Errorf("Failed to load the CA key from %s: %v", keyPath, err)
	}

	// Record the export in the CA log before the key is written to stdout.
	klog.Log(conf, "Exported CA key to stdout")
	fmt.Println("\nKeep this key somewhere very safe. We recommend keeping a physical copy of it in a secure place.")
	fmt.Println("")
	fmt.Println(string(keyBytes))
	return nil
}
// generateAction implements `keybaseca generate`: it loads and validates the
// server config, arms the SIGINT/SIGTERM handler that removes client config
// files, and asks sshutils.Generate for a new CA key. The boolean passed to
// Generate is true only when the FORCE_WRITE environment variable equals
// "true" (case-insensitively).
func generateAction(c *cli.Context) error {
	conf, err := loadServerConfig()
	if err != nil {
		return err
	}
	captureControlCToDeleteClientConfig(conf)

	forceWrite := strings.ToLower(os.Getenv("FORCE_WRITE")) == "true"
	if err := sshutils.Generate(conf, forceWrite); err != nil {
		return fmt.Errorf("Failed to generate a new key: %v", err)
	}
	return nil
}
// serviceAction implements `keybaseca service`: it loads the server config and
// writes the kssh client config files, arms the SIGINT/SIGTERM handler that
// removes them, runs the chat bot in the foreground, and removes the client
// config files again once the bot returns without error.
func serviceAction(c *cli.Context) error {
	conf, err := loadServerConfigAndWriteClientConfig()
	if err != nil {
		return err
	}
	captureControlCToDeleteClientConfig(conf)

	if err := bot.StartBot(conf); err != nil {
		return fmt.Errorf("CA chatbot crashed: %v", err)
	}
	// Normal bot exit: clean up so KBFS does not keep stale client configs.
	return deleteClientConfig(conf)
}
// signAction implements `keybaseca sign`: it signs the public key at
// --public-key with the CA key, using every configured team as a principal
// and the configured key expiration, under a fresh random key ID suffixed
// ":keybaseca-sign". The certificate is written next to the key (mode 0600)
// when no certificate exists there yet or --overwrite is given; otherwise it
// is printed to stdout for the user to place manually.
func signAction(c *cli.Context) error {
	// Validation is skipped (second argument true) because the full check
	// relies on Keybase's servers and this subcommand must work without them.
	conf := config.EnvConfig{}
	if err := config.ValidateConfig(conf, true); err != nil {
		return fmt.Errorf("Invalid config: %v", err)
	}

	principals := strings.Join(conf.GetTeams(), ",")
	expiration := conf.GetKeyExpiration()

	keyID, err := uuid.NewRandom()
	if err != nil {
		return fmt.Errorf("Failed to generate unique key ID: %v", err)
	}

	pubKeyPath := c.String("public-key")
	pubKey, err := ioutil.ReadFile(pubKeyPath)
	if err != nil {
		return fmt.Errorf("Failed to read file at %s to get the public key: %v", pubKeyPath, err)
	}

	signature, err := sshutils.SignKey(
		conf.GetCAKeyLocation(),
		keyID.String()+":keybaseca-sign",
		principals,
		expiration,
		string(pubKey),
	)
	if err != nil {
		return fmt.Errorf("Failed to sign key: %v", err)
	}

	// Decide between writing the certificate to disk and printing it.
	certPath := shared.KeyPathToCert(shared.PubKeyPathToKeyPath(pubKeyPath))
	_, statErr := os.Stat(certPath)
	writeToDisk := os.IsNotExist(statErr) || c.Bool("overwrite")
	if !writeToDisk {
		fmt.Printf("Provisioned new certificate. Place this in %s in order to use it with ssh.\n", certPath)
		fmt.Printf("\n```\n%s```\n", signature)
		return nil
	}

	// Owner-only permissions on the newly created certificate file.
	if err := ioutil.WriteFile(certPath, []byte(signature), 0600); err != nil {
		return fmt.Errorf("Failed to write certificate to file: %v", err)
	}
	fmt.Printf("Provisioned new certificate in %s\n", certPath)
	return nil
}
// beforeAction runs before every subcommand and switches logrus to debug
// level when the global --debug flag is set. It never returns an error.
func beforeAction(c *cli.Context) error {
	if !c.GlobalBool("debug") {
		return nil
	}
	logrus.SetLevel(logrus.DebugLevel)
	return nil
}
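// mainAction is the action for the bare `keybaseca` command. It only serves
// the hidden integration-test flags: --wipe-all-configs removes the kssh
// client config file from every team directory under /keybase/team/,
// --wipe-logs deletes the CA log file, and anything else prints the app help
// and exits with status 1.
func mainAction(c *cli.Context) error {
	switch {
	case c.Bool("wipe-all-configs"):
		return wipeAllClientConfigs()
	case c.Bool("wipe-logs"):
		return wipeLogs()
	default:
		cli.ShowAppHelpAndExit(c, 1)
	}
	return nil
}

// wipeAllClientConfigs deletes shared.ConfigFilename from every team listed
// under /keybase/team/, with at most shared.BoundedParallelismLimit deletions
// in flight at once. A failed delete is printed and skipped (best-effort test
// cleanup); only a failure of the initial listing is returned.
func wipeAllClientConfigs() error {
	teams, err := constants.GetDefaultKBFSOperationsStruct().KBFSList("/keybase/team/")
	if err != nil {
		return err
	}

	var wg sync.WaitGroup
	// A send blocks while BoundedParallelismLimit workers are already active.
	bound := make(chan struct{}, shared.BoundedParallelismLimit)
	for _, team := range teams {
		wg.Add(1)
		go func(team string) {
			defer wg.Done()
			bound <- struct{}{}
			defer func() { <-bound }()

			filename := fmt.Sprintf("/keybase/team/%s/%s", team, shared.ConfigFilename)
			// The existence-check error is deliberately ignored: an
			// undeterminable file is treated as absent, as before.
			exists, _ := constants.GetDefaultKBFSOperationsStruct().KBFSFileExists(filename)
			if !exists {
				return
			}
			// Each worker keeps its own err; the original assigned a single
			// shared variable from every goroutine, which is a data race.
			if err := constants.GetDefaultKBFSOperationsStruct().KBFSDelete(filename); err != nil {
				fmt.Printf("%v\n", err)
			}
		}(team)
	}
	wg.Wait()
	return nil
}

// wipeLogs deletes the CA log file named by the validated server config. Paths
// under /keybase/ are removed through the KBFS operations, anything else with
// os.Remove; the outcome is reported on stdout.
func wipeLogs() error {
	conf, err := loadServerConfig()
	if err != nil {
		return err
	}
	logLocation := conf.GetLogLocation()
	if strings.HasPrefix(logLocation, "/keybase/") {
		err = constants.GetDefaultKBFSOperationsStruct().KBFSDelete(logLocation)
	} else {
		err = os.Remove(logLocation)
	}
	if err != nil {
		return fmt.Errorf("Failed to delete log file at %s: %v", logLocation, err)
	}
	fmt.Println("Wiped existing log file at " + logLocation)
	return nil
}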
// writeClientConfig writes a kssh client config file (shared.ConfigFilename)
// into the KBFS directory of every configured team, plus the chat team when
// one is configured, so that kssh can find and use it. With no chat team each
// file names the team it lives in (and an empty channel); with a chat team
// every file points at that team and the configured channel name.
func writeClientConfig(conf config.Config) error {
	username, err := bot.GetUsername(conf)
	if err != nil {
		return err
	}

	teams := conf.GetTeams()
	chatTeam := conf.GetChatTeam()
	if chatTeam != "" {
		// The chat team is not necessarily one of the configured teams but
		// still needs a client config file.
		teams = append(teams, chatTeam)
	}

	for _, team := range teams {
		// Default: route messages to the team the config file is found in.
		cfg := kssh.ConfigFile{TeamName: team, BotName: username, ChannelName: ""}
		if chatTeam != "" {
			// A configured chat team receives all messages instead.
			cfg = kssh.ConfigFile{TeamName: chatTeam, BotName: username, ChannelName: conf.GetChannelName()}
		}
		content, err := json.Marshal(cfg)
		if err != nil {
			return err
		}

		target := filepath.Join("/keybase/team/", team, shared.ConfigFilename)
		if err := constants.GetDefaultKBFSOperationsStruct().KBFSWrite(target, string(content), false); err != nil {
			return err
		}
	}

	logrus.Debugf("Wrote kssh client config files for the teams: %v", teams)
	return nil
}
// deleteClientConfig removes the kssh client config file from every configured
// team's KBFS directory, and from the chat team's when one is configured. It is
// run while the CA bot terminates so that KBFS keeps no stale client config
// files; it stops at the first failed delete and returns that error.
func deleteClientConfig(conf config.Config) error {
	teams := conf.GetTeams()
	if chatTeam := conf.GetChatTeam(); chatTeam != "" {
		// The chat team may not be among the configured teams but received a
		// client config file too.
		teams = append(teams, chatTeam)
	}

	for _, team := range teams {
		target := filepath.Join("/keybase/team/", team, shared.ConfigFilename)
		if err := constants.GetDefaultKBFSOperationsStruct().KBFSDelete(target); err != nil {
			return err
		}
	}

	logrus.Debugf("Deleted kssh client config files for the teams: %v", teams)
	return nil
}
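// captureControlCToDeleteClientConfig installs a handler for SIGINT (Control-C)
// and SIGTERM that deletes every kssh client config file written for this CA
// and then exits the process, so that an interrupted bot does not leave stale
// client config files in KBFS. The handler exits with status 1 when the
// deletion fails and 0 otherwise; it never returns control to the caller.
func captureControlCToDeleteClientConfig(conf config.Config) {
	// signal.Notify does not block when delivering, so the channel must have
	// room for at least one signal or a signal arriving before the goroutine
	// below is receiving is silently dropped (go vet reports an unbuffered
	// channel here).
	signalChan := make(chan os.Signal, 1)
	signal.Notify(signalChan, os.Interrupt, syscall.SIGTERM)
	go func() {
		<-signalChan
		// Message was "losing CA bot..."; the leading letter was missing.
		fmt.Println("Closing CA bot...")
		if err := deleteClientConfig(conf); err != nil {
			// Trailing newline so the message does not run into the shell prompt.
			fmt.Printf("Failed to delete client config: %v\n", err)
			os.Exit(1)
		}
		os.Exit(0)
	}()
}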
// loadServerConfig builds a config from the environment and validates it with
// config.ValidateConfig's skip flag set to false (unlike signAction, which
// passes true to skip the validation that relies on Keybase's servers). It
// returns a pointer to the validated config, or a wrapped validation error.
func loadServerConfig() (config.Config, error) {
	envConf := config.EnvConfig{}
	if err := config.ValidateConfig(envConf, false); err != nil {
		return nil, fmt.Errorf("Failed to validate config: %v", err)
	}
	return &envConf, nil
}
// loadServerConfigAndWriteClientConfig loads and validates the server config
// and then writes the kssh client config files for it. The config is returned
// only when both steps succeed; a failed write is reported as a wrapped error.
func loadServerConfigAndWriteClientConfig() (config.Config, error) {
	conf, err := loadServerConfig()
	if err != nil {
		return nil, err
	}
	if err := writeClientConfig(conf); err != nil {
		return nil, fmt.Errorf("Failed to write the client config: %v", err)
	}
	return conf, nil
}