/
ca_list.go
92 lines (83 loc) · 2.45 KB
/
ca_list.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package service
import (
"crypto/x509"
"encoding/pem"
"fmt"
"path"
"sort"
"time"
humanize "github.com/dustin/go-humanize"
"github.com/ryanuber/columnize"
)
// ListETCDCertificates issues a new certificate for a specific service.
func (c *ca) ListETCDCertificates(clusterID string) error {
if err := c.ListCertificates(clusterID, "etcd"); err != nil {
return maskAny(err)
}
return nil
}
// ListK8sCertificates issues a new certificate for a specific service.
func (c *ca) ListK8sCertificates(clusterID string) error {
if err := c.ListCertificates(clusterID, "k8s"); err != nil {
return maskAny(err)
}
return nil
}
// ListCertificates issues a new certificate for a specific service.
func (c *ca) ListCertificates(clusterID, service string) error {
mountPoint := c.createMountPoint(clusterID, service)
listPath := path.Join(mountPoint, "certs")
secret, err := c.vaultClient.Logical().List(listPath)
if err != nil {
return maskAny(err)
}
if secret == nil {
return maskAny(fmt.Errorf("No secret returned"))
}
keys, ok := secret.Data["keys"].([]interface{})
if !ok {
return maskAny(fmt.Errorf("keys is not an []interface{}"))
}
lines := []string{"CommonName | Expiration | Serial"}
for _, k := range keys {
key := k.(string)
if line, err := c.showCertificate(clusterID, service, key); err != nil {
c.log.Errorf("Cannot show certificate %s: %#v", key, err)
} else {
lines = append(lines, line)
}
}
sort.Strings(lines[1:])
fmt.Println(columnize.SimpleFormat(lines))
return nil
}
func (c *ca) showCertificate(clusterID, service, serial string) (string, error) {
mountPoint := c.createMountPoint(clusterID, service)
certPath := path.Join(mountPoint, "cert", serial)
secret, err := c.vaultClient.Logical().Read(certPath)
if err != nil {
return "", maskAny(err)
}
if secret == nil {
return "", maskAny(fmt.Errorf("No secret returned"))
}
certPem, ok := secret.Data["certificate"].(string)
if !ok {
return "", maskAny(fmt.Errorf("certificate is not string"))
}
block, _ := pem.Decode([]byte(certPem))
if block == nil {
return "", maskAny(fmt.Errorf("Failed to parse certificate (PEM) data"))
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return "", maskAny(err)
}
var infoExp string
if time.Now().After(cert.NotAfter) {
infoExp = "expired"
} else {
infoExp = fmt.Sprintf("expires %s", humanize.Time(cert.NotAfter))
}
return fmt.Sprintf("%s | %s | %s", cert.Subject.CommonName, infoExp, serial), nil
}