/
checkHost.go
112 lines (97 loc) 路 2.77 KB
/
checkHost.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
package ssh
import (
"fmt"
"net/http"
"os"
"time"
"github.com/pkg/errors"
"github.com/smallstep/certificates/ca"
caErrs "github.com/smallstep/certificates/errs"
"github.com/smallstep/cli/command"
"github.com/smallstep/cli/errs"
"github.com/smallstep/cli/flags"
"github.com/smallstep/cli/jose"
"github.com/smallstep/cli/token"
"github.com/smallstep/cli/utils/cautils"
"github.com/urfave/cli"
)
func checkHostCommand() cli.Command {
return cli.Command{
Name: "check-host",
Action: command.ActionFunc(checkHostAction),
Usage: "checks if a certificate has been issued for a host",
UsageText: `**step ssh check-host** <hostname>
[**--ca-url**=<uri>] [**--root**=<file>]
[**--offline**] [**--ca-config**=<path>] [**--verbose,-v**]`,
Description: `**step ssh check-host** checks if a certificate has been issued for a host.
This command returns a zero exit status if the host has a certificate.
Otherwise, it returns 1.
## POSITIONAL ARGUMENTS
<hostname>
: The hostname of the server to check.
## EXAMPLES
Check that internal.example.com exists:
'''
$ step ssh check-host internal.smallstep.com
'''`,
Flags: []cli.Flag{
flags.CaURL,
flags.Root,
flags.Offline,
flags.CaConfig,
cli.BoolFlag{
Name: "verbose, v",
Usage: `Return "true" or "false" in the terminal.`,
},
},
}
}
func checkHostAction(ctx *cli.Context) error {
isVerbose := ctx.Bool("verbose")
if err := errs.NumberOfArguments(ctx, 1); err != nil {
return err
}
client, err := cautils.NewClient(ctx)
if err != nil {
return contactAdminErr(errors.Wrap(err, "error generating ca client"))
}
version, err := client.Version()
if err != nil {
return contactAdminErr(errors.Wrap(err, "error retrieving client version info"))
}
var (
tok string
hostname = ctx.Args().First()
)
if version.RequireClientAuthentication {
id, err := ca.LoadDefaultIdentity()
if err != nil {
return sshConfigErr(errors.Wrap(err, "error loading the default x5c identity"))
}
if id != nil {
// Get private key from given key file.
jwk, err := jose.ParseKey(id.Key)
if err != nil {
return debugErr(errors.Wrap(err, "error parsing x5c key from identity file"))
}
tokenGen := cautils.NewTokenGenerator(jwk.KeyID, "x5c-identity",
"/ssh/check-host", "", time.Time{}, time.Time{}, jwk)
tok, err = tokenGen.Token(hostname, token.WithX5CInsecureFile(id.Certificate, jwk.Key))
if err != nil {
return sshConfigErr(errors.Wrap(err, "error generating identity x5c token for /ssh/check-host request"))
}
}
}
resp, err := client.SSHCheckHost(hostname, tok)
if err != nil {
return caErrs.Wrap(http.StatusInternalServerError, err,
"error checking ssh host eligibility")
}
if isVerbose {
fmt.Println(resp.Exists)
}
if !resp.Exists {
os.Exit(1)
}
return nil
}