initial commit: certmanager
migrate from python to golang
This commit is contained in:
@@ -0,0 +1,60 @@
|
||||
package pki
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"git.unkin.net/unkin/certmanager/internal/vault"
|
||||
)
|
||||
|
||||
// CertificateResponse is the JSON-serialisable output returned to callers.
|
||||
type CertificateResponse struct {
|
||||
Certificate string `json:"certificate"`
|
||||
PrivateKey string `json:"private_key"`
|
||||
FullChain string `json:"full_chain"`
|
||||
CACertificate string `json:"ca_certificate"`
|
||||
}
|
||||
|
||||
type issueRequest struct {
|
||||
CommonName string `json:"common_name"`
|
||||
AltNames string `json:"alt_names,omitempty"`
|
||||
IPSans string `json:"ip_sans,omitempty"`
|
||||
TTL string `json:"ttl"`
|
||||
}
|
||||
|
||||
type issueResponse struct {
|
||||
Data struct {
|
||||
Certificate string `json:"certificate"`
|
||||
PrivateKey string `json:"private_key"`
|
||||
IssuingCA string `json:"issuing_ca"`
|
||||
} `json:"data"`
|
||||
}
|
||||
|
||||
// IssueCert requests a PKI certificate from Vault.
|
||||
func IssueCert(client *vault.Client, mountPoint, roleName, commonName string, altNames, ipSans []string, expiryDays int) (*CertificateResponse, error) {
|
||||
req := issueRequest{
|
||||
CommonName: commonName,
|
||||
TTL: fmt.Sprintf("%dd", expiryDays),
|
||||
}
|
||||
if len(altNames) > 0 {
|
||||
req.AltNames = strings.Join(altNames, ",")
|
||||
}
|
||||
if len(ipSans) > 0 {
|
||||
req.IPSans = strings.Join(ipSans, ",")
|
||||
}
|
||||
|
||||
var resp issueResponse
|
||||
path := fmt.Sprintf("%s/issue/%s", mountPoint, roleName)
|
||||
if err := client.Post(path, req, &resp); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
fullChain := resp.Data.IssuingCA + "\n" + resp.Data.Certificate
|
||||
|
||||
return &CertificateResponse{
|
||||
Certificate: resp.Data.Certificate,
|
||||
PrivateKey: resp.Data.PrivateKey,
|
||||
FullChain: fullChain,
|
||||
CACertificate: resp.Data.IssuingCA,
|
||||
}, nil
|
||||
}
|
||||
@@ -0,0 +1,84 @@
|
||||
package pki_test
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.unkin.net/unkin/certmanager/internal/config"
|
||||
"git.unkin.net/unkin/certmanager/internal/pki"
|
||||
"git.unkin.net/unkin/certmanager/internal/vault"
|
||||
)
|
||||
|
||||
func newVaultClient(t *testing.T, mux *http.ServeMux) *vault.Client {
|
||||
t.Helper()
|
||||
const token = "test-token"
|
||||
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(map[string]any{
|
||||
"auth": map[string]any{"client_token": token},
|
||||
})
|
||||
})
|
||||
srv := httptest.NewTLSServer(mux)
|
||||
t.Cleanup(srv.Close)
|
||||
|
||||
client, err := vault.New(config.VaultConfig{
|
||||
Addr: srv.URL,
|
||||
AuthMethod: config.AuthMethodAppRole,
|
||||
RoleID: "role",
|
||||
ApprolePath: "approle",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("vault.New: %v", err)
|
||||
}
|
||||
return client
|
||||
}
|
||||
|
||||
func TestIssueCert(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/pki_int/issue/servers_default", func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "application/json")
|
||||
json.NewEncoder(w).Encode(map[string]any{
|
||||
"data": map[string]any{
|
||||
"certificate": "CERT",
|
||||
"private_key": "KEY",
|
||||
"issuing_ca": "CA",
|
||||
},
|
||||
})
|
||||
})
|
||||
|
||||
client := newVaultClient(t, mux)
|
||||
cert, err := pki.IssueCert(client, "pki_int", "servers_default", "host.example.com",
|
||||
[]string{"host", "host.example.com"}, []string{"127.0.0.1"}, 90)
|
||||
if err != nil {
|
||||
t.Fatalf("IssueCert: %v", err)
|
||||
}
|
||||
|
||||
if cert.Certificate != "CERT" {
|
||||
t.Errorf("certificate = %q", cert.Certificate)
|
||||
}
|
||||
if cert.PrivateKey != "KEY" {
|
||||
t.Errorf("private_key = %q", cert.PrivateKey)
|
||||
}
|
||||
if cert.CACertificate != "CA" {
|
||||
t.Errorf("ca_certificate = %q", cert.CACertificate)
|
||||
}
|
||||
if !strings.Contains(cert.FullChain, "CA") || !strings.Contains(cert.FullChain, "CERT") {
|
||||
t.Errorf("full_chain = %q", cert.FullChain)
|
||||
}
|
||||
}
|
||||
|
||||
func TestIssueCert_VaultError(t *testing.T) {
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc("/v1/pki_int/issue/servers_default", func(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "permission denied", http.StatusForbidden)
|
||||
})
|
||||
|
||||
client := newVaultClient(t, mux)
|
||||
_, err := pki.IssueCert(client, "pki_int", "servers_default", "host.example.com", nil, nil, 90)
|
||||
if err == nil {
|
||||
t.Error("expected error, got nil")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user