initial commit: certmanager

migrate from python to golang
This commit is contained in:
2026-03-24 19:38:24 +11:00
commit 00f5b4a246
15 changed files with 1449 additions and 0 deletions
+52
View File
@@ -0,0 +1,52 @@
package ssh
import (
"fmt"
"strings"
"git.unkin.net/unkin/certmanager/internal/vault"
)
// SignedCertResponse is the JSON-serialisable output returned to callers.
type SignedCertResponse struct {
SignedKey string `json:"signed_key"`
}
type signRequest struct {
CertType string `json:"cert_type"`
PublicKey string `json:"public_key"`
ValidPrincipals string `json:"valid_principals"`
TTL string `json:"ttl"`
}
type signResponse struct {
Data struct {
SignedKey string `json:"signed_key"`
} `json:"data"`
}
// SignHostCert signs an SSH host public key via the Vault SSH secrets engine.
func SignHostCert(client *vault.Client, mountPoint, roleName, publicKey string, principals []string, ttl string) (*SignedCertResponse, error) {
if ttl == "" {
ttl = "87600h"
}
req := signRequest{
CertType: "host",
PublicKey: publicKey,
ValidPrincipals: strings.Join(principals, ","),
TTL: ttl,
}
var resp signResponse
path := fmt.Sprintf("%s/sign/%s", mountPoint, roleName)
if err := client.Post(path, req, &resp); err != nil {
return nil, err
}
if resp.Data.SignedKey == "" {
return nil, fmt.Errorf("vault returned empty signed_key")
}
return &SignedCertResponse{SignedKey: resp.Data.SignedKey}, nil
}
+96
View File
@@ -0,0 +1,96 @@
package ssh_test
import (
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"git.unkin.net/unkin/certmanager/internal/config"
"git.unkin.net/unkin/certmanager/internal/ssh"
"git.unkin.net/unkin/certmanager/internal/vault"
)
func newVaultClient(t *testing.T, mux *http.ServeMux) *vault.Client {
t.Helper()
const token = "test-token"
mux.HandleFunc("/v1/auth/approle/login", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"auth": map[string]any{"client_token": token},
})
})
srv := httptest.NewTLSServer(mux)
t.Cleanup(srv.Close)
client, err := vault.New(config.VaultConfig{
Addr: srv.URL,
AuthMethod: config.AuthMethodAppRole,
RoleID: "role",
ApprolePath: "approle",
})
if err != nil {
t.Fatalf("vault.New: %v", err)
}
return client
}
func TestSignHostCert(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{
"signed_key": "ssh-rsa-cert-v01@openssh.com AAAA...",
},
})
})
client := newVaultClient(t, mux)
resp, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole",
"ssh-rsa AAAA...", []string{"host.example.com", "host"}, "87600h")
if err != nil {
t.Fatalf("SignHostCert: %v", err)
}
if resp.SignedKey != "ssh-rsa-cert-v01@openssh.com AAAA..." {
t.Errorf("signed_key = %q", resp.SignedKey)
}
}
func TestSignHostCert_DefaultTTL(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
var body map[string]string
json.NewDecoder(r.Body).Decode(&body)
if body["ttl"] != "87600h" {
t.Errorf("expected default ttl 87600h, got %q", body["ttl"])
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{"signed_key": "CERT"},
})
})
client := newVaultClient(t, mux)
_, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole", "ssh-rsa AAAA...", []string{"host"}, "")
if err != nil {
t.Fatalf("SignHostCert: %v", err)
}
}
func TestSignHostCert_EmptySignedKey(t *testing.T) {
mux := http.NewServeMux()
mux.HandleFunc("/v1/ssh-host-signer/sign/hostrole", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]any{
"data": map[string]any{"signed_key": ""},
})
})
client := newVaultClient(t, mux)
_, err := ssh.SignHostCert(client, "ssh-host-signer", "hostrole", "ssh-rsa AAAA...", []string{"host"}, "87600h")
if err == nil {
t.Error("expected error for empty signed_key, got nil")
}
}