2019-01-24 20:15:10 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
2018-08-27 23:23:48 +01:00
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
|
|
import (
|
2018-12-18 11:55:55 +00:00
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"fmt"
|
2019-01-26 14:59:53 +00:00
|
|
|
"os"
|
2019-01-18 10:36:58 +00:00
|
|
|
"path/filepath"
|
2018-12-18 11:55:55 +00:00
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
"github.com/spf13/cobra"
|
2019-01-18 10:36:58 +00:00
|
|
|
"github.com/zeebo/errs"
|
2019-07-31 15:38:44 +01:00
|
|
|
"go.uber.org/zap"
|
2018-08-27 23:23:48 +01:00
|
|
|
|
2019-12-27 11:48:47 +00:00
|
|
|
"storj.io/common/fpath"
|
|
|
|
|
"storj.io/common/identity"
|
|
|
|
|
"storj.io/common/peertls/extensions"
|
|
|
|
|
"storj.io/common/peertls/tlsopts"
|
|
|
|
|
"storj.io/common/pkcrypto"
|
|
|
|
|
"storj.io/common/rpc"
|
2020-03-23 19:18:20 +00:00
|
|
|
"storj.io/private/cfgstruct"
|
|
|
|
|
"storj.io/private/process"
|
2020-03-23 19:30:31 +00:00
|
|
|
"storj.io/private/version"
|
2019-09-26 17:11:05 +01:00
|
|
|
"storj.io/storj/certificate/certificateclient"
|
2021-04-23 14:13:51 +01:00
|
|
|
"storj.io/storj/private/revocation"
|
2020-04-01 08:12:26 +01:00
|
|
|
_ "storj.io/storj/private/version" // This attaches version information during release builds.
|
2019-11-14 19:46:15 +00:00
|
|
|
"storj.io/storj/private/version/checker"
|
2018-08-27 23:23:48 +01:00
|
|
|
)
|
|
|
|
|
|
2019-01-24 17:23:45 +00:00
|
|
|
const (
|
|
|
|
|
defaultSignerAddress = "certs.alpha.storj.io:8888"
|
|
|
|
|
)
|
|
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
var (
|
|
|
|
|
rootCmd = &cobra.Command{
|
|
|
|
|
Use: "identity",
|
|
|
|
|
Short: "Identity management",
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
newServiceCmd = &cobra.Command{
|
2019-01-24 15:41:16 +00:00
|
|
|
Use: "create <service>",
|
2019-01-18 10:36:58 +00:00
|
|
|
Short: "Create a new full identity for a service",
|
|
|
|
|
Args: cobra.ExactArgs(1),
|
|
|
|
|
RunE: cmdNewService,
|
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-25 16:55:45 +00:00
|
|
|
authorizeCmd = &cobra.Command{
|
2019-01-24 15:41:16 +00:00
|
|
|
Use: "authorize <service> <auth-token>",
|
2019-01-18 10:36:58 +00:00
|
|
|
Short: "Send a certificate signing request for a service's CA certificate",
|
2019-01-24 15:41:16 +00:00
|
|
|
Args: cobra.ExactArgs(2),
|
2019-01-25 16:55:45 +00:00
|
|
|
RunE: cmdAuthorize,
|
2019-01-18 10:36:58 +00:00
|
|
|
Annotations: map[string]string{"type": "setup"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config struct {
|
2019-10-31 15:49:24 +00:00
|
|
|
Difficulty uint64 `default:"36" help:"minimum difficulty for identity generation"`
|
2019-01-18 10:36:58 +00:00
|
|
|
Concurrency uint `default:"4" help:"number of concurrent workers for certificate authority generation"`
|
|
|
|
|
ParentCertPath string `help:"path to the parent authority's certificate chain"`
|
|
|
|
|
ParentKeyPath string `help:"path to the parent authority's private key"`
|
2019-09-05 16:11:21 +01:00
|
|
|
Signer certificateclient.Config
|
2019-04-22 11:58:57 +01:00
|
|
|
// TODO: ideally the default is the latest version; can't interpolate struct tags
|
2019-07-08 15:45:20 +01:00
|
|
|
IdentityVersion uint `default:"0" help:"identity version to use when creating an identity or CA"`
|
|
|
|
|
|
2019-10-20 08:56:23 +01:00
|
|
|
Version checker.Config
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-06 16:40:55 +00:00
|
|
|
identityDir, configDir string
|
|
|
|
|
defaultIdentityDir = fpath.ApplicationDir("storj", "identity")
|
2019-02-22 12:56:13 +00:00
|
|
|
defaultConfigDir = fpath.ApplicationDir("storj", "identity")
|
2018-08-27 23:23:48 +01:00
|
|
|
)
|
|
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
func init() {
|
|
|
|
|
rootCmd.AddCommand(newServiceCmd)
|
2019-01-25 16:55:45 +00:00
|
|
|
rootCmd.AddCommand(authorizeCmd)
|
2019-01-18 10:36:58 +00:00
|
|
|
|
Command line flags features and cleanup (#2068)
* change BindSetup to be an option to Bind
* add process.Bind to allow composite structures
* hack fix for noprefix flags
* used tagged version of structs
Before this PR, some flags were created by calling `cfgstruct.Bind` and having their fields create a flag. Once the flags were parsed, `viper` was used to acquire all the values from them and config files, and the fields in the struct were set through the flag interface.
This doesn't work for slices of things on config structs very well, since it can only set strings, and for a string slice, it turns out that the implementation in `pflag` appends an entry rather than setting it.
This changes three things:
1. Only have a `Bind` call instead of `Bind` and `BindSetup`, and make `BindSetup` an option instead.
2. Add a `process.Bind` call that takes in a `*cobra.Cmd`, binds the struct to the command's flags, and keeps track of that struct in a global map keyed by the command.
3. Use `viper` to get the values and load them into the bound configuration structs instead of using the flags to propagate the changes.
In this way, we can support whatever rich configuration we want in the config yaml files, while still getting command like flags when important.
2019-05-29 18:56:22 +01:00
|
|
|
process.Bind(newServiceCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir))
|
|
|
|
|
process.Bind(authorizeCmd, &config, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir))
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
func main() {
|
|
|
|
|
process.Exec(rootCmd)
|
|
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
func serviceDirectory(serviceName string) string {
|
2019-01-22 12:35:48 +00:00
|
|
|
return filepath.Join(identityDir, serviceName)
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func cmdNewService(cmd *cobra.Command, args []string) error {
|
2019-09-19 17:37:40 +01:00
|
|
|
ctx, _ := process.Ctx(cmd)
|
2019-04-04 16:40:07 +01:00
|
|
|
|
2019-10-20 08:56:23 +01:00
|
|
|
err := checker.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity")
|
2019-04-04 16:40:07 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
serviceDir := serviceDirectory(args[0])
|
|
|
|
|
|
|
|
|
|
caCertPath := filepath.Join(serviceDir, "ca.cert")
|
|
|
|
|
caKeyPath := filepath.Join(serviceDir, "ca.key")
|
|
|
|
|
identCertPath := filepath.Join(serviceDir, "identity.cert")
|
|
|
|
|
identKeyPath := filepath.Join(serviceDir, "identity.key")
|
|
|
|
|
|
|
|
|
|
caConfig := identity.CASetupConfig{
|
|
|
|
|
CertPath: caCertPath,
|
|
|
|
|
KeyPath: caKeyPath,
|
|
|
|
|
Difficulty: config.Difficulty,
|
|
|
|
|
Concurrency: config.Concurrency,
|
|
|
|
|
ParentCertPath: config.ParentCertPath,
|
|
|
|
|
ParentKeyPath: config.ParentKeyPath,
|
2019-07-08 15:45:20 +01:00
|
|
|
VersionNumber: config.IdentityVersion,
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-12 14:42:38 +00:00
|
|
|
status, err := caConfig.Status()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if status != identity.NoCertNoKey {
|
|
|
|
|
return errs.New("CA certificate and/or key already exists, NOT overwriting!")
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
identConfig := identity.SetupConfig{
|
|
|
|
|
CertPath: identCertPath,
|
|
|
|
|
KeyPath: identKeyPath,
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-12 14:42:38 +00:00
|
|
|
status, err = identConfig.Status()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if status != identity.NoCertNoKey {
|
|
|
|
|
return errs.New("Identity certificate and/or key already exists, NOT overwriting!")
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-04-04 16:40:07 +01:00
|
|
|
ca, caerr := caConfig.Create(ctx, os.Stdout)
|
2019-02-01 03:57:14 +00:00
|
|
|
if caerr != nil {
|
|
|
|
|
return caerr
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
_, iderr := identConfig.Create(ca)
|
2019-01-24 17:23:45 +00:00
|
|
|
if iderr != nil {
|
|
|
|
|
return iderr
|
|
|
|
|
}
|
2019-01-18 10:36:58 +00:00
|
|
|
|
2019-01-24 17:23:45 +00:00
|
|
|
fmt.Printf("Unsigned identity is located in %q\n", serviceDir)
|
2020-04-03 12:00:45 +01:00
|
|
|
fmt.Println("Please *move* CA key to secure storage - it is only needed for identity management and isn't needed to run a storage node!")
|
2019-02-07 17:54:46 +00:00
|
|
|
fmt.Printf("\t%s\n", caConfig.KeyPath)
|
2019-01-24 17:23:45 +00:00
|
|
|
return nil
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-09-10 17:24:41 +01:00
|
|
|
func cmdAuthorize(cmd *cobra.Command, args []string) (err error) {
|
2019-09-19 17:37:40 +01:00
|
|
|
ctx, _ := process.Ctx(cmd)
|
2019-01-18 10:36:58 +00:00
|
|
|
|
2019-10-20 08:56:23 +01:00
|
|
|
err = checker.CheckProcessVersion(ctx, zap.L(), config.Version, version.Build, "Identity")
|
2019-04-04 16:40:07 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-18 10:36:58 +00:00
|
|
|
serviceDir := serviceDirectory(args[0])
|
2019-03-12 14:42:38 +00:00
|
|
|
|
2019-01-24 15:41:16 +00:00
|
|
|
authToken := args[1]
|
2019-01-18 10:36:58 +00:00
|
|
|
|
|
|
|
|
caCertPath := filepath.Join(serviceDir, "ca.cert")
|
2019-02-06 16:40:55 +00:00
|
|
|
caConfig := identity.PeerCAConfig{
|
2019-01-18 10:36:58 +00:00
|
|
|
CertPath: caCertPath,
|
|
|
|
|
}
|
|
|
|
|
identCertPath := filepath.Join(serviceDir, "identity.cert")
|
|
|
|
|
identKeyPath := filepath.Join(serviceDir, "identity.key")
|
|
|
|
|
identConfig := identity.Config{
|
|
|
|
|
CertPath: identCertPath,
|
|
|
|
|
KeyPath: identKeyPath,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ca, err := caConfig.Load()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
ident, err := identConfig.Load()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-24 17:23:45 +00:00
|
|
|
if config.Signer.Address == "" {
|
|
|
|
|
config.Signer.Address = defaultSignerAddress
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-25 07:57:21 +01:00
|
|
|
// Ensure we dont enforce a signed Peer Identity
|
|
|
|
|
config.Signer.TLS.UsePeerCAWhitelist = false
|
|
|
|
|
|
2020-10-28 14:01:41 +00:00
|
|
|
revocationDB, err := revocation.OpenDBFromCfg(ctx, config.Signer.TLS)
|
2019-08-19 23:10:38 +01:00
|
|
|
if err != nil {
|
2019-09-05 16:11:21 +01:00
|
|
|
return errs.New("error creating revocation database: %+v", err)
|
2019-08-19 23:10:38 +01:00
|
|
|
}
|
2019-08-20 16:04:17 +01:00
|
|
|
defer func() {
|
|
|
|
|
err = errs.Combine(err, revocationDB.Close())
|
|
|
|
|
}()
|
2019-08-19 23:10:38 +01:00
|
|
|
|
2019-09-19 05:46:39 +01:00
|
|
|
tlsOptions, err := tlsopts.NewOptions(ident, config.Signer.TLS, nil)
|
2019-09-05 16:11:21 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-09-19 05:46:39 +01:00
|
|
|
|
|
|
|
|
client, err := certificateclient.New(ctx, rpc.NewDefaultDialer(tlsOptions), config.Signer.Address)
|
2019-09-05 16:11:21 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-09-19 05:46:39 +01:00
|
|
|
defer func() { err = errs.Combine(err, client.Close()) }()
|
2019-09-05 16:11:21 +01:00
|
|
|
|
|
|
|
|
signedChainBytes, err := client.Sign(ctx, authToken)
|
2019-01-18 10:36:58 +00:00
|
|
|
if err != nil {
|
2019-11-13 10:07:21 +00:00
|
|
|
return err
|
2019-01-18 10:36:58 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-07 18:40:28 +00:00
|
|
|
signedChain, err := pkcrypto.CertsFromDER(signedChainBytes)
|
2019-01-18 10:36:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = caConfig.SaveBackup(ca)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-08 19:15:19 +01:00
|
|
|
// NB: signedChain is this identity's CA + signer chain.
|
2019-01-18 10:36:58 +00:00
|
|
|
ca.Cert = signedChain[0]
|
|
|
|
|
ca.RestChain = signedChain[1:]
|
2019-02-06 16:40:55 +00:00
|
|
|
err = caConfig.Save(ca)
|
2019-01-18 10:36:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 16:40:55 +00:00
|
|
|
err = identConfig.PeerConfig().SaveBackup(ident.PeerIdentity())
|
2019-01-18 10:36:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ident.RestChain = signedChain[1:]
|
|
|
|
|
ident.CA = ca.Cert
|
2019-02-06 16:40:55 +00:00
|
|
|
err = identConfig.PeerConfig().Save(ident.PeerIdentity())
|
2019-01-18 10:36:58 +00:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2019-01-24 15:41:16 +00:00
|
|
|
|
2019-01-25 16:55:45 +00:00
|
|
|
fmt.Println("Identity successfully authorized using single use authorization token.")
|
|
|
|
|
fmt.Printf("Please back-up \"%s\" to a safe location.\n", serviceDir)
|
2019-01-18 10:36:58 +00:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
func printExtensions(cert []byte, exts []pkix.Extension) error {
|
2019-02-07 17:08:52 +00:00
|
|
|
hash := pkcrypto.SHA256Hash(cert)
|
2018-12-18 11:55:55 +00:00
|
|
|
b64Hash, err := json.Marshal(hash)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
fmt.Printf("Cert hash: %s\n", b64Hash)
|
|
|
|
|
fmt.Println("Extensions:")
|
|
|
|
|
for _, e := range exts {
|
|
|
|
|
var data interface{}
|
2019-03-25 21:52:12 +00:00
|
|
|
if e.Id.Equal(extensions.RevocationExtID) {
|
|
|
|
|
var rev extensions.Revocation
|
2018-12-18 11:55:55 +00:00
|
|
|
if err := rev.Unmarshal(e.Value); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
data = rev
|
2019-03-25 21:52:12 +00:00
|
|
|
} else {
|
2018-12-18 11:55:55 +00:00
|
|
|
data = e.Value
|
|
|
|
|
}
|
|
|
|
|
out, err := json.MarshalIndent(data, "", " ")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
fmt.Printf("\t%s: %s\n", e.Id, out)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
