2019-01-24 20:15:10 +00:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
2018-08-27 23:23:48 +01:00
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2019-02-06 16:40:55 +00:00
|
|
|
"crypto/x509"
|
2018-08-27 23:23:48 +01:00
|
|
|
"fmt"
|
2019-01-26 14:59:53 +00:00
|
|
|
"os"
|
2019-02-06 16:40:55 +00:00
|
|
|
"path/filepath"
|
2018-08-27 23:23:48 +01:00
|
|
|
|
|
|
|
"github.com/spf13/cobra"
|
|
|
|
|
2019-12-27 11:48:47 +00:00
|
|
|
"storj.io/common/identity"
|
|
|
|
"storj.io/common/peertls/extensions"
|
2020-03-23 19:18:20 +00:00
|
|
|
"storj.io/private/cfgstruct"
|
|
|
|
"storj.io/private/process"
|
2021-04-23 14:13:51 +01:00
|
|
|
"storj.io/storj/private/revocation"
|
2018-08-27 23:23:48 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
caCmd = &cobra.Command{
|
2019-01-24 15:41:16 +00:00
|
|
|
Use: "certificate-authority",
|
2019-01-18 10:36:58 +00:00
|
|
|
Short: "Manage certificate authorities",
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
newCACmd = &cobra.Command{
|
2019-01-24 15:41:16 +00:00
|
|
|
Use: "create",
|
2019-01-18 10:36:58 +00:00
|
|
|
Short: "Create a new certificate authority",
|
|
|
|
RunE: cmdNewCA,
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
getIDCmd = &cobra.Command{
|
2019-01-18 10:36:58 +00:00
|
|
|
Use: "id",
|
|
|
|
Short: "Get the id of a CA",
|
|
|
|
RunE: cmdGetID,
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
caExtCmd = &cobra.Command{
|
2019-02-06 16:40:55 +00:00
|
|
|
Use: "extensions [service]",
|
2019-01-18 10:36:58 +00:00
|
|
|
Short: "Prints the extensions attached to the identity CA certificate",
|
|
|
|
RunE: cmdCAExtensions,
|
2019-02-06 16:40:55 +00:00
|
|
|
Args: cobra.MaximumNArgs(1),
|
2019-01-18 10:36:58 +00:00
|
|
|
Annotations: map[string]string{"type": "setup"},
|
2018-12-18 11:55:55 +00:00
|
|
|
}
|
|
|
|
revokeCACmd = &cobra.Command{
|
2019-01-18 10:36:58 +00:00
|
|
|
Use: "revoke",
|
|
|
|
Short: "Revoke the identity's CA certificate (creates backup)",
|
|
|
|
RunE: cmdRevokeCA,
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
2018-12-18 11:55:55 +00:00
|
|
|
}
|
2019-02-06 16:40:55 +00:00
|
|
|
revokePeerCACmd = &cobra.Command{
|
|
|
|
Use: "revoke-peer [service] [revoked cert path]",
|
|
|
|
Short: "Revoke a peer identity's CA certificate and add to local revocation database",
|
|
|
|
Args: cobra.MaximumNArgs(2),
|
|
|
|
RunE: cmdRevokePeerCA,
|
|
|
|
Annotations: map[string]string{"type": "setup"},
|
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
newCACfg struct {
|
2019-01-30 20:47:21 +00:00
|
|
|
CA identity.CASetupConfig
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
getIDCfg struct {
|
2019-01-30 20:47:21 +00:00
|
|
|
CA identity.PeerCAConfig
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
|
|
|
caExtCfg struct {
|
2019-01-30 20:47:21 +00:00
|
|
|
CA identity.FullCAConfig
|
2018-12-18 11:55:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
revokeCACfg struct {
|
2019-01-30 20:47:21 +00:00
|
|
|
CA identity.FullCAConfig
|
2018-12-18 11:55:55 +00:00
|
|
|
// TODO: add "broadcast" option to send revocation to network nodes
|
|
|
|
}
|
2019-02-06 16:40:55 +00:00
|
|
|
|
|
|
|
revokePeerCACfg struct {
|
|
|
|
CA identity.FullCAConfig
|
|
|
|
PeerCA identity.PeerCAConfig
|
|
|
|
RevocationDBURL string
|
|
|
|
}
|
2018-08-27 23:23:48 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
func init() {
|
2019-02-06 16:40:55 +00:00
|
|
|
// NB: init functions are executed in lexicographical order of filename
|
|
|
|
identityDirParam := cfgstruct.FindIdentityDirParam()
|
|
|
|
if identityDirParam != "" {
|
|
|
|
defaultIdentityDir = identityDirParam
|
|
|
|
}
|
|
|
|
|
|
|
|
confDirParam := cfgstruct.FindConfigDirParam()
|
|
|
|
if confDirParam != "" {
|
|
|
|
defaultConfigDir = confDirParam
|
|
|
|
}
|
|
|
|
|
|
|
|
rootCmd.PersistentFlags().StringVar(&configDir, "config-dir", defaultConfigDir, "service config directory")
|
|
|
|
rootCmd.PersistentFlags().StringVar(&identityDir, "identity-dir", defaultIdentityDir, "root directory for identity output")
|
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
rootCmd.AddCommand(caCmd)
|
2019-01-18 10:36:58 +00:00
|
|
|
|
2018-08-27 23:23:48 +01:00
|
|
|
caCmd.AddCommand(newCACmd)
|
2018-12-18 11:55:55 +00:00
|
|
|
caCmd.AddCommand(getIDCmd)
|
|
|
|
caCmd.AddCommand(caExtCmd)
|
|
|
|
caCmd.AddCommand(revokeCACmd)
|
2019-02-06 16:40:55 +00:00
|
|
|
caCmd.AddCommand(revokePeerCACmd)
|
2019-01-18 10:36:58 +00:00
|
|
|
|
Command line flags features and cleanup (#2068)
* change BindSetup to be an option to Bind
* add process.Bind to allow composite structures
* hack fix for noprefix flags
* used tagged version of structs
Before this PR, some flags were created by calling `cfgstruct.Bind` and having their fields create a flag. Once the flags were parsed, `viper` was used to acquire all the values from them and config files, and the fields in the struct were set through the flag interface.
This doesn't work for slices of things on config structs very well, since it can only set strings, and for a string slice, it turns out that the implementation in `pflag` appends an entry rather than setting it.
This changes three things:
1. Only have a `Bind` call instead of `Bind` and `BindSetup`, and make `BindSetup` an option instead.
2. Add a `process.Bind` call that takes in a `*cobra.Cmd`, binds the struct to the command's flags, and keeps track of that struct in a global map keyed by the command.
3. Use `viper` to get the values and load them into the bound configuration structs instead of using the flags to propagate the changes.
In this way, we can support whatever rich configuration we want in the config yaml files, while still getting command like flags when important.
2019-05-29 18:56:22 +01:00
|
|
|
process.Bind(newCACmd, &newCACfg, defaults, cfgstruct.IdentityDir(defaultIdentityDir))
|
|
|
|
process.Bind(getIDCmd, &getIDCfg, defaults, cfgstruct.IdentityDir(defaultIdentityDir))
|
|
|
|
process.Bind(caExtCmd, &caExtCfg, defaults, cfgstruct.IdentityDir(defaultIdentityDir))
|
|
|
|
process.Bind(revokeCACmd, &revokeCACfg, defaults, cfgstruct.IdentityDir(defaultIdentityDir))
|
|
|
|
process.Bind(revokePeerCACmd, &revokePeerCACfg, defaults, cfgstruct.ConfDir(defaultConfigDir), cfgstruct.IdentityDir(defaultIdentityDir))
|
2018-08-27 23:23:48 +01:00
|
|
|
}
|
|
|
|
|
2018-08-28 16:00:18 +01:00
|
|
|
func cmdNewCA(cmd *cobra.Command, args []string) error {
|
2019-09-19 17:37:40 +01:00
|
|
|
ctx, _ := process.Ctx(cmd)
|
|
|
|
_, err := newCACfg.CA.Create(ctx, os.Stdout)
|
2018-08-27 23:23:48 +01:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
func cmdGetID(cmd *cobra.Command, args []string) (err error) {
|
|
|
|
p, err := getIDCfg.CA.Load()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-04-09 18:01:45 +01:00
|
|
|
fmt.Printf("base58-check node ID:\t%s\n", p.ID)
|
|
|
|
fmt.Printf("hex node ID:\t\t%x\n", p.ID)
|
|
|
|
fmt.Printf("node ID bytes:\t\t%v\n", p.ID[:])
|
|
|
|
|
|
|
|
difficulty, err := p.ID.Difficulty()
|
2021-05-14 16:05:42 +01:00
|
|
|
if err == nil {
|
|
|
|
fmt.Printf("difficulty:\t\t%d\n", difficulty)
|
2019-04-09 18:01:45 +01:00
|
|
|
}
|
2018-08-27 23:23:48 +01:00
|
|
|
return nil
|
|
|
|
}
|
2018-12-18 11:55:55 +00:00
|
|
|
|
|
|
|
func cmdRevokeCA(cmd *cobra.Command, args []string) (err error) {
|
|
|
|
ca, err := revokeCACfg.CA.Load()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// NB: backup original cert
|
2019-01-11 14:59:35 +00:00
|
|
|
if err := revokeCACfg.CA.SaveBackup(ca); err != nil {
|
2018-12-18 11:55:55 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-04-03 16:03:53 +01:00
|
|
|
if err := ca.Revoke(); err != nil {
|
2018-12-18 11:55:55 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-01-30 20:47:21 +00:00
|
|
|
updateCfg := identity.FullCAConfig{
|
2018-12-18 11:55:55 +00:00
|
|
|
CertPath: revokeCACfg.CA.CertPath,
|
|
|
|
}
|
|
|
|
if err := updateCfg.Save(ca); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-02-06 16:40:55 +00:00
|
|
|
func cmdRevokePeerCA(cmd *cobra.Command, args []string) (err error) {
|
2019-09-19 17:37:40 +01:00
|
|
|
ctx, _ := process.Ctx(cmd)
|
2019-08-22 12:40:15 +01:00
|
|
|
if len(args) > 0 {
|
2019-02-06 16:40:55 +00:00
|
|
|
revokePeerCACfg.CA = identity.FullCAConfig{
|
|
|
|
CertPath: filepath.Join(identityDir, args[0], "ca.cert"),
|
|
|
|
KeyPath: filepath.Join(identityDir, args[0], "ca.key"),
|
|
|
|
}
|
|
|
|
|
|
|
|
revokePeerCACfg.RevocationDBURL = "bolt://" + filepath.Join(configDir, args[0], "revocations.db")
|
2019-08-22 12:40:15 +01:00
|
|
|
}
|
|
|
|
if len(args) > 1 {
|
2019-02-06 16:40:55 +00:00
|
|
|
revokePeerCACfg.PeerCA = identity.PeerCAConfig{
|
|
|
|
CertPath: args[1],
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ca, err := revokePeerCACfg.CA.Load()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
peerCA, err := revokePeerCACfg.PeerCA.Load()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-03-25 21:52:12 +00:00
|
|
|
ext, err := extensions.NewRevocationExt(ca.Key, peerCA.Cert)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-10-28 14:01:41 +00:00
|
|
|
revDB, err := revocation.OpenDB(ctx, revokePeerCACfg.RevocationDBURL)
|
2019-02-06 16:40:55 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-06-04 12:36:27 +01:00
|
|
|
if err = revDB.Put(ctx, []*x509.Certificate{ca.Cert, peerCA.Cert}, ext); err != nil {
|
2019-02-06 16:40:55 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
func cmdCAExtensions(cmd *cobra.Command, args []string) (err error) {
|
2019-02-06 16:40:55 +00:00
|
|
|
if len(args) > 0 {
|
|
|
|
caExtCfg.CA = identity.FullCAConfig{
|
|
|
|
CertPath: filepath.Join(identityDir, args[0], "ca.cert"),
|
|
|
|
KeyPath: filepath.Join(identityDir, args[0], "ca.key"),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-12-18 11:55:55 +00:00
|
|
|
ca, err := caExtCfg.CA.Load()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2019-04-03 16:03:53 +01:00
|
|
|
return printExtensions(ca.Cert.Raw, ca.Cert.Extensions)
|
2018-12-18 11:55:55 +00:00
|
|
|
}
|