diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index 53deffd2ab1a8f04b156460f5f9ee99ec80cf021..77a0b4b8babbc7693683114480031f5c8f5967a2 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -19,9 +19,9 @@ var (
 	u, _             = user.Current()
 	cfg              = pflag.String("config", path.Join(u.HomeDir, ".cashier.conf"), "Path to config file")
 	ca               = pflag.String("ca", "http://localhost:10000", "CA server")
-	keysize          = pflag.Int("key_size", 2048, "Key size. Ignored for ed25519 keys")
-	validity         = pflag.Duration("validity", time.Hour*24, "Key validity")
-	keytype          = pflag.String("key_type", "rsa", "Type of private key to generate - rsa, ecdsa or ed25519")
+	keysize          = pflag.Int("key_size", 0, "Size of key to generate. Ignored for ed25519 keys. (default 2048 for rsa keys, 256 for ecdsa keys)")
+	validity         = pflag.Duration("validity", time.Hour*24, "Key lifetime. May be overridden by the CA at signing time")
+	keytype          = pflag.String("key_type", "", "Type of private key to generate - rsa, ecdsa or ed25519. (default \"rsa\")")
 	publicFilePrefix = pflag.String("public_file_prefix", "", "Prefix for filename for public key and cert (optional, no default)")
 )
 
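Review bot: With `key_size` now defaulting to 0 as a "use the per-type default" sentinel, whatever resolves the real size (outside this diff) becomes the only place a too-small user-supplied size can be rejected; an RSA key of, say, 512 bits would otherwise be generated and submitted for signing. Suggest that resolver enforce a floor (RSA at least 2048, ECDSA one of 256/384/521) and that the `key_type` resolver reject anything other than the three names listed, failing with a clear message rather than falling back to rsa. Since the flag defaults are now zero values, pflag's generated help will print `(default 0)` / no default alongside the hand-written "(default 2048 ...)" text, so it is worth checking that the combined output reads sensibly.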
@@ -30,7 +30,7 @@ func main() {
 
 	c, err := client.ReadConfig(*cfg)
 	if err != nil {
-		log.Fatalf("Error parsing config file: %v\n", err)
+		log.Printf("Error parsing config file: %v\n", err)
 	}
 	fmt.Printf("Your browser has been opened to visit %s\n", c.CA)
 	if err := browser.OpenURL(c.CA); err != nil {
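Review bot: Downgrading the config error to `log.Printf` means `c.CA` on the following line is dereferenced even when `ReadConfig` failed; if it returns a nil config on a parse error this is now a nil-pointer panic, and if it returns a partially filled one the client proceeds against whatever defaults survived, including the plaintext `http://localhost:10000` CA. Presumably the intent is to tolerate a missing file rather than a malformed one, so distinguish the two: `if err != nil && !os.IsNotExist(err) { log.Fatalf("Error parsing config file: %v\n", err) }` (adjusted for whatever wrapping `ReadConfig` applies), plus a `c == nil` guard. The rest of `main` lies outside this hunk.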
@@ -52,7 +52,7 @@ func main() {
 	}
 	sock, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
 	if err != nil {
-		log.Fatalln("Error connecting to agent: %s", err)
+		log.Fatalf("Error connecting to agent: %v\n", err)
 	}
 	defer sock.Close()
 	a := agent.NewClient(sock)
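Review bot: When `SSH_AUTH_SOCK` is unset the new message will read something like `dial unix: missing address`, which does not tell the user what to fix; checking the variable first, `if os.Getenv("SSH_AUTH_SOCK") == "" { log.Fatalln("SSH_AUTH_SOCK is not set; start an ssh-agent first") }`, gives an actionable error. The switch to `Fatalf` itself is correct — the old `Fatalln` call never interpreted the `%s` verb.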
diff --git a/cmd/cashierd/handlers_test.go b/cmd/cashierd/handlers_test.go
index a6bd113644fe7777457078e84b881db80d770f6e..934d5d07ae601b4b688b0eeb121be0988390d8dd 100644
--- a/cmd/cashierd/handlers_test.go
+++ b/cmd/cashierd/handlers_test.go
@@ -34,19 +34,17 @@ func newContext(t *testing.T) *appContext {
 	defer os.Remove(f.Name())
 	f.Write(testdata.Priv)
 	f.Close()
-	signer, err := signer.New(&config.SSH{
+	if keysigner, err = signer.New(&config.SSH{
 		SigningKey: f.Name(),
 		MaxAge:     "1h",
-	})
-	if err != nil {
+	}); err != nil {
 		t.Error(err)
 	}
+	authprovider = testprovider.New()
+	certstore = store.NewMemoryStore()
 	return &appContext{
-		cookiestore:  sessions.NewCookieStore([]byte("secret")),
-		authprovider: testprovider.New(),
-		certstore:    store.NewMemoryStore(),
-		authsession:  &auth.Session{AuthURL: "https://www.example.com/auth"},
-		sshKeySigner: signer,
+		cookiestore: sessions.NewCookieStore([]byte("secret")),
+		authsession: &auth.Session{AuthURL: "https://www.example.com/auth"},
 	}
 }
 
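Review bot: `t.Error` after a failed `signer.New` lets `newContext` continue with a nil `keysigner`, so any test that signs a key will then panic with a nil-pointer dereference instead of reporting the real cause; `t.Fatal(err)` is what is wanted here. The setup also now writes three package-level variables (`keysigner`, `authprovider`, `certstore`), so tests that call `newContext` cannot safely use `t.Parallel()` — worth a comment on the function saying so, e.g. `// newContext resets the package-level signer, provider and store; callers must not run in parallel.` The function's opening lines are outside this hunk.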
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index 85c2d8164e599e648c670e3d0049e9fd1807026f..8164cf78caa307a37cda0d8c5c8273a1afc676e3 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -46,15 +46,16 @@ import (
 
 var (
 	cfg = flag.String("config_file", "cashierd.conf", "Path to configuration file.")
-)
 
-// appContext contains local context - cookiestore, authprovider, authsession etc.
-type appContext struct {
-	cookiestore  *sessions.CookieStore
 	authprovider auth.Provider
-	authsession  *auth.Session
-	sshKeySigner *signer.KeySigner
 	certstore    store.CertStorer
+	keysigner    *signer.KeySigner
+)
+
+// appContext contains local context - cookiestore, authsession etc.
+type appContext struct {
+	cookiestore *sessions.CookieStore
+	authsession *auth.Session
 }
 
 // getAuthTokenCookie retrieves a cookie from the request.
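Review bot: The three new package-level variables carry no doc comments, and `keysigner` in particular wraps the CA signing key, so its lifecycle should be stated where it is declared, e.g. `// keysigner signs user keys with the CA key. Set once in main before any handler runs; never reassigned.` with similar one-liners for `authprovider` and `certstore`. Moving these out of `appContext` into mutable package state also makes every handler depend on implicit globals rather than injected dependencies, which is the opposite of what `appContext` exists for; if the motivation is test setup, passing them through the context remains the cleaner seam.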
@@ -116,7 +117,7 @@ func (a *appContext) setCurrentURL(w http.ResponseWriter, r *http.Request) {
 
 func (a *appContext) isLoggedIn(w http.ResponseWriter, r *http.Request) bool {
 	tok := a.getAuthTokenCookie(r)
-	if !tok.Valid() || !a.authprovider.Valid(tok) {
+	if !tok.Valid() || !authprovider.Valid(tok) {
 		return false
 	}
 	return true
@@ -152,7 +153,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 	token := &oauth2.Token{
 		AccessToken: t,
 	}
-	ok := a.authprovider.Valid(token)
+	ok := authprovider.Valid(token)
 	if !ok {
 		return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 	}
@@ -162,13 +163,13 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 	if err != nil {
 		return http.StatusBadRequest, errors.Wrap(err, "unable to extract key from request")
 	}
-	username := a.authprovider.Username(token)
-	a.authprovider.Revoke(token) // We don't need this anymore.
-	cert, err := a.sshKeySigner.SignUserKey(req, username)
+	username := authprovider.Username(token)
+	authprovider.Revoke(token) // We don't need this anymore.
+	cert, err := keysigner.SignUserKey(req, username)
 	if err != nil {
 		return http.StatusInternalServerError, errors.Wrap(err, "error signing key")
 	}
-	if err := a.certstore.SetCert(cert); err != nil {
+	if err := certstore.SetCert(cert); err != nil {
 		log.Printf("Error recording cert: %v", err)
 	}
 	if err := json.NewEncoder(w).Encode(&lib.SignResponse{
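Review bot: A failure of `certstore.SetCert` is only logged, yet the signed certificate is still returned to the client on the next line; a cert that never reached the store cannot later be found by `revokeCertHandler` or appear in the KRL built from `certstore.GetRevoked()`, so this fails open from a revocation standpoint. Suggest failing closed: `if err := certstore.SetCert(cert); err != nil { return http.StatusInternalServerError, errors.Wrap(err, "unable to record cert") }` — the key has been signed but the client never receives it, which is the safer outcome. Also, `authprovider.Revoke(token)` discards its result; if it returns an error it should at least be logged, since an unrevoked access token stays usable until it expires. signHandler's boundaries lie outside this hunk.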
@@ -184,7 +185,7 @@ func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 func loginHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
 	state := newState()
 	a.setAuthStateCookie(w, r, state)
-	a.authsession = a.authprovider.StartSession(state)
+	a.authsession = authprovider.StartSession(state)
 	http.Redirect(w, r, a.authsession.AuthURL, http.StatusFound)
 	return http.StatusFound, nil
 }
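Review bot: `a.authsession` is a field on the single `appContext` built in `main` and shared by every request, so this per-request assignment is a data race and lets concurrent logins overwrite each other's session before `callbackHandler` consumes it — one user's callback can complete against another user's session. This predates the rename, but the line is being touched. The OAuth session should be per-request: the state is already persisted via `setAuthStateCookie`, so the callback should rebuild or look up the session from that state rather than reading it off the shared context. loginHandler is fully visible here; the fix also touches callbackHandler.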
@@ -195,7 +196,7 @@ func callbackHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int
 		return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 	}
 	code := r.FormValue("code")
-	if err := a.authsession.Authorize(a.authprovider, code); err != nil {
+	if err := a.authsession.Authorize(authprovider, code); err != nil {
 		return http.StatusInternalServerError, err
 	}
 	a.setAuthTokenCookie(w, r, a.authsession.Token)
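Review bot: `a.authsession` can be nil when the callback URL is hit before `loginHandler` ran in this process (or after a restart), and `a.authsession.Authorize` then panics; the state-cookie check above only shows the caller presents a matching cookie. Add a guard before the call: `if a.authsession == nil { return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized)) }`. Because `authsession` lives on the `appContext` shared by all requests, this is also the point where one user's authorization code is exchanged against whatever session was most recently started — making the session per-request (reconstructed from the state cookie) would remove both problems. callbackHandler starts and ends outside this hunk.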
@@ -219,11 +220,11 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
 }
 
 func listRevokedCertsHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
-	revoked, err := a.certstore.GetRevoked()
+	revoked, err := certstore.GetRevoked()
 	if err != nil {
 		return http.StatusInternalServerError, err
 	}
-	rl, err := a.sshKeySigner.GenerateRevocationList(revoked)
+	rl, err := keysigner.GenerateRevocationList(revoked)
 	if err != nil {
 		return http.StatusInternalServerError, errors.Wrap(err, "unable to generate KRL")
 	}
@@ -248,7 +249,7 @@ func listCertsJSONHandler(a *appContext, w http.ResponseWriter, r *http.Request)
 		return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
 	}
 	includeExpired, _ := strconv.ParseBool(r.URL.Query().Get("all"))
-	certs, err := a.certstore.List(includeExpired)
+	certs, err := certstore.List(includeExpired)
 	j, err := json.Marshal(certs)
 	if err != nil {
 		return http.StatusInternalServerError, errors.New(http.StatusText(http.StatusInternalServerError))
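Review bot: The error returned by `certstore.List(includeExpired)` is never checked — the `j, err := json.Marshal(certs)` line immediately overwrites it, so a failing store query is served as an empty list with 200 instead of 500. Add `if err != nil { return http.StatusInternalServerError, errors.Wrap(err, "unable to list certs") }` directly after the `List` call; `staticcheck` (SA4006) would flag the dead assignment. listCertsJSONHandler's start and end are outside the hunk.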
@@ -263,7 +264,7 @@ func revokeCertHandler(a *appContext, w http.ResponseWriter, r *http.Request) (i
 	}
 	r.ParseForm()
 	for _, id := range r.Form["cert_id"] {
-		if err := a.certstore.Revoke(id); err != nil {
+		if err := certstore.Revoke(id); err != nil {
 			return http.StatusInternalServerError, errors.Wrap(err, "unable to revoke")
 		}
 	}
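Review bot: `r.ParseForm()` returns an error that is ignored; a malformed body silently yields an empty `cert_id` list and the handler reports success without revoking anything. Use `if err := r.ParseForm(); err != nil { return http.StatusBadRequest, errors.Wrap(err, "unable to parse form") }`. A failure mid-loop also returns 500 after some IDs have already been revoked, which is acceptable if callers treat 500 as "retry", but deserves a comment on the loop. The handler's beginning and end are outside the hunk.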
@@ -326,7 +327,7 @@ func main() {
 	})
 	vaultfs.Register(conf.Vault)
 
-	signer, err := signer.New(conf.SSH)
+	keysigner, err = signer.New(conf.SSH)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -378,7 +379,6 @@ func main() {
 	// Unprivileged section
 	metrics.Register()
 
-	var authprovider auth.Provider
 	switch conf.Auth.Provider {
 	case "google":
 		authprovider, err = google.New(conf.Auth)
@@ -393,15 +393,12 @@ func main() {
 		log.Fatal(errors.Wrapf(err, "unable to use provider '%s'", conf.Auth.Provider))
 	}
 
-	certstore, err := store.New(conf.Server.Database)
+	certstore, err = store.New(conf.Server.Database)
 	if err != nil {
 		log.Fatal(err)
 	}
 	ctx := &appContext{
-		cookiestore:  sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
-		authprovider: authprovider,
-		sshKeySigner: signer,
-		certstore:    certstore,
+		cookiestore: sessions.NewCookieStore([]byte(conf.Server.CookieSecret)),
 	}
 	ctx.cookiestore.Options = &sessions.Options{
 		MaxAge:   900,
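Review bot: `conf.Server.CookieSecret` is handed straight to `sessions.NewCookieStore` with no check that it is set; an empty or short secret makes the auth-token cookie's MAC weak or trivially forgeable, and a forged cookie passes `isLoggedIn` for every protected handler. Validate at startup, e.g. `if len(conf.Server.CookieSecret) < 32 { log.Fatal("cookie secret must be at least 32 bytes") }` — gorilla/securecookie documents 32 or 64 bytes for the hash key; I have not verified how it treats a zero-length key, so the explicit check is the safe route either way. `main` continues past this hunk.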