dnscontrol/pkg/acme/vaultStorage.go

package acme

import (
	"crypto/ecdsa"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"

	"github.com/go-acme/lego/certificate"

	"github.com/hashicorp/vault/api"
)

type vaultStorage struct {
	path   string
	client *api.Logical
}

func makeVaultStorage(vaultPath string) (Storage, error) {
	if !strings.HasSuffix(vaultPath, "/") {
		vaultPath += "/"
	}
	client, err := api.NewClient(api.DefaultConfig())
	if err != nil {
		return nil, err
	}
	storage := &vaultStorage{
		path:   vaultPath,
		client: client.Logical(),
	}
	return storage, nil
}

func (v *vaultStorage) GetCertificate(name string) (*certificate.Resource, error) {
	var err error

	path := v.certPath(name)
	secret, err := v.client.Read(path)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, nil
	}
	cert := &certificate.Resource{}
	if dat, err := v.getString("meta", secret.Data, path); err != nil {
		return nil, err
	} else if err = json.Unmarshal(dat, cert); err != nil {
		return nil, err
	}

	var dat []byte
	if dat, err = v.getString("tls.cert", secret.Data, path); err != nil {
		return nil, err
	}
	cert.Certificate = dat

	if dat, err = v.getString("tls.key", secret.Data, path); err != nil {
		return nil, err
	}
	cert.PrivateKey = dat

	return cert, nil
}

func (v *vaultStorage) getString(key string, data map[string]interface{}, path string) ([]byte, error) {
	dat, ok := data[key]
	if !ok {
		return nil, fmt.Errorf("secret at %s does not have key %s", path, key)
	}
	str, ok := dat.(string)
	if !ok {
		return nil, fmt.Errorf("secret at %s is not string", path)
	}
	return []byte(str), nil
}

func (v *vaultStorage) StoreCertificate(name string, cert *certificate.Resource) error {
	jDat, err := json.MarshalIndent(cert, "", "  ")
	if err != nil {
		return err
	}
	pub := string(cert.Certificate)
	key := string(cert.PrivateKey)
	data := map[string]interface{}{
		"tls.cert":     pub,
		"tls.key":      key,
		"tls.combined": pub + "\n" + key,
		"meta":         string(jDat),
	}
	_, err = v.client.Write(v.certPath(name), data)
	return err
}

func (v *vaultStorage) registrationPath(acmeHost string) string {
	return v.path + ".letsencrypt/" + acmeHost
}

func (v *vaultStorage) certPath(name string) string {
	return v.path + name
}

func (v *vaultStorage) GetAccount(acmeHost string) (*Account, error) {
	path := v.registrationPath(acmeHost)
	secret, err := v.client.Read(path)
	if err != nil {
		return nil, err
	}
	if secret == nil {
		return nil, nil
	}
	acct := &Account{}
	if dat, err := v.getString("registration", secret.Data, path); err != nil {
		return nil, err
	} else if err = json.Unmarshal(dat, acct); err != nil {
		return nil, err
	}

	var key *ecdsa.PrivateKey
	var dat []byte
	var block *pem.Block
	if dat, err = v.getString("tls.key", secret.Data, path); err != nil {
		return nil, err
	} else if block, _ = pem.Decode(dat); block == nil {
		return nil, fmt.Errorf("error decoding account private key")
	} else if key, err = x509.ParseECPrivateKey(block.Bytes); err != nil {
		return nil, err
	}
	acct.key = key
	return acct, nil
}

func (v *vaultStorage) StoreAccount(acmeHost string, account *Account) error {
	acctBytes, err := json.MarshalIndent(account, "", "  ")
	if err != nil {
		return err
	}
	keyBytes, err := x509.MarshalECPrivateKey(account.key)
	if err != nil {
		return err
	}
	pemKey := &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}
	pemBytes := pem.EncodeToMemory(pemKey)

	_, err = v.client.Write(v.registrationPath(acmeHost), map[string]interface{}{
		"registration": string(acctBytes),
		"tls.key":      string(pemBytes),
	})
	return err
}
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`package acme`

			`import (`
linting (#777) 2020-07-07 08:18:24 +08:00			`"crypto/ecdsa"`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`"crypto/x509"`
			`"encoding/json"`
			`"encoding/pem"`
			`"fmt"`
			`"strings"`

switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`"github.com/go-acme/lego/certificate"`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
			`"github.com/hashicorp/vault/api"`
			`)`

			`type vaultStorage struct {`
			`path string`
			`client *api.Logical`
			`}`

			`func makeVaultStorage(vaultPath string) (Storage, error) {`
			`if !strings.HasSuffix(vaultPath, "/") {`
			`vaultPath += "/"`
			`}`
			`client, err := api.NewClient(api.DefaultConfig())`
			`if err != nil {`
			`return nil, err`
			`}`
			`storage := &vaultStorage{`
			`path: vaultPath,`
			`client: client.Logical(),`
			`}`
			`return storage, nil`
			`}`

switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`func (v vaultStorage) GetCertificate(name string) (certificate.Resource, error) {`
Linting (#767) What could possibly go wrong? 2020-06-18 21:37:57 +08:00			`var err error`

Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`path := v.certPath(name)`
			`secret, err := v.client.Read(path)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if secret == nil {`
			`return nil, nil`
			`}`
switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`cert := &certificate.Resource{}`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`if dat, err := v.getString("meta", secret.Data, path); err != nil {`
			`return nil, err`
			`} else if err = json.Unmarshal(dat, cert); err != nil {`
			`return nil, err`
			`}`

Linting (#767) What could possibly go wrong? 2020-06-18 21:37:57 +08:00			`var dat []byte`
			`if dat, err = v.getString("tls.cert", secret.Data, path); err != nil {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return nil, err`
			`}`
Linting (#767) What could possibly go wrong? 2020-06-18 21:37:57 +08:00			`cert.Certificate = dat`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
Linting (#767) What could possibly go wrong? 2020-06-18 21:37:57 +08:00			`if dat, err = v.getString("tls.key", secret.Data, path); err != nil {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return nil, err`
			`}`
Linting (#767) What could possibly go wrong? 2020-06-18 21:37:57 +08:00			`cert.PrivateKey = dat`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00
			`return cert, nil`
			`}`

			`func (v *vaultStorage) getString(key string, data map[string]interface{}, path string) ([]byte, error) {`
			`dat, ok := data[key]`
			`if !ok {`
Lint: Fix ST1005: error strings should not be capitalized (#834) 2020-08-31 07:52:37 +08:00			`return nil, fmt.Errorf("secret at %s does not have key %s", path, key)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`}`
			`str, ok := dat.(string)`
			`if !ok {`
Lint: Fix ST1005: error strings should not be capitalized (#834) 2020-08-31 07:52:37 +08:00			`return nil, fmt.Errorf("secret at %s is not string", path)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`}`
			`return []byte(str), nil`
			`}`

switch to new go-acme imports from xenolf. Fix api changes (#540) * switch to new go-acme imports from xenolf. Fix api changes * update many vault related dependencies 2019-07-29 22:54:32 +08:00			`func (v vaultStorage) StoreCertificate(name string, cert certificate.Resource) error {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`jDat, err := json.MarshalIndent(cert, "", " ")`
			`if err != nil {`
			`return err`
			`}`
add tls.combined field to vault cert backend 2019-02-07 04:21:08 +08:00			`pub := string(cert.Certificate)`
			`key := string(cert.PrivateKey)`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`data := map[string]interface{}{`
add tls.combined field to vault cert backend 2019-02-07 04:21:08 +08:00			`"tls.cert": pub,`
			`"tls.key": key,`
			`"tls.combined": pub + "\n" + key,`
			`"meta": string(jDat),`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`}`
			`_, err = v.client.Write(v.certPath(name), data)`
			`return err`
			`}`

			`func (v *vaultStorage) registrationPath(acmeHost string) string {`
			`return v.path + ".letsencrypt/" + acmeHost`
			`}`

			`func (v *vaultStorage) certPath(name string) string {`
			`return v.path + name`
			`}`

			`func (v vaultStorage) GetAccount(acmeHost string) (Account, error) {`
			`path := v.registrationPath(acmeHost)`
			`secret, err := v.client.Read(path)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if secret == nil {`
			`return nil, nil`
			`}`
			`acct := &Account{}`
			`if dat, err := v.getString("registration", secret.Data, path); err != nil {`
			`return nil, err`
			`} else if err = json.Unmarshal(dat, acct); err != nil {`
			`return nil, err`
			`}`

linting (#777) 2020-07-07 08:18:24 +08:00			`var key *ecdsa.PrivateKey`
			`var dat []byte`
			`var block *pem.Block`
			`if dat, err = v.getString("tls.key", secret.Data, path); err != nil {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return nil, err`
linting (#777) 2020-07-07 08:18:24 +08:00			`} else if block, _ = pem.Decode(dat); block == nil {`
Lint: Fix ST1005: error strings should not be capitalized (#834) 2020-08-31 07:52:37 +08:00			`return nil, fmt.Errorf("error decoding account private key")`
linting (#777) 2020-07-07 08:18:24 +08:00			`} else if key, err = x509.ParseECPrivateKey(block.Bytes); err != nil {`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return nil, err`
			`}`
linting (#777) 2020-07-07 08:18:24 +08:00			`acct.key = key`
Abstraction for Certificate Storage (+ vault storage) (#406) * new abstraction around storage * re-work completely to fit new acme package pre-solving paradigm * vault storage plugin * add some vendor * delete old vendor pinning mechanism 2018-10-09 04:11:19 +08:00			`return acct, nil`
			`}`

			`func (v vaultStorage) StoreAccount(acmeHost string, account Account) error {`
			`acctBytes, err := json.MarshalIndent(account, "", " ")`
			`if err != nil {`
			`return err`
			`}`
			`keyBytes, err := x509.MarshalECPrivateKey(account.key)`
			`if err != nil {`
			`return err`
			`}`
			`pemKey := &pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes}`
			`pemBytes := pem.EncodeToMemory(pemKey)`

			`_, err = v.client.Write(v.registrationPath(acmeHost), map[string]interface{}{`
			`"registration": string(acctBytes),`
			`"tls.key": string(pemBytes),`
			`})`
			`return err`
			`}`