Steven/certman
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 3 Wiki Activity

Major Refactoring, Client can now be used as a library
Some checks failed
Build (artifact) / build (push) Failing after 1m3s
Details

Browse Source
This commit is contained in:
Steven Tracey
2026-03-16 21:48:32 +01:00
parent e6a2ba2f8b
commit e0f68788c0
45 changed files with 1359 additions and 1245 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
common/buildinfo.go Normal file
View File

@@ -0,0 +1,6 @@
package common
var (
Version = "dev"
Build = "local"
)

71
common/config.go Normal file
View File

@@ -0,0 +1,71 @@
package common
// ---------------------------------------------------------------------------
// Default config templates
// ---------------------------------------------------------------------------
type AppConfig struct {
App App `mapstructure:"app" toml:"app"`
Certificates Certificates `mapstructure:"certificates" toml:"certificates"`
Cloudflare Cloudflare `mapstructure:"cloudflare" toml:"cloudflare"`
Git Git `mapstructure:"git" toml:"git"`
}
type App struct {
Mode string `mapstructure:"mode" toml:"mode"`
TickRate int `mapstructure:"tick_rate" toml:"tick_rate"`
UUID string `mapstructure:"uuid" toml:"uuid"`
}
type Git struct {
Host string `mapstructure:"host" toml:"host"`
Server string `mapstructure:"server" toml:"server"`
Username string `mapstructure:"username" toml:"username"`
APIToken string `mapstructure:"api_token" toml:"api_token"`
OrgName string `mapstructure:"org_name" toml:"org_name"`
}
type Certificates struct {
DataRoot string `mapstructure:"data_root" toml:"data_root"`
Email string `mapstructure:"email" toml:"email"`
CADirURL string `mapstructure:"ca_dir_url" toml:"ca_dir_url"`
}
type Cloudflare struct {
CFEmail string `mapstructure:"cf_email" toml:"cf_email"`
CFAPIKey string `mapstructure:"cf_api_key" toml:"cf_api_key"`
}
type DomainConfig struct {
Domain DomainCfg `mapstructure:"domain" toml:"domain"`
Certificates DomainCerts `mapstructure:"certificates" toml:"certificates"`
Repo Repo `mapstructure:"repo" toml:"repo"`
Internal Internal `mapstructure:"shared" toml:"shared"`
}
type DomainCfg struct {
DomainName string `mapstructure:"domain_name" toml:"domain_name"`
Enabled bool `mapstructure:"enabled" toml:"enabled"`
DNSServer string `mapstructure:"dns_server" toml:"dns_server"`
}
type DomainCerts struct {
DataRoot string `mapstructure:"data_root" toml:"data_root"`
RequestMethod string `mapstructure:"request_method" toml:"request_method"`
CryptoKey string `mapstructure:"crypto_key" toml:"crypto_key"`
Expiry int `mapstructure:"expiry" toml:"expiry"`
RenewPeriod int `mapstructure:"renew_period" toml:"renew_period"`
SubDomains []string `mapstructure:"sub_domains" toml:"sub_domains"`
CertSymlinks []string `mapstructure:"cert_symlinks" toml:"cert_symlinks"`
KeySymlinks []string `mapstructure:"key_symlinks" toml:"key_symlinks"`
}
type Repo struct {
RepoSuffix string `mapstructure:"repo_suffix" toml:"repo_suffix"`
}
type Internal struct {
LastIssued int64 `mapstructure:"last_issued" toml:"last_issued"`
RepoExists bool `mapstructure:"repo_exists" toml:"repo_exists"`
Status string `mapstructure:"status" toml:"status"`
}

98
common/crypto.go Normal file
View File

@@ -0,0 +1,98 @@
package common
import (
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"io"
"os"
"golang.org/x/crypto/chacha20poly1305"
)
// GenerateKey returns a base64-encoded 32-byte random key suitable to use as the
// symmetric passphrase for age scrypt mode. Store this securely (never in Git).
func GenerateKey() (string, error) {
k := make([]byte, 32)
if _, err := rand.Read(k); err != nil {
return "", err
}
out := make([]byte, base64.StdEncoding.EncodedLen(len(k)))
base64.StdEncoding.Encode(out, k)
return string(out), nil
}
func decodeKey(b64 string) ([]byte, error) {
key, err := base64.StdEncoding.DecodeString(b64) // standard padded
if err != nil {
return nil, err
}
if len(key) != chacha20poly1305.KeySize {
return nil, fmt.Errorf("bad key length: got %d, want %d", len(key), chacha20poly1305.KeySize)
}
return key, nil
}
func EncryptFileXChaCha(keyB64, inPath, outPath string, aad []byte) error {
key, err := decodeKey(keyB64)
if err != nil {
return err
}
aead, err := chacha20poly1305.NewX(key)
if err != nil {
return fmt.Errorf("new aead: %w", err)
}
plaintext, err := os.ReadFile(inPath)
if err != nil {
return fmt.Errorf("read input: %w", err)
}
nonce := make([]byte, chacha20poly1305.NonceSizeX) // 24 bytes
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return fmt.Errorf("nonce: %w", err)
}
ciphertext := aead.Seal(nil, nonce, plaintext, aad)
// Write: nonce || ciphertext
out := make([]byte, 0, len(nonce)+len(ciphertext))
out = append(out, nonce...)
out = append(out, ciphertext...)
if err := os.WriteFile(outPath, out, 0600); err != nil {
return fmt.Errorf("write output: %w", err)
}
return nil
}
func DecryptFileFromBytes(keyB64 string, inBytes []byte, outPath string, aad []byte) error {
key, err := decodeKey(keyB64)
if err != nil {
return err
}
aead, err := chacha20poly1305.NewX(key)
if err != nil {
return fmt.Errorf("new aead: %w", err)
}
if len(inBytes) < chacha20poly1305.NonceSizeX {
return errors.New("ciphertext too short")
}
nonce := inBytes[:chacha20poly1305.NonceSizeX]
ciphertext := inBytes[chacha20poly1305.NonceSizeX:]
plaintext, err := aead.Open(nil, nonce, ciphertext, aad)
if err != nil {
return fmt.Errorf("decrypt/auth failed: %w", err)
}
if err := os.WriteFile(outPath, plaintext, 0640); err != nil {
return fmt.Errorf("write output: %w", err)
}
return nil
}

311
common/git.go Normal file
View File

@@ -0,0 +1,311 @@
package common
import (
"errors"
"fmt"
"io"
"os"
"path/filepath"
"strings"
"time"
"code.gitea.io/sdk/gitea"
"github.com/go-git/go-billy/v5"
"github.com/go-git/go-git/v5"
gitconf "github.com/go-git/go-git/v5/config"
"github.com/go-git/go-git/v5/plumbing/object"
"github.com/go-git/go-git/v5/plumbing/transport/http"
"github.com/go-git/go-git/v5/storage/memory"
)
type CertManMode int
const (
Server CertManMode = iota
Client
)
type GitWorkspace struct {
Domain string
Repo *git.Repository
Storage *memory.Storage
FS billy.Filesystem
WorkTree *git.Worktree
}
type GitSource int
const (
Github GitSource = iota
Gitlab
Gitea
Gogs
Bitbucket
CodeCommit
)
var GitSourceName = map[GitSource]string{
Github: "github",
Gitlab: "gitlab",
Gitea: "gitea",
Gogs: "gogs",
Bitbucket: "bitbucket",
CodeCommit: "code-commit",
}
func StrToGitSource(s string) (GitSource, error) {
for k, v := range GitSourceName {
if v == s {
return k, nil
}
}
return GitSource(0), errors.New("invalid gitsource name")
}
//func createGithubClient() *github.Client {
// return github.NewClient(nil).WithAuthToken(config.GetString("Git.api_token"))
//}
func CreateGiteaClient(config *AppConfig) *gitea.Client {
client, err := gitea.NewClient(config.Git.Server, gitea.SetToken(config.Git.APIToken))
if err != nil {
fmt.Printf("Error connecting to gitea instance: %v\n", err)
return nil
}
return client
}
//func createGithubRepo(domain *Domain, Client *github.Client) string {
// name := domain.name
// owner := domain.config.GetString("Repo.owner")
// description := domain.description
// private := true
// includeAllBranches := false
//
// ctx := context.Background()
// template := &github.TemplateRepoRequest{
// Name: name,
// Owner: &owner,
// Description: description,
// Private: &private,
// IncludeAllBranches: &includeAllBranches,
// }
// repo, _, err := Client.Repositories.CreateFromTemplate(ctx, config.GetString("Git.org_name"), config.GetString("Git.template_name"), template)
// if err != nil {
// fmt.Println("Error creating repository from template,", err)
// return ""
// }
// return *repo.CloneURL
//}
func CreateGiteaRepo(domain string, giteaClient *gitea.Client, config *AppConfig, domainConfig *DomainConfig) string {
options := gitea.CreateRepoOption{
Name: domain + domainConfig.Repo.RepoSuffix,
Description: "Certificate storage for " + domain,
Private: true,
IssueLabels: "",
AutoInit: false,
Template: false,
Gitignores: "",
License: "",
Readme: "",
DefaultBranch: "master",
TrustModel: gitea.TrustModelDefault,
}
giteaRepo, _, err := giteaClient.CreateOrgRepo(config.Git.OrgName, options)
if err != nil {
fmt.Printf("Error creating repo: %v\n", err)
return ""
}
return giteaRepo.CloneURL
}
func InitRepo(url string, ws *GitWorkspace) error {
var err error
ws.Repo, err = git.Init(ws.Storage, ws.FS)
if err != nil {
fmt.Printf("Error initializing local repo: %v\n", err)
return err
}
_, err = ws.Repo.CreateRemote(&gitconf.RemoteConfig{
Name: "origin",
URLs: []string{url},
})
if err != nil && !errors.Is(err, git.ErrRemoteExists) {
fmt.Printf("Error creating remote origin repo: %v\n", err)
return err
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from local repo: %v\n", err)
return err
}
return nil
}
func CloneRepo(url string, ws *GitWorkspace, certmanMode CertManMode, config *AppConfig) error {
creds := &http.BasicAuth{
Username: config.Git.Username,
Password: config.Git.APIToken,
}
var err error
ws.Repo, err = git.Clone(ws.Storage, ws.FS, &git.CloneOptions{URL: url, Auth: creds})
if err != nil {
fmt.Printf("Error cloning repo: %v\n", err)
}
ws.WorkTree, err = ws.Repo.Worktree()
if err != nil {
fmt.Printf("Error getting worktree from cloned repo: %v\n", err)
return err
}
if certmanMode == Server {
serverIdFile, err := ws.FS.OpenFile("/SERVER_ID", os.O_RDWR, 0640)
if err != nil {
if os.IsNotExist(err) {
fmt.Printf("server ID file not found for %s, adopting domain\n", url)
return nil
}
return err
}
serverIdBytes, err := io.ReadAll(serverIdFile)
if err != nil {
return err
}
serverId := strings.TrimSpace(string(serverIdBytes))
if serverId != config.App.UUID {
return fmt.Errorf("domain is already managed by server with uuid %s", serverId)
}
}
return nil
}
func AddAndPushCerts(domain string, ws *GitWorkspace, config *AppConfig, domainConfig *DomainConfig) error {
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
dataRoot = config.Certificates.DataRoot
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
certFiles, err := os.ReadDir(dataRoot)
if err != nil {
fmt.Printf("Error reading from directory: %v\n", err)
return err
}
for _, entry := range certFiles {
if strings.HasSuffix(entry.Name(), ".crpt") {
file, err := ws.FS.Create(entry.Name())
if err != nil {
fmt.Printf("Error copying file to memfs: %v\n", err)
return err
}
certFile, err := os.ReadFile(filepath.Join(dataRoot, entry.Name()))
if err != nil {
fmt.Printf("Error reading file to memfs: %v\n", err)
file.Close()
return err
}
_, err = file.Write(certFile)
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
file, err := ws.FS.Create("/SERVER_ID")
if err != nil {
fmt.Printf("Error creating file in memfs: %v\n", err)
return err
}
_, err = file.Write([]byte(config.App.UUID))
if err != nil {
fmt.Printf("Error writing to memfs: %v\n", err)
file.Close()
return err
}
_, err = ws.WorkTree.Add(file.Name())
if err != nil {
fmt.Printf("Error adding file %v: %v\n", file.Name(), err)
file.Close()
return err
}
err = file.Close()
if err != nil {
fmt.Printf("Error closing file: %v\n", err)
}
}
status, err := ws.WorkTree.Status()
if err != nil {
fmt.Printf("Error getting repo status: %v\n", err)
return err
}
if status.IsClean() {
fmt.Printf("Repository is clean, skipping commit...\n")
return nil
}
fmt.Println("Work Tree Status:\n" + status.String())
signature := &object.Signature{
Name: "Cert Manager",
Email: config.Certificates.Email,
When: time.Now(),
}
_, err = ws.WorkTree.Commit("Update "+domain+" @ "+time.Now().Format("Mon Jan _2 2006 15:04:05 MST"), &git.CommitOptions{Author: signature, Committer: signature})
if err != nil {
fmt.Printf("Error committing certs: %v\n", err)
return err
}
creds := &http.BasicAuth{
Username: config.Git.Username,
Password: config.Git.APIToken,
}
err = ws.Repo.Push(&git.PushOptions{
Auth: creds,
Force: true,
RemoteName: "origin",
RefSpecs: []gitconf.RefSpec{
"refs/heads/master:refs/heads/master",
},
})
if err != nil {
fmt.Printf("Error pushing to origin: %v\n", err)
return err
}
fmt.Println("Successfully uploaded to " + config.Git.Server + "/" + config.Git.OrgName + "/" + domain + domainConfig.Repo.RepoSuffix + ".git")
return nil
}
func WriteCommitHash(hash string, config *AppConfig, domainConfig *DomainConfig) error {
var dataRoot string
if domainConfig.Certificates.DataRoot == "" {
dataRoot = config.Certificates.DataRoot
} else {
dataRoot = domainConfig.Certificates.DataRoot
}
err := os.WriteFile(filepath.Join(dataRoot, "hash"), []byte(hash), 0644)
if err != nil {
return err
}
return nil
}

321
common/util.go Normal file
View File

@@ -0,0 +1,321 @@
package common
import (
"errors"
"fmt"
"io/fs"
"os"
"os/user"
"path/filepath"
"regexp"
"strconv"
"strings"
"syscall"
"code.gitea.io/sdk/gitea"
)
var (
ErrorPIDInUse = errors.New("daemon is already running")
ErrLockFailed = errors.New("failed to acquire a lock on the PID file")
ErrBlankCert = errors.New("cert is blank")
)
type Domain struct {
name *string
config *AppConfig
description *string
gtClient *gitea.Client
}
// 0x01
func createPIDFile() {
file, err := os.Create("/var/run/certman.pid")
if err != nil {
fmt.Printf("0x01: Error creating PID file: %v\n", err)
return
}
err = file.Close()
if err != nil {
fmt.Printf("0x01: Error closing PID file: %v\n", err)
return
}
}
// 0x02
func ClearPIDFile() {
file, err := os.OpenFile("/var/run/certman.pid", os.O_RDWR|os.O_CREATE, 0644)
if err != nil {
fmt.Printf("0x02: Error opening PID file: %v\n", err)
return
}
defer file.Close()
err = file.Truncate(0)
if err != nil {
fmt.Printf("0x02: Error writing PID file: %v\n", err)
return
}
}
// 0x03
func CreateOrUpdatePIDFile(filename string) error {
pidBytes, err := os.ReadFile(filename)
if err != nil {
fmt.Printf("0x03: Error reading PID file: %v\n", err)
return err
}
pidStr := strings.TrimSpace(string(pidBytes))
isPidFileEmpty := pidStr == ""
if !isPidFileEmpty {
pid, err := strconv.Atoi(pidStr)
if err != nil {
fmt.Printf("0x03: Error parsing PID file: %v\n", err)
return err
}
isProcActive, err := isProcessActive(pid)
if err != nil {
fmt.Printf("0x03: Error checking if process is active: %v\n", err)
return err
}
if isProcActive {
return ErrorPIDInUse
}
}
pidFile, err := os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0644)
if err != nil {
if os.IsNotExist(err) {
createPIDFile()
} else {
fmt.Printf("0x03: Error opening PID file: %v\n", err)
return err
}
}
defer pidFile.Close()
if err := syscall.Flock(int(pidFile.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
if errors.Is(err, syscall.EWOULDBLOCK) {
return ErrLockFailed
}
return fmt.Errorf("error locking PID file: %w", err)
}
curPid := os.Getpid()
if _, err := pidFile.Write([]byte(strconv.Itoa(curPid))); err != nil {
return fmt.Errorf("error writing pid to PID file: %w", err)
}
return nil
}
// 0x04
// isProcessActive checks whether the process with the provided PID is running.
func isProcessActive(pid int) (bool, error) {
if pid <= 0 {
return false, errors.New("invalid process ID")
}
process, err := os.FindProcess(pid)
if err != nil {
// On Unix systems, os.FindProcess always succeeds and returns a process with the given pid, irrespective of whether the process exists.
return false, nil
}
err = process.Signal(syscall.Signal(0))
if err != nil {
if errors.Is(err, syscall.ESRCH) {
// The process does not exist
return false, nil
} else if errors.Is(err, os.ErrProcessDone) {
return false, nil
}
// Some other unexpected error
return false, err
}
// The process exists and is active
return true, nil
}
// 0x05
func DaemonProcess() (*os.Process, error) {
pidBytes, err := os.ReadFile("/var/run/certman.pid")
if err != nil {
fmt.Printf("0x05: Error getting PID from /var/run/certman.pid: %v\n", err)
return nil, err
}
pidStr := strings.TrimSpace(string(pidBytes))
daemonPid, err := strconv.Atoi(pidStr)
if err != nil {
fmt.Printf("0x05: Error converting PID string to int (%s): %v\n", pidStr, err)
return nil, err
}
isProcActive, err := isProcessActive(daemonPid)
if err != nil {
fmt.Printf("0x05: Error checking if process is active: %v\n", err)
}
if !isProcActive {
return nil, errors.New("process is not active")
}
proc, err := os.FindProcess(daemonPid)
if err != nil {
fmt.Printf("0x05: Error finding process with PID %d: %v\n", daemonPid, err)
return nil, err
}
return proc, nil
}
func LinkFile(source, target, domain, extension string) error {
if target == "" {
return ErrBlankCert
}
linkInfo, err := os.Stat(target)
if err != nil {
if os.IsNotExist(err) {
err = os.Symlink(source, target)
if err != nil {
return err
}
return nil
}
return err
}
if linkInfo.IsDir() {
target = filepath.Join(target, domain+extension)
err = os.Symlink(source, target)
if err != nil {
return err
}
}
return nil
}
func FileExists(path string) bool {
_, err := os.Stat(path)
return err == nil
}
func contains(slice []string, value string) (sliceHas bool, index int) {
for i, entry := range slice {
if entry == value {
return true, i
}
}
return false, -1
}
func insert(a []string, index int, value string) []string {
last := len(a) - 1
a = append(a, a[last])
copy(a[index+1:], a[index:last])
a[index] = value
return a
}
func SanitizeDomainKey(s string) string {
s = strings.TrimSpace(strings.ToLower(s))
r := strings.NewReplacer("/", "_", "\\", "_", " ", "_", ":", "_")
return r.Replace(s)
}
func ChownRecursive(path string, uid, gid int) error {
return filepath.WalkDir(path, func(name string, d fs.DirEntry, err error) error {
if err != nil {
return err // Stop if we encounter a permission error on a specific file
}
// Apply ownership change to the current item
return os.Chown(name, uid, gid)
})
}
func LookupGID(group string) (int, error) {
g, err := user.LookupGroup(group)
if err != nil {
return 0, err
}
return strconv.Atoi(g.Gid)
}
// MakeCredential resolves username/groupname to uid/gid for syscall.Credential.
// Note: actually *using* different credentials typically requires the server
// process to have appropriate privileges (often root).
func MakeCredential(username, groupname string) (*syscall.Credential, error) {
var uid, gid uint32
var haveUID, haveGID bool
if username != "" {
u, err := user.Lookup(username)
if err != nil {
return nil, fmt.Errorf("unknown user")
}
parsed, err := strconv.ParseUint(u.Uid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad uid")
}
uid = uint32(parsed)
haveUID = true
// If group not explicitly provided, default to user's primary group.
if groupname == "" && u.Gid != "" {
parsedG, err := strconv.ParseUint(u.Gid, 10, 32)
if err == nil {
gid = uint32(parsedG)
haveGID = true
}
}
}
if groupname != "" {
g, err := user.LookupGroup(groupname)
if err != nil {
return nil, fmt.Errorf("unknown group")
}
parsed, err := strconv.ParseUint(g.Gid, 10, 32)
if err != nil {
return nil, fmt.Errorf("bad gid")
}
gid = uint32(parsed)
haveGID = true
}
// If only group was provided, keep current uid.
if !haveUID {
uid = uint32(os.Getuid())
}
if !haveGID {
gid = uint32(os.Getgid())
}
return &syscall.Credential{Uid: uid, Gid: gid}, nil
}
func CertsDir(config *AppConfig, domainConfig *DomainConfig) string {
if config == nil {
return ""
}
if domainConfig == nil {
return ""
}
if domainConfig.Certificates.DataRoot == "" {
if config.Certificates.DataRoot == "" {
workDir, err := os.Getwd()
if err != nil {
return "./"
}
return workDir
}
return config.Certificates.DataRoot
}
return domainConfig.Certificates.DataRoot
}
var fqdnRegex = regexp.MustCompile(`^(?i:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$`)
func IsValidFQDN(domain string) bool {
return len(domain) <= 253 && fqdnRegex.MatchString(domain)
}