fetchcert/buildcert.go

package main

import (
	"context"
	"encoding/pem"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"strings"
	"syscall"
	"time"
	"unicode/utf8"

	"github.com/sirupsen/logrus"
)

// Max supported CA chain length
const MAX_CA_CHAIN_LENGTH = 8

type (
	// Structure that describes the existing file for a certificate.
	tExistingFileInfo struct {
		owner uint32
		group uint32
		mode  os.FileMode
	}

	// Certificate building, including the configuration, LDAP connection,
	// and the array of chunks that's being built.
	tCertificateBuilder struct {
		// The certificate file's current configuration
		Config *tCertificateFileConfig
		// The LDAP connection to read data from
		conn *tLdapConn
		// The logger to use
		logger *logrus.Entry
		// The list of DNs that are involved in generating this certificate. If the
		// command has a non-'*' selector, the list will be checked for a value
		// matching the selector befor anything else is done.
		dnList []string
		// The various chunks of data that will be written to the resulting PEM file.
		// Each chunk corresponds to a PEM block.
		data [][]byte
		// The output text
		text []byte
		// Information about the current file, if it exists.
		existing *tExistingFileInfo
		// Was the certificate file replaced?
		changed bool
	}
)

// Initialize a certificate file building using a LDAP connection and
// certificate file configuration.
func NewCertificateBuilder(conn *tLdapConn, config *tCertificateFileConfig) *tCertificateBuilder {
	return &tCertificateBuilder{
		Config: config,
		conn:   conn,
		logger: log.WithField("file", config.Path),
		data:   make([][]byte, 0),
	}
}

// Build the certificate file's data, returning any error that occurs while
// reading the source data.
func (b *tCertificateBuilder) Build() error {
	b.logger.Debug("Checking for updates")
	err := b.appendPemFiles(b.Config.PrependFiles)
	if err != nil {
		return err
	}
	err = b.appendCertificate()
	if err != nil {
		return err
	}
	err = b.appendCaCertificates()
	if err != nil {
		return err
	}
	err = b.appendPemFiles(b.Config.AppendFiles)
	if err != nil {
		return err
	}
	if b.Config.Reverse {
		b.reverseChunks()
	}
	b.generateText()
	return nil
}

// Check whether a selector matches one of the current certificate file's DNs.
func (b *tCertificateBuilder) SelectorMatches(selector string) bool {
	if selector == "*" {
		return true
	}
	sel := strings.ToLower(selector)
	for _, v := range b.dnList {
		if strings.ToLower(v) == sel {
			return true
		}
	}
	b.logger.WithField("selector", selector).Debug("Selector does not match.")
	return false
}

// Check whether the data should be written to disk. This also caches the
// file's owner, group and mode. If the update is being forced it will return
// `true` even if nothing changed.
//
// Note: file information will be read even when updates are forced, because
// it is used later to set file privileges.
func (b *tCertificateBuilder) MustWrite(force bool) bool {
	info, err := os.Lstat(b.Config.Path)
	if err != nil {
		return true
	}

	sys_stat := info.Sys().(*syscall.Stat_t)
	eif := &tExistingFileInfo{}
	eif.mode = info.Mode()
	eif.owner = sys_stat.Uid
	eif.group = sys_stat.Gid
	b.existing = eif

	if force || sys_stat.Size != int64(len(b.text)) {
		return true
	}
	existing, err := os.ReadFile(b.Config.Path)
	if err != nil {
		return true
	}
	for i, ch := range b.text {
		if ch != existing[i] {
			return true
		}
	}
	return false
}

// Write the file's data
func (b *tCertificateBuilder) WriteFile() error {
	log.WithField("file", b.Config.Path).Info("Writing certificate data to file")
	err := os.WriteFile(b.Config.Path, b.text, b.Config.FileMode())
	if err == nil {
		b.changed = true
	}
	return err
}

// Update the file's owner and group
func (b *tCertificateBuilder) UpdatePrivileges() error {
	update_mode := b.existing != nil && b.existing.mode != b.Config.FileMode()
	if update_mode {
		log.WithField("mode", b.Config.FileMode).Info("Updating file mode")
		err := os.Chmod(b.Config.Path, b.Config.FileMode())
		if err != nil {
			return err
		}
	}

	log := b.logger
	set_uid, set_gid := -1, -1
	if b.Config.Owner != "" {
		usr, err := user.Lookup(b.Config.Owner)
		if err != nil {
			return err
		}
		// Uid has already been validated when reading the config file
		uid, _ := strconv.Atoi(usr.Uid)
		if b.changed || b.existing == nil || b.existing.owner != uint32(uid) {
			set_uid = uid
			log = log.WithField("uid", set_uid)
		}
	}
	if b.Config.Group != "" {
		group, err := user.LookupGroup(b.Config.Group)
		if err != nil {
			return err
		}
		// Gid has already been validated when reading the config file
		gid, _ := strconv.Atoi(group.Gid)
		if b.changed || b.existing == nil || b.existing.group != uint32(gid) {
			set_gid = gid
			log = log.WithField("gid", set_gid)
		}
	}
	if set_gid != -1 || set_uid != -1 {
		log.Info("Updating file owner/group")
		err := os.Chown(b.Config.Path, set_uid, set_gid)
		if err == nil {
			b.changed = true
		}
		return err
	} else {
		b.changed = b.changed || update_mode
		if !update_mode {
			log.Debug("No update to privileges")
		}
		return nil
	}
}

// Did this certificate change in any way?
func (b *tCertificateBuilder) Changed() bool {
	return b.changed
}

// Run the commands from the pre_commands section of the configuration.
// This is only called if the certificate file has been modified in
// any way. Execution will stop at the first failure.
func (b *tCertificateBuilder) RunPreCommands() error {
	for i := range b.Config.AfterUpdate.PreCommands {
		err := b.RunCommand(i)
		if err != nil {
			return fmt.Errorf(
				"Failed while executing command '%s': %w",
				b.Config.AfterUpdate.PreCommands[i],
				err,
			)
		}
	}
	return nil
}

// Run a command through the `sh` shell.
func (b *tCertificateBuilder) RunCommand(pos int) error {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()

	log := b.logger.WithField("command", b.Config.AfterUpdate.PreCommands[pos])
	log.Debug("Executing command")
	cmd := exec.CommandContext(ctx, "sh", "-c", b.Config.AfterUpdate.PreCommands[pos])
	output, err := cmd.CombinedOutput()
	if len(output) != 0 {
		if utf8.Valid(output) {
			log = log.WithField("output", string(output))
		} else {
			log = log.WithField("output", string(output))
		}
	}
	if err == nil {
		log.Info("Command executed")
	} else {
		log.WithField("error", err).Error("Command failed")
	}
	return err
}

// Append PEM files from a list.
func (b *tCertificateBuilder) appendPemFiles(files []string) error {
	for _, path := range files {
		var err error
		b.logger.WithField("source", path).Debug("Adding PEM file")
		err = b.appendPem(path)
		if err != nil {
			return err
		}
	}
	return nil
}

// Append a PEM file to the current list of data chunks
func (b *tCertificateBuilder) appendPem(input string) error {
	data, err := os.ReadFile(input)
	if err != nil {
		return fmt.Errorf("Could not load '%s': %w", input, err)
	}
	rest := data
	hadBlock := false
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		hadBlock = true
		b.data = append(b.data, pem.EncodeToMemory(block))
	}
	if hadBlock {
		return nil
	} else {
		return fmt.Errorf("No PEM blocks found in '%s'", input)
	}
}

// Append the main, end-entity certificate from the LDAP
func (b *tCertificateBuilder) appendCertificate() error {
	if b.Config.Certificate != "" {
		dn := b.conn.BaseDN()
		if dn != "" {
			dn = "," + dn
		}
		dn = b.Config.Certificate + dn
		b.dnList = append(b.dnList, strings.ToLower(dn))
		b.logger.WithField("dn", dn).Debug("Adding EE certificate from LDAP")
		data, err := b.conn.GetEndEntityCertificate(dn)
		if err != nil {
			return err
		}
		b.data = append(b.data, data)
	}
	return nil
}

// Append all CA certificates, reading the list from the LDAP or from the
// configuration.
func (b *tCertificateBuilder) appendCaCertificates() error {
	if len(b.Config.CACertificates) != 0 {
		return b.appendListedCaCerts()
	} else if b.Config.CAChainOf != "" {
		return b.appendChainedCaCerts()
	} else {
		return nil
	}
}

// Append CA certificates based on a list of DNs
func (b *tCertificateBuilder) appendListedCaCerts() error {
	bdn := b.conn.BaseDN()
	if bdn != "" {
		bdn = "," + bdn
	}
	for _, dn := range b.Config.CACertificates {
		full_dn := dn + bdn
		b.dnList = append(b.dnList, strings.ToLower(full_dn))
		b.logger.WithField("dn", full_dn).Debug("Adding CA certificate from LDAP")
		data, _, err := b.conn.GetCaCertificate(full_dn)
		if err != nil {
			return err
		}
		if data == nil {
			return fmt.Errorf("No CA certificate at DN '%s'", full_dn)
		}
		b.data = append(b.data, data)
	}
	return nil
}

// Append CA certificates by following a chain starting at some DN
func (b *tCertificateBuilder) appendChainedCaCerts() error {
	nFound := 0
	dn := b.Config.CAChainOf
	if b.conn.BaseDN() != "" {
		dn = dn + "," + b.conn.BaseDN()
	}
	for {
		b.dnList = append(b.dnList, strings.ToLower(dn))
		data, nextDn, err := b.conn.GetCaCertificate(dn)
		if err != nil {
			return err
		}
		if nFound != 0 {
			if data == nil {
				return fmt.Errorf("No CA certificate at DN '%s'", dn)
			}
			b.logger.WithField("dn", dn).Debug("Adding CA certificate from LDAP chain")
			b.data = append(b.data, data)
		}
		if nextDn == "" {
			return nil
		}
		dn = nextDn
		nFound += 1
		if nFound == MAX_CA_CHAIN_LENGTH {
			return fmt.Errorf("DN '%s': CA chain length exceeded", dn)
		}
	}
}

// Reverse the chunks in the list
func (b *tCertificateBuilder) reverseChunks() {
	b.logger.Debug("Reversing PEM list")
	l := len(b.data) / 2
	for i := 0; i < l/2; i++ {
		j := l - i - 1
		b.data[i], b.data[j] = b.data[j], b.data[i]
	}
}

// Generate the final text of the file
func (b *tCertificateBuilder) generateText() {
	size := int64(0)
	for i := range b.data {
		size += int64(len(b.data[i]))
		if i != 0 && b.data[i-1][len(b.data[i-1])-1] != '\n' {
			size++
		}
	}
	b.text = make([]byte, size)
	pos := 0
	for i := range b.data {
		copied := copy(b.text[pos:], b.data[i])
		pos += copied
		if i != 0 && b.data[i-1][len(b.data[i-1])-1] != '\n' {
			b.text[pos] = '\n'
			pos++
		}
	}
	b.logger.WithField("size", size).Debug("Data generated")
}