Emmanuel BENOîT
3b7757b1d9
This PR seeks to solve #2. It adds a Makefile that can build, test, lint and package the code and the Forgejo workflows needed to automate the build. In addition, it resolves various issues highlighted by the linter. Reviewed-on: #5 Co-authored-by: Emmanuel BENOÎT <tseeker@nocternity.net> Co-committed-by: Emmanuel BENOÎT <tseeker@nocternity.net> |
||
|---|---|---|
| .forgejo/workflows | ||
| tools | ||
| .gitignore | ||
| buildcert.go | ||
| client.go | ||
| config.go | ||
| COPYING | ||
| fetch-certificates.example.yml | ||
| go.mod | ||
| go.sum | ||
| ldap.go | ||
| logging.go | ||
| main.go | ||
| Makefile | ||
| README.md | ||
| server.go | ||
| update.go | ||
| version.go | ||
fetchcert
fetchcert is a somewhat overengineered program that fetches certificates from
LDAP servers, installs them if they are new or have changed, and runs commands
after that.
It can be used as a standalone program (e.g. from a cron) or as a server which uses a UNIX socket to receive commands. This ability could be used to connect the server to a message bus, for example.
Configuration
fetchcert reads its configuration from a YAML file. The
fetch-certificates.yml.example file in this repository contains information
about the specific structure of the file; this section describes the principles
behind it.
Certificates
that lists PEM files that must be maintained. Each PEM file can be generated by:
- prepending and/or appending local PEM files,
- adding an end-entity certificate from the LDAP server,
- adding CA certificates from the LDAP server.
CA certificate chains can be specified directly as a list of LDAP DNs. However
it is also possible to use some LDAP attribute (e.g. seeAlso) to represent the
next CA certificate in the chain. fetchcert is capable of following these
links.
Commands and handlers
When a PEM file is replaced by the program, it is capable of running various commands. Each PEM file section can configure:
- pre-commands, which will be executed right after the certificate is replaced ;
- handlers; a handler is only executed once, even if multiple certificates triggered it. Handlers are defined as lists of command in another section of the configuration file.
- post-commands are executed for each PEM file after handlers have run.
Execution of commands is interrupted for a given file if a command fails.
Other configuration elements
In addition to the certificate files and handlers, the configuration file must also contain the LDAP server(s) configuration, and the configuration for the UNIX socket if the program is used in client/server mode.
Usage
Common options
The following options are available in all modes:
-c <file>/--config <file>specifies the path to the configuration file; by default/etc/fetch-certificates.ymlwill be used.-F <log-file>/--log-file <log-file>specifies the path to a log file. By default, logs are not written to a file.-g <server>:<port>/--log-graylog <server>:<port>sends logs to a Graylog server using GELF over UDP.-l <log-level>/--log-level <log-level>can be used to change the log level, which defaults toinfo.-q/--quietprevents logging to the standard error stream.-s/--syslogsend logs to syslog. Logs will be sent with thefetchcertapplication name.
The -h / --help can be used to display command line help. Finally, the
-m / --mode option can be used to specify the execution mode (standalone,
client or server). See below for more information.
Standalone mode
If the -m standalone option is specified (or if no -m option is used), the
program runs in standalone mode, updating certificate files and running commands
directly.
-f/--forceforces the program to replace all certificate files and execute the commands and handlers.-u <dn>/--update <dn>specifies a LDAP DN which will act as a selector. Only files which use the certificate from that DN will be considered for update.
Client mode
If the -m client option is specified, the program runs in client mode. In this
mode, it will send commands and update requests to the server based on the
command line arguments below.
-C <command>/--command <command>sends the command to the server. The command may be eitherQ(which will cause the server to stop) orR(which will force the server to reload its configuration file). If this command line option is used, the client will not send an update request.-f/--forcesends a flag that forces the server to replace all certificate files and execute the commands and handlers.-u <dn>/--update <dn>specifies a LDAP DN which will act as a selector. The server will only replace files which use the certificate from that DN.
Server mode
If the -m server command line option is specified, the program starts and
runs in server mode. No additional options are needed.