File: checkHost.go

package info (click to toggle)
golang-github-smallstep-cli 0.15.16%2Bds-3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 4,404 kB
  • sloc: sh: 512; makefile: 99
file content (112 lines) | stat: -rw-r--r-- 2,832 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
 
package ssh

import (
	"fmt"
	"net/http"
	"os"
	"time"

	"github.com/pkg/errors"
	"github.com/smallstep/certificates/ca"
	caErrs "github.com/smallstep/certificates/errs"
	"github.com/smallstep/cli/command"
	"github.com/smallstep/cli/errs"
	"github.com/smallstep/cli/flags"
	"github.com/smallstep/cli/jose"
	"github.com/smallstep/cli/token"
	"github.com/smallstep/cli/utils/cautils"
	"github.com/urfave/cli"
)

func checkHostCommand() cli.Command {
	return cli.Command{
		Name:   "check-host",
		Action: command.ActionFunc(checkHostAction),
		Usage:  "checks if a certificate has been issued for a host",
		UsageText: `**step ssh check-host** <hostname>
[**--ca-url**=<uri>] [**--root**=<file>]
[**--offline**] [**--ca-config**=<path>] [**--verbose,-v**]`,
		Description: `**step ssh check-host** checks if a certificate has been issued for a host.

This command returns a zero exit status if the host has a certificate.
Otherwise, it returns 1.

## POSITIONAL ARGUMENTS

<hostname>
:  The hostname of the server to check.

## EXAMPLES

Check that internal.example.com exists:
'''
$ step ssh check-host internal.smallstep.com
'''`,
		Flags: []cli.Flag{
			flags.CaURL,
			flags.Root,
			flags.Offline,
			flags.CaConfig,
			cli.BoolFlag{
				Name:  "verbose, v",
				Usage: `Return "true" or "false" in the terminal.`,
			},
		},
	}
}

func checkHostAction(ctx *cli.Context) error {
	isVerbose := ctx.Bool("verbose")

	if err := errs.NumberOfArguments(ctx, 1); err != nil {
		return err
	}

	client, err := cautils.NewClient(ctx)
	if err != nil {
		return contactAdminErr(errors.Wrap(err, "error generating ca client"))
	}
	version, err := client.Version()
	if err != nil {
		return contactAdminErr(errors.Wrap(err, "error retrieving client version info"))
	}

	var (
		tok      string
		hostname = ctx.Args().First()
	)
	if version.RequireClientAuthentication {
		id, err := ca.LoadDefaultIdentity()
		if err != nil {
			return sshConfigErr(errors.Wrap(err, "error loading the default x5c identity"))
		}

		if id != nil {
			// Get private key from given key file.
			jwk, err := jose.ParseKey(id.Key)
			if err != nil {
				return debugErr(errors.Wrap(err, "error parsing x5c key from identity file"))
			}
			tokenGen := cautils.NewTokenGenerator(jwk.KeyID, "x5c-identity",
				"/ssh/check-host", "", time.Time{}, time.Time{}, jwk)
			tok, err = tokenGen.Token(hostname, token.WithX5CInsecureFile(id.Certificate, jwk.Key))
			if err != nil {
				return sshConfigErr(errors.Wrap(err, "error generating identity x5c token for /ssh/check-host request"))
			}
		}
	}

	resp, err := client.SSHCheckHost(hostname, tok)
	if err != nil {
		return caErrs.Wrap(http.StatusInternalServerError, err,
			"error checking ssh host eligibility")
	}

	if isVerbose {
		fmt.Println(resp.Exists)
	}
	if !resp.Exists {
		os.Exit(1)
	}
	return nil
}