You've already forked step-ca-cli
mirror of
https://github.com/smallstep/cli.git
synced 2025-07-31 08:24:22 +03:00
116 lines
2.8 KiB
Go
116 lines
2.8 KiB
Go
package ssh
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/pkg/errors"
|
|
"github.com/urfave/cli"
|
|
|
|
"github.com/smallstep/certificates/ca"
|
|
caErrs "github.com/smallstep/certificates/errs"
|
|
"github.com/smallstep/cli-utils/command"
|
|
"github.com/smallstep/cli-utils/errs"
|
|
"go.step.sm/crypto/jose"
|
|
|
|
"github.com/smallstep/cli/flags"
|
|
"github.com/smallstep/cli/token"
|
|
"github.com/smallstep/cli/utils/cautils"
|
|
)
|
|
|
|
func checkHostCommand() cli.Command {
|
|
return cli.Command{
|
|
Name: "check-host",
|
|
Action: command.ActionFunc(checkHostAction),
|
|
Usage: "checks if a certificate has been issued for a host",
|
|
UsageText: `**step ssh check-host** <hostname> [**--verbose,-v**]
|
|
[**--offline**] [**--ca-config**=<file>]
|
|
[**--ca-url**=<uri>] [**--root**=<file>] [**--context**=<name>]`,
|
|
Description: `**step ssh check-host** checks if a certificate has been issued for a host.
|
|
|
|
This command returns a zero exit status if the host has a certificate.
|
|
Otherwise, it returns 1.
|
|
|
|
## POSITIONAL ARGUMENTS
|
|
|
|
<hostname>
|
|
: The hostname of the server to check.
|
|
|
|
## EXAMPLES
|
|
|
|
Check that internal.example.com exists:
|
|
'''
|
|
$ step ssh check-host internal.smallstep.com
|
|
'''`,
|
|
Flags: []cli.Flag{
|
|
cli.BoolFlag{
|
|
Name: "verbose, v",
|
|
Usage: `Return "true" or "false" in the terminal.`,
|
|
},
|
|
flags.CaConfig,
|
|
flags.Offline,
|
|
flags.CaURL,
|
|
flags.Root,
|
|
flags.Context,
|
|
},
|
|
}
|
|
}
|
|
|
|
func checkHostAction(ctx *cli.Context) error {
|
|
isVerbose := ctx.Bool("verbose")
|
|
|
|
if err := errs.NumberOfArguments(ctx, 1); err != nil {
|
|
return err
|
|
}
|
|
|
|
client, err := cautils.NewClient(ctx)
|
|
if err != nil {
|
|
return contactAdminErr(errors.Wrap(err, "error generating ca client"))
|
|
}
|
|
version, err := client.Version()
|
|
if err != nil {
|
|
return contactAdminErr(errors.Wrap(err, "error retrieving client version info"))
|
|
}
|
|
|
|
var (
|
|
tok string
|
|
hostname = ctx.Args().First()
|
|
)
|
|
if version.RequireClientAuthentication {
|
|
id, err := ca.LoadDefaultIdentity()
|
|
if err != nil {
|
|
return sshConfigErr(errors.Wrap(err, "error loading the default x5c identity"))
|
|
}
|
|
|
|
if id != nil {
|
|
// Get private key from given key file.
|
|
jwk, err := jose.ReadKey(id.Key)
|
|
if err != nil {
|
|
return debugErr(errors.Wrap(err, "error parsing x5c key from identity file"))
|
|
}
|
|
tokenGen := cautils.NewTokenGenerator(jwk.KeyID, "x5c-identity",
|
|
"/ssh/check-host", "", time.Time{}, time.Time{}, jwk)
|
|
tok, err = tokenGen.Token(hostname, token.WithX5CInsecureFile(id.Certificate, jwk.Key))
|
|
if err != nil {
|
|
return sshConfigErr(errors.Wrap(err, "error generating identity x5c token for /ssh/check-host request"))
|
|
}
|
|
}
|
|
}
|
|
|
|
resp, err := client.SSHCheckHost(hostname, tok)
|
|
if err != nil {
|
|
return caErrs.Wrap(http.StatusInternalServerError, err,
|
|
"error checking ssh host eligibility")
|
|
}
|
|
|
|
if isVerbose {
|
|
fmt.Println(resp.Exists)
|
|
}
|
|
if !resp.Exists {
|
|
os.Exit(1)
|
|
}
|
|
return nil
|
|
}
|