Lorenz Brun705a4022021-12-23 11:51:06 +01001package main
2
3import (
4 "crypto/ed25519"
5 "crypto/x509"
6 "encoding/pem"
7 "errors"
8 "fmt"
9 "os"
10 "path/filepath"
Lorenz Brun705a4022021-12-23 11:51:06 +010011)
12
// noCredentialsError is the sentinel returned by the credential loaders below
// when the owner key or owner certificate file is absent from the metroctl
// config directory. Callers distinguish "not set up yet" from a real read or
// parse failure by comparing against it.
var (
	noCredentialsError = errors.New("owner certificate or key does not exist")
)
14
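// getOwnerKey returns the cluster owner's Ed25519 private key, if one exists,
// from the current metroctl config directory (file "owner-key.pem").
//
// It returns noCredentialsError when the file is absent. When the file exists
// it must start with a PEM block of type ownerKeyType whose payload is a raw
// 64-byte Ed25519 private key (seed || public key); only the first PEM block
// is considered, trailing data is ignored. The embedded public half is checked
// against the seed so that a corrupted or hand-edited key file is rejected
// here with a clear error instead of later producing signatures the cluster
// does not accept.
//
// NOTE(security): the file's permissions are not checked; a key file readable
// by other users on the machine is accepted silently.
func getOwnerKey() (ed25519.PrivateKey, error) {
	keyPath := filepath.Join(flags.configPath, "owner-key.pem")
	ownerPrivateKeyPEM, err := os.ReadFile(keyPath)
	if errors.Is(err, os.ErrNotExist) {
		return nil, noCredentialsError
	}
	if err != nil {
		return nil, fmt.Errorf("failed to load owner private key: %w", err)
	}
	block, _ := pem.Decode(ownerPrivateKeyPEM)
	if block == nil {
		return nil, errors.New("owner-key.pem contains invalid PEM armoring")
	}
	if block.Type != ownerKeyType {
		return nil, fmt.Errorf("owner-key.pem contains a PEM block that's not a %v", ownerKeyType)
	}
	if len(block.Bytes) != ed25519.PrivateKeySize {
		return nil, errors.New("owner-key.pem contains a non-Ed25519 key")
	}
	key := ed25519.PrivateKey(block.Bytes)
	// Re-derive the key from its seed and compare: a mismatch means the
	// public half stored in the file does not belong to the seed.
	if !ed25519.NewKeyFromSeed(key.Seed()).Equal(key) {
		return nil, errors.New("owner-key.pem contains an inconsistent Ed25519 key (public half does not match seed)")
	}
	return key, nil
}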
36
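// getCredentials returns Metropolis owner credentials (if any) from the
// current metroctl config directory: the Ed25519 private key loaded via
// getOwnerKey from "owner-key.pem" and the X.509 certificate from "owner.pem".
//
// It returns noCredentialsError when either file is absent. Because the two
// files are read independently, the certificate's public key is required to
// be Ed25519 and to match the private key; a stale or swapped certificate is
// therefore reported here rather than as an opaque authentication failure
// later on. Only the first PEM block of owner.pem is considered.
func getCredentials() (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	key, err = getOwnerKey()
	if err != nil {
		return nil, nil, err
	}

	certPath := filepath.Join(flags.configPath, "owner.pem")
	ownerCertPEM, err := os.ReadFile(certPath)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil, noCredentialsError
	}
	if err != nil {
		return nil, nil, fmt.Errorf("failed to load owner certificate: %w", err)
	}
	block, _ := pem.Decode(ownerCertPEM)
	if block == nil {
		return nil, nil, errors.New("owner.pem contains invalid PEM armoring")
	}
	if block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("owner.pem contains a PEM block that's not a CERTIFICATE")
	}
	cert, err = x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, fmt.Errorf("owner.pem contains an invalid X.509 certificate: %w", err)
	}
	// Verify the certificate actually belongs to the private key before
	// handing the two out as a credential pair.
	certPub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return nil, nil, fmt.Errorf("owner.pem certificate has a %T public key, expected Ed25519", cert.PublicKey)
	}
	if !certPub.Equal(key.Public()) {
		return nil, nil, errors.New("owner.pem certificate does not match the private key in owner-key.pem")
	}
	return cert, key, nil
}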
63}