0.1.0, add examples, add license

.gitignore

@@ -25,7 +25,7 @@ bin/
 
 examples/testing/
 
-*.toml
+*.yaml
-!examples/*.toml
+!examples/*.yaml
 
 test/

LICENSE

@@ -1 +1,9 @@
-Copyright © 2024 Laura Kalb <dev@lauka.net>
+MIT License
+
+Copyright © 2024 Adora Laura Kalb <dev@lauka.net>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,2 @@
+# certwarden-deploy
+This is a tool to deploy certificates from a [CertWarden](https://www.certwarden.com/) instance.

cmd/certwarden-deploy/root.go

@@ -29,5 +29,6 @@ func init() {
 	cli.RootCmd.PersistentFlags().BoolVarP(&configuration.DryRun, "dry-run", "d", false, "Just show the would-be changes without changing the file system (turns on verbose logging)")
 	cli.RootCmd.PersistentFlags().BoolVarP(&configuration.QuietLogging, "quiet", "q", false, "Disable any logging (if both -q and -v are set, quiet wins)")
 	cli.RootCmd.PersistentFlags().StringVarP(&configuration.ConfigFile, "config", "c", "/etc/certwarden-deploy/config.yaml", "Path to config file (default is /etc/certwarden-deploy/config.yaml)")
+	cli.RootCmd.PersistentFlags().BoolVarP(&configuration.Force, "force", "f", false, "Force overwriting and execution action to occur, regardless if certificate already exists")
 
 }

config.yaml

@@ -1,8 +0,0 @@
-base_path: "https://certs.lauka-home.net"
-disable_certificate_validation: true
-
-
-certificates:
-  - name: test.laura.ovh
-    api_key: CiwnqR3rF1KZhGCRMsydSHkKksdeeFPA
-    action: ""

examples/config.yaml

@@ -0,0 +1,28 @@
+# Base URL of the CertWarden instance
+# required
+base_url: "https://certwarden.example.com"
+
+# Set this to true if your CertWarden instance does not have a publicly trusted 
+# TLS certificate (e.g. it has a self signed one)
+# default is false
+disable_certificate_validation: false
+
+# define all managed certificates here
+certificates:
+
+    # name is a unique identifier that must start and end with an alphanumeric character, 
+    # and can contain the following characters: a-zA-Z0-9._-
+    # required
+  - name: test-certificate.example.com
+
+    # Contains the API-Key to fetch the certificate from the server
+    # required
+
+    api_key: examplekey_notvalid_hrzjGDDw8z
+
+    # action to run when certificate was updated or --force is on
+    action: "/usr/bin/systemd reload caddy"
+
+    # path where to save the certificate
+    # required
+    file_path: "/path/to/test-certificate.example.com-cert.pem"

internal/certificates/certificates.go

@@ -11,6 +11,8 @@ import (
 	"log/slog"
 	"net/http"
 	"os"
+	"os/exec"
+	"strings"
 	"time"
 
 	"code.lila.network/adoralaura/certwarden-deploy/internal/configuration"
@@ -38,25 +40,51 @@ func HandleCertificates(logger *slog.Logger, config *configuration.ConfigFileDat
 			return
 		}
 
-		if certIsDifferent {
+		if certIsDifferent || configuration.Force {
+			if configuration.Force {
+				logger.Info("Forcing file system change due to --force", "cert-id", cert.Name)
+			}
+
 			err = updateCertOnFS(logger, cert.FilePath, certBytes)
 			if err != nil {
 				logger.Error("failed to handle certificate", "cert-id", cert.Name, "error", err)
 				return
 			}
+
+			if configuration.Force {
+				logger.Info("Forcing file system change due to --force", "cert-id", cert.Name)
+			}
+			err = handleCertificateAction(cert)
+			if err != nil {
+				logger.Error("post certificate change command failed", "cert-id", cert.Name, "error", err)
+			}
 		}
 
 		logger.Info("Certificate updated successfully", "cert-id", cert.Name)
+
 	}
 }
 
-func checkCertIsDifferent(logger *slog.Logger, path string, data []byte) (bool, error) {
+func getCertFromFile(path string) ([]byte, error) {
 	filebytes, err := os.ReadFile(path)
+	if err != nil {
+		if errors.Is(err, fs.ErrNotExist) {
+			return []byte{}, err
+		} else {
+			return []byte{}, fmt.Errorf("failed to read certificate file on disk: %w", err)
+		}
+	}
+	return filebytes, nil
+}
+
+func checkCertIsDifferent(logger *slog.Logger, path string, data []byte) (bool, error) {
+	filebytes, err := getCertFromFile(path)
+
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
 			return true, nil
 		} else {
-			return false, fmt.Errorf("failed to read certificate file on disk: %w", err)
+			return false, fmt.Errorf("failed to compare certificates: %w", err)
 		}
 	}
 
@@ -159,3 +187,18 @@ func getCertFromServer(logger *slog.Logger, certName string, certKey string, bas
 
 	return body, nil
 }
+
+func handleCertificateAction(cert configuration.CertificateData) error {
+	if cert.Action == "" {
+		return nil
+	}
+
+	action := strings.ReplaceAll(cert.Action, "{name}", cert.Name)
+	action = strings.ReplaceAll(action, "{path}", cert.FilePath)
+
+	sargs := strings.Split(action, " ")
+
+	cmd := exec.Command(sargs[0], sargs...)
+	err := cmd.Run()
+	return err
+}

internal/certificates/certificates_test.go

@@ -0,0 +1 @@
+package certificates

internal/cli/root.go

@@ -37,5 +37,7 @@ func handleRootCmd(cmd *cobra.Command, args []string) {
 		slog.Error("failed to initialize sentry", "error", err)
 	}
 
+	configuration.ValidateConfig(log, *config)
+
 	certificates.HandleCertificates(log, config)
 }

internal/configuration/models.go

@@ -1,14 +1,24 @@
 package configuration
 
-import "log/slog"
+// Config file gets read into here
-
 var Config *ConfigFileData
+
+// ConfigFile contains the path to the config file on disk
 var ConfigFile string
-var Logger *slog.Logger
+
+// Flag to show that the user wants a dry run
 var DryRun bool
+
+// Flag to show that the user wants quiet logging
 var QuietLogging bool
+
+// Flag to show that the user wants verbose logging
 var VerboseLogging bool
 
+// Flag to show that the user wants to force certificate update
+var Force bool
+
+// Struct to read the config file into when reading from disk
 type ConfigFileData struct {
 	BaseURL                      string            `yaml:"base_url"`
 	DisableCertificateValidation bool              `yaml:"disable_certificate_validation"`
@@ -16,6 +26,7 @@ type ConfigFileData struct {
 	Certificates                 []CertificateData `yaml:"certificates"`
 }
 
+// Struct that holds the details of a single managed certificate
 type CertificateData struct {
 	Name     string `yaml:"name"`
 	ApiKey   string `yaml:"api_key"`

internal/configuration/validation.go

@@ -0,0 +1,45 @@
+package configuration
+
+import (
+	"log/slog"
+	"os"
+	"regexp"
+)
+
+func ValidateConfig(logger *slog.Logger, config ConfigFileData) {
+	validationFailed := false
+
+	if config.BaseURL == "" {
+		logger.Error(`Field 'base_url' in config file is required!`)
+		validationFailed = true
+	}
+
+	for _, cert := range config.Certificates {
+		if cert.Name == "" {
+			cert.Name = "unnamed_certificate"
+			logger.Error(`Field 'name' for certificates cannot be blank!`)
+			validationFailed = true
+		}
+
+		if cert.ApiKey == "" {
+			logger.Error(`Field 'api_key' for certificate ` + cert.Name + " cannot be blank!")
+			validationFailed = true
+		}
+
+		if cert.FilePath == "" {
+			logger.Error(`Field 'file_path' for certificate ` + cert.Name + " cannot be blank!")
+			validationFailed = true
+		}
+
+		re := regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
+		if !re.MatchString(cert.Name) {
+			logger.Error(`Field 'name' for certificate may only contain -_. and alphanumeric characters!`)
+			validationFailed = true
+		}
+	}
+
+	if validationFailed {
+		logger.Error("Config file has errors! Please fix errors above! Exiting...", "config-path", ConfigFile)
+		os.Exit(1)
+	}
+}

internal/constants/constants.go

@@ -1,6 +1,6 @@
 package constants
 
-const Version = "0.0.1"
+const Version = "0.1.0"
 const CertificateApiPath = "/certwarden/api/v1/download/certificates/"
 const ApiKeyHeaderName = "X-API-Key"
-const UserAgent = "certwarden-deploy/" + Version + " +code.lila.network/adoralaura/certwarden-deploy"
+const UserAgent = "certwarden-deploy/" + Version + " +https://code.lila.network/adoralaura/certwarden-deploy"

internal/logger/logger.go

@@ -10,9 +10,11 @@ import (
 
 func InitializeLogger() *slog.Logger {
 	logLevel := slog.LevelInfo
+	sourceLogging := false
 
 	if configuration.VerboseLogging {
 		logLevel = slog.LevelDebug
+		sourceLogging = true
 	}
 	if configuration.QuietLogging {
 		logLevel = slog.LevelError
@@ -23,6 +25,7 @@ func InitializeLogger() *slog.Logger {
 
 	opts := &slog.HandlerOptions{
 		Level:     logLevel,
+		AddSource: sourceLogging,
 	}
 
 	handler := slog.NewTextHandler(os.Stdout, opts)