apc-p15-tool/pkg/app/cmd_install.go

package app

import (
	"apc-p15-tool/pkg/apcssh"
	"bytes"
	"context"
	"crypto/tls"
	"encoding/pem"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// cmdInstall is the app's command to create apc p15 file content from key and cert
// pem files and upload the p15 to the specified APC UPS
func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
	// extra args == error
	if len(args) != 0 {
		return fmt.Errorf("install: failed, %w (%d)", ErrExtraArgs, len(args))
	}

	// must have username
	if app.config.install.username == nil || *app.config.install.username == "" {
		return errors.New("install: failed, username not specified")
	}

	// must have password
	if app.config.install.password == nil || *app.config.install.password == "" {
		return errors.New("install: failed, password not specified")
	}

	// must have fingerprint
	if app.config.install.fingerprint == nil || *app.config.install.fingerprint == "" {
		return errors.New("install: failed, fingerprint not specified")
	}

	keyPem, certPem, err := app.config.install.keyCertPemCfg.GetPemBytes("install")
	if err != nil {
		return err
	}

	// host to install on must be specified
	if app.config.install.hostname == nil || *app.config.install.hostname == "" ||
		app.config.install.sshport == nil || *app.config.install.sshport == 0 {

		return errors.New("install: failed, apc host not specified")
	}

	// validation done

	// make p15 file
	keyP15, keyCertP15, err := app.pemToAPCP15(keyPem, certPem, "install")
	if err != nil {
		return err
	}

	// log warning if insecure cipher
	if app.config.install.insecureCipher != nil && *app.config.install.insecureCipher {
		app.stdLogger.Println("WARNING: install: insecure ciphers are enabled (--insecurecipher). SSH with an insecure cipher is NOT secure and should NOT be used.")
	}

	// make APC SSH client
	cfg := &apcssh.Config{
		Hostname:          *app.config.install.hostname + ":" + strconv.Itoa(*app.config.install.sshport),
		Username:          *app.config.install.username,
		Password:          *app.config.install.password,
		ServerFingerprint: *app.config.install.fingerprint,
		InsecureCipher:    *app.config.install.insecureCipher,
	}

	client, err := apcssh.New(cfg)
	if err != nil {
		return fmt.Errorf("install: failed to connect to host (%w)", err)
	}
	app.stdLogger.Println("install: connected to ups ssh, installing ssl key and cert...")

	// install SSL Cert
	err = client.InstallSSLCert(keyP15, certPem, keyCertP15)
	if err != nil {
		return fmt.Errorf("install: %w", err)
	}

	// installed
	app.stdLogger.Printf("install: apc p15 file installed on %s", *app.config.install.hostname)

	// restart UPS webUI
	if app.config.install.restartWebUI != nil && *app.config.install.restartWebUI {
		app.stdLogger.Println("install: sending restart command")

		err = client.RestartWebUI()
		if err != nil {
			return fmt.Errorf("install: failed to send webui restart command (%w)", err)
		}

		app.stdLogger.Println("install: sent webui restart command")
	}

	// check the new certificate is installed
	if app.config.install.skipVerify != nil && !*app.config.install.skipVerify &&
		app.config.install.webUISSLPort != nil && *app.config.install.webUISSLPort != 0 {

		app.stdLogger.Println("install: attempting to verify certificate install...")

		// sleep for UPS to finish anything it might be doing
		time.Sleep(5 * time.Second)

		// if UPS web UI was restarted, sleep longer
		if app.config.install.restartWebUI != nil && *app.config.install.restartWebUI {
			app.stdLogger.Println("install: waiting for ups webui restart...")
			time.Sleep(25 * time.Second)
		}

		// connect to the web UI to get the current certificate
		conf := &tls.Config{
			InsecureSkipVerify: true,
		}
		conn, err := tls.Dial("tcp", *app.config.install.hostname+":"+strconv.Itoa(*app.config.install.webUISSLPort), conf)
		if err != nil {
			return fmt.Errorf("install: failed to dial webui for verification (%s)", err)
		}
		defer conn.Close()

		// get top cert
		leafCert := conn.ConnectionState().PeerCertificates[0]
		if leafCert == nil {
			return fmt.Errorf("install: failed to get web ui leaf cert for verification (%s)", err)
		}

		// convert pem to DER for comparison
		pemBlock, _ := pem.Decode(certPem)

		// verify cert is the correct one
		certVerified := bytes.Equal(leafCert.Raw, pemBlock.Bytes)
		if !certVerified {
			return errors.New("install: web ui leaf cert does not match new cert")
		}

		app.stdLogger.Println("install: ups web ui cert verified")
	}

	return nil
}
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`package app`

			`import (`
ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`"apc-p15-tool/pkg/apcssh"`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`"bytes"`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`"context"`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`"crypto/tls"`
			`"encoding/pem"`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`"errors"`
			`"fmt"`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`"strconv"`
			`"time"`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`)`

			`// cmdInstall is the app's command to create apc p15 file content from key and cert`
			`// pem files and upload the p15 to the specified APC UPS`
			`func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {`
			`// extra args == error`
			`if len(args) != 0 {`
			`return fmt.Errorf("install: failed, %w (%d)", ErrExtraArgs, len(args))`
			`}`

			`// must have username`
			`if app.config.install.username == nil \|\| *app.config.install.username == "" {`
			`return errors.New("install: failed, username not specified")`
			`}`

			`// must have password`
			`if app.config.install.password == nil \|\| *app.config.install.password == "" {`
			`return errors.New("install: failed, password not specified")`
			`}`

			`// must have fingerprint`
			`if app.config.install.fingerprint == nil \|\| *app.config.install.fingerprint == "" {`
			`return errors.New("install: failed, fingerprint not specified")`
			`}`

create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`keyPem, certPem, err := app.config.install.keyCertPemCfg.GetPemBytes("install")`
			`if err != nil {`
			`return err`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`}`

			`// host to install on must be specified`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`if app.config.install.hostname == nil \|\| *app.config.install.hostname == "" \|\|`
			`app.config.install.sshport == nil \|\| *app.config.install.sshport == 0 {`

add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`return errors.New("install: failed, apc host not specified")`
			`}`

			`// validation done`

			`// make p15 file`
install: add support for native ssl command The code should auto-select the native ssl method if the ssl command is available on the UPS. If this fails, install will drop back to the original install method used by this tool (which works on NMC2). 2024-06-07 02:51:12 +00:00			`keyP15, keyCertP15, err := app.pemToAPCP15(keyPem, certPem, "install")`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`if err != nil {`
			`return err`
			`}`

apcssh: remove logging For sanity and consistency, centralize logging in the app with the app's loggers. 2024-06-07 02:51:13 +00:00			`// log warning if insecure cipher`
			`if app.config.install.insecureCipher != nil && *app.config.install.insecureCipher {`
			`app.stdLogger.Println("WARNING: install: insecure ciphers are enabled (--insecurecipher). SSH with an insecure cipher is NOT secure and should NOT be used.")`
			`}`

ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`// make APC SSH client`
			`cfg := &apcssh.Config{`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`Hostname: app.config.install.hostname + ":" + strconv.Itoa(app.config.install.sshport),`
ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`Username: *app.config.install.username,`
			`Password: *app.config.install.password,`
			`ServerFingerprint: *app.config.install.fingerprint,`
			`InsecureCipher: *app.config.install.insecureCipher,`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`}`

ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`client, err := apcssh.New(cfg)`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`if err != nil {`
			`return fmt.Errorf("install: failed to connect to host (%w)", err)`
			`}`
install: add ssh connect log message 2024-06-19 01:30:38 +00:00			`app.stdLogger.Println("install: connected to ups ssh, installing ssl key and cert...")`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00
ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`// install SSL Cert`
install: add support for native ssl command The code should auto-select the native ssl method if the ssl command is available on the UPS. If this fails, install will drop back to the original install method used by this tool (which works on NMC2). 2024-06-07 02:51:12 +00:00			`err = client.InstallSSLCert(keyP15, certPem, keyCertP15)`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`if err != nil {`
apcssh: minor log and logic clarity 2024-06-19 23:56:16 +00:00			`return fmt.Errorf("install: %w", err)`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`}`

add optional webui restart 2024-02-05 23:25:55 +00:00			`// installed`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`app.stdLogger.Printf("install: apc p15 file installed on %s", *app.config.install.hostname)`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00
add optional webui restart 2024-02-05 23:25:55 +00:00			`// restart UPS webUI`
			`if app.config.install.restartWebUI != nil && *app.config.install.restartWebUI {`
			`app.stdLogger.Println("install: sending restart command")`

ssh: breakout ups ssh to its own package This was done for clearer separation of function. A subsequent update will (hopefully) make the SSL command more robust so it works for both NMC2 and NMC3. The method for sending shell commands was also updated to use an interactive shell instead. This allows capturing responses of the commands which will be needed to deduce if devices are NMC2 or NMC3. 2024-06-07 02:51:12 +00:00			`err = client.RestartWebUI()`
add optional webui restart 2024-02-05 23:25:55 +00:00			`if err != nil {`
			`return fmt.Errorf("install: failed to send webui restart command (%w)", err)`
			`}`

			`app.stdLogger.Println("install: sent webui restart command")`
			`}`

install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`// check the new certificate is installed`
			`if app.config.install.skipVerify != nil && !*app.config.install.skipVerify &&`
			`app.config.install.webUISSLPort != nil && *app.config.install.webUISSLPort != 0 {`

			`app.stdLogger.Println("install: attempting to verify certificate install...")`

			`// sleep for UPS to finish anything it might be doing`
			`time.Sleep(5 * time.Second)`

			`// if UPS web UI was restarted, sleep longer`
			`if app.config.install.restartWebUI != nil && *app.config.install.restartWebUI {`
			`app.stdLogger.Println("install: waiting for ups webui restart...")`
			`time.Sleep(25 * time.Second)`
			`}`

			`// connect to the web UI to get the current certificate`
			`conf := &tls.Config{`
			`InsecureSkipVerify: true,`
			`}`
			`conn, err := tls.Dial("tcp", app.config.install.hostname+":"+strconv.Itoa(app.config.install.webUISSLPort), conf)`
			`if err != nil {`
			`return fmt.Errorf("install: failed to dial webui for verification (%s)", err)`
			`}`
			`defer conn.Close()`

			`// get top cert`
			`leafCert := conn.ConnectionState().PeerCertificates[0]`
			`if leafCert == nil {`
			`return fmt.Errorf("install: failed to get web ui leaf cert for verification (%s)", err)`
			`}`

			`// convert pem to DER for comparison`
			`pemBlock, _ := pem.Decode(certPem)`

			`// verify cert is the correct one`
			`certVerified := bytes.Equal(leafCert.Raw, pemBlock.Bytes)`
			`if !certVerified {`
			`return errors.New("install: web ui leaf cert does not match new cert")`
			`}`

			`app.stdLogger.Println("install: ups web ui cert verified")`
			`}`

add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`return nil`
			`}`