apc-p15-tool/pkg/app/config.go

package app

import (
	"errors"
	"fmt"
	"os"

	"github.com/peterbourgon/ff/v4"
)

var (
	ErrExtraArgs = errors.New("extra args present")

	environmentVarPrefix = "APC_P15_TOOL"
)

// keyCertPemCfg contains values common to subcommands that need to use key
// and cert pem
type keyCertPemCfg struct {
	keyPemFilePath  *string
	certPemFilePath *string
	keyPem          *string
	certPem         *string
}

// app's config options from user
type config struct {
	debugLogging *bool
	create       struct {
		keyCertPemCfg
		outFilePath    *string
		outKeyFilePath *string
	}
	install struct {
		keyCertPemCfg
		hostname       *string
		sshport        *int
		fingerprint    *string
		username       *string
		password       *string
		restartWebUI   *bool
		webUISSLPort   *int
		skipVerify     *bool
		insecureCipher *bool
	}
}

// getConfig returns the app's configuration from either command line args,
// or environment variables
func (app *app) getConfig(args []string) error {
	// make config
	cfg := &config{}

	// commands:
	// create
	// install
	// TODO:
	// unpack (both key & key+cert)

	// apc-p15-tool -- root command
	rootFlags := ff.NewFlagSet("apc-p15-tool")

	cfg.debugLogging = rootFlags.BoolLong("debug", "set this flag to enable additional debug logging messages and files")

	rootCmd := &ff.Command{
		Name:  "apc-p15-tool",
		Usage: "apc-p15-tool [FLAGS] SUBCOMMAND ...",
		Flags: rootFlags,
	}

	// create -- subcommand
	createFlags := ff.NewFlagSet("create").SetParent(rootFlags)

	cfg.create.keyPemFilePath = createFlags.StringLong("keyfile", "", "path and filename of the key in pem format")
	cfg.create.certPemFilePath = createFlags.StringLong("certfile", "", "path and filename of the certificate in pem format")
	cfg.create.keyPem = createFlags.StringLong("keypem", "", "string of the key in pem format")
	cfg.create.certPem = createFlags.StringLong("certpem", "", "string of the certificate in pem format")
	cfg.create.outFilePath = createFlags.StringLong("outfile", createDefaultOutFilePath, "path and filename to write the key+cert p15 file to")
	cfg.create.outKeyFilePath = createFlags.StringLong("outkeyfile", createDefaultOutKeyFilePath, "path and filename to write the key p15 file to")

	createCmd := &ff.Command{
		Name:      "create",
		Usage:     "apc-p15-tool create --keyfile key.pem --certfile cert.pem [--outfile apctool.p15]",
		ShortHelp: "create an apc p15 file from the specified key and cert pem files",
		Flags:     createFlags,
		Exec:      app.cmdCreate,
	}

	rootCmd.Subcommands = append(rootCmd.Subcommands, createCmd)

	// install -- subcommand
	installFlags := ff.NewFlagSet("install").SetParent(rootFlags)

	cfg.install.keyPemFilePath = installFlags.StringLong("keyfile", "", "path and filename of the key in pem format")
	cfg.install.certPemFilePath = installFlags.StringLong("certfile", "", "path and filename of the certificate in pem format")
	cfg.install.keyPem = installFlags.StringLong("keypem", "", "string of the key in pem format")
	cfg.install.certPem = installFlags.StringLong("certpem", "", "string of the certificate in pem format")
	cfg.install.hostname = installFlags.StringLong("hostname", "", "hostname of the apc ups to install the certificate on")
	cfg.install.sshport = installFlags.IntLong("sshport", 22, "apc ups ssh port number")
	cfg.install.fingerprint = installFlags.StringLong("fingerprint", "", "the SHA256 fingerprint value of the ups' ssh server")
	cfg.install.username = installFlags.StringLong("username", "", "username to login to the apc ups")
	cfg.install.password = installFlags.StringLong("password", "", "password to login to the apc ups")
	cfg.install.restartWebUI = installFlags.BoolLong("restartwebui", "some devices may need a webui restart to begin using the new cert, enabling this option sends the restart command after the p15 is installed")
	cfg.install.webUISSLPort = installFlags.IntLong("sslport", 443, "apc ups ssl webui port number")
	cfg.install.skipVerify = installFlags.BoolLong("skipverify", "the tool will try to connect to the UPS web UI to verify install success; this flag disables that check")
	cfg.install.insecureCipher = installFlags.BoolLong("insecurecipher", "allows the use of insecure ssh ciphers (NOT recommended)")

	installCmd := &ff.Command{
		Name:      "install",
		Usage:     "apc-p15-tool install --keyfile key.pem --certfile cert.pem --hostname example.com --fingerprint 123abc --username apc --password test",
		ShortHelp: "install the specified key and cert pem files on an apc ups (they will be converted to a comaptible p15 file)",
		Flags:     installFlags,
		Exec:      app.cmdInstall,
	}

	rootCmd.Subcommands = append(rootCmd.Subcommands, installCmd)

	// set cfg & parse
	app.config = cfg
	app.cmd = rootCmd
	err := app.cmd.Parse(args[1:], ff.WithEnvVarPrefix(environmentVarPrefix))
	if err != nil {
		return err
	}

	return nil
}

// GetPemBytes returns the key and cert pem bytes as specified in keyCertPemCfg
// or an error if it cant get the bytes of both
func (kcCfg *keyCertPemCfg) GetPemBytes(subcommand string) (keyPem, certPem []byte, err error) {
	// key pem (from arg or file)
	if kcCfg.keyPem != nil && *kcCfg.keyPem != "" {
		// error if filename is also set
		if kcCfg.keyPemFilePath != nil && *kcCfg.keyPemFilePath != "" {
			return nil, nil, fmt.Errorf("%s: failed, both key pem and key file specified", subcommand)
		}

		// use pem
		keyPem = []byte(*kcCfg.keyPem)
	} else {
		// pem wasn't specified, try reading file
		if kcCfg.keyPemFilePath == nil || *kcCfg.keyPemFilePath == "" {
			return nil, nil, fmt.Errorf("%s: failed, neither key pem nor key file specified", subcommand)
		}

		// read file to get pem
		keyPem, err = os.ReadFile(*kcCfg.keyPemFilePath)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: failed to read key file (%w)", subcommand, err)
		}
	}

	// cert pem (repeat same process)
	if kcCfg.certPem != nil && *kcCfg.certPem != "" {
		// error if filename is also set
		if kcCfg.certPemFilePath != nil && *kcCfg.certPemFilePath != "" {
			return nil, nil, fmt.Errorf("%s: failed, both cert pem and cert file specified", subcommand)
		}

		// use pem
		certPem = []byte(*kcCfg.certPem)
	} else {
		// pem wasn't specified, try reading file
		if kcCfg.certPemFilePath == nil || *kcCfg.certPemFilePath == "" {
			return nil, nil, fmt.Errorf("%s: failed, neither cert pem nor cert file specified", subcommand)
		}

		// read file to get pem
		certPem, err = os.ReadFile(*kcCfg.certPemFilePath)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: failed to read cert file (%w)", subcommand, err)
		}
	}

	return keyPem, certPem, nil
}
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`package app`

			`import (`
			`"errors"`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`"fmt"`
			`"os"`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00
			`"github.com/peterbourgon/ff/v4"`
			`)`

			`var (`
			`ErrExtraArgs = errors.New("extra args present")`
move env var prefix to config 2024-02-03 15:34:42 +00:00
			`environmentVarPrefix = "APC_P15_TOOL"`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`)`

create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`// keyCertPemCfg contains values common to subcommands that need to use key`
			`// and cert pem`
			`type keyCertPemCfg struct {`
			`keyPemFilePath *string`
			`certPemFilePath *string`
			`keyPem *string`
			`certPem *string`
			`}`

app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`// app's config options from user`
			`type config struct {`
simplify logging 2024-02-03 16:38:31 +00:00			`debugLogging *bool`
			`create struct {`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`keyCertPemCfg`
add p15 key output file The NMC Security Wizard can also produce .p15 files that contain just a private key. Add this ability to this tool. When the `create` function is used, both files will be outputted. 2024-06-04 22:59:36 +00:00			`outFilePath *string`
			`outKeyFilePath *string`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`}`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`install struct {`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`keyCertPemCfg`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`hostname *string`
			`sshport *int`
install: add insecure cipher options for older devices/firmwares Requires explicit choice via flag fixes: https://github.com/gregtwallace/apc-p15-tool/issues/1 2024-02-04 22:09:23 +00:00			`fingerprint *string`
			`username *string`
			`password *string`
add optional webui restart 2024-02-05 23:25:55 +00:00			`restartWebUI *bool`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`webUISSLPort *int`
			`skipVerify *bool`
install: add insecure cipher options for older devices/firmwares Requires explicit choice via flag fixes: https://github.com/gregtwallace/apc-p15-tool/issues/1 2024-02-04 22:09:23 +00:00			`insecureCipher *bool`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`}`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`}`

			`// getConfig returns the app's configuration from either command line args,`
			`// or environment variables`
add install only version 2024-02-02 23:35:21 +00:00			`func (app *app) getConfig(args []string) error {`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`// make config`
			`cfg := &config{}`

			`// commands:`
			`// create`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`// install`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`// TODO:`
			`// unpack (both key & key+cert)`

			`// apc-p15-tool -- root command`
			`rootFlags := ff.NewFlagSet("apc-p15-tool")`

debug: add base64 encoded debug files When troubleshooting it is helpful to put the generated files into an asn1 decoder. The files can be copy/pasted easily in b64 format. This change creates b64 files when the debug flag is set to make this process easier. 2024-06-04 22:59:36 +00:00			`cfg.debugLogging = rootFlags.BoolLong("debug", "set this flag to enable additional debug logging messages and files")`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00
			`rootCmd := &ff.Command{`
			`Name: "apc-p15-tool",`
			`Usage: "apc-p15-tool [FLAGS] SUBCOMMAND ...",`
			`Flags: rootFlags,`
			`}`

			`// create -- subcommand`
			`createFlags := ff.NewFlagSet("create").SetParent(rootFlags)`

add ecdsa key support and enable 4,092 RSA * apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6 2024-09-17 22:44:33 +00:00			`cfg.create.keyPemFilePath = createFlags.StringLong("keyfile", "", "path and filename of the key in pem format")`
fix flag description 2024-02-02 23:35:21 +00:00			`cfg.create.certPemFilePath = createFlags.StringLong("certfile", "", "path and filename of the certificate in pem format")`
add ecdsa key support and enable 4,092 RSA * apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6 2024-09-17 22:44:33 +00:00			`cfg.create.keyPem = createFlags.StringLong("keypem", "", "string of the key in pem format")`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`cfg.create.certPem = createFlags.StringLong("certpem", "", "string of the certificate in pem format")`
add p15 key output file The NMC Security Wizard can also produce .p15 files that contain just a private key. Add this ability to this tool. When the `create` function is used, both files will be outputted. 2024-06-04 22:59:36 +00:00			`cfg.create.outFilePath = createFlags.StringLong("outfile", createDefaultOutFilePath, "path and filename to write the key+cert p15 file to")`
			`cfg.create.outKeyFilePath = createFlags.StringLong("outkeyfile", createDefaultOutKeyFilePath, "path and filename to write the key p15 file to")`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00
			`createCmd := &ff.Command{`
			`Name: "create",`
			`Usage: "apc-p15-tool create --keyfile key.pem --certfile cert.pem [--outfile apctool.p15]",`
			`ShortHelp: "create an apc p15 file from the specified key and cert pem files",`
			`Flags: createFlags,`
			`Exec: app.cmdCreate,`
			`}`

			`rootCmd.Subcommands = append(rootCmd.Subcommands, createCmd)`

add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`// install -- subcommand`
			`installFlags := ff.NewFlagSet("install").SetParent(rootFlags)`

add ecdsa key support and enable 4,092 RSA * apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6 2024-09-17 22:44:33 +00:00			`cfg.install.keyPemFilePath = installFlags.StringLong("keyfile", "", "path and filename of the key in pem format")`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`cfg.install.certPemFilePath = installFlags.StringLong("certfile", "", "path and filename of the certificate in pem format")`
add ecdsa key support and enable 4,092 RSA * apcssh: add descriptive error when required file(s) not passed * create: dont create key+cert file when key isn't supported by NMC2 * config: fix usage messages re: key types * p15 files: dont generate key+cert when it isn't needed (aka NMC2 doesn't support key) * pkcs15: pre-calculate envelope when making the p15 struct * pkcs15: omit key ID 8 & 9 from EC keys * pkcs15: update key decode logic * pkcs15: add key type value for easy determination of compatibility * pkcs15: add ec key support * pkcs15: separate functions for key and key+cert p15 files * update README see: https://github.com/gregtwallace/apc-p15-tool/issues/6 2024-09-17 22:44:33 +00:00			`cfg.install.keyPem = installFlags.StringLong("keypem", "", "string of the key in pem format")`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00			`cfg.install.certPem = installFlags.StringLong("certpem", "", "string of the certificate in pem format")`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`cfg.install.hostname = installFlags.StringLong("hostname", "", "hostname of the apc ups to install the certificate on")`
			`cfg.install.sshport = installFlags.IntLong("sshport", 22, "apc ups ssh port number")`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`cfg.install.fingerprint = installFlags.StringLong("fingerprint", "", "the SHA256 fingerprint value of the ups' ssh server")`
			`cfg.install.username = installFlags.StringLong("username", "", "username to login to the apc ups")`
			`cfg.install.password = installFlags.StringLong("password", "", "password to login to the apc ups")`
add optional webui restart 2024-02-05 23:25:55 +00:00			`cfg.install.restartWebUI = installFlags.BoolLong("restartwebui", "some devices may need a webui restart to begin using the new cert, enabling this option sends the restart command after the p15 is installed")`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`cfg.install.webUISSLPort = installFlags.IntLong("sslport", 443, "apc ups ssl webui port number")`
			`cfg.install.skipVerify = installFlags.BoolLong("skipverify", "the tool will try to connect to the UPS web UI to verify install success; this flag disables that check")`
install: add insecure cipher options for older devices/firmwares Requires explicit choice via flag fixes: https://github.com/gregtwallace/apc-p15-tool/issues/1 2024-02-04 22:09:23 +00:00			`cfg.install.insecureCipher = installFlags.BoolLong("insecurecipher", "allows the use of insecure ssh ciphers (NOT recommended)")`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00
			`installCmd := &ff.Command{`
			`Name: "install",`
install: add web ui cert verification * connect to the ups web ui after install and verify the proper certificate is being served * rename `apchost` flag to `hostname` * separate ports to additional flags (`sshport` `sslport`) with sane defaults 2024-09-17 22:44:34 +00:00			`Usage: "apc-p15-tool install --keyfile key.pem --certfile cert.pem --hostname example.com --fingerprint 123abc --username apc --password test",`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`ShortHelp: "install the specified key and cert pem files on an apc ups (they will be converted to a comaptible p15 file)",`
			`Flags: installFlags,`
			`Exec: app.cmdInstall,`
			`}`

			`rootCmd.Subcommands = append(rootCmd.Subcommands, installCmd)`

			`// set cfg & parse`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`app.config = cfg`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`app.cmd = rootCmd`
add install only version 2024-02-02 23:35:21 +00:00			`err := app.cmd.Parse(args[1:], ff.WithEnvVarPrefix(environmentVarPrefix))`
add install function install pem files directly to an apc ups 2024-02-02 23:35:21 +00:00			`if err != nil {`
			`return err`
			`}`

			`return nil`
app: minor reorg * add version number * add more logging * add command/subcommand 2024-01-28 16:16:26 +00:00			`}`
create/install: add support for key pem in args 2024-02-02 23:35:22 +00:00
			`// GetPemBytes returns the key and cert pem bytes as specified in keyCertPemCfg`
			`// or an error if it cant get the bytes of both`
			`func (kcCfg *keyCertPemCfg) GetPemBytes(subcommand string) (keyPem, certPem []byte, err error) {`
			`// key pem (from arg or file)`
			`if kcCfg.keyPem != nil && *kcCfg.keyPem != "" {`
			`// error if filename is also set`
			`if kcCfg.keyPemFilePath != nil && *kcCfg.keyPemFilePath != "" {`
			`return nil, nil, fmt.Errorf("%s: failed, both key pem and key file specified", subcommand)`
			`}`

			`// use pem`
			`keyPem = []byte(*kcCfg.keyPem)`
			`} else {`
			`// pem wasn't specified, try reading file`
			`if kcCfg.keyPemFilePath == nil \|\| *kcCfg.keyPemFilePath == "" {`
			`return nil, nil, fmt.Errorf("%s: failed, neither key pem nor key file specified", subcommand)`
			`}`

			`// read file to get pem`
			`keyPem, err = os.ReadFile(*kcCfg.keyPemFilePath)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("%s: failed to read key file (%w)", subcommand, err)`
			`}`
			`}`

			`// cert pem (repeat same process)`
			`if kcCfg.certPem != nil && *kcCfg.certPem != "" {`
			`// error if filename is also set`
			`if kcCfg.certPemFilePath != nil && *kcCfg.certPemFilePath != "" {`
			`return nil, nil, fmt.Errorf("%s: failed, both cert pem and cert file specified", subcommand)`
			`}`

			`// use pem`
			`certPem = []byte(*kcCfg.certPem)`
			`} else {`
			`// pem wasn't specified, try reading file`
			`if kcCfg.certPemFilePath == nil \|\| *kcCfg.certPemFilePath == "" {`
			`return nil, nil, fmt.Errorf("%s: failed, neither cert pem nor cert file specified", subcommand)`
			`}`

			`// read file to get pem`
			`certPem, err = os.ReadFile(*kcCfg.certPemFilePath)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("%s: failed to read cert file (%w)", subcommand, err)`
			`}`
			`}`

			`return keyPem, certPem, nil`
			`}`