{-# LANGUAGE DataKinds #-}{-# LANGUAGE DeriveGeneric #-}{-# LANGUAGE DuplicateRecordFields #-}{-# LANGUAGE FlexibleInstances #-}{-# LANGUAGE OverloadedStrings #-}{-# LANGUAGE TypeOperators #-}module Main whereimport Data.Aesonimport qualified Data.ByteString.Char8 as B8import Data.List (intercalate)import Data.Time.Clock.POSIXimport Data.Time.Formatimport Network.HTTP.Simpleimport Network.HTTP.Types.Header (hAuthorization)import Options.Genericimport RIOimport qualified RIO.ByteString.Lazy as BLimport RIO.FilePathimport System.Environmentimport System.IO.Error (isDoesNotExistError)import System.Posixdata Args w = Args{ role :: w ::: String <?> "Vault role to assume" <#> "r",commonName :: w ::: String <?> "Common name to create certificate for" <#> "c",ipAddress :: w ::: String <?> "IP Address to associate with the certificate" <#> "i",outputDirectory :: w ::: FilePath <?> "Directory to write certificate and key to" <#> "o",url :: w ::: String <?> "Base URL of Vault" <#> "u",mount :: w ::: String <?> "Mount point of the CA to create certificate from" <#> "m"}deriving (Generic)instance ParseRecord (Args Wrapped) whereparseRecord = parseRecordWithModifiers lispCaseModifiersdata Metadata = Metadata{ expiration :: POSIXTime,generated :: POSIXTime}deriving (Generic, Show)instance ToJSON Metadata wheretoEncoding = genericToEncoding defaultOptionsinstance FromJSON Metadatadata AppEnv = AppEnv{ appLogger :: !LogFunc,args :: Args Unwrapped}instance HasLogFunc AppEnv wherelogFuncL = lens appLogger (\x y -> x {appLogger = y})main :: IO ()main = dologOptions <- logOptionsHandle stderr FalsewithLogFunc logOptions $ \logFunc -> doappArgs <- unwrapRecord "certificate-updater"runRIO AppEnv {appLogger = logFunc, args = appArgs} createCertificatecreateCertificate :: RIO AppEnv ()createCertificate = dorefreshNeeded <- certificateRequiresRefreshwhen refreshNeeded $ dovaultToken <- liftIO $ lookupEnv "VAULT_TOKEN"let (clientForRenew, clientForGenerate) = setupVaultClient (fromMaybe "" vaultToken)vaultRenewSelf clientForRenewgenerateAndSaveCertificate clientForGenerategenerateAndSaveCertificate :: (String -> VaultIssueCertificate -> RIO AppEnv VaultIssueCertificateResponse) -> RIO AppEnv ()generateAndSaveCertificate clientForGenerate = doout <- vaultGenerateCertificate clientForGeneratemetadata <- buildNewMetadata (certExpiration out)outDir <- asks (outputDirectory . args)liftIO $ do_ <- setFileCreationMask 0o007writeFile (outDir </> "ca-chain.crt") (intercalate "\n" (caChain out))writeFile (outDir </> "cert.crt") (certificate out)writeFile (outDir </> "key.pem") (privateKey out)BL.writeFile (outDir </> "metadata") (encode metadata)logSuccessfulRegeneratedCertificate outbuildNewMetadata :: POSIXTime -> RIO AppEnv MetadatabuildNewMetadata expr = dogen <- liftIO getPOSIXTimereturn Metadata {expiration = expr, generated = gen}setupVaultClient :: (ToJSON a, FromJSON b, ToJSON c, FromJSON d) => String -> (String -> a -> RIO AppEnv b, String -> c -> RIO AppEnv d)setupVaultClient vaultToken =let clientForRenew = vaultHttpRequest vaultTokenclientForGenerate = vaultHttpRequest vaultTokenin (clientForRenew, clientForGenerate)vaultHttpRequest :: (ToJSON a, FromJSON b) => String -> String -> a -> RIO AppEnv bvaultHttpRequest token endpoint payload = dobase <- asks (url . args)let finalUrl = base <> "/v1/" <> endpointlogInfo $ fromString $ "Sending request to " <> finalUrllet request =setRequestBodyLBS (encode payload) $setRequestHeaders headers $setRequestMethod "POST" $parseRequestThrow_ finalUrlresponse <- httpJSON requestunless (getResponseStatusCode response == 200) $ dothrowString "Got non-200 response from Vault"return (getResponseBody response)whereheaders = [(hAuthorization, B8.pack $ "Bearer " ++ token), ("Content-Type", "application/json")]vaultRenewSelf :: (String -> Value -> RIO AppEnv ()) -> RIO AppEnv ()vaultRenewSelf client = doclient "auth/token/renew-self" (object [])logInfo "Successfully renewed Vault token"data VaultIssueCertificate = VaultIssueCertificate{ common_name :: String,ip_sans :: String}deriving (Generic, Show)instance ToJSON VaultIssueCertificate wheretoEncoding = genericToEncoding defaultOptionsnewtype VaultIssueCertificateResponse = VaultIssueCertificateResponse {data_ :: VaultIssueCertificateResponseData} deriving (Generic, Show)instance FromJSON VaultIssueCertificateResponse whereparseJSON = withObject "VaultIssueCertificateResponse" $ \v ->VaultIssueCertificateResponse <$> v .: "data"data VaultIssueCertificateResponseData = VaultIssueCertificateResponseData{ caChain :: [String],certificate :: String,privateKey :: String,serialNumber :: String,privateKeyType :: String,certExpiration :: POSIXTime}deriving (Generic, Show)instance FromJSON VaultIssueCertificateResponseData whereparseJSON = withObject "VaultIssueCertificateResponseData" $ \v ->VaultIssueCertificateResponseData<$> v .: "ca_chain"<*> v .: "certificate"<*> v .: "private_key"<*> v .: "serial_number"<*> v .: "private_key_type"<*> v .: "expiration"vaultGenerateCertificate :: (String -> VaultIssueCertificate -> RIO AppEnv VaultIssueCertificateResponse) -> RIO AppEnv VaultIssueCertificateResponseDatavaultGenerateCertificate client = dopayload <-VaultIssueCertificate<$> asks (commonName . args)<*> asks (ipAddress . args)roleArg <- asks (role . args)mountPoint <- asks (mount . args)client (mountPoint <> "/issue/" <> roleArg) payload <&> data_certificateRequiresRefresh :: RIO AppEnv BoolcertificateRequiresRefresh = dopath <- asks (outputDirectory . args)result <- fetchCurrentMetadata pathcurrentTime <- liftIO getPOSIXTimecase result ofJust metadata| hasPassedSafeRefreshInterval currentTime metadata -> logPassedTtlMessage currentTime metadata >> return True| otherwise -> logNotYetReadyMessage currentTime metadata >> return FalseNothing -> dologInfo "Metadata does not exist, assuming this is our first run, continuing"return TruefetchCurrentMetadata :: FilePath -> RIO AppEnv (Maybe Metadata)fetchCurrentMetadata path = doresult <- try $ liftIO $ BL.readFile (path </> "metadata")case result ofLeft e| isDoesNotExistError e -> return Nothing| otherwise -> throwIO eRight content -> case decode content ofJust metadata -> return (Just metadata)Nothing -> throwString "Failed to decode metadata"hasPassedSafeRefreshInterval :: POSIXTime -> Metadata -> BoolhasPassedSafeRefreshInterval currentTime (Metadata expr gen) =let expires = expr - currentTimetotalTtl = expr - genin expr < gen || (totalTtl - expires) / totalTtl >= 0.75logPassedTtlMessage :: POSIXTime -> Metadata -> RIO AppEnv ()logPassedTtlMessage currentTime (Metadata expr _) = dologInfo $display $"More than 3/4s through certificate TTL ("<> tshow (round (expr - currentTime) :: Integer)<> " seconds remaining), continuing"logNotYetReadyMessage :: POSIXTime -> Metadata -> RIO AppEnv ()logNotYetReadyMessage currentTime (Metadata expr gen) = dologWarn $display $"Not yet reached threshold for regeneration, "<> tshow (round (expr - currentTime) :: Integer)<> " seconds left of TTL "<> tshow (round (expr - gen) :: Integer)<> " seconds. "<> tshow (round ((expr - currentTime) - ((expr - gen) * 0.25)) :: Integer)<> " seconds until threshold is reached"logSuccessfulRegeneratedCertificate :: VaultIssueCertificateResponseData -> RIO AppEnv ()logSuccessfulRegeneratedCertificate d = dologInfo $fromString $"Successfully regenerated "<> privateKeyType d<> " certificate, new serial number is "<> serialNumber d<> " expiring at "<> formatTime defaultTimeLocale "%Y-%m-%d %H:%M:%S %Z" (posixSecondsToUTCTime (certExpiration d))