func (c *Client) UserAuthServerCert(name string, acceptCert bool) error {
if !c.scertDigestSet {
if err := c.Finger(); err != nil {
return err
}
if !c.scertDigestSet {
return fmt.Errorf(i18n.G("No certificate on this connection"))
}
}
if c.scert != nil {
return nil
}
_, err := c.scertWire.Verify(x509.VerifyOptions{
DNSName: name,
Intermediates: c.scertIntermediates,
})
if err == nil {
// Server trusted by system certificate
return nil
}
if acceptCert == false {
fmt.Printf(i18n.G("Certificate fingerprint: %x")+"\n", c.scertDigest)
fmt.Printf(i18n.G("ok (y/n)?") + " ")
line, err := shared.ReadStdin()
if err != nil {
return err
}
if len(line) < 1 || line[0] != 'y' && line[0] != 'Y' {
return fmt.Errorf(i18n.G("Server certificate NACKed by user"))
}
}
// User acked the cert, now add it to our store
dnam := c.Config.ConfigPath("servercerts")
err = os.MkdirAll(dnam, 0750)
if err != nil {
return fmt.Errorf(i18n.G("Could not create server cert dir"))
}
certf := fmt.Sprintf("%s/%s.crt", dnam, c.Name)
certOut, err := os.Create(certf)
if err != nil {
return err
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: c.scertWire.Raw})
certOut.Close()
return err
}
func addServer(config *lxd.Config, server string, addr string, acceptCert bool, password string, public bool) error {
var r_scheme string
var r_host string
var r_port string
/* Complex remote URL parsing */
remote_url, err := url.Parse(addr)
if err != nil {
return err
}
if remote_url.Scheme != "" {
if remote_url.Scheme != "unix" && remote_url.Scheme != "https" {
r_scheme = "https"
} else {
r_scheme = remote_url.Scheme
}
} else if addr[0] == '/' {
r_scheme = "unix"
} else {
if !shared.PathExists(addr) {
r_scheme = "https"
} else {
r_scheme = "unix"
}
}
if remote_url.Host != "" {
r_host = remote_url.Host
} else {
r_host = addr
}
host, port, err := net.SplitHostPort(r_host)
if err == nil {
r_host = host
r_port = port
} else {
r_port = shared.DefaultPort
}
if r_scheme == "unix" {
if addr[0:5] == "unix:" {
if addr[0:7] == "unix://" {
if len(addr) > 8 {
r_host = addr[8:]
} else {
r_host = ""
}
} else {
r_host = addr[6:]
}
}
r_port = ""
}
if strings.Contains(r_host, ":") && !strings.HasPrefix(r_host, "[") {
r_host = fmt.Sprintf("[%s]", r_host)
}
if r_port != "" {
addr = r_scheme + "://" + r_host + ":" + r_port
} else {
addr = r_scheme + "://" + r_host
}
if config.Remotes == nil {
config.Remotes = make(map[string]lxd.RemoteConfig)
}
/* Actually add the remote */
config.Remotes[server] = lxd.RemoteConfig{Addr: addr}
remote := config.ParseRemote(server)
c, err := lxd.NewClient(config, remote)
if err != nil {
return err
}
if len(addr) > 5 && addr[0:5] == "unix:" {
// NewClient succeeded so there was a lxd there (we fingered
// it) so just accept it
return nil
}
/* grab the server's cert */
err = c.Finger()
if err != nil {
return err
}
if !acceptCert {
// Try to use the CAs on localhost to verify the cert so we
// don't have to bother the user.
digest, err := c.TryVerifyServerCert(host)
if err != nil {
fmt.Printf(i18n.G("Certificate fingerprint: %x")+"\n", digest)
fmt.Printf(i18n.G("ok (y/n)?") + " ")
line, err := shared.ReadStdin()
if err != nil {
return err
}
if len(line) < 1 || line[0] != 'y' && line[0] != 'Y' {
return fmt.Errorf(i18n.G("Server certificate NACKed by user"))
}
}
}
err = c.SaveCert(host)
if err != nil {
return err
}
if c.IsPublic() || public {
config.Remotes[server] = lxd.RemoteConfig{Addr: addr, Public: true}
if err := c.Finger(); err != nil {
return err
}
return nil
}
if c.AmTrusted() {
// server already has our cert, so we're done
return nil
}
if password == "" {
fmt.Printf(i18n.G("Admin password for %s: "), server)
pwd, err := terminal.ReadPassword(0)
if err != nil {
/* We got an error, maybe this isn't a terminal, let's try to
* read it as a file */
pwd, err = shared.ReadStdin()
if err != nil {
return err
}
}
fmt.Println("")
password = string(pwd)
}
err = c.AddMyCertToServer(password)
if err != nil {
return err
}
if !c.AmTrusted() {
return fmt.Errorf(i18n.G("Server doesn't trust us after adding our cert"))
}
fmt.Println(i18n.G("Client certificate stored at server: "), server)
return nil
}
func (c *remoteCmd) addServer(config *lxd.Config, server string, addr string, acceptCert bool, password string, public bool, protocol string) error {
var rScheme string
var rHost string
var rPort string
// Setup the remotes list
if config.Remotes == nil {
config.Remotes = make(map[string]lxd.RemoteConfig)
}
// Fast track simplestreams
if protocol == "simplestreams" {
config.Remotes[server] = lxd.RemoteConfig{Addr: addr, Public: true, Protocol: protocol}
return nil
}
/* Complex remote URL parsing */
remoteURL, err := url.Parse(addr)
if err != nil {
return err
}
if remoteURL.Scheme != "" {
if remoteURL.Scheme != "unix" && remoteURL.Scheme != "https" {
rScheme = "https"
} else {
rScheme = remoteURL.Scheme
}
} else if addr[0] == '/' {
rScheme = "unix"
} else {
if !shared.PathExists(addr) {
rScheme = "https"
} else {
rScheme = "unix"
}
}
if remoteURL.Host != "" {
rHost = remoteURL.Host
} else {
rHost = addr
}
host, port, err := net.SplitHostPort(rHost)
if err == nil {
rHost = host
rPort = port
} else {
rPort = shared.DefaultPort
}
if rScheme == "unix" {
if addr[0:5] == "unix:" {
if addr[0:7] == "unix://" {
if len(addr) > 8 {
rHost = addr[8:]
} else {
rHost = ""
}
} else {
rHost = addr[6:]
}
}
rPort = ""
}
if strings.Contains(rHost, ":") && !strings.HasPrefix(rHost, "[") {
rHost = fmt.Sprintf("[%s]", rHost)
}
if rPort != "" {
addr = rScheme + "://" + rHost + ":" + rPort
} else {
addr = rScheme + "://" + rHost
}
/* Actually add the remote */
config.Remotes[server] = lxd.RemoteConfig{Addr: addr, Protocol: protocol}
remote := config.ParseRemote(server)
d, err := lxd.NewClient(config, remote)
if err != nil {
return err
}
if len(addr) > 5 && addr[0:5] == "unix:" {
// NewClient succeeded so there was a lxd there (we fingered
// it) so just accept it
return nil
}
var certificate *x509.Certificate
/* Attempt to connect using the system root CA */
err = d.Finger()
if err != nil {
// Failed to connect using the system CA, so retrieve the remote certificate
certificate, err = getRemoteCertificate(addr)
if err != nil {
return err
}
}
if certificate != nil {
if !acceptCert {
digest := sha256.Sum256(certificate.Raw)
fmt.Printf(i18n.G("Certificate fingerprint: %x")+"\n", digest)
fmt.Printf(i18n.G("ok (y/n)?") + " ")
line, err := shared.ReadStdin()
if err != nil {
return err
}
if len(line) < 1 || line[0] != 'y' && line[0] != 'Y' {
return fmt.Errorf(i18n.G("Server certificate NACKed by user"))
}
}
dnam := d.Config.ConfigPath("servercerts")
err := os.MkdirAll(dnam, 0750)
if err != nil {
return fmt.Errorf(i18n.G("Could not create server cert dir"))
}
certf := fmt.Sprintf("%s/%s.crt", dnam, d.Name)
certOut, err := os.Create(certf)
if err != nil {
return err
}
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certificate.Raw})
certOut.Close()
// Setup a new connection, this time with the remote certificate
d, err = lxd.NewClient(config, remote)
if err != nil {
return err
}
}
if d.IsPublic() || public {
config.Remotes[server] = lxd.RemoteConfig{Addr: addr, Public: true}
if err := d.Finger(); err != nil {
return err
}
return nil
}
if d.AmTrusted() {
// server already has our cert, so we're done
return nil
}
if password == "" {
fmt.Printf(i18n.G("Admin password for %s: "), server)
pwd, err := terminal.ReadPassword(0)
if err != nil {
/* We got an error, maybe this isn't a terminal, let's try to
* read it as a file */
pwd, err = shared.ReadStdin()
if err != nil {
return err
}
}
fmt.Println("")
password = string(pwd)
}
err = d.AddMyCertToServer(password)
if err != nil {
return err
}
if !d.AmTrusted() {
return fmt.Errorf(i18n.G("Server doesn't trust us after adding our cert"))
}
fmt.Println(i18n.G("Client certificate stored at server: "), server)
return nil
}
func addServer(config *lxd.Config, server string, addr string, acceptCert bool, password string) error {
var r_scheme string
var r_host string
var r_port string
remote_url, err := url.Parse(addr)
if err != nil {
return err
}
if remote_url.Scheme != "" {
if remote_url.Scheme != "unix" && remote_url.Scheme != "https" {
r_scheme = "https"
} else {
r_scheme = remote_url.Scheme
}
} else if addr[0] == '/' {
r_scheme = "unix"
} else {
if !shared.PathExists(addr) {
r_scheme = "https"
} else {
r_scheme = "unix"
}
}
if remote_url.Host != "" {
r_host = remote_url.Host
} else {
r_host = addr
}
host, port, err := net.SplitHostPort(r_host)
if err == nil {
r_host = host
r_port = port
} else {
r_port = shared.DefaultPort
}
if r_scheme == "unix" {
if addr[0:5] == "unix:" {
if addr[0:7] == "unix://" {
r_host = addr[8:]
} else {
r_host = addr[6:]
}
}
r_port = ""
}
if strings.Contains(r_host, ":") && !strings.HasPrefix(r_host, "[") {
r_host = fmt.Sprintf("[%s]", r_host)
}
if r_port != "" {
addr = r_scheme + "://" + r_host + ":" + r_port
} else {
addr = r_scheme + "://" + r_host
}
if config.Remotes == nil {
config.Remotes = make(map[string]lxd.RemoteConfig)
}
config.Remotes[server] = lxd.RemoteConfig{Addr: addr}
remote := config.ParseRemote(server)
c, err := lxd.NewClient(config, remote)
if err != nil {
return err
}
if len(addr) > 5 && addr[0:5] == "unix:" {
// NewClient succeeded so there was a lxd there (we fingered
// it) so just accept it
return nil
}
err = c.UserAuthServerCert(host, acceptCert)
if err != nil {
return err
}
if c.AmTrusted() {
// server already has our cert, so we're done
return nil
}
if password == "" {
fmt.Printf(gettext.Gettext("Admin password for %s: "), server)
pwd, err := terminal.ReadPassword(0)
if err != nil {
/* We got an error, maybe this isn't a terminal, let's try to
* read it as a file */
pwd, err = shared.ReadStdin()
if err != nil {
return err
}
}
fmt.Printf("\n")
password = string(pwd)
}
err = c.AddMyCertToServer(password)
if err != nil {
return err
}
if !c.AmTrusted() {
return fmt.Errorf(gettext.Gettext("Server doesn't trust us after adding our cert"))
}
fmt.Println(gettext.Gettext("Client certificate stored at server: "), server)
return nil
}
