Add command for base TLS Certificates regeneration

94cec121 · Tomasz Maczukin · a6084657 · 94cec121 · 94cec121 · 94cec121
Unverified Commit 94cec121 authored Nov 15, 2021 by Tomasz Maczukin
--- a/commands/commands.go
+++ b/commands/commands.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"github.com/codegangsta/cli"
 	"github.com/docker/machine/commands/mcndirs"
 	"github.com/docker/machine/libmachine"
 	"github.com/docker/machine/libmachine/crashreport"
@@ -320,6 +321,23 @@ var Commands = []cli.Command{
 			},
 		},
 	},
+	{
+		Name:        "regenerate-base-certs",
+		Usage:       "Regenerate the base TLS Certificates only",
+		Description: "No arguments expected",
+		Action:      runCommand(cmdRegenerateBaseCerts),
+		Flags: []cli.Flag{
+			cli.BoolFlag{
+				Name:  "force, f",
+				Usage: "Force rebuild and do not prompt",
+			},
+			cli.IntFlag{
+				Name:  "regenerate-before",
+				Usage: "Number of hours defining regeneration window. Existing certificates will be regenerated if current time exceeds `notAfter - regenerate-before`",
+				Value: 672, // 4 weeks * 7 days * 24 hours
+			},
+		},
+	},
 	{
 		Name:        "restart",
 		Usage:       "Restart a machine",

--- a/commands/regeneratecerts.go
+++ b/commands/regeneratecerts.go
 package commands
 import (
+	"errors"
+	"time"
 	"github.com/docker/machine/libmachine"
+	"github.com/docker/machine/libmachine/auth"
+	"github.com/docker/machine/libmachine/cert"
 	"github.com/docker/machine/libmachine/log"
 )
@@ -24,3 +29,32 @@ func cmdRegenerateCerts(c CommandLine, api libmachine.API) error {
 	}
 	return runAction("configureAuth", c, api)
 }
+type authOptionsProvider interface {
+	AuthOptions() *auth.Options
+}
+func cmdRegenerateBaseCerts(c CommandLine, api libmachine.API) error {
+	if !c.Bool("force") {
+		ok, err := confirmInput("Regenerate base TLS certificates?  Warning: this is irreversible.")
+		if err != nil {
+			return err
+		}
+		if !ok {
+			return nil
+		}
+	}
+	log.Infof("Regenerating base TLS certificates")
+	aop, ok := api.(authOptionsProvider)
+	if !ok {
+		return errors.New("can't typecast API to authOptionsProvider")
+	}
+	regenerateBeforeHours := c.Int("regenerate-before")
+	regenerateWindow := time.Duration(-1*regenerateBeforeHours) * time.Hour
+	return cert.BootstrapCertificatesWithRegenerationWindow(aop.AuthOptions(), regenerateWindow)
+}
--- a/libmachine/cert/bootstrap.go
+++ b/libmachine/cert/bootstrap.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"time"
 	"github.com/docker/machine/libmachine/auth"
 	"github.com/docker/machine/libmachine/log"
@@ -72,6 +73,14 @@ func createCert(authOptions *auth.Options, org string, bits int) error {
 }
 func BootstrapCertificates(authOptions *auth.Options) error {
+	return bootstrapCertificates(authOptions, time.Duration(0))
+}
+func BootstrapCertificatesWithRegenerationWindow(authOptions *auth.Options, regenerationWindow time.Duration) error {
+	return bootstrapCertificates(authOptions, regenerationWindow)
+}
+func bootstrapCertificates(authOptions *auth.Options, regenerationWindow time.Duration) error {
 	certDir := authOptions.CertDir
 	caCertPath := authOptions.CaCertPath
 	clientCertPath := authOptions.ClientCertPath
@@ -101,7 +110,7 @@ func BootstrapCertificates(authOptions *auth.Options) error {
 			return err
 		}
 	} else {
-		current, err := CheckCertificateDate(caCertPath)
+		current, err := CheckCertificateDate(caCertPath, regenerationWindow)
 		if err != nil {
 			return err
 		}
@@ -119,7 +128,7 @@ func BootstrapCertificates(authOptions *auth.Options) error {
 			return err
 		}
 	} else {
-		current, err := CheckCertificateDate(clientCertPath)
+		current, err := CheckCertificateDate(clientCertPath, regenerationWindow)
 		if err != nil {
 			return err
 		}

--- a/libmachine/cert/cert.go
+++ b/libmachine/cert/cert.go
@@ -7,14 +7,13 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"errors"
 	"io/ioutil"
 	"math/big"
 	"net"
 	"os"
 	"time"
-	"errors"
 	"github.com/docker/machine/libmachine/auth"
 	"github.com/docker/machine/libmachine/log"
 )
@@ -268,7 +267,7 @@ func (xcg *X509CertGenerator) ValidateCertificate(addr string, authOptions *auth
 	return true, nil
 }
-func CheckCertificateDate(certPath string) (bool, error) {
+func CheckCertificateDate(certPath string, regenerationWindow time.Duration) (bool, error) {
 	log.Debugf("Reading certificate data from %s", certPath)
 	certBytes, err := ioutil.ReadFile(certPath)
 	if err != nil {
@@ -286,7 +285,14 @@ func CheckCertificateDate(certPath string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	if time.Now().After(cert.NotAfter) {
+	notAfter := cert.NotAfter
+	log.Debugf("Valid Not After: %s", notAfter)
+	log.Debugf("Regeneration window: %s", regenerationWindow)
+	regenerationTime := notAfter.Add(regenerationWindow)
+	log.Debugf("Regeneration time: %s", regenerationTime)
+	if time.Now().After(regenerationTime) {
 		return false, nil
 	}

--- a/libmachine/libmachine.go
+++ b/libmachine/libmachine.go
@@ -2,9 +2,8 @@ package libmachine
 import (
 	"fmt"
-	"path/filepath"
 	"io"
+	"path/filepath"
 	"github.com/docker/machine/drivers/errdriver"
 	"github.com/docker/machine/libmachine/auth"
@@ -65,15 +64,7 @@ func (api *Client) NewHost(driverName string, rawDriver []byte) (*host.Host, err
 		Driver:        driver,
 		DriverName:    driver.DriverName(),
 		HostOptions: &host.Options{
-			AuthOptions: &auth.Options{
+			AuthOptions: api.AuthOptions(),
-				CertDir:          api.certsDir,
-				CaCertPath:       filepath.Join(api.certsDir, "ca.pem"),
-				CaPrivateKeyPath: filepath.Join(api.certsDir, "ca-key.pem"),
-				ClientCertPath:   filepath.Join(api.certsDir, "cert.pem"),
-				ClientKeyPath:    filepath.Join(api.certsDir, "key.pem"),
-				ServerCertPath:   filepath.Join(api.GetMachinesDir(), "server.pem"),
-				ServerKeyPath:    filepath.Join(api.GetMachinesDir(), "server-key.pem"),
-			},
 			EngineOptions: &engine.Options{
 				InstallURL:    drivers.DefaultEngineInstallURL,
 				StorageDriver: "overlay2",
@@ -88,6 +79,18 @@ func (api *Client) NewHost(driverName string, rawDriver []byte) (*host.Host, err
 	}, nil
 }
+func (api *Client) AuthOptions() *auth.Options {
+	return &auth.Options{
+		CertDir:          api.certsDir,
+		CaCertPath:       filepath.Join(api.certsDir, "ca.pem"),
+		CaPrivateKeyPath: filepath.Join(api.certsDir, "ca-key.pem"),
+		ClientCertPath:   filepath.Join(api.certsDir, "cert.pem"),
+		ClientKeyPath:    filepath.Join(api.certsDir, "key.pem"),
+		ServerCertPath:   filepath.Join(api.GetMachinesDir(), "server.pem"),
+		ServerKeyPath:    filepath.Join(api.GetMachinesDir(), "server-key.pem"),
+	}
+}
 func (api *Client) Load(name string) (*host.Host, error) {
 	h, err := api.Filestore.Load(name)
 	if err != nil {