commit 4d95a03: [Project] Improve keys creation in rspamadm vault

Vsevolod Stakhov vsevolod at highsecure.ru
Mon Apr 29 17:14:03 UTC 2019 

Author: Vsevolod Stakhov
Date: 2019-04-29 18:12:08 +0100
URL: https://github.com/rspamd/rspamd/commit/4d95a0327becd78123212a2adf0138e08c4fac7d (HEAD -> master)

[Project] Improve keys creation in rspamadm vault

---
 lualib/rspamadm/vault.lua | 134 ++++++++++++++++++++++++++++++----------------
 1 file changed, 88 insertions(+), 46 deletions(-)

diff --git a/lualib/rspamadm/vault.lua b/lualib/rspamadm/vault.lua
index 98f0fef99..9c01624fc 100644
--- a/lualib/rspamadm/vault.lua
+++ b/lualib/rspamadm/vault.lua
@@ -121,20 +121,28 @@ local function is_http_error(err, data)
   return err or (math.floor(data.code / 100) ~= 2)
 end
 
+local function parse_vault_reply(data)
+  local p = ucl.parser()
+  local res,parser_err = p:parse_string(data)
+
+  if not res then
+    return nil,parser_err
+  else
+    return p:get_object(),nil
+  end
+end
+
 local function maybe_print_vault_data(opts, data, func)
   if data then
-    local p = ucl.parser()
-    local res,parser_err = p:parse_string(data)
+    local res,parser_err = parse_vault_reply(data)
 
     if not res then
       printf('vault reply for cannot be parsed: %s', parser_err)
     else
-      local obj = p:get_object()
-
       if func then
-        printf(ucl.to_format(func(obj), opts.output))
+        printf(ucl.to_format(func(res), opts.output))
       else
-        printf(ucl.to_format(obj, opts.output))
+        printf(ucl.to_format(res, opts.output))
       end
     end
   else
@@ -149,7 +157,7 @@ local function print_dkim_txt_record(b64, selector, alg)
   if #b64 < 255 then
     labels = {'"' .. b64 .. '"'}
   else
-    for sl=1,#b64,255 do
+    for sl=1,#b64,256 do
       table.insert(labels, '"' .. b64:sub(sl, sl + 255) .. '"')
     end
   end
@@ -234,6 +242,60 @@ local function genkey(opts)
   return cr.gen_dkim_keypair(opts.algorithm, opts.bits)
 end
 
+local function create_and_push_key(opts, domain, existing)
+  local uri = vault_url(opts, domain)
+  local sk,pk = genkey(opts)
+
+  local res = {
+    selectors = {
+      [1] = {
+        selector = opts.selector,
+        domain = domain,
+        key = tostring(sk),
+        alg = opts.algorithm,
+      }
+    }
+  }
+
+  for _,sel in ipairs(existing) do
+    res.selectors[#res.selectors + 1] = sel
+  end
+
+  if opts.expire then
+    res.selectors[1].valid_end = os.time() + opts.expire * 3600 * 24
+  end
+
+  local err,data = rspamd_http.request{
+    config = rspamd_config,
+    ev_base = rspamadm_ev_base,
+    session = rspamadm_session,
+    resolver = rspamadm_dns_resolver,
+    url = uri,
+    method = 'put',
+    headers = {
+      ['X-Vault-Token'] = opts.token
+    },
+    body = {
+      ucl.to_format(res, 'json-compact')
+    },
+  }
+
+  if is_http_error(err, data) then
+    printf('cannot get request to the vault (%s), HTTP error code %s', uri, data.code)
+    maybe_print_vault_data(opts, data.content)
+    os.exit(1)
+  else
+    maybe_printf(opts,'stored key for: %s, selector: %s', domain, opts.selector)
+    maybe_printf(opts, 'please place the corresponding public key as following:')
+
+    if opts.silent then
+      printf('%s', pk)
+    else
+      print_dkim_txt_record(tostring(pk), opts.selector, opts.algorithm)
+    end
+  end
+end
+
 local function newkey_handler(opts, domain)
   local uri = vault_url(opts, domain)
 
@@ -254,51 +316,31 @@ local function newkey_handler(opts, domain)
     }
   }
 
-  if is_http_error(err, data) or not data.content.data then
-    local sk,pk = genkey(opts)
-
-    local res = {
-      selectors = {
-        [1] = {
-          selector = opts.selector,
-          domain = domain,
-          key = tostring(sk),
-          alg = opts.algorithm,
-        }
-      }
-    }
+  if is_http_error(err, data) or not data.content then
+    create_and_push_key(opts, domain,{})
+  else
+    -- Key exists
+    local rep = parse_vault_reply(data.content)
 
-    if opts.expire then
-      res.selectors[1].valid_end = os.time() + opts.expire * 3600 * 24
+    if not rep or not rep.data then
+      printf('cannot parse reply for %s: %s', uri, data.content)
+      os.exit(1)
     end
 
-    err,data = rspamd_http.request{
-      config = rspamd_config,
-      ev_base = rspamadm_ev_base,
-      session = rspamadm_session,
-      resolver = rspamadm_dns_resolver,
-      url = uri,
-      method = 'put',
-      headers = {
-        ['X-Vault-Token'] = opts.token
-      },
-      body = {
-        ucl.to_format(res, 'json-compact')
-      },
-    }
+    local elts = rep.data.selectors
 
-    if is_http_error(err, data) then
-      printf('cannot get request to the vault (%s), HTTP error code %s', uri, data.code)
-      maybe_print_vault_data(opts, data.content)
-      os.exit(1)
-    else
-      maybe_printf(opts,'stored key for: %s, selector: %s', domain, opts.selector)
-      maybe_printf(opts, 'please place the corresponding public key as following:')
+    if not elts then
+      create_and_push_key(opts, domain,{})
+      os.exit(0)
+    end
 
-      if opts.silent then
-        printf('%s', pk)
+    for _,sel in ipairs(elts) do
+      if sel.alg == opts.algorithm then
+        printf('key with the specific algorithm %s is already presented at %s selector for %s domain',
+            opts.algorithm, sel.selector, domain)
+        os.exit(1)
       else
-        print_dkim_txt_record(tostring(pk), opts.selector, opts.algorithm)
+        create_and_push_key(opts, domain, elts)
       end
     end
   end

More information about the Commits mailing list