cleaning up caserver launch

brianm · brianm · commit a511f62c9997 · 2025-10-25T14:52:21.000-07:00
diff --git a/Makefile b/Makefile
@@ -4,11 +4,8 @@ all: test build		## run tests and build binaries
 epithet:
 	go build ./cmd/epithet
 
-epithet-ca:
-	go build ./cmd/epithet-ca
-
 .PHONY: build
-build: epithet epithet-ca
+build: epithet
 
 .PHONY: test
 test:	## run all tests
@@ -18,7 +15,6 @@ test:	## run all tests
 clean:			## clean all local resources
 	go clean ./...
 	go clean -testcache
-	rm -f epithet-*
 	rm -rf epithet
 	rm -rf dist
 
diff --git a/cmd/epithet-ca/epithet-ca.go b/cmd/epithet-ca/epithet-ca.go
diff --git a/cmd/epithet/ca.go b/cmd/epithet/ca.go
@@ -0,0 +1,59 @@
+package main
+
+import (
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/epithet-ssh/epithet/pkg/ca"
+	"github.com/epithet-ssh/epithet/pkg/caserver"
+	"github.com/epithet-ssh/epithet/pkg/sshcert"
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
+)
+
+type CACLI struct {
+	Policy  string `help:"URL for policy service" short:"p" env:"POLICY_URL" required:"true"`
+	Key     string `help:"Path to ca private key" short:"k" default:"/etc/epithet/ca.key"`
+	Address string `help:"Address to bind to" short:"a" env:"PORT" default:"0.0.0.0:8080"`
+}
+
+func (c *CACLI) Run(logger *slog.Logger) error {
+	logger.Debug("ca command called", "ca", c)
+
+	// Read CA private key
+	privKey, err := os.ReadFile(c.Key)
+	if err != nil {
+		return fmt.Errorf("unable to load ca key: %w", err)
+	}
+	logger.Info("ca_key", "path", c.Key)
+	logger.Info("policy_url", "url", c.Policy)
+
+	// Create CA
+	caInstance, err := ca.New(sshcert.RawPrivateKey(string(privKey)), c.Policy)
+	if err != nil {
+		return fmt.Errorf("unable to create CA: %w", err)
+	}
+
+	// Set up HTTP router
+	r := chi.NewRouter()
+
+	// Middleware stack
+	r.Use(middleware.RequestID)
+	r.Use(middleware.RealIP)
+	r.Use(middleware.Logger)
+	r.Use(middleware.Recoverer)
+	r.Use(middleware.Timeout(60 * time.Second))
+
+	r.Handle("/", caserver.New(caInstance, logger, nil))
+
+	logger.Info("listening", "address", c.Address)
+	err = http.ListenAndServe(c.Address, r)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/cmd/epithet/main.go b/cmd/epithet/main.go
@@ -17,6 +17,7 @@ var cli struct {
 
 	Agent AgentCLI `cmd:"agent" help:"start the epithet agent"`
 	Match MatchCLI `cmd:"match" help:"Invoked during ssh invocation in a 'Match exec ...'"`
+	CA    CACLI    `cmd:"ca" help:"Run the epithet CA server"`
 }
 
 func main() {
diff --git a/pkg/caserver/caserver.go b/pkg/caserver/caserver.go
@@ -4,30 +4,29 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"log/slog"
 	"net/http"
 	"time"
 
 	"github.com/epithet-ssh/epithet/pkg/ca"
 	"github.com/epithet-ssh/epithet/pkg/policy"
 	"github.com/epithet-ssh/epithet/pkg/sshcert"
-	"github.com/sirupsen/logrus"
 )
 
 type caServer struct {
 	c          *ca.CA
 	httpClient *http.Client
+	log        *slog.Logger
 }
 
 // New creates a new CA Server which needs to then
-// be atatched to some http server, a la
+// be attached to some http server, a la
 // `http.ListenAndServeTLS(...)`
-func New(c *ca.CA, options ...Option) http.Handler {
+func New(c *ca.CA, log *slog.Logger, httpClient *http.Client) http.Handler {
 	cas := &caServer{
-		c: c,
-	}
-
-	for _, o := range options {
-		o.apply(cas)
+		c:          c,
+		log:        log,
+		httpClient: httpClient,
 	}
 
 	if cas.httpClient == nil {
@@ -39,24 +38,6 @@ func New(c *ca.CA, options ...Option) http.Handler {
 	return cas
 }
 
-// Option configures the agent
-type Option interface {
-	apply(*caServer)
-}
-
-type optionFunc func(*caServer)
-
-func (f optionFunc) apply(a *caServer) {
-	f(a)
-}
-
-// WithHTTPClient specifies the http client to use
-func WithHTTPClient(httpClient *http.Client) Option {
-	return optionFunc(func(s *caServer) {
-		s.httpClient = httpClient
-	})
-}
-
 func (s *caServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case "GET":
@@ -98,7 +79,10 @@ func (s *caServer) createCert(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		w.Header().Add("Content-type", "text/plain")
 		w.WriteHeader(400)
-		w.Write([]byte(fmt.Sprintf("unable to parse body: %s", err)))
+		_, err := w.Write([]byte(fmt.Sprintf("unable to parse body: %s", err)))
+		if err != nil {
+
+		}
 		return
 	}
 
@@ -125,15 +109,15 @@ func (s *caServer) createCert(w http.ResponseWriter, r *http.Request) {
 	out, err := json.Marshal(&resp)
 	if err != nil {
 		w.WriteHeader(500)
-		logrus.Warn("unable to jsonify response: %w", err)
+		s.log.Warn("unable to jsonify response", "error", err)
 		return
 	}
 
 	w.Header().Add("Content-type", "application/json")
 	w.WriteHeader(200)
 	_, err = w.Write(out)
 	if err != nil {
-		logrus.Warn("unable to write response: %w", err)
+		s.log.Warn("unable to write response", "error", err)
 		return
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ var cli struct {`
`17`	`17`
`18`	`18`	Agent AgentCLI `cmd:"agent" help:"start the epithet agent"`
`19`	`19`	Match MatchCLI `cmd:"match" help:"Invoked during ssh invocation in a 'Match exec ...'"`
	`20`	+ CA CACLI `cmd:"ca" help:"Run the epithet CA server"`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`func main() {`