in src/vtok_agent/src/agent/mngtok.rs [298:400]
fn satisfy_target(&self) -> Result<Option<PostSyncAction>, Error> {
let (key_id, key_label) = self
.db
.to_schema_keys()
.iter()
.map(|k| (k.id, k.label.clone()))
.next()
.ok_or(Error::SourceDbEmpty)?;
let key_uri = format!(
"pkcs11:model={};manufacturer={};token={};id=%{:02x};object={};type=private?pin-value={}",
"p11ne-token",
"Amazon",
self.label.as_str(),
key_id,
key_label.as_str(),
self.pin.as_str(),
);
match self.target {
None => Ok(None),
Some(config::Target::NginxStanza {
ref user,
ref group,
ref path,
}) => {
let uid = match user.as_ref() {
Some(name) => Some(
unistd::User::from_name(name)
.map_err(Error::NixError)?
.ok_or(Error::BadUser(name.to_string()))?
.uid,
),
None => None,
};
let gid = match group.as_ref() {
Some(name) => Some(
unistd::Group::from_name(name)
.map_err(Error::NixError)?
.ok_or(Error::BadGroup(name.to_string()))?
.gid,
),
None => None,
};
let cert_path = match self.db.cert_pem() {
None => None,
Some(cert_pem) => {
let cert_path = format!(
"{}/nginx-cert-{}.pem",
defs::RUN_DIR,
util::bytes_to_hex(self.label.as_bytes())
);
debug!("Writing {}", &cert_path);
OpenOptions::new()
.create(true)
.truncate(true)
.write(true)
.open(cert_path.as_str())
.and_then(|mut file| {
file.write_all(cert_pem.as_bytes())?;
if let Some(chain_pem) = self.db.cert_chain_pem() {
file.write_all(chain_pem.as_bytes())?;
}
Ok(())
})
.map_err(Error::TargetIoError)?;
debug!("Done writing {}", &cert_path);
Some(cert_path)
}
};
debug!("Ensuring dirs for file: {}", path);
util::create_dirs_for_file(path).map_err(Error::TargetIoError)?;
debug!("Writing {}", &path);
OpenOptions::new()
.write(true)
.create(true)
.truncate(true)
.mode(0o440)
.open(path)
.map_err(Error::TargetIoError)
.and_then(|mut file| {
unistd::fchown(file.as_raw_fd(), uid, gid).map_err(Error::NixError)?;
nix::sys::stat::fchmod(
file.as_raw_fd(),
// Safe becase 0o440 is valid.
unsafe { nix::sys::stat::Mode::from_bits_unchecked(0o440) },
)
.map_err(Error::NixError)?;
write!(file, "ssl_certificate_key \"engine:pkcs11:{}\";\n", key_uri)
.map_err(Error::TargetIoError)?;
if let Some(cp) = cert_path {
write!(file, "ssl_certificate \"{}\";\n", cp)
.map_err(Error::TargetIoError)?;
}
Ok(())
})?;
debug!("Done writing {}", &path);
Ok(Some(PostSyncAction::ReloadNginx))
}
}
}