// Copyright 2018 Yahoo Holdings, Inc.
// Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.
package athenzutils
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io/ioutil"
	"net/http"
	"net/url"
	"strconv"
	"strings"

	"github.com/AthenZ/athenz/clients/go/zts"
)
// ZtsClient creates and returns a ZTS client instance.
//
// keyFile and certFile are PEM files holding the client's private key and
// certificate; both are always read, so a missing file is an error. caCertFile
// is optional: when empty no custom root pool is built and the tls.Config's
// RootCAs stays nil, which makes Go fall back to the host's root CA set. When
// proxy is true the transport resolves proxies from the HTTP_PROXY/HTTPS_PROXY/
// NO_PROXY environment (http.ProxyFromEnvironment). No timeouts are configured
// on the transport here.
//
// Returns the file-read or TLS-configuration error unchanged; the *PathError
// from ReadFile already names the offending file.
func ZtsClient(ztsURL, keyFile, certFile, caCertFile string, proxy bool) (*zts.ZTSClient, error) {
	var (
		keypem, certpem, cacertpem []byte
		err                        error
	)
	if keypem, err = ioutil.ReadFile(keyFile); err != nil {
		return nil, err
	}
	if certpem, err = ioutil.ReadFile(certFile); err != nil {
		return nil, err
	}
	if caCertFile != "" {
		if cacertpem, err = ioutil.ReadFile(caCertFile); err != nil {
			return nil, err
		}
	}
	tlsCfg, err := tlsConfiguration(keypem, certpem, cacertpem)
	if err != nil {
		return nil, err
	}
	transport := &http.Transport{TLSClientConfig: tlsCfg}
	if proxy {
		// Only honour proxy environment variables when the caller opts in.
		transport.Proxy = http.ProxyFromEnvironment
	}
	zc := zts.NewClient(ztsURL, transport)
	return &zc, nil
}
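// tlsConfiguration builds the client-side tls.Config used to talk to ZTS.
//
// keypem and certpem are a PEM-encoded private key and certificate; when both
// are non-nil they are parsed into the single client certificate presented
// during the handshake. cacertpem is an optional PEM bundle of trusted root
// CAs; when nil, RootCAs is left unset so Go uses the host's root store. The
// minimum protocol version is pinned to TLS 1.2 so a peer cannot negotiate
// TLS 1.0/1.1 regardless of the toolchain default.
//
// Returns an error when the key pair does not parse, or when cacertpem is
// supplied but yields no certificate: a silently empty root pool trusts
// nothing, so every connection would fail later with an opaque "unknown
// authority" error instead of a clear misconfiguration error here.
func tlsConfiguration(keypem, certpem, cacertpem []byte) (*tls.Config, error) {
	config := &tls.Config{
		MinVersion: tls.VersionTLS12,
	}
	if certpem != nil && keypem != nil {
		mycert, err := tls.X509KeyPair(certpem, keypem)
		if err != nil {
			return nil, err
		}
		config.Certificates = []tls.Certificate{mycert}
	}
	if cacertpem != nil {
		certPool := x509.NewCertPool()
		// AppendCertsFromPEM reports whether at least one certificate was
		// parsed; ignoring it would install a pool that trusts nothing.
		if !certPool.AppendCertsFromPEM(cacertpem) {
			return nil, errors.New("no CA certificates found in PEM data")
		}
		config.RootCAs = certPool
	}
	return config, nil
}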
// GenerateAccessTokenRequestString generates and urlencodes an access token string.
//
// The result is an application/x-www-form-urlencoded body for a
// client_credentials grant. The scope is derived from the inputs: with no
// roles it is "<domain>:domain"; otherwise one "<domain>:role.<role>" entry
// per comma-separated role (roles are used verbatim, without trimming). A
// non-empty service appends "openid <domain>:service.<service>". authzDetails
// and proxyPrincipalSpiffeUris are forwarded as the authorization_details and
// proxy_principal_spiffe_uris parameters only when non-empty; expiryTime is
// sent as expires_in. url.Values.Encode emits the keys in sorted order.
func GenerateAccessTokenRequestString(domain, service, roles, authzDetails, proxyPrincipalSpiffeUris string, expiryTime int) string {
	var scopes []string
	if roles == "" {
		scopes = append(scopes, domain+":domain")
	} else {
		for _, role := range strings.Split(roles, ",") {
			scopes = append(scopes, domain+":role."+role)
		}
	}
	if service != "" {
		scopes = append(scopes, "openid", domain+":service."+service)
	}
	form := url.Values{
		"grant_type": {"client_credentials"},
		"expires_in": {strconv.Itoa(expiryTime)},
		"scope":      {strings.Join(scopes, " ")},
	}
	if authzDetails != "" {
		form.Set("authorization_details", authzDetails)
	}
	if proxyPrincipalSpiffeUris != "" {
		form.Set("proxy_principal_spiffe_uris", proxyPrincipalSpiffeUris)
	}
	return form.Encode()
}