-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
102 lines (94 loc) · 2.27 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package auth
import (
"bytes"
"context"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"io"
"net/http"
"time"
)
type Auth struct {
RootCAs *x509.CertPool
URL string
APIToken string
}
func NewAuth(rootCAs *x509.CertPool, authUrl string, apiToken string) *Auth {
return &Auth{
RootCAs: rootCAs,
URL: authUrl,
APIToken: apiToken,
}
}
func (a *Auth) GenerateCertificate(envName string) (string, string, error) {
key, err := rsa.GenerateKey(rand.Reader, 4096)
if err != nil {
return "", "", err
}
csrPEM, err := createCertificateRequest(key, envName)
if err != nil {
return "", "", err
}
certPEM, err := do(context.Background(), &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: a.RootCAs,
},
},
Timeout: time.Minute,
}, fmt.Sprintf("%s/sign", a.URL), a.APIToken, csrPEM)
if err != nil {
return "", "", err
}
keyPEM, err := EncodeRSAPrivateKey(key)
if err != nil {
return "", "", err
}
return string(certPEM), string(keyPEM), nil
}
func createCertificateRequest(pk interface{}, envName string) (csrPEM []byte, err error) {
req := x509.CertificateRequest{
SignatureAlgorithm: x509.SHA256WithRSA,
Subject: pkix.Name{
CommonName: envName,
},
}
csrDER, err := x509.CreateCertificateRequest(rand.Reader, &req, pk)
if err != nil {
return nil, err
}
return EncodeCertificateRequestDER(csrDER)
}
func do(ctx context.Context, httpClient *http.Client, url, apiToken string, csrPEM []byte) (certPEM []byte, err error) {
req, err := http.NewRequestWithContext(ctx, http.MethodPost,
url, bytes.NewReader(csrPEM))
if err != nil {
return nil, err
}
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", apiToken))
res, err := httpClient.Do(req)
if err != nil {
return nil, err
}
defer func() {
_, _ = io.Copy(io.Discard, res.Body) // keep-alive
_ = res.Body.Close()
}()
body, err := io.ReadAll(res.Body)
if err != nil {
return nil, err
}
if res.StatusCode != http.StatusOK {
return nil, fmt.Errorf("POST %s resulted in %s %s", url, res.Status,
string(body))
}
// Check response body is PEM-encoded.
if _, err := DecodeCertificate(body); err != nil {
return nil, fmt.Errorf("POST %s: parse body %q: %v", url, string(body), err)
}
return body, nil
}