-
Notifications
You must be signed in to change notification settings - Fork 56
/
cert_inspector.go
58 lines (48 loc) · 1.47 KB
/
cert_inspector.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
package authorization
import (
"context"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"code.cloudfoundry.org/korifi/api/apierrors"
rbacv1 "k8s.io/api/rbac/v1"
"k8s.io/client-go/rest"
"sigs.k8s.io/controller-runtime/pkg/client"
)
type CertInspector struct {
restConfig *rest.Config
}
func NewCertInspector(restConfig *rest.Config) *CertInspector {
return &CertInspector{
restConfig: restConfig,
}
}
func (c *CertInspector) WhoAmI(ctx context.Context, certPEM []byte) (Identity, error) {
certBlock, rst := pem.Decode(certPEM)
if certBlock == nil {
return Identity{}, apierrors.NewInvalidAuthError(errors.New("failed to decode cert PEM"))
}
cert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return Identity{}, apierrors.NewInvalidAuthError(fmt.Errorf("failed to parse certificate: %w", err))
}
keyBlock, _ := pem.Decode(rst)
if keyBlock == nil {
return Identity{}, apierrors.NewInvalidAuthError(errors.New("failed to decode key PEM"))
}
config := rest.AnonymousClientConfig(c.restConfig)
config.CertData = pem.EncodeToMemory(certBlock)
config.KeyData = pem.EncodeToMemory(keyBlock)
// This does an API call within the controller-runtime code and is
// sufficient to determine whether the certificate is valid and accepted by
// the cluster
_, err = client.New(config, client.Options{})
if err != nil {
return Identity{}, apierrors.FromK8sError(err, "")
}
return Identity{
Name: cert.Subject.CommonName,
Kind: rbacv1.UserKind,
}, nil
}