-
Notifications
You must be signed in to change notification settings - Fork 80
/
tls_config_provider.go
156 lines (137 loc) · 4.84 KB
/
tls_config_provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
// Copyright (c) 2016, 2018, 2024, Oracle and/or its affiliates. All rights reserved.
// This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
package common
import (
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"sync"
)
// GetTLSConfigTemplateForTransport returns the TLSConfigTemplate to used depending on whether any additional
// CA Bundle or client side certs have been configured
func GetTLSConfigTemplateForTransport() TLSConfigProvider {
certPath := os.Getenv(ociDefaultClientCertsPath)
keyPath := os.Getenv(ociDefaultClientCertsPrivateKeyPath)
caBundlePath := os.Getenv(ociDefaultCertsPath)
if certPath != "" && keyPath != "" {
return &DefaultMTLSConfigProvider{
caBundlePath: caBundlePath,
clientCertPath: certPath,
clientKeyPath: keyPath,
watchedFilesStatsMap: make(map[string]os.FileInfo),
}
}
return &DefaultTLSConfigProvider{
caBundlePath: caBundlePath,
}
}
// TLSConfigProvider is an interface the defines a function that creates a new *tls.Config.
type TLSConfigProvider interface {
NewOrDefault() (*tls.Config, error)
WatchedFilesModified() bool
}
// DefaultTLSConfigProvider is a provider that provides a TLS tls.config for the HTTPTransport
type DefaultTLSConfigProvider struct {
caBundlePath string
mux sync.Mutex
currentStat os.FileInfo
}
// NewOrDefault returns a default tls.Config which
// sets its RootCAs to be a *x509.CertPool from caBundlePath.
func (t *DefaultTLSConfigProvider) NewOrDefault() (*tls.Config, error) {
if t.caBundlePath == "" {
return &tls.Config{}, nil
}
// Keep the current Stat info from the ca bundle in a map
Debugf("Getting Initial Stats for file: %s", t.caBundlePath)
caBundleStat, err := os.Stat(t.caBundlePath)
if err != nil {
return nil, err
}
t.mux.Lock()
defer t.mux.Unlock()
t.currentStat = caBundleStat
rootCAs, err := CertPoolFrom(t.caBundlePath)
if err != nil {
return nil, err
}
return &tls.Config{
RootCAs: rootCAs,
}, nil
}
// WatchedFilesModified returns true if any files in the watchedFilesStatsMap has been modified else returns false
func (t *DefaultTLSConfigProvider) WatchedFilesModified() bool {
modified := false
if t.caBundlePath != "" {
newStat, err := os.Stat(t.caBundlePath)
if err == nil && (t.currentStat.Size() != newStat.Size() || t.currentStat.ModTime() != newStat.ModTime()) {
Logf("Modification detected in cert/ca-bundle file: %s", t.caBundlePath)
modified = true
t.mux.Lock()
defer t.mux.Unlock()
t.currentStat = newStat
}
}
return modified
}
// DefaultMTLSConfigProvider is a provider that provides a MTLS tls.config for the HTTPTransport
type DefaultMTLSConfigProvider struct {
caBundlePath string
clientCertPath string
clientKeyPath string
mux sync.Mutex
watchedFilesStatsMap map[string]os.FileInfo
}
// NewOrDefault returns a default tls.Config which sets its RootCAs
// to be a *x509.CertPool from caBundlePath and calls
// tls.LoadX509KeyPair(clientCertPath, clientKeyPath) to set mtls client certs.
func (t *DefaultMTLSConfigProvider) NewOrDefault() (*tls.Config, error) {
rootCAs, err := CertPoolFrom(t.caBundlePath)
if err != nil {
return nil, err
}
cert, err := tls.LoadX509KeyPair(t.clientCertPath, t.clientKeyPath)
if err != nil {
return nil, err
}
// Configure the initial certs file stats, error skipped because we error out before this if the files don't exist
t.mux.Lock()
defer t.mux.Unlock()
t.watchedFilesStatsMap[t.caBundlePath], _ = os.Stat(t.caBundlePath)
t.watchedFilesStatsMap[t.clientCertPath], _ = os.Stat(t.clientCertPath)
t.watchedFilesStatsMap[t.clientKeyPath], _ = os.Stat(t.clientKeyPath)
return &tls.Config{
RootCAs: rootCAs,
Certificates: []tls.Certificate{cert},
}, nil
}
// WatchedFilesModified returns true if any files in the watchedFilesStatsMap has been modified else returns false
func (t *DefaultMTLSConfigProvider) WatchedFilesModified() bool {
modified := false
t.mux.Lock()
defer t.mux.Unlock()
for k, v := range t.watchedFilesStatsMap {
if k != "" {
currentStat, err := os.Stat(k)
if err == nil && (v.Size() != currentStat.Size() || v.ModTime() != currentStat.ModTime()) {
modified = true
Logf("Modification detected in cert/ca-bundle file: %s", k)
t.watchedFilesStatsMap[k] = currentStat
}
}
}
return modified
}
// CertPoolFrom creates a new x509.CertPool from a given file.
func CertPoolFrom(caBundleFile string) (*x509.CertPool, error) {
pemCerts, err := os.ReadFile(caBundleFile)
if err != nil {
return nil, err
}
trust := x509.NewCertPool()
if !trust.AppendCertsFromPEM(pemCerts) {
return nil, fmt.Errorf("creating a new x509.CertPool from %s: no certs added", caBundleFile)
}
return trust, nil
}