package client
import (
"crypto/tls"
"crypto/x509"
"net/http"
"os"
"sync"
"time"
"github.com/rs/zerolog/log"
"github.com/pkg/errors"
"github.com/portainer/agent"
"github.com/portainer/agent/crypto"
"github.com/portainer/agent/edge/revoke"
)
// edgeHTTPClient is an HTTP client whose TLS transport is rebuilt when the
// configured certificate, key or CA files change on disk (see Do).
type edgeHTTPClient struct {
	httpClient    *http.Client
	options       *agent.Options
	revokeService *revoke.Service
	// Modification times of the SSLCert, SSLKey and SSLCACert files as recorded
	// by the last buildTransport call; compared against os.Stat in
	// certsNeedsRotation to detect rotation.
	certMTime time.Time
	keyMTime  time.Time
	caMTime   time.Time
	// mu guards httpClient.Transport and the mtimes above: taken for writing
	// around buildTransport, for reading while a request is in flight.
	mu sync.RWMutex
}
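// BuildHTTPClient returns an edgeHTTPClient whose TLS transport is derived
// from options and rebuilt on certificate rotation (see Do).
//
// timeout is the per-request timeout in seconds. Fractional values are
// honoured (0.5 -> 500ms); a value of zero or below leaves the http.Client
// without a client-side timeout.
func BuildHTTPClient(timeout float64, options *agent.Options) *edgeHTTPClient {
	c := &edgeHTTPClient{
		httpClient: &http.Client{
			// Scale before converting: time.Duration(timeout) truncated
			// sub-second values to 0, which http.Client treats as "no timeout".
			Timeout: time.Duration(timeout * float64(time.Second)),
		},
		options:       options,
		revokeService: revoke.NewService(),
	}

	// buildTransport records the certificate mtimes on c and is always
	// called with c.mu held for writing.
	c.mu.Lock()
	c.httpClient.Transport = c.buildTransport()
	c.mu.Unlock()

	return c
}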
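// Do performs req, first rebuilding the TLS transport if any of the
// configured certificate files has changed since it was last built.
//
// The mtime check runs under the read lock because buildTransport writes the
// recorded mtimes under the write lock; rotateTransport re-checks under the
// write lock so concurrent callers that observed the same change rotate only
// once. The read lock is held for the whole request because buildTransport
// replaces c.httpClient.Transport in place.
func (c *edgeHTTPClient) Do(req *http.Request) (*http.Response, error) {
	c.mu.RLock()
	rotate := c.certsNeedsRotation()
	c.mu.RUnlock()

	if rotate {
		c.rotateTransport()
	}

	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.httpClient.Do(req)
}

// rotateTransport rebuilds the transport under the write lock if the
// certificate files still look changed, and closes the idle connections of
// the transport being replaced so they are not left open until GC.
func (c *edgeHTTPClient) rotateTransport() {
	c.mu.Lock()
	defer c.mu.Unlock()

	if !c.certsNeedsRotation() {
		return // another goroutine rotated while we waited for the lock
	}

	log.Debug().Msg("reloading certificates")
	if old, ok := c.httpClient.Transport.(*http.Transport); ok {
		old.CloseIdleConnections()
	}
	c.httpClient.Transport = c.buildTransport()
}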
// fileModified reports whether filename currently exists and its modification
// time differs from mtime. A file that cannot be stat'ed (missing, permission
// denied) is reported as not modified.
func fileModified(filename string, mtime time.Time) bool {
	info, err := os.Stat(filename)
	if err != nil {
		return false
	}
	return info.ModTime() != mtime
}
// certsNeedsRotation reports whether the transport should be rebuilt because
// one of the SSLCert, SSLKey or SSLCACert files has a modification time other
// than the one recorded by the last buildTransport. It is always false when
// EdgeInsecurePoll is set or any of the three paths is unset.
//
// The recorded mtimes are written by buildTransport under c.mu; callers
// should hold c.mu (the read lock suffices) for a race-free comparison.
func (c *edgeHTTPClient) certsNeedsRotation() bool {
	opts := c.options
	if opts.EdgeInsecurePoll {
		return false
	}
	if opts.SSLCert == "" || opts.SSLKey == "" || opts.SSLCACert == "" {
		return false
	}

	// Checked in the same order as the recorded fields; the first changed
	// file short-circuits the remaining stat calls.
	watched := [...]struct {
		path string
		seen time.Time
	}{
		{opts.SSLCert, c.certMTime},
		{opts.SSLKey, c.keyMTime},
		{opts.SSLCACert, c.caMTime},
	}
	for _, w := range watched {
		if fileModified(w.path, w.seen) {
			return true
		}
	}
	return false
}
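// buildTransport returns a fresh http.Transport (cloned from
// http.DefaultTransport) with TLS settings derived from c.options, and records
// the modification times of the certificate files it was built from so that
// certsNeedsRotation can detect later changes.
//
// Behaviour by configuration:
//   - EdgeInsecurePoll set: server certificate verification is disabled via
//     InsecureSkipVerify. This is an explicit opt-in; nothing else is set.
//   - SSLCert or SSLKey unset: the base TLS configuration is returned as is.
//     NOTE(review): SSLCACert is ignored in this case even when set — confirm
//     this is intended rather than falling through to a CA-only setup.
//   - otherwise: SSLCACert (if set) becomes the only trusted root set, the
//     client key pair is loaded from disk on every handshake, and every
//     certificate in each verified chain is checked against revokeService.
//
// Callers must hold c.mu for writing: this method writes c.certMTime,
// c.keyMTime and c.caMTime.
func (c *edgeHTTPClient) buildTransport() *http.Transport {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = crypto.CreateTLSConfiguration()
	// Capacity 0 selects the stdlib default. Session resumption avoids a full
	// handshake (and the key-pair reload in GetClientCertificate) per connection.
	transport.TLSClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(0)

	if c.options.EdgeInsecurePoll {
		transport.TLSClientConfig.InsecureSkipVerify = true
		return transport
	}

	if c.options.SSLCert == "" || c.options.SSLKey == "" {
		return transport
	}

	// The key pair itself is loaded lazily in GetClientCertificate; only the
	// mtimes are recorded here, for certsNeedsRotation.
	if certStat, err := os.Stat(c.options.SSLCert); err == nil {
		c.certMTime = certStat.ModTime()
	}
	if keyStat, err := os.Stat(c.options.SSLKey); err == nil {
		c.keyMTime = keyStat.ModTime()
	}

	if c.options.SSLCACert != "" {
		// Record the mtime BEFORE reading the file. If the CA is replaced
		// between the two calls, the stored mtime is the old one and the next
		// certsNeedsRotation check reloads it; stat-after-read would pair the
		// new mtime with the old contents and miss that update.
		if caStat, err := os.Stat(c.options.SSLCACert); err == nil {
			c.caMTime = caStat.ModTime()
		}

		caCert, err := os.ReadFile(c.options.SSLCACert)
		if err != nil {
			// Fail closed: with a CA configured, continuing with system roots
			// would silently widen the trust set.
			// NOTE(review): log.Fatal exits the process from inside a request
			// path; keeping the previous transport on failure may be preferable.
			log.Fatal().Err(err).Msg("")
		}
		caCertPool := x509.NewCertPool()
		if !caCertPool.AppendCertsFromPEM(caCert) {
			// Previously unchecked: an empty pool makes every handshake fail
			// with an opaque "unknown authority" error instead of naming the file.
			log.Fatal().Str("file", c.options.SSLCACert).Msg("no PEM certificates found in CA file")
		}
		transport.TLSClientConfig.RootCAs = caCertPool
	}

	transport.TLSClientConfig.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		// Read from disk on each handshake so a rotated key pair is picked up
		// by new connections; a read or parse error fails the handshake.
		cert, err := tls.LoadX509KeyPair(c.options.SSLCert, c.options.SSLKey)
		return &cert, err
	}

	// Runs after standard chain verification, so verifiedChains is populated
	// (this hook is not installed on the InsecureSkipVerify path above).
	transport.TLSClientConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		for _, chain := range verifiedChains {
			for _, cert := range chain {
				revoked, err := c.revokeService.VerifyCertificate(cert)
				if err != nil {
					return err
				}
				if revoked {
					return errors.New("certificate has been revoked")
				}
			}
		}
		return nil
	}

	return transport
}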