/
flag_types.go
106 lines (90 loc) · 2.54 KB
/
flag_types.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package cmd
import (
"bytes"
"crypto/x509"
"flag"
"fmt"
"os"
"strings"
"github.com/spf13/pflag"
configv1alpha1 "go.pinniped.dev/generated/latest/apis/concierge/config/v1alpha1"
)
// conciergeModeFlag represents the method by which we should connect to the Concierge on a cluster during login.
// this is meant to be a valid flag.Value implementation.
type conciergeModeFlag int
var _ flag.Value = new(conciergeModeFlag)
const (
modeUnknown conciergeModeFlag = iota
modeTokenCredentialRequestAPI
modeImpersonationProxy
)
func (f *conciergeModeFlag) String() string {
switch *f {
case modeImpersonationProxy:
return "ImpersonationProxy"
case modeTokenCredentialRequestAPI:
return "TokenCredentialRequestAPI"
case modeUnknown:
fallthrough
default:
return "TokenCredentialRequestAPI"
}
}
func (f *conciergeModeFlag) Set(s string) error {
if strings.EqualFold(s, "") {
*f = modeUnknown
return nil
}
if strings.EqualFold(s, "TokenCredentialRequestAPI") {
*f = modeTokenCredentialRequestAPI
return nil
}
if strings.EqualFold(s, "ImpersonationProxy") {
*f = modeImpersonationProxy
return nil
}
return fmt.Errorf("invalid mode %q, valid modes are TokenCredentialRequestAPI and ImpersonationProxy", s)
}
func (f *conciergeModeFlag) Type() string {
return "mode"
}
// MatchesFrontend returns true iff the flag matches the type of the provided frontend.
func (f *conciergeModeFlag) MatchesFrontend(frontend *configv1alpha1.CredentialIssuerFrontend) bool {
switch *f {
case modeImpersonationProxy:
return frontend.Type == configv1alpha1.ImpersonationProxyFrontendType
case modeTokenCredentialRequestAPI:
return frontend.Type == configv1alpha1.TokenCredentialRequestAPIFrontendType
case modeUnknown:
fallthrough
default:
return true
}
}
// caBundlePathsVar represents a list of CA bundle paths, which load from disk when the flag is populated.
type caBundleFlag []byte
var _ pflag.Value = new(caBundleFlag)
func (f *caBundleFlag) String() string {
return string(*f)
}
func (f *caBundleFlag) Set(path string) error {
pem, err := os.ReadFile(path)
if err != nil {
return fmt.Errorf("could not read CA bundle path: %w", err)
}
pool := x509.NewCertPool()
if !pool.AppendCertsFromPEM(pem) {
return fmt.Errorf("failed to load any CA certificates from %q", path)
}
if len(*f) == 0 {
*f = pem
return nil
}
*f = bytes.Join([][]byte{*f, pem}, []byte("\n"))
return nil
}
func (f *caBundleFlag) Type() string {
return "path"
}