Use Identity::from_pem (#2054)

* Switch to `from_pem` Signed-off-by: Michael Pankov <work@michaelpankov.com> * Remove authority certificate from identity Signed-off-by: Michael Pankov <work@michaelpankov.com> * Remove unnecessary features Signed-off-by: Michael Pankov <work@michaelpankov.com> * Remove unnecessary PFX and path_exists Signed-off-by: Michael Pankov <work@michaelpankov.com> * Fix documentation Signed-off-by: Michael Pankov <work@michaelpankov.com> * Try not accepting invalid certificates Signed-off-by: Michael Pankov <work@michaelpankov.com> * Revert "Try not accepting invalid certificates" This reverts commit 4914eee. Signed-off-by: Michael Pankov <work@michaelpankov.com> * Handle review comments Signed-off-by: Michael Pankov <work@michaelpankov.com> Co-authored-by: Joe Grund <jgrund@whamcloud.io>
whamcloud · Jul 16, 2020 · 4905f9e · 4905f9e
1 parent 0f0736c
commit 4905f9e
Show file tree

Hide file tree

Showing 6 changed files with 126 additions and 60 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/iml-agent/Cargo.toml b/iml-agent/Cargo.toml
@@ -33,8 +33,8 @@ liblustreapi = {path = "../liblustreapi", version = "0.3"}
 lustre_collector = "0.2.13"
 native-tls = "0.2"
 prettytable-rs = "0.8"
-reqwest = {version = "0.10", features = ["default-tls", "native-tls", "json", "stream"]}
-serde = {version = "1", features = ["derive"]}
+reqwest = { version = "0.10", features = ["rustls-tls", "json", "stream"] }
+serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 spinners = "1.2"
 stream-cancel = "0.6"

diff --git a/iml-agent/src/env.rs b/iml-agent/src/env.rs
@@ -3,18 +3,9 @@
 // license that can be found in the LICENSE file.
 
 use lazy_static::lazy_static;
-use std::{env, path::Path, process::Command};
+use std::{env, fs::File, io::Read};
 use url::Url;
 
-/// Checks if the given path exists in the FS
-///
-/// # Arguments
-///
-/// * `name` - The path to check
-fn path_exists(name: &str) -> bool {
-    Path::new(name).exists()
-}
-
 /// Gets the environment variable or panics
 /// # Arguments
 ///
@@ -41,14 +32,6 @@ fn get_cert_path() -> String {
     get_var("CRT_PATH")
 }
 
-fn get_pfx_path() -> String {
-    get_var("PFX_PATH")
-}
-
-fn get_authority_cert_path() -> String {
-    get_var("AUTHORITY_CRT_PATH")
-}
-
 pub fn sock_dir() -> String {
     get_var("SOCK_DIR")
 }
@@ -65,43 +48,24 @@ pub fn mailbox_sock(mailbox: &str) -> String {
 }
 
 lazy_static! {
-    // Gets the pfx file.
-    // If pfx is not found it will be created.
-    pub static ref PFX: Vec<u8> = {
+    pub static ref PEM: Vec<u8> = {
+        let mut result = Vec::new();
+
         let private_pem_path = get_private_pem_path();
 
-        if !path_exists(&private_pem_path) {
-            panic!("{} does not exist", private_pem_path)
-        };
+        let mut private_pem = File::open(private_pem_path)
+            .unwrap_or_else(|e| panic!("Error opening {}: {}", get_private_pem_path(), e));
+        private_pem
+            .read_to_end(&mut result)
+            .expect("Couldn't read PEM");
 
         let cert_path = get_cert_path();
 
-        if !path_exists(&cert_path) {
-            panic!("{} does not exist", cert_path)
-        }
-
-        let authority_cert_path = get_authority_cert_path();
-
-        let pfx_path = get_pfx_path();
-
-        Command::new("openssl")
-            .args(&[
-                "pkcs12",
-                "-export",
-                "-out",
-                &pfx_path,
-                "-inkey",
-                &private_pem_path,
-                "-in",
-                &cert_path,
-                "-certfile",
-                &authority_cert_path,
-                "-passout",
-                "pass:",
-            ])
-            .status()
-            .expect("Error creating pfx");
+        let mut cert = File::open(cert_path)
+            .unwrap_or_else(|e| panic!("Error opening {}: {}", get_cert_path(), e));
+        cert.read_to_end(&mut result)
+            .expect("Couldn't read the certificate");
 
-        std::fs::read(&pfx_path).expect("Could not read pfx")
+        result
     };
 }
diff --git a/iml-agent/src/http_comms/crypto_client.rs b/iml-agent/src/http_comms/crypto_client.rs
@@ -8,13 +8,13 @@ use futures::{stream, Future, Stream, TryFutureExt, TryStreamExt};
 use reqwest::{Client, Identity, IntoUrl, Response};
 use std::time::Duration;
 
-/// Creates an `Identity` from the given pfx buffer
+/// Creates an `Identity` from the given pem buffer
 ///
 /// # Arguments
 ///
-/// * `pfx` - The incoming pfx buffer
-pub fn get_id(pfx: &[u8]) -> Result<Identity, ImlAgentError> {
-    Identity::from_pkcs12_der(pfx, "").map_err(ImlAgentError::Reqwest)
+/// * `pem` - The incoming pem buffer
+pub fn get_id(pem: &[u8]) -> Result<Identity, ImlAgentError> {
+    Identity::from_pem(pem).map_err(ImlAgentError::Reqwest)
 }
 
 /// Creates a client that is authenticated to
@@ -25,6 +25,7 @@ pub fn get_id(pfx: &[u8]) -> Result<Identity, ImlAgentError> {
 /// * `id` - The client identity to use
 pub fn create_client(id: Identity) -> Result<Client, ImlAgentError> {
     Client::builder()
+        .use_rustls_tls()
         .danger_accept_invalid_certs(true)
         .identity(id)
         .timeout(Duration::from_secs(900))

diff --git a/iml-agent/src/http_comms/mailbox_client.rs b/iml-agent/src/http_comms/mailbox_client.rs
@@ -14,7 +14,7 @@ pub async fn send(
 ) -> Result<(), ImlAgentError> {
     tracing::debug!("Sending mailbox message to {}", message_name);
 
-    let id = crypto_client::get_id(&env::PFX)?;
+    let id = crypto_client::get_id(&env::PEM)?;
     let client = crypto_client::create_client(id)?;
 
     let body = Body::wrap_stream(stream);
@@ -39,7 +39,7 @@ pub async fn send(
 pub fn get(message_name: String) -> impl Stream<Item = Result<String, ImlAgentError>> {
     let q: Vec<(String, String)> = vec![];
 
-    future::ready(crypto_client::get_id(&env::PFX))
+    future::ready(crypto_client::get_id(&env::PEM))
         .err_into()
         .and_then(|id| async { crypto_client::create_client(id) })
         .and_then(move |client| async move {

diff --git a/iml-agent/src/main.rs b/iml-agent/src/main.rs
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
-use env::{MANAGER_URL, PFX};
+use env::{MANAGER_URL, PEM};
 use futures::{FutureExt, TryFutureExt};
 use iml_agent::{
     agent_error::Result,
@@ -21,7 +21,7 @@ async fn main() -> Result<()> {
 
     let start_time = chrono::Utc::now().format("%Y-%m-%dT%T%.6f%:zZ").to_string();
 
-    let identity = crypto_client::get_id(&PFX)?;
+    let identity = crypto_client::get_id(&PEM)?;
     let client = crypto_client::create_client(identity)?;
 
     let agent_client =