arno/clair
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #47 from coreos/sn

Browse Source 
notifier: add ServerName configuration for TLS
This commit is contained in:
Quentin Machu 2015-12-15 14:31:59 -05:00
commit 172693b604
5 changed files with 78 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
api/api.go
View File

@ -17,6 +17,9 @@
package api package api
import ( import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
@ -27,7 +30,6 @@ import (
"github.com/coreos/clair/config" "github.com/coreos/clair/config"
"github.com/coreos/clair/utils" "github.com/coreos/clair/utils"
httputils "github.com/coreos/clair/utils/http"
) )
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api") var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")
@ -44,7 +46,7 @@ func Run(config *config.APIConfig, st *utils.Stopper) {
} }
log.Infof("starting main API on port %d.", config.Port) log.Infof("starting main API on port %d.", config.Port)
tlsConfig, err := httputils.LoadTLSClientConfigForServer(config.CAFile) tlsConfig, err := tlsClientConfig(config.CAFile)
if err != nil { if err != nil {
log.Fatalf("could not initialize client cert authentification: %s\n", err) log.Fatalf("could not initialize client cert authentification: %s\n", err)
} }
@ -110,3 +112,30 @@ func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile
log.Fatal(err) log.Fatal(err)
} }
} }
// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
// *tls.Config is meant to be used to configure an HTTP server to do client
// certificate authentication.
//
// If no CA is given, a nil *tls.Config is returned; no client certificate will
// be required and verified. In other words, authentification will be disabled.
func tlsClientConfig(caPath string) (*tls.Config, error) {
if caPath == "" {
return nil, nil
}
caCert, err := ioutil.ReadFile(caPath)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
return tlsConfig, nil
}

3
config.example.yaml
View File

@ -31,7 +31,8 @@ updater:
notifier: notifier:
# HTTP endpoint that will receive notifications with POST requests. # HTTP endpoint that will receive notifications with POST requests.
endpoint: endpoint:
# Path to certificates to call the endpoint securely with TLS and client certificate auth. # Server name and path to certificates to call the endpoint securely with TLS and client certificate auth.
servername:
cafile: cafile:
keyfile: keyfile:
certfile: certfile:

9
config/config.go
View File

@ -1,5 +1,3 @@
package config
// Copyright 2015 clair authors // Copyright 2015 clair authors
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
@ -14,6 +12,8 @@ package config
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
package config
import ( import (
"io/ioutil" "io/ioutil"
"os" "os"
@ -45,7 +45,10 @@ type UpdaterConfig struct {
// NotifierConfig is the configuration for the Notifier service. // NotifierConfig is the configuration for the Notifier service.
type NotifierConfig struct { type NotifierConfig struct {
Endpoint string Endpoint string
CertFile, KeyFile, CAFile string ServerName string
CertFile string
KeyFile string
CAFile string
} }
// APIConfig is the configuration for the API service. // APIConfig is the configuration for the API service.

40
notifier/notifier.go
View File

@ -18,7 +18,10 @@ package notifier
import ( import (
"bytes" "bytes"
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"time" "time"
@ -30,7 +33,6 @@ import (
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
"github.com/coreos/clair/health" "github.com/coreos/clair/health"
"github.com/coreos/clair/utils" "github.com/coreos/clair/utils"
httputils "github.com/coreos/clair/utils/http"
) )
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "notifier") var log = capnslog.NewPackageLogger("github.com/coreos/clair", "notifier")
@ -70,7 +72,7 @@ func New(config *config.NotifierConfig) *Notifier {
} }
// Initialize TLS. // Initialize TLS.
tlsConfig, err := httputils.LoadTLSClientConfig(config.CertFile, config.KeyFile, config.CAFile) tlsConfig, err := loadTLSClientConfig(config)
if err != nil { if err != nil {
log.Fatalf("could not initialize client cert authentification: %s\n", err) log.Fatalf("could not initialize client cert authentification: %s\n", err)
} }
@ -203,3 +205,37 @@ func (n *Notifier) Healthcheck() health.Status {
queueSize, err := database.CountNotificationsToSend() queueSize, err := database.CountNotificationsToSend()
return health.Status{IsEssential: false, IsHealthy: err == nil, Details: struct{ QueueSize int }{QueueSize: queueSize}} return health.Status{IsEssential: false, IsHealthy: err == nil, Details: struct{ QueueSize int }{QueueSize: queueSize}}
} }
// loadTLSClientConfig initializes a *tls.Config using the given notifier
// configuration.
//
// If no certificates are given, (nil, nil) is returned.
// The CA certificate is optional and falls back to the system default.
func loadTLSClientConfig(cfg *config.NotifierConfig) (*tls.Config, error) {
if cfg.CertFile == "" || cfg.KeyFile == "" {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
if err != nil {
return nil, err
}
var caCertPool *x509.CertPool
if cfg.CAFile != "" {
caCert, err := ioutil.ReadFile(cfg.CAFile)
if err != nil {
return nil, err
}
caCertPool = x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
}
tlsConfig := &tls.Config{
ServerName: cfg.ServerName,
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
return tlsConfig, nil
}

61
utils/http/http.go
View File

@ -16,11 +16,8 @@
package http package http
import ( import (
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
@ -31,64 +28,6 @@ import (
// MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body. // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
const MaxBodySize int64 = 1048576 const MaxBodySize int64 = 1048576
// LoadTLSClientConfig initializes a *tls.Config using the given certificates and private key, that
// can be used to communicate with a server using client certificate authentificate.
//
// If no certificates are given, a nil *tls.Config is returned.
// The CA certificate is optionnal, the system defaults are used if not provided.
func LoadTLSClientConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
if len(certFile) == 0 || len(keyFile) == 0 {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
var caCertPool *x509.CertPool
if len(caFile) > 0 {
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
caCertPool = x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
return tlsConfig, nil
}
// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
// configure http server to do client certificate authentification.
//
// If no CA is given, a nil *tls.Config is returned: no client certificate will be required and
// verified. In other words, authentification will be disabled.
func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) {
if len(caFile) == 0 {
return nil, nil
}
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
return tlsConfig, nil
}
// WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as // WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as
// a HTTP status code. // a HTTP status code.
func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) { func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) {