move LoadTLSClientConfigForServer into API package

This isn't reused any where just yet, so we're best off leaving it local to the place that needs it.
9 years ago · 34870a2a2b
parent b3828c9c4c
commit 34870a2a2b
2 changed files with 31 additions and 30 deletions
--- a/api/api.go
+++ b/api/api.go
@ -17,6 +17,9 @@
 package api

 import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
 	"net"
 	"net/http"
 	"strconv"
@ -27,7 +30,6 @@ import (

 	"github.com/coreos/clair/config"
 	"github.com/coreos/clair/utils"
-	httputils "github.com/coreos/clair/utils/http"
 )

 var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")
@ -44,7 +46,7 @@ func Run(config *config.APIConfig, st *utils.Stopper) {
 	}
 	log.Infof("starting main API on port %d.", config.Port)

-	tlsConfig, err := httputils.LoadTLSClientConfigForServer(config.CAFile)
+	tlsConfig, err := tlsClientConfig(config.CAFile)
 	if err != nil {
 		log.Fatalf("could not initialize client cert authentification: %s\n", err)
 	}
@ -110,3 +112,30 @@ func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile
 		log.Fatal(err)
 	}
 }
+
+// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
+// *tls.Config is meant to be used to configure an HTTP server to do client
+// certificate authentication.
+//
+// If no CA is given, a nil *tls.Config is returned; no client certificate will
+// be required and verified. In other words, authentification will be disabled.
+func tlsClientConfig(caPath string) (*tls.Config, error) {
+	if caPath == "" {
+		return nil, nil
+	}
+
+	caCert, err := ioutil.ReadFile(caPath)
+	if err != nil {
+		return nil, err
+	}
+
+	caCertPool := x509.NewCertPool()
+	caCertPool.AppendCertsFromPEM(caCert)
+
+	tlsConfig := &tls.Config{
+		ClientCAs:  caCertPool,
+		ClientAuth: tls.RequireAndVerifyClientCert,
+	}
+
+	return tlsConfig, nil
+}
--- a/utils/http/http.go
+++ b/utils/http/http.go
@ -16,11 +16,8 @@
 package http

 import (
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"net/http"

 	"github.com/coreos/clair/database"
@ -31,31 +28,6 @@ import (
 // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
 const MaxBodySize int64 = 1048576

-// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
-// configure http server to do client certificate authentification.
-//
-// If no CA is given, a nil *tls.Config is returned: no client certificate will be required and
-// verified. In other words, authentification will be disabled.
-func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) {
-	if len(caFile) == 0 {
-		return nil, nil
-	}
-
-	caCert, err := ioutil.ReadFile(caFile)
-	if err != nil {
-		return nil, err
-	}
-	caCertPool := x509.NewCertPool()
-	caCertPool.AppendCertsFromPEM(caCert)
-
-	tlsConfig := &tls.Config{
-		ClientCAs:  caCertPool,
-		ClientAuth: tls.RequireAndVerifyClientCert,
-	}
-
-	return tlsConfig, nil
-}
-
 // WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as
 // a HTTP status code.
 func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) {