arno/clair
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

move LoadTLSClientConfigForServer into API package

Browse Source 
This isn't reused any where just yet, so we're best off leaving it local
to the place that needs it.
This commit is contained in:
Jimmy Zelinskie 2015-12-15 12:03:42 -05:00
parent b3828c9c4c
commit 34870a2a2b
2 changed files with 31 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
api/api.go
View File

@ -17,6 +17,9 @@
package api package api
import ( import (
"crypto/tls"
"crypto/x509"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
@ -27,7 +30,6 @@ import (
"github.com/coreos/clair/config" "github.com/coreos/clair/config"
"github.com/coreos/clair/utils" "github.com/coreos/clair/utils"
httputils "github.com/coreos/clair/utils/http"
) )
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api") var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")
@ -44,7 +46,7 @@ func Run(config *config.APIConfig, st *utils.Stopper) {
} }
log.Infof("starting main API on port %d.", config.Port) log.Infof("starting main API on port %d.", config.Port)
tlsConfig, err := httputils.LoadTLSClientConfigForServer(config.CAFile) tlsConfig, err := tlsClientConfig(config.CAFile)
if err != nil { if err != nil {
log.Fatalf("could not initialize client cert authentification: %s\n", err) log.Fatalf("could not initialize client cert authentification: %s\n", err)
} }
@ -110,3 +112,30 @@ func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile
log.Fatal(err) log.Fatal(err)
} }
} }
// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
// *tls.Config is meant to be used to configure an HTTP server to do client
// certificate authentication.
//
// If no CA is given, a nil *tls.Config is returned; no client certificate will
// be required and verified. In other words, authentification will be disabled.
func tlsClientConfig(caPath string) (*tls.Config, error) {
if caPath == "" {
return nil, nil
}
caCert, err := ioutil.ReadFile(caPath)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
return tlsConfig, nil
}

28
utils/http/http.go
View File

@ -16,11 +16,8 @@
package http package http
import ( import (
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
@ -31,31 +28,6 @@ import (
// MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body. // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
const MaxBodySize int64 = 1048576 const MaxBodySize int64 = 1048576
// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
// configure http server to do client certificate authentification.
//
// If no CA is given, a nil *tls.Config is returned: no client certificate will be required and
// verified. In other words, authentification will be disabled.
func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) {
if len(caFile) == 0 {
return nil, nil
}
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig := &tls.Config{
ClientCAs: caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
return tlsConfig, nil
}
// WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as // WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as
// a HTTP status code. // a HTTP status code.
func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) { func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) {