move LoadTLSClientConfigForServer into API package
This isn't reused any where just yet, so we're best off leaving it local to the place that needs it.
This commit is contained in:
Jimmy Zelinskie
parent
b3828c9c4c
commit
34870a2a2b
33
api/api.go
33
api/api.go
@ -17,6 +17,9 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
@ -27,7 +30,6 @@ import (
|
||||
|
||||
"github.com/coreos/clair/config"
|
||||
"github.com/coreos/clair/utils"
|
||||
httputils "github.com/coreos/clair/utils/http"
|
||||
)
|
||||
|
||||
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "api")
|
||||
@ -44,7 +46,7 @@ func Run(config *config.APIConfig, st *utils.Stopper) {
|
||||
}
|
||||
log.Infof("starting main API on port %d.", config.Port)
|
||||
|
||||
tlsConfig, err := httputils.LoadTLSClientConfigForServer(config.CAFile)
|
||||
tlsConfig, err := tlsClientConfig(config.CAFile)
|
||||
if err != nil {
|
||||
log.Fatalf("could not initialize client cert authentification: %s\n", err)
|
||||
}
|
||||
@ -110,3 +112,30 @@ func listenAndServeWithStopper(srv *graceful.Server, st *utils.Stopper, certFile
|
||||
log.Fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
// tlsClientConfig initializes a *tls.Config using the given CA. The resulting
|
||||
// *tls.Config is meant to be used to configure an HTTP server to do client
|
||||
// certificate authentication.
|
||||
//
|
||||
// If no CA is given, a nil *tls.Config is returned; no client certificate will
|
||||
// be required and verified. In other words, authentification will be disabled.
|
||||
func tlsClientConfig(caPath string) (*tls.Config, error) {
|
||||
if caPath == "" {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
caCert, err := ioutil.ReadFile(caPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(caCert)
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
ClientCAs: caCertPool,
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
@ -16,11 +16,8 @@
|
||||
package http
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
|
||||
"github.com/coreos/clair/database"
|
||||
@ -31,31 +28,6 @@ import (
|
||||
// MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
|
||||
const MaxBodySize int64 = 1048576
|
||||
|
||||
// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
|
||||
// configure http server to do client certificate authentification.
|
||||
//
|
||||
// If no CA is given, a nil *tls.Config is returned: no client certificate will be required and
|
||||
// verified. In other words, authentification will be disabled.
|
||||
func LoadTLSClientConfigForServer(caFile string) (*tls.Config, error) {
|
||||
if len(caFile) == 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
caCert, err := ioutil.ReadFile(caFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
caCertPool := x509.NewCertPool()
|
||||
caCertPool.AppendCertsFromPEM(caCert)
|
||||
|
||||
tlsConfig := &tls.Config{
|
||||
ClientCAs: caCertPool,
|
||||
ClientAuth: tls.RequireAndVerifyClientCert,
|
||||
}
|
||||
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
// WriteHTTP writes a JSON-encoded object to a http.ResponseWriter, as well as
|
||||
// a HTTP status code.
|
||||
func WriteHTTP(w http.ResponseWriter, httpStatus int, v interface{}) {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user