arno/clair
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

notifier: add ServerName configuration for TLS

Browse Source
This commit is contained in:
Jimmy Zelinskie 2015-12-10 16:46:43 -05:00
parent d3ebc3df33
commit b3828c9c4c
4 changed files with 47 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config.example.yaml
View File

@ -31,7 +31,8 @@ updater:
notifier: notifier:
# HTTP endpoint that will receive notifications with POST requests. # HTTP endpoint that will receive notifications with POST requests.
endpoint: endpoint:
# Path to certificates to call the endpoint securely with TLS and client certificate auth. # Server name and path to certificates to call the endpoint securely with TLS and client certificate auth.
servername:
cafile: cafile:
keyfile: keyfile:
certfile: certfile:

9
config/config.go
View File

@ -1,5 +1,3 @@
package config
// Copyright 2015 clair authors // Copyright 2015 clair authors
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
@ -14,6 +12,8 @@ package config
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
package config
import ( import (
"io/ioutil" "io/ioutil"
"os" "os"
@ -45,7 +45,10 @@ type UpdaterConfig struct {
// NotifierConfig is the configuration for the Notifier service. // NotifierConfig is the configuration for the Notifier service.
type NotifierConfig struct { type NotifierConfig struct {
Endpoint string Endpoint string
CertFile, KeyFile, CAFile string ServerName string
CertFile string
KeyFile string
CAFile string
} }
// APIConfig is the configuration for the API service. // APIConfig is the configuration for the API service.

40
notifier/notifier.go
View File

@ -18,7 +18,10 @@ package notifier
import ( import (
"bytes" "bytes"
"crypto/tls"
"crypto/x509"
"encoding/json" "encoding/json"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"time" "time"
@ -30,7 +33,6 @@ import (
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
"github.com/coreos/clair/health" "github.com/coreos/clair/health"
"github.com/coreos/clair/utils" "github.com/coreos/clair/utils"
httputils "github.com/coreos/clair/utils/http"
) )
var log = capnslog.NewPackageLogger("github.com/coreos/clair", "notifier") var log = capnslog.NewPackageLogger("github.com/coreos/clair", "notifier")
@ -70,7 +72,7 @@ func New(config *config.NotifierConfig) *Notifier {
} }
// Initialize TLS. // Initialize TLS.
tlsConfig, err := httputils.LoadTLSClientConfig(config.CertFile, config.KeyFile, config.CAFile) tlsConfig, err := loadTLSClientConfig(config)
if err != nil { if err != nil {
log.Fatalf("could not initialize client cert authentification: %s\n", err) log.Fatalf("could not initialize client cert authentification: %s\n", err)
} }
@ -203,3 +205,37 @@ func (n *Notifier) Healthcheck() health.Status {
queueSize, err := database.CountNotificationsToSend() queueSize, err := database.CountNotificationsToSend()
return health.Status{IsEssential: false, IsHealthy: err == nil, Details: struct{ QueueSize int }{QueueSize: queueSize}} return health.Status{IsEssential: false, IsHealthy: err == nil, Details: struct{ QueueSize int }{QueueSize: queueSize}}
} }
// loadTLSClientConfig initializes a *tls.Config using the given notifier
// configuration.
//
// If no certificates are given, (nil, nil) is returned.
// The CA certificate is optional and falls back to the system default.
func loadTLSClientConfig(cfg *config.NotifierConfig) (*tls.Config, error) {
if cfg.CertFile == "" || cfg.KeyFile == "" {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(cfg.CertFile, cfg.KeyFile)
if err != nil {
return nil, err
}
var caCertPool *x509.CertPool
if cfg.CAFile != "" {
caCert, err := ioutil.ReadFile(cfg.CAFile)
if err != nil {
return nil, err
}
caCertPool = x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
}
tlsConfig := &tls.Config{
ServerName: cfg.ServerName,
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
return tlsConfig, nil
}

33
utils/http/http.go
View File

@ -31,39 +31,6 @@ import (
// MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body. // MaxPostSize is the maximum number of bytes that ParseHTTPBody reads from an http.Request.Body.
const MaxBodySize int64 = 1048576 const MaxBodySize int64 = 1048576
// LoadTLSClientConfig initializes a *tls.Config using the given certificates and private key, that
// can be used to communicate with a server using client certificate authentificate.
//
// If no certificates are given, a nil *tls.Config is returned.
// The CA certificate is optionnal, the system defaults are used if not provided.
func LoadTLSClientConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
if len(certFile) == 0 || len(keyFile) == 0 {
return nil, nil
}
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
return nil, err
}
var caCertPool *x509.CertPool
if len(caFile) > 0 {
caCert, err := ioutil.ReadFile(caFile)
if err != nil {
return nil, err
}
caCertPool = x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
}
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
}
return tlsConfig, nil
}
// LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to // LoadTLSClientConfigForServer initializes a *tls.Config using the given CA, that can be used to
// configure http server to do client certificate authentification. // configure http server to do client certificate authentification.
// //