Load identity certificate from disk in each connection.
This commit is contained in:
parent
a26d489abd
commit
f5d2f92099
3 changed files with 28 additions and 11 deletions
|
@ -60,7 +60,9 @@ func LoadClient() (*Client, error) {
|
||||||
|
|
||||||
// Prepare transport with information in defaults.json and identity.json
|
// Prepare transport with information in defaults.json and identity.json
|
||||||
tr := http.DefaultTransport.(*http.Transport).Clone()
|
tr := http.DefaultTransport.(*http.Transport).Clone()
|
||||||
tr.TLSClientConfig = &tls.Config{}
|
tr.TLSClientConfig = &tls.Config{
|
||||||
|
GetClientCertificate: identity.GetClientCertificateFunc(),
|
||||||
|
}
|
||||||
|
|
||||||
// RootCAs
|
// RootCAs
|
||||||
b, err = ioutil.ReadFile(defaults.Root)
|
b, err = ioutil.ReadFile(defaults.Root)
|
||||||
|
@ -72,13 +74,6 @@ func LoadClient() (*Client, error) {
|
||||||
tr.TLSClientConfig.RootCAs = pool
|
tr.TLSClientConfig.RootCAs = pool
|
||||||
}
|
}
|
||||||
|
|
||||||
// Certificate
|
|
||||||
crt, err := tls.LoadX509KeyPair(identity.Certificate, identity.Key)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("error loading certificate: %v", err)
|
|
||||||
}
|
|
||||||
tr.TLSClientConfig.Certificates = []tls.Certificate{crt}
|
|
||||||
|
|
||||||
return &Client{
|
return &Client{
|
||||||
CaURL: caURL,
|
CaURL: caURL,
|
||||||
Client: &http.Client{
|
Client: &http.Client{
|
||||||
|
|
|
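Review bot: LoadClient no longer fails fast when the identity certificate or key cannot be loaded: the eager tls.LoadX509KeyPair and its `error loading certificate` return (old side of the second hunk) are gone, and the only load now happens inside GetClientCertificate during a TLS handshake, so a missing or unreadable identity file surfaces as a per-request handshake error instead of an error from LoadClient. Keeping a one-time validation in LoadClient preserves the startup check, e.g. `if _, err := identity.TLSCertificate(); err != nil { return nil, fmt.Errorf("error loading certificate: %v", err) }`, assuming TLSCertificate (visible only by its signature in the third file) loads the same key pair. Also confirm `fmt` is still used elsewhere in this file, since the removed line was its only visible call site in these hunks. LoadClient starts before the first hunk and ends after the second.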
@ -185,12 +185,22 @@ func TestLoadClient(t *testing.T) {
|
||||||
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if !reflect.DeepEqual(got.CaURL, tt.want.CaURL) ||
|
gotTransport := got.Client.Transport.(*http.Transport)
|
||||||
!reflect.DeepEqual(got.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs, tt.want.Client.Transport.(*http.Transport).TLSClientConfig.RootCAs) ||
|
wantTransport := tt.want.Client.Transport.(*http.Transport)
|
||||||
!reflect.DeepEqual(got.Client.Transport.(*http.Transport).TLSClientConfig.Certificates, tt.want.Client.Transport.(*http.Transport).TLSClientConfig.Certificates) {
|
if gotTransport.TLSClientConfig.GetClientCertificate == nil {
|
||||||
|
t.Error("LoadClient() transport does not define GetClientCertificate")
|
||||||
|
} else if !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !reflect.DeepEqual(gotTransport.TLSClientConfig.RootCAs, wantTransport.TLSClientConfig.RootCAs) {
|
||||||
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
||||||
|
} else {
|
||||||
|
crt, err := gotTransport.TLSClientConfig.GetClientCertificate(nil)
|
||||||
|
if err != nil {
|
||||||
|
t.Errorf("LoadClient() GetClientCertificate error = %v", err)
|
||||||
|
} else if !reflect.DeepEqual(*crt, wantTransport.TLSClientConfig.Certificates[0]) {
|
||||||
|
t.Errorf("LoadClient() GetClientCertificate crt = %#v, want %#v", *crt, wantTransport.TLSClientConfig.Certificates[0])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
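Review bot: The new assertion at `wantTransport.TLSClientConfig.Certificates[0]` indexes the expected fixture without a length check, so any table entry whose want transport carries no Certificates (the table is above the hunk and not visible here) panics with an index out of range instead of reporting a failure; guarding with `if len(wantTransport.TLSClientConfig.Certificates) == 0 { t.Errorf(...) }` before the comparison keeps the loop going. The four-deep else chain would read more clearly as a flat sequence of checks that `return` from the subtest after each `t.Errorf`, since every branch is terminal. The test also never asserts that the static `Certificates` slice on the got transport is now empty, which is the one observable difference from the previous wiring, so `if len(gotTransport.TLSClientConfig.Certificates) != 0 { t.Error("LoadClient() transport should not set static Certificates") }` is worth adding. TestLoadClient starts before the hunk.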
@ -203,6 +203,18 @@ func (i *Identity) TLSCertificate() (tls.Certificate, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// GetClientCertificateFunc returns a method that can be used as the
|
||||||
|
// GetClientCertificate property in a tls.Config.
|
||||||
|
func (i *Identity) GetClientCertificateFunc() func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
|
return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||||
|
crt, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error loading identity certificate")
|
||||||
|
}
|
||||||
|
return &crt, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Renewer is that interface that a renew client must implement.
|
// Renewer is that interface that a renew client must implement.
|
||||||
type Renewer interface {
|
type Renewer interface {
|
||||||
GetRootCAs() *x509.CertPool
|
GetRootCAs() *x509.CertPool
|
||||||
|
|
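Review bot: The closure returned by GetClientCertificateFunc reads and parses i.Certificate and i.Key from disk on every TLS handshake with no caching and no atomicity guard, so a handshake that runs while the renewer is rewriting those two files (tls.LoadX509KeyPair opens the certificate file first, then the key file) can pair a certificate from one generation with a key from another and fail with a key-mismatch error; whether the renewer replaces both files atomically is not visible here, so this deserves at least a comment on the write-order assumption. The doc comment should also state that the load happens per call rather than once, since that is the behaviour this commit introduces and the one a future reader is most likely to cache away: `// The returned function re-reads i.Certificate and i.Key from disk on every call (every handshake that requests a client certificate), so a renewed identity is picked up without rebuilding the tls.Config; load errors surface in the handshake, not here.` If TLSCertificate, whose closing lines head this hunk, already performs the same tls.LoadX509KeyPair call, the closure could delegate to it with `crt, err := i.TLSCertificate()` so the two load paths cannot drift apart. GetClientCertificateFunc is complete within the hunk; TLSCertificate's body is not.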