forked from TrueCloudLab/certificates
Fix directory permissions.
This commit is contained in:
parent
f92bb06b6c
commit
db3b795eea
2 changed files with 75 additions and 2 deletions
19
ca/client.go
19
ca/client.go
|
@ -394,6 +394,25 @@ func (c *Client) retryOnError(r *http.Response) bool {
|
|||
return false
|
||||
}
|
||||
|
||||
// GetRootCAs returns the RootCAs certificate pool from the configured
|
||||
// transport.
|
||||
func (c *Client) GetRootCAs() *x509.CertPool {
|
||||
switch t := c.client.Transport.(type) {
|
||||
case *http.Transport:
|
||||
if t.TLSClientConfig != nil {
|
||||
return t.TLSClientConfig.RootCAs
|
||||
}
|
||||
return nil
|
||||
case *http2.Transport:
|
||||
if t.TLSClientConfig != nil {
|
||||
return t.TLSClientConfig.RootCAs
|
||||
}
|
||||
return nil
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// SetTransport updates the transport of the internal HTTP client.
|
||||
func (c *Client) SetTransport(tr http.RoundTripper) {
|
||||
c.client.Transport = tr
|
||||
|
|
|
@ -8,6 +8,7 @@ import (
|
|||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
@ -39,16 +40,29 @@ type Identity struct {
|
|||
Key string `json:"key"`
|
||||
}
|
||||
|
||||
// LoadDefaultIdentity loads the default identity.
|
||||
func LoadDefaultIdentity() (*Identity, error) {
|
||||
b, err := ioutil.ReadFile(IdentityFile)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error reading identity json")
|
||||
}
|
||||
identity := new(Identity)
|
||||
if err := json.Unmarshal(b, &identity); err != nil {
|
||||
return nil, errors.Wrapf(err, "error unmarshaling %s", IdentityFile)
|
||||
}
|
||||
return identity, nil
|
||||
}
|
||||
|
||||
// WriteDefaultIdentity writes the given certificates and key and the
|
||||
// identity.json pointing to the new files.
|
||||
func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error {
|
||||
base := filepath.Join(config.StepPath(), "config")
|
||||
if err := os.MkdirAll(base, 0600); err != nil {
|
||||
if err := os.MkdirAll(base, 0700); err != nil {
|
||||
return errors.Wrap(err, "error creating config directory")
|
||||
}
|
||||
|
||||
base = filepath.Join(config.StepPath(), "identity")
|
||||
if err := os.MkdirAll(base, 0600); err != nil {
|
||||
if err := os.MkdirAll(base, 0700); err != nil {
|
||||
return errors.Wrap(err, "error creating identity directory")
|
||||
}
|
||||
|
||||
|
@ -156,3 +170,43 @@ func (i *Identity) Options() ([]ClientOption, error) {
|
|||
return nil, errors.Errorf("unsupported identity type %s", i.Type)
|
||||
}
|
||||
}
|
||||
|
||||
// Renew renews the identity certificate using the given client.
|
||||
func (i *Identity) Renew(client *Client) error {
|
||||
switch i.Kind() {
|
||||
case Disabled:
|
||||
return nil
|
||||
case MutualTLS:
|
||||
cert, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error creating identity certificate")
|
||||
}
|
||||
tr := &http.Transport{
|
||||
TLSClientConfig: &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
RootCAs: client.GetRootCAs(),
|
||||
PreferServerCipherSuites: true,
|
||||
},
|
||||
}
|
||||
resp, err := client.Renew(tr)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
buf := new(bytes.Buffer)
|
||||
for _, crt := range resp.CertChainPEM {
|
||||
block := &pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: crt.Raw,
|
||||
}
|
||||
if err := pem.Encode(buf, block); err != nil {
|
||||
return errors.Wrap(err, "error encoding identity certificate")
|
||||
}
|
||||
}
|
||||
if err := ioutil.WriteFile(i.Certificate, buf.Bytes(), 0600); err != nil {
|
||||
return errors.Wrap(err, "error writing identity certificate")
|
||||
}
|
||||
return nil
|
||||
default:
|
||||
return errors.Errorf("unsupported identity type %s", i.Type)
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue