From 80ee3645c452678b2bcdb1b86c5363fd7a1e3926 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 20 Nov 2019 16:03:31 -0800 Subject: [PATCH] Fix directory permissions. --- ca/client.go | 19 +++++++++++++++++ ca/identity.go | 58 ++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 75 insertions(+), 2 deletions(-) diff --git a/ca/client.go b/ca/client.go index 51d21199..eefc4612 100644 --- a/ca/client.go +++ b/ca/client.go @@ -394,6 +394,25 @@ func (c *Client) retryOnError(r *http.Response) bool { return false } +// GetRootCAs returns the RootCAs certificate pool from the configured +// transport. +func (c *Client) GetRootCAs() *x509.CertPool { + switch t := c.client.Transport.(type) { + case *http.Transport: + if t.TLSClientConfig != nil { + return t.TLSClientConfig.RootCAs + } + return nil + case *http2.Transport: + if t.TLSClientConfig != nil { + return t.TLSClientConfig.RootCAs + } + return nil + default: + return nil + } +} + // SetTransport updates the transport of the internal HTTP client. func (c *Client) SetTransport(tr http.RoundTripper) { c.client.Transport = tr diff --git a/ca/identity.go b/ca/identity.go index 5576dde3..f7f37049 100644 --- a/ca/identity.go +++ b/ca/identity.go @@ -8,6 +8,7 @@ import ( "encoding/json" "encoding/pem" "io/ioutil" + "net/http" "os" "path/filepath" "strings" @@ -39,16 +40,29 @@ type Identity struct { Key string `json:"key"` } +// LoadDefaultIdentity loads the default identity. +func LoadDefaultIdentity() (*Identity, error) { + b, err := ioutil.ReadFile(IdentityFile) + if err != nil { + return nil, errors.Wrap(err, "error reading identity json") + } + identity := new(Identity) + if err := json.Unmarshal(b, &identity); err != nil { + return nil, errors.Wrapf(err, "error unmarshaling %s", IdentityFile) + } + return identity, nil +} + // WriteDefaultIdentity writes the given certificates and key and the // identity.json pointing to the new files. func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error { base := filepath.Join(config.StepPath(), "config") - if err := os.MkdirAll(base, 0600); err != nil { + if err := os.MkdirAll(base, 0700); err != nil { return errors.Wrap(err, "error creating config directory") } base = filepath.Join(config.StepPath(), "identity") - if err := os.MkdirAll(base, 0600); err != nil { + if err := os.MkdirAll(base, 0700); err != nil { return errors.Wrap(err, "error creating identity directory") } @@ -156,3 +170,43 @@ func (i *Identity) Options() ([]ClientOption, error) { return nil, errors.Errorf("unsupported identity type %s", i.Type) } } + +// Renew renews the identity certificate using the given client. +func (i *Identity) Renew(client *Client) error { + switch i.Kind() { + case Disabled: + return nil + case MutualTLS: + cert, err := tls.LoadX509KeyPair(i.Certificate, i.Key) + if err != nil { + return errors.Wrap(err, "error creating identity certificate") + } + tr := &http.Transport{ + TLSClientConfig: &tls.Config{ + Certificates: []tls.Certificate{cert}, + RootCAs: client.GetRootCAs(), + PreferServerCipherSuites: true, + }, + } + resp, err := client.Renew(tr) + if err != nil { + return err + } + buf := new(bytes.Buffer) + for _, crt := range resp.CertChainPEM { + block := &pem.Block{ + Type: "CERTIFICATE", + Bytes: crt.Raw, + } + if err := pem.Encode(buf, block); err != nil { + return errors.Wrap(err, "error encoding identity certificate") + } + } + if err := ioutil.WriteFile(i.Certificate, buf.Bytes(), 0600); err != nil { + return errors.Wrap(err, "error writing identity certificate") + } + return nil + default: + return errors.Errorf("unsupported identity type %s", i.Type) + } +}