Fix directory permissions.

This commit is contained in:
Mariano Cano 2019-11-20 16:03:31 -08:00 committed by max furman
parent f92bb06b6c
commit db3b795eea
2 changed files with 75 additions and 2 deletions

View file

@ -394,6 +394,25 @@ func (c *Client) retryOnError(r *http.Response) bool {
return false
}
// GetRootCAs returns the RootCAs certificate pool from the configured
// transport.
func (c *Client) GetRootCAs() *x509.CertPool {
switch t := c.client.Transport.(type) {
case *http.Transport:
if t.TLSClientConfig != nil {
return t.TLSClientConfig.RootCAs
}
return nil
case *http2.Transport:
if t.TLSClientConfig != nil {
return t.TLSClientConfig.RootCAs
}
return nil
default:
return nil
}
}
// SetTransport updates the transport of the internal HTTP client.
func (c *Client) SetTransport(tr http.RoundTripper) {
c.client.Transport = tr

View file

@ -8,6 +8,7 @@ import (
"encoding/json"
"encoding/pem"
"io/ioutil"
"net/http"
"os"
"path/filepath"
"strings"
@ -39,16 +40,29 @@ type Identity struct {
Key string `json:"key"`
}
// LoadDefaultIdentity loads the default identity.
func LoadDefaultIdentity() (*Identity, error) {
b, err := ioutil.ReadFile(IdentityFile)
if err != nil {
return nil, errors.Wrap(err, "error reading identity json")
}
identity := new(Identity)
if err := json.Unmarshal(b, &identity); err != nil {
return nil, errors.Wrapf(err, "error unmarshaling %s", IdentityFile)
}
return identity, nil
}
// WriteDefaultIdentity writes the given certificates and key and the
// identity.json pointing to the new files.
func WriteDefaultIdentity(certChain []api.Certificate, key crypto.PrivateKey) error {
base := filepath.Join(config.StepPath(), "config")
if err := os.MkdirAll(base, 0600); err != nil {
if err := os.MkdirAll(base, 0700); err != nil {
return errors.Wrap(err, "error creating config directory")
}
base = filepath.Join(config.StepPath(), "identity")
if err := os.MkdirAll(base, 0600); err != nil {
if err := os.MkdirAll(base, 0700); err != nil {
return errors.Wrap(err, "error creating identity directory")
}
@ -156,3 +170,43 @@ func (i *Identity) Options() ([]ClientOption, error) {
return nil, errors.Errorf("unsupported identity type %s", i.Type)
}
}
// Renew renews the identity certificate using the given client.
func (i *Identity) Renew(client *Client) error {
switch i.Kind() {
case Disabled:
return nil
case MutualTLS:
cert, err := tls.LoadX509KeyPair(i.Certificate, i.Key)
if err != nil {
return errors.Wrap(err, "error creating identity certificate")
}
tr := &http.Transport{
TLSClientConfig: &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: client.GetRootCAs(),
PreferServerCipherSuites: true,
},
}
resp, err := client.Renew(tr)
if err != nil {
return err
}
buf := new(bytes.Buffer)
for _, crt := range resp.CertChainPEM {
block := &pem.Block{
Type: "CERTIFICATE",
Bytes: crt.Raw,
}
if err := pem.Encode(buf, block); err != nil {
return errors.Wrap(err, "error encoding identity certificate")
}
}
if err := ioutil.WriteFile(i.Certificate, buf.Bytes(), 0600); err != nil {
return errors.Wrap(err, "error writing identity certificate")
}
return nil
default:
return errors.Errorf("unsupported identity type %s", i.Type)
}
}