certificates/examples/basic-federation/server/main.go
Mariano Cano 50d09c183b Fix example and use ClientCAs.
Server trust client certificates using ClientCAs instead of RootCAs.
2020-09-02 15:10:11 -07:00

73 lines
1.7 KiB
Go

package main
import (
"context"
"fmt"
"net/http"
"os"
"time"
"github.com/smallstep/certificates/ca"
)
func main() {
if len(os.Args) != 2 {
fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
os.Exit(1)
}
token := os.Args[1]
// make sure to cancel the renew goroutine
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
srv, err := ca.BootstrapServer(ctx, token, &http.Server{
Addr: ":8443",
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
name := "nobody"
issuer := "none"
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
name = r.TLS.PeerCertificates[0].Subject.CommonName
issuer = r.TLS.PeerCertificates[len(r.TLS.PeerCertificates)-1].Issuer.CommonName
}
w.Write([]byte(fmt.Sprintf("Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC())))
}),
}, ca.AddFederationToClientCAs(), ListTrustedRoots())
if err != nil {
panic(err)
}
fmt.Println("Listening on :8443 ...")
if err := srv.ListenAndServeTLS("", ""); err != nil {
panic(err)
}
}
// ListTrustedRoots prints list of trusted roots for illustration purposes
func ListTrustedRoots() ca.TLSOption {
fn := func(ctx *ca.TLSOptionCtx) error {
certs, err := ctx.Client.Federation()
if err != nil {
return err
}
roots, err := ctx.Client.Roots()
if err != nil {
return err
}
if len(certs.Certificates) > len(roots.Certificates) {
fmt.Println("Server is using federated root certificates")
}
for _, cert := range certs.Certificates {
fmt.Printf("Accepting certs anchored in %s\n", cert.Certificate.Subject)
}
return nil
}
return func(ctx *ca.TLSOptionCtx) error {
ctx.OnRenewFunc = append(ctx.OnRenewFunc, fn)
return fn(ctx)
}
}