diff --git a/docs/config.md b/docs/config.md index 96099827..96dd7fdc 100644 --- a/docs/config.md +++ b/docs/config.md @@ -61,7 +61,7 @@ The health configuration allows topaz to spin up a health server. - *listen_address* - string - allows the health service to spin up on the configured port (default: "0.0.0.0:9494") -- *certs* - certs.TLSCredsConfig - based on [aserto-dev/certs](https://github.com/aserto-dev/certs) package allows setting the paths of your certificate files. By default the certificates are not configured. +- *certs* - aserto.TLSConfig - based on [aserto-dev/go-aserto](https://github.com/aserto-dev/go-aserto) package allows setting the paths of your certificate files. By default the certificates are not configured. #### Metrics: @@ -70,8 +70,7 @@ The metrics configuration allows topaz to spin up a metric server. - *listen_address* - string - allows the metric service to spin up on the configured port (default: "0.0.0.0:9696") -- *certs* - certs.TLSCredsConfig - based on [aserto-dev/certs](https://github.com/aserto-dev/certs) package allows setting the paths of your certificate files. By default the certificates are not configured. -- *zpages* - bool - if enabled the metrics server will enable [zpages](https://opencensus.io/zpages/go/) on the "/debug" route +- *certs* - certs.TLSConfig - based on [aserto-dev/go-aserto](https://github.com/aserto-dev/go-aserto) package allows setting the paths of your certificate files. By default the certificates are not configured. #### Services APIs: 
@@ -84,7 +83,7 @@ The grpc section allows configuring the listen address, the connection timeout a - *fqdn* - string - optional value to set the fully qualified domain name for the service endpoint - *listen_address* - string - allows the topaz GRPC server to spin up on the requested port (default: "0.0.0.0:8282") - *connection_timeout_seconds* - uint32 - sets the timeout for a [connection establishment](https://pkg.go.dev/google.golang.org/grpc#ConnectionTimeout) (default: 120) -- *certs* - certs.TLSCredsConfig - based on [aserto-dev/certs](https://github.com/aserto-dev/certs) package allows setting the paths of your certificate files. If you do not have your certificates in the specified paths, topaz will generate self-signed certificates for you. By default topaz will generate the certificates in ` ~/.config/topaz/certs/` path +- *certs* - aserto.TLSConfig - based on [aserto-dev/go-aserto](https://github.com/aserto-dev/go-aserto) package allows setting the paths of your certificate files. If you do not have your certificates in the specified paths, topaz will generate self-signed certificates for you. By default topaz will generate the certificates in ` ~/.config/topaz/certs/` path Example: 
@@ -108,7 +107,7 @@ The gateway section allows configuring the [grpc gateway](https://github.com/grp - *fqdn* - string - optional value to set the fully qualified domain name for the service endpoint - *listen_address* - string - allows the topaz Gateway server to spin up on the requested port (default: "0.0.0.0:8383") - *http* - boolean - when set to true it allows the gateway service to respond to plain http request (default: false) -- *certs* - certs.TLSCredsConfig - based on [aserto-dev/certs](https://github.com/aserto-dev/certs) package allows setting the paths of your certificate files. If you do not have your certificates in the specified paths, topaz will generate self-signed certificates for you. By default topaz will generate the certificates in ` ~/.config/topaz/certs/` path +- *certs* - aserto.TLSConfig - based on [aserto-dev/go-aserto](https://github.com/aserto-dev/go-aserto) package allows setting the paths of your certificate files. If you do not have your certificates in the specified paths, topaz will generate self-signed certificates for you. By default topaz will generate the certificates in ` ~/.config/topaz/certs/` path - *allowed_origins* - []string - allows setting the paths for the [CORS handler](https://github.com/rs/cors) Detailed information about the gateway http server timeout configuration is available [here](https://pkg.go.dev/net/http#Server) diff --git a/go.mod b/go.mod index 9931a304..91ab0603 100644 --- a/go.mod +++ b/go.mod @@ -2,8 +2,6 @@ module github.com/aserto-dev/topaz go 1.23.3 -replace github.com/aserto-dev/certs => ./internal/pkg/certs - replace github.com/aserto-dev/service-host => ./internal/pkg/service/builder replace github.com/adrg/xdg => ./internal/pkg/xdg 
@@ -15,9 +13,9 @@ require ( github.com/aserto-dev/aserto-grpc v0.2.6 github.com/aserto-dev/aserto-management v0.9.7 github.com/aserto-dev/azm v0.1.19 - github.com/aserto-dev/certs v0.0.7 + github.com/aserto-dev/certs v0.1.0 github.com/aserto-dev/errors v0.0.11 - github.com/aserto-dev/go-aserto v0.33.0 + github.com/aserto-dev/go-aserto v0.33.1 github.com/aserto-dev/go-authorizer v0.20.11 github.com/aserto-dev/go-directory v0.31.14 github.com/aserto-dev/go-edge-ds v0.32.12 @@ -61,8 +59,8 @@ require ( github.com/testcontainers/testcontainers-go v0.34.0 golang.org/x/sync v0.9.0 golang.org/x/sys v0.27.0 - google.golang.org/grpc v1.67.1 - google.golang.org/protobuf v1.35.1 + google.golang.org/grpc v1.68.0 + google.golang.org/protobuf v1.35.2 gopkg.in/natefinch/lumberjack.v2 v2.2.1 ) @@ -82,7 +80,7 @@ require ( github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect - github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 // indirect + github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect github.com/containerd/containerd v1.7.22 // indirect github.com/containerd/errdefs v0.2.0 // indirect github.com/containerd/log v0.1.0 // indirect diff --git a/go.sum b/go.sum index 4dc7bd19..14be9479 100644 --- a/go.sum +++ b/go.sum 
@@ -415,10 +415,12 @@ github.com/aserto-dev/aserto-management v0.9.7 h1:nT7hu1BUEz9LMZ9vthEf9ML2blO+Ak github.com/aserto-dev/aserto-management v0.9.7/go.mod h1:ErZ4BGsYkAt1IhQVEgs6Cuhzn+UGA0tuNVUmKeA+twk= github.com/aserto-dev/azm v0.1.19 h1:pFHNzUhNeg5vKjpXsFnQGfKBbIsBra5Jb+hJt5ohpaQ= github.com/aserto-dev/azm v0.1.19/go.mod h1:uxUKXGA6d41ZbJBfEu+/PwXGLuI3tErKkH7VPZHDcX4= +github.com/aserto-dev/certs v0.1.0 h1:eklyoGdondx0uowVpY3+Oifz+Bhe615Ls5I6oWJrq34= +github.com/aserto-dev/certs v0.1.0/go.mod h1:xWtPdSkBGgXnBXUUDUg5OD4SdFKiEOtVwkDlDIWMtTM= github.com/aserto-dev/errors v0.0.11 h1:CXo+Uwmh09doG2HvL1SC8Fnne8f9VPrGyEQPtogAfyY= github.com/aserto-dev/errors v0.0.11/go.mod h1:T1YQOtcxpgBriPTn5HXJkD/QukYz5YojYOIzGMo0ybM= -github.com/aserto-dev/go-aserto v0.33.0 h1:seloEPmdLY53pxykbenFZV7K+BumP1KVj5ZGrc1GjeU= -github.com/aserto-dev/go-aserto v0.33.0/go.mod h1:t2qs6Q7pXlMkKh5MhbssKDbGb62f36Q6Bj3QDXww31s= +github.com/aserto-dev/go-aserto v0.33.1 h1:oFTlatM7+mq2grD/ut+ff0v7CjCV6YenKd6XWJbonbE= +github.com/aserto-dev/go-aserto v0.33.1/go.mod h1:t2qs6Q7pXlMkKh5MhbssKDbGb62f36Q6Bj3QDXww31s= github.com/aserto-dev/go-authorizer v0.20.11 h1:OaYJwyljt2yBuDtIiMl1mqjyMU0dUuv1eZsBNHo4+O4= github.com/aserto-dev/go-authorizer v0.20.11/go.mod h1:iwVdTU2xOrNW0TZ+UWX+Mn2hgR2Lj1XmKgei0tt5pbY= github.com/aserto-dev/go-decision-logs v0.1.2 h1:f26bgKDIroNeN71+Ot2AXfCAtausNcBykF94RWP5I0I= 
@@ -476,8 +478,8 @@ github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20 h1:N+3sFI5GUjRKBi+i0TxYVST9h4Ie192jJWpHvthBBgg= -github.com/cncf/xds/go v0.0.0-20240723142845-024c85f92f20/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI= +github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0= github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE= 
@@ -1513,8 +1515,8 @@ google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCD google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI= google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww= -google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= -google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= +google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0= +google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 
@@ -1531,8 +1533,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= diff --git a/go.work b/go.work index cdaab8ab..40b3e113 100644 --- a/go.work +++ b/go.work @@ -2,7 +2,6 @@ go 1.23.3 use ( . - ./internal/pkg/certs ./internal/pkg/service/builder ./internal/pkg/xdg ) diff --git a/internal/pkg/certs/certs.go b/internal/pkg/certs/certs.go deleted file mode 100644 index b5f337c4..00000000 --- a/internal/pkg/certs/certs.go +++ /dev/null 
@@ -1,268 +0,0 @@ -package certs - -import ( - "bytes" - "crypto/rand" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/pem" - "math/big" - "net" - "os" - "path/filepath" - "time" - - "github.com/pkg/errors" - "github.com/rs/zerolog" -) - -// Generator generates certs without any external dependencies. -type Generator struct { - logger *zerolog.Logger -} - -// CertGenConfig contains details about how cert generation should happen. -type CertGenConfig struct { - CommonName string - CertKeyPath string - CertPath string - CACertPath string - DNSNames []string -} - -// NewGenerator creates a new cert generator. -func NewGenerator(logger *zerolog.Logger) *Generator { - log := logger.With().Str("component", "cert-generator").Logger() - return &Generator{ - logger: &log, - } -} - -// MakeDevCert creates a development certificate request and private key. -// It persists it in the work dir and returns the CSR. -// nolint: funlen -func (c *Generator) MakeDevCert(genConfig *CertGenConfig) error { - c.logger.Info().Str("common-name", genConfig.CommonName).Str("cert-path", genConfig.CertPath).Msg("generating certificate") - c.logger.Info().Str("common-name", genConfig.CommonName).Str("key-path", genConfig.CertKeyPath).Msg("generating certificate") - c.logger.Info().Str("common-name", genConfig.CommonName).Str("ca-cert-path", genConfig.CACertPath).Msg("generating certificate") - - if genConfig.CertPath == "" || genConfig.CertKeyPath == "" || genConfig.CACertPath == "" { - c.logger.Warn().Msg("cert path not set, certificate generation SKIPPED") - return nil - } - - err := c.checkDir(genConfig) - if err != nil { - return errors.Wrap(err, "directory verification returned an error") - } - - c.logger.Info().Str("common-name", genConfig.CommonName).Str("file", genConfig.CACertPath).Msg("generating ca certificate") - - serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) - serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) - if err != nil { - return 
errors.Wrap(err, "failed to generate serial number") - } - - ca := &x509.Certificate{ - SerialNumber: serialNumber, - Subject: pkix.Name{ - Organization: []string{"Aserto, Inc."}, - Country: []string{"US"}, - Province: []string{"WA"}, - Locality: []string{"Seattle"}, - StreetAddress: []string{"-"}, - PostalCode: []string{"-"}, - CommonName: genConfig.CommonName + "-ca", - }, - NotBefore: time.Now(), - NotAfter: time.Now().AddDate(1, 0, 0), - IsCA: true, - BasicConstraintsValid: true, - KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - } - - caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) - if err != nil { - return err - } - caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey) - if err != nil { - return err - } - - caPEM := new(bytes.Buffer) - err = pem.Encode(caPEM, &pem.Block{ - Type: "CERTIFICATE", - Bytes: caBytes, - }) - if err != nil { - return errors.Wrap(err, "failed to encode cert") - } - - caPrivKeyPEM := new(bytes.Buffer) - err = pem.Encode(caPrivKeyPEM, &pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey), - }) - if err != nil { - return errors.Wrap(err, "failed to encode key") - } - - ipAddresses := []net.IP{net.IPv4(127, 0, 0, 1), net.IPv4(0, 0, 0, 0), net.IPv6loopback} - dnsNames := []string{} - - for _, h := range getDNSNames(genConfig.DNSNames) { - if ip := net.ParseIP(h); ip != nil { - ipAddresses = append(ipAddresses, ip) - } else { - dnsNames = append(dnsNames, h) - } - } - - cert := &x509.Certificate{ - SerialNumber: big.NewInt(1658), - Subject: pkix.Name{ - Organization: []string{"Aserto, Inc."}, - Country: []string{"US"}, - Province: []string{"WA"}, - Locality: []string{"Seattle"}, - StreetAddress: []string{"-"}, - PostalCode: []string{"-"}, - CommonName: genConfig.CommonName, - }, - DNSNames: dnsNames, - IPAddresses: ipAddresses, - NotBefore: time.Now(), - NotAfter: 
time.Now().AddDate(1, 0, 0), - SubjectKeyId: []byte{1, 2, 3, 4, 6}, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, - KeyUsage: x509.KeyUsageDigitalSignature, - } - - certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096) - if err != nil { - return err - } - - c.logger.Info().Str("common-name", genConfig.CommonName).Str("cert-file", genConfig.CertPath).Msg("signing certificate") - c.logger.Info().Str("common-name", genConfig.CommonName).Str("key-file", genConfig.CertKeyPath).Msg("signing certificate") - - return c.signCerts(genConfig, cert, ca, certPrivKey, caPrivKey, caPEM) -} - -func (c *Generator) signCerts(genConfig *CertGenConfig, cert, ca *x509.Certificate, certPrivKey, caPrivKey *rsa.PrivateKey, caPEM *bytes.Buffer) error { - c.logger.Info().Str("common-name", genConfig.CommonName).Str("cert-file", genConfig.CertPath).Msg("signing certificate") - c.logger.Info().Str("common-name", genConfig.CommonName).Str("key-file", genConfig.CertKeyPath).Msg("signing certificate") - - certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey) - if err != nil { - return err - } - - certPEM := new(bytes.Buffer) - err = pem.Encode(certPEM, &pem.Block{ - Type: "CERTIFICATE", - Bytes: certBytes, - }) - if err != nil { - return errors.Wrap(err, "failed to encode cert") - } - - certPrivKeyPEM := new(bytes.Buffer) - err = pem.Encode(certPrivKeyPEM, &pem.Block{ - Type: "RSA PRIVATE KEY", - Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey), - }) - if err != nil { - return errors.Wrap(err, "failed to encode key") - } - - err = writeFile( - genConfig.CACertPath, - caPEM.Bytes(), - ) - if err != nil { - return errors.Wrap(err, "failed to write ca cert") - } - - err = writeFile( - genConfig.CertKeyPath, - certPrivKeyPEM.Bytes(), - ) - if err != nil { - return errors.Wrap(err, "failed to write key") - } - - err = writeFile( - genConfig.CertKeyPath, - certPrivKeyPEM.Bytes(), - ) - if err != nil { - return 
errors.Wrap(err, "failed to write key") - } - - err = writeFile( - genConfig.CertPath, - certPEM.Bytes(), - ) - if err != nil { - return errors.Wrap(err, "failed to write key") - } - - return nil -} - -func writeFile(file string, contents []byte) error { - fo, err := os.Create(file) - if err != nil { - return errors.Wrapf(err, "failed to open cert file '%s' for writing", file) - } - defer func() { - err = fo.Close() - if err != nil { - err = errors.Wrapf(err, "failed to close cert file '%s'", file) - } - }() - - _, err = fo.Write(contents) - if err != nil { - return errors.Wrapf(err, "failed to write cert contents to file '%s'", file) - } - - return err -} - -func getDNSNames(setNames []string) []string { - // if DNSNames specified use only the specified DNS Names list - if len(setNames) > 0 { - return setNames - } - - dnsNames := []string{"localhost"} - hostname, err := os.Hostname() - if err == nil { - // If there's a hostname for the local machine, add it to the cert's DNS names. - dnsNames = append(dnsNames, hostname) - } - - return dnsNames -} - -func (c *Generator) checkDir(genConfig *CertGenConfig) error { - certDir := filepath.Dir(genConfig.CertPath) - keyDir := filepath.Dir(genConfig.CertKeyPath) - caCertDir := filepath.Dir(genConfig.CACertPath) - - if certDir != keyDir || certDir != caCertDir { - return errors.New("output directory for all configured certificates and keys must be the same") - } - - if err := os.MkdirAll(certDir, 0o777); err != nil { - return errors.Wrapf(err, "failed to create certs directory %q", certDir) - } - - return nil -} diff --git a/internal/pkg/certs/go.mod b/internal/pkg/certs/go.mod deleted file mode 100644 index 7924de09..00000000 --- a/internal/pkg/certs/go.mod +++ /dev/null 
@@ -1,18 +0,0 @@ -module github.com/aserto-dev/certs - -go 1.21 - -require ( - github.com/pkg/errors v0.9.1 - github.com/rs/zerolog v1.33.0 - google.golang.org/grpc v1.67.1 -) - -require ( - github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.20 // indirect - golang.org/x/net v0.31.0 // indirect - golang.org/x/sys v0.27.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect - google.golang.org/protobuf v1.35.1 // indirect -) diff --git a/internal/pkg/certs/go.sum b/internal/pkg/certs/go.sum deleted file mode 100644 index 4dd13e61..00000000 --- a/internal/pkg/certs/go.sum +++ /dev/null 
@@ -1,30 +0,0 @@ -github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= -github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= -github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= -github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= -github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8= -github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= -golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text 
v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= -google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= -google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= -google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA= -google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= diff --git a/internal/pkg/certs/tls.go b/internal/pkg/certs/tls.go deleted file mode 100644 index a6839e82..00000000 --- a/internal/pkg/certs/tls.go +++ /dev/null 
@@ -1,82 +0,0 @@ -package certs - -import ( - "crypto/tls" - "crypto/x509" - "os" - - "github.com/pkg/errors" - "google.golang.org/grpc/credentials" -) - -// TLSCredsConfig contains paths to certificates. -type TLSCredsConfig struct { - TLSCertPath string `json:"tls_cert_path"` - TLSKeyPath string `json:"tls_key_path"` - TLSCACertPath string `json:"tls_ca_cert_path"` -} - -func (c *TLSCredsConfig) NoTLS() bool { - return (c == nil || c.TLSCertPath == "" || c.TLSKeyPath == "" || c.TLSCACertPath == "") -} - -func (c *TLSCredsConfig) TLS() bool { - return !c.NoTLS() -} - -// GRPCServerTLSCreds gets TLS credentials for a GRPC server. -func GRPCServerTLSCreds(config TLSCredsConfig) (credentials.TransportCredentials, error) { - certificate, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath) - if err != nil { - return nil, errors.Wrapf(err, "failed to load GRPC certs") - } - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{certificate}, - MinVersion: tls.VersionTLS12, - } - - return credentials.NewTLS(tlsConfig), nil -} - -// GatewayAsClientTLSCreds returns transport credentials so an HTTP gateway can connect to the GRPC server. 
-func GatewayAsClientTLSCreds(config TLSCredsConfig) (credentials.TransportCredentials, error) { - certPool := x509.NewCertPool() - caCertBytes, err := os.ReadFile(config.TLSCACertPath) - if err != nil { - return nil, errors.Wrapf(err, "failed to read ca cert: %s", config.TLSCACertPath) - } - - ok := certPool.AppendCertsFromPEM(caCertBytes) - if !ok { - return nil, errors.Wrap(err, "failed to append client ca cert: %s") - } - - certificate, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath) - if err != nil { - return nil, errors.Wrap(err, "could not load server key pair") - } - - clientCreds := credentials.NewTLS(&tls.Config{ - Certificates: []tls.Certificate{certificate}, - RootCAs: certPool, - MinVersion: tls.VersionTLS12, - }) - - return clientCreds, nil -} - -// GatewayServerTLSConfig returns a TLS config for the gateway server. -func GatewayServerTLSConfig(config TLSCredsConfig) (*tls.Config, error) { - certificate, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath) - if err != nil { - return nil, errors.Wrapf(err, "failed to load gateway certs") - } - - tlsConfig := &tls.Config{ - Certificates: []tls.Certificate{certificate}, - MinVersion: tls.VersionTLS12, - } - - return tlsConfig, nil -} diff --git a/internal/pkg/service/builder/go.mod b/internal/pkg/service/builder/go.mod index c3e2a973..68e5e75c 100644 --- a/internal/pkg/service/builder/go.mod +++ b/internal/pkg/service/builder/go.mod @@ -5,7 +5,7 @@ go 1.23 toolchain go1.23.2 require ( - github.com/aserto-dev/certs v0.0.7 + github.com/aserto-dev/go-aserto v0.33.1 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 
@@ -21,10 +21,14 @@ require ( ) require ( + github.com/aserto-dev/header v0.0.8 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 // indirect + github.com/hashicorp/errwrap v1.0.0 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/klauspost/compress v1.17.11 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect @@ -33,6 +37,7 @@ require ( github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/common v0.60.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect + github.com/samber/lo v1.47.0 // indirect golang.org/x/net v0.31.0 // indirect golang.org/x/sys v0.27.0 // indirect golang.org/x/text v0.20.0 // indirect diff --git a/internal/pkg/service/builder/go.sum b/internal/pkg/service/builder/go.sum index 8dde48fb..6a12b235 100644 --- a/internal/pkg/service/builder/go.sum +++ b/internal/pkg/service/builder/go.sum @@ -1,5 +1,7 @@ -github.com/aserto-dev/certs v0.0.7 h1:WsFrHywNE88tgUeDJ2FsV+mgy46QFQvCIYm7c5TNIKE= -github.com/aserto-dev/certs v0.0.7/go.mod h1:aguR/vIf6cag3O7vaYpJ4Jt1+1DJehBC2Uzto9gxXv8= +github.com/aserto-dev/go-aserto v0.33.1 h1:oFTlatM7+mq2grD/ut+ff0v7CjCV6YenKd6XWJbonbE= +github.com/aserto-dev/go-aserto v0.33.1/go.mod h1:t2qs6Q7pXlMkKh5MhbssKDbGb62f36Q6Bj3QDXww31s= +github.com/aserto-dev/header v0.0.8 h1:T052WblWFZ/5Mg3MphHylE3sZobdIQpdj5cP3sPMhL8= +github.com/aserto-dev/header v0.0.8/go.mod h1:wmWm+omABTWf6QRRmw9yOdvgTstk/vYDqIA1duR8Pus= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= 
@@ -14,6 +16,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 h1:qnpSQwGEnkcRpTqNOIR6bJbR0gAorgP9CSALpRcKoAA= github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1/go.mod h1:lXGCsh6c22WGtjr+qGHj1otzZpV/1kwTMAqkwZsnWRU= github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.1.0 h1:pRhl55Yx1eC7BZ1N+BBWwnKaMyD8uC+34TLdndZMAKk= @@ -22,6 +26,10 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92Bcuy github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0 h1:ad0vkEBuk23VJzZR9nkLVG0YAoN9coASF1GusYX6AlU= github.com/grpc-ecosystem/grpc-gateway/v2 v2.23.0/go.mod h1:igFoXX2ELCW06bol23DWPB5BEWfZISOzSP5K2sbLea0= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc= github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= 
@@ -51,6 +59,8 @@ github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg= github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8= github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss= +github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= +github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= github.com/slok/go-http-metrics v0.13.0 h1:lQDyJJx9wKhmbliyUsZ2l6peGnXRHjsjoqPt5VYzcP8= github.com/slok/go-http-metrics v0.13.0/go.mod h1:HIr7t/HbN2sJaunvnt9wKP9xoBBVZFo1/KiHU3b0w+4= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= diff --git a/internal/pkg/service/builder/health.go b/internal/pkg/service/builder/health.go index cce3b66b..79007118 100644 --- a/internal/pkg/service/builder/health.go +++ b/internal/pkg/service/builder/health.go @@ -1,7 +1,7 @@ package builder import ( - "github.com/aserto-dev/certs" + "github.com/aserto-dev/go-aserto" "google.golang.org/grpc" "google.golang.org/grpc/health" @@ -16,7 +16,7 @@ type Health struct { } // newGRPCHealthServer creates a new HealthServer. -func newGRPCHealthServer(certCfg *certs.TLSCredsConfig) *Health { +func newGRPCHealthServer(certCfg *aserto.TLSConfig) *Health { healthServer := health.NewServer() grpcHealthServer, err := prepareGrpcServer(certCfg, nil) diff --git a/internal/pkg/service/builder/service.go b/internal/pkg/service/builder/service.go index e6254ac3..3beabe80 100644 --- a/internal/pkg/service/builder/service.go +++ b/internal/pkg/service/builder/service.go @@ -6,7 +6,7 @@ import ( "net/http" "time" - "github.com/aserto-dev/certs" + "github.com/aserto-dev/go-aserto" "github.com/grpc-ecosystem/grpc-gateway/v2/runtime" "google.golang.org/grpc" 
@@ -33,7 +33,7 @@ type Server struct { type Gateway struct { Server *http.Server Mux *http.ServeMux - Certs *certs.TLSCredsConfig + Certs *aserto.TLSConfig } type API struct { @@ -43,21 +43,21 @@ type API struct { ListenAddress string `json:"listen_address"` // Default connection timeout is 120 seconds // https://godoc.org/google.golang.org/grpc#ConnectionTimeout - ConnectionTimeoutSeconds uint32 `json:"connection_timeout_seconds"` - Certs certs.TLSCredsConfig `json:"certs"` + ConnectionTimeoutSeconds uint32 `json:"connection_timeout_seconds"` + Certs aserto.TLSConfig `json:"certs"` } `json:"grpc"` Gateway struct { - FQDN string `json:"fqdn"` - ListenAddress string `json:"listen_address"` - AllowedOrigins []string `json:"allowed_origins"` - AllowedHeaders []string `json:"allowed_headers"` - AllowedMethods []string `json:"allowed_methods"` - Certs certs.TLSCredsConfig `json:"certs"` - HTTP bool `json:"http"` - ReadTimeout time.Duration `json:"read_timeout"` - ReadHeaderTimeout time.Duration `json:"read_header_timeout"` - WriteTimeout time.Duration `json:"write_timeout"` - IdleTimeout time.Duration `json:"idle_timeout"` + FQDN string `json:"fqdn"` + ListenAddress string `json:"listen_address"` + AllowedOrigins []string `json:"allowed_origins"` + AllowedHeaders []string `json:"allowed_headers"` + AllowedMethods []string `json:"allowed_methods"` + Certs aserto.TLSConfig `json:"certs"` + HTTP bool `json:"http"` + ReadTimeout time.Duration `json:"read_timeout"` + ReadHeaderTimeout time.Duration `json:"read_header_timeout"` + WriteTimeout time.Duration `json:"write_timeout"` + IdleTimeout time.Duration `json:"idle_timeout"` } `json:"gateway"` } diff --git a/internal/pkg/service/builder/service_factory.go b/internal/pkg/service/builder/service_factory.go index 7c24f1fa..594389e3 100644 --- a/internal/pkg/service/builder/service_factory.go +++ b/internal/pkg/service/builder/service_factory.go 
@@ -7,7 +7,7 @@ import ( "net/http" "strconv" - "github.com/aserto-dev/certs" + "github.com/aserto-dev/go-aserto" "github.com/grpc-ecosystem/grpc-gateway/v2/runtime" "github.com/pkg/errors" @@ -109,8 +109,8 @@ func (f *ServiceFactory) prepareGateway(config *API, gatewayOpts *GatewayOptions runtimeMux := f.gatewayMux(config.Gateway.AllowedHeaders, gatewayOpts.ErrorHandler) opts := []grpc.DialOption{} - if config.GRPC.Certs.TLS() { - tlsCreds, err := certs.GatewayAsClientTLSCreds(config.GRPC.Certs) + if TLS(&config.GRPC.Certs) { + tlsCreds, err := config.GRPC.Certs.ClientCredentials(true) if err != nil { return Gateway{}, errors.Wrapf(err, "failed to get TLS credentials") } @@ -141,12 +141,12 @@ func (f *ServiceFactory) prepareGateway(config *API, gatewayOpts *GatewayOptions IdleTimeout: config.Gateway.IdleTimeout, } - if config.Gateway.Certs.NoTLS() { + if NoTLS(&config.Gateway.Certs) { config.Gateway.HTTP = true } if !config.Gateway.HTTP { - tlsServerConfig, err := certs.GatewayServerTLSConfig(config.Gateway.Certs) + tlsServerConfig, err := config.Gateway.Certs.ServerConfig() if err != nil { return Gateway{Server: gtwServer, Mux: mux, Certs: &config.Gateway.Certs}, err } @@ -234,15 +234,15 @@ func httpResponseModifier(ctx context.Context, w http.ResponseWriter, p proto.Me } // prepareGrpcServer provides a new grpc server with the provided grpc.ServerOptions using the provided certificates. -func prepareGrpcServer(certCfg *certs.TLSCredsConfig, opts []grpc.ServerOption) (*grpc.Server, error) { +func prepareGrpcServer(certCfg *aserto.TLSConfig, opts []grpc.ServerOption) (*grpc.Server, error) { // NoTLS path. - if certCfg.NoTLS() { + if NoTLS(certCfg) { opts = append(opts, grpc.Creds(insecure.NewCredentials())) return grpc.NewServer(opts...), nil } // TLS path. - tlsCreds, err := certs.GRPCServerTLSCreds(*certCfg) + tlsCreds, err := certCfg.ServerCredentials() if err != nil { return nil, errors.Wrapf(err, "failed to get TLS credentials") } 
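Review bot: In prepareGrpcServer the `NoTLS(certCfg)` branch installs `insecure.NewCredentials()` whenever any one of CA, Cert or Key is empty, so a config that sets a certificate and key but omits the CA path silently starts a plaintext gRPC listener instead of reporting a misconfiguration; whether the former `certCfg.NoTLS()` behaved the same is not visible here. The same fail-open appears in `SetupMetricsServer` (`if NoTLS(certCfg)`), in `StartServers` (`if NoTLS(httpServer.Certs)`), in prepareGateway (`NoTLS(&config.Gateway.Certs)` forcing `config.Gateway.HTTP = true`), and in setupCerts, where `builder.TLS(&config.GRPC.Certs)` skips dev-cert generation for such a partial config. A partially filled config should be rejected before the plaintext fallback, e.g. in prepareGrpcServer: `if certCfg != nil && NoTLS(certCfg) && (certCfg.CA != "" || certCfg.Cert != "" || certCfg.Key != "") {` / `return nil, errors.New("incomplete TLS configuration: ca, cert and key must all be set")` / `}`, or a shared `Partial` helper next to `NoTLS` so every caller applies the same rule.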
diff --git a/internal/pkg/service/builder/service_manager.go b/internal/pkg/service/builder/service_manager.go index 80e067bd..94e58c6a 100644 --- a/internal/pkg/service/builder/service_manager.go +++ b/internal/pkg/service/builder/service_manager.go @@ -7,7 +7,7 @@ import ( "reflect" "time" - "github.com/aserto-dev/certs" + "github.com/aserto-dev/go-aserto" grpc_prometheus "github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus" go_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus" @@ -59,7 +59,7 @@ func (s *ServiceManager) AddGRPCServer(server *Server) error { return nil } -func (s *ServiceManager) SetupHealthServer(address string, certCfg *certs.TLSCredsConfig) error { +func (s *ServiceManager) SetupHealthServer(address string, certCfg *aserto.TLSConfig) error { healthServer := newGRPCHealthServer(certCfg) healthServer.Address = address @@ -75,7 +75,7 @@ func (s *ServiceManager) SetupHealthServer(address string, certCfg *certs.TLSCre return nil } -func (s *ServiceManager) SetupMetricsServer(address string, certCfg *certs.TLSCredsConfig, enableZpages bool) ([]grpc.ServerOption, +func (s *ServiceManager) SetupMetricsServer(address string, certCfg *aserto.TLSConfig, enableZpages bool) ([]grpc.ServerOption, error, ) { metric := http.Server{ @@ -105,11 +105,11 @@ func (s *ServiceManager) SetupMetricsServer(address string, certCfg *certs.TLSCr s.logger.Info().Msgf("Starting %s metric server", address) - if certCfg.NoTLS() { + if NoTLS(certCfg) { s.errGroup.Go(metric.ListenAndServe) } else { s.errGroup.Go(func() error { - return metric.ListenAndServeTLS(certCfg.TLSCertPath, certCfg.TLSKeyPath) + return metric.ListenAndServeTLS(certCfg.Cert, certCfg.Key) }) } 
@@ -163,14 +163,14 @@ func (s *ServiceManager) StartServers(ctx context.Context) error { if httpServer.Server != nil { s.errGroup.Go(func() error { s.logger.Info().Msgf("Starting %s gateway server", httpServer.Server.Addr) - if httpServer.Certs.NoTLS() { + if NoTLS(httpServer.Certs) { err := httpServer.Server.ListenAndServe() if err != nil { return err } } - if httpServer.Certs.TLS() { - err := httpServer.Server.ListenAndServeTLS(httpServer.Certs.TLSCertPath, httpServer.Certs.TLSKeyPath) + if TLS(httpServer.Certs) { + err := httpServer.Server.ListenAndServeTLS(httpServer.Certs.Cert, httpServer.Certs.Key) if err != nil { return err } diff --git a/internal/pkg/service/builder/tls.go b/internal/pkg/service/builder/tls.go new file mode 100644 index 00000000..bab95780 --- /dev/null +++ b/internal/pkg/service/builder/tls.go @@ -0,0 +1,11 @@ +package builder + +import "github.com/aserto-dev/go-aserto" + +func NoTLS(cfg *aserto.TLSConfig) bool { + return (cfg == nil || cfg.CA == "" || cfg.Key == "" || cfg.Cert == "") +} + +func TLS(cfg *aserto.TLSConfig) bool { + return !NoTLS(cfg) +} diff --git a/pkg/app/authorizer.go b/pkg/app/authorizer.go index 6c28574b..7c19c4d0 100644 --- a/pkg/app/authorizer.go +++ b/pkg/app/authorizer.go @@ -5,7 +5,6 @@ import ( "net/http" "strconv" - "github.com/aserto-dev/certs" authz "github.com/aserto-dev/go-authorizer/aserto/authorizer/v2" azOpenAPI "github.com/aserto-dev/openapi-authorizer/publish/authorizer" builder "github.com/aserto-dev/service-host" @@ -33,8 +32,8 @@ const ( ) func NewAuthorizer(ctx context.Context, cfg *builder.API, commonConfig *config.Common, authorizerOpts []grpc.ServerOption, logger *zerolog.Logger) (ServiceTypes, error) { - if cfg.GRPC.Certs.TLS() { - tlsCreds, err := certs.GRPCServerTLSCreds(cfg.GRPC.Certs) + if builder.TLS(&cfg.GRPC.Certs) { + tlsCreds, err := cfg.GRPC.Certs.ServerCredentials() if err != nil { return nil, errors.Wrap(err, "failed to calculate tls config") } 
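Review bot: `NoTLS` and `TLS` in the new tls.go are exported without doc comments, and their contract — TLS is considered configured only when all three of CA, Cert and Key are set — is exactly what callers in service_factory.go and service_manager.go rely on. Suggest `// NoTLS reports whether cfg is nil or any of its CA, Cert or Key paths is empty; callers start plaintext listeners in that case.` and `// TLS reports whether cfg has all of CA, Cert and Key set.` The outer parentheses in `return (cfg == nil || ...)` are redundant; `return cfg == nil || cfg.CA == "" || cfg.Key == "" || cfg.Cert == ""` reads the same. If the CA path is only consumed on the client side (presumably by `ClientCredentials`), requiring it here means a server with only a certificate and key never gets TLS enabled; confirm that is intended and state it in the comment.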
diff --git a/pkg/app/console.go b/pkg/app/console.go index b23d913a..760d062b 100644 --- a/pkg/app/console.go +++ b/pkg/app/console.go @@ -111,7 +111,7 @@ func getGatewayAddress(serviceConfig *builder.API) string { } addr := serviceAddress(serviceConfig.Gateway.ListenAddress) - if serviceConfig.Gateway.Certs.NoTLS() { + if builder.NoTLS(&serviceConfig.Gateway.Certs) { serviceConfig.Gateway.HTTP = true } diff --git a/pkg/cc/config/config.go b/pkg/cc/config/config.go index 9ffde834..25d0aa11 100644 --- a/pkg/cc/config/config.go +++ b/pkg/cc/config/config.go @@ -30,13 +30,13 @@ const ( type ServicesConfig struct { Health struct { - ListenAddress string `json:"listen_address"` - Certificates *certs.TLSCredsConfig `json:"certs"` + ListenAddress string `json:"listen_address"` + Certificates *client.TLSConfig `json:"certs"` } `json:"health"` Metrics struct { - ListenAddress string `json:"listen_address"` - Certificates *certs.TLSCredsConfig `json:"certs"` - ZPages bool `json:"zpages"` + ListenAddress string `json:"listen_address"` + Certificates *client.TLSConfig `json:"certs"` + ZPages bool `json:"zpages"` } `json:"metrics"` Services map[string]*builder.API `json:"services"` } @@ -180,12 +180,12 @@ func (c *Config) setupCerts(log *zerolog.Logger, certsGenerator *certs.Generator existingFiles := []string{} for serviceName, config := range c.APIConfig.Services { for _, file := range []string{ - config.GRPC.Certs.TLSCACertPath, - config.GRPC.Certs.TLSCertPath, - config.GRPC.Certs.TLSKeyPath, - config.Gateway.Certs.TLSCACertPath, - config.Gateway.Certs.TLSCertPath, - config.Gateway.Certs.TLSKeyPath, + config.GRPC.Certs.CA, + config.GRPC.Certs.Cert, + config.GRPC.Certs.Key, + config.Gateway.Certs.CA, + config.Gateway.Certs.Cert, + config.Gateway.Certs.Key, } { exists, err := FileExists(file) if err != nil { 
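Review bot: The `Health.Certificates` and `Metrics.Certificates` fields in config.go are typed `*client.TLSConfig`, while every other file in this change uses `aserto.TLSConfig`, and `SetupHealthServer`/`SetupMetricsServer` take `*aserto.TLSConfig`. That only compiles if `client.TLSConfig` is an alias for the same type, which is not visible in this diff; even if it is, naming one type two ways in a single change invites drift and makes the docs in this commit (which say `aserto.TLSConfig` for health and `certs.TLSConfig` for metrics) harder to keep straight. Suggest typing both fields as `*aserto.TLSConfig` to match the builder package, with the corresponding import. The `ServicesConfig` struct is otherwise unchanged.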
@@ -200,12 +200,12 @@ func (c *Config) setupCerts(log *zerolog.Logger, certsGenerator *certs.Generator } if len(existingFiles) == 0 { - if config.GRPC.Certs.TLS() { + if builder.TLS(&config.GRPC.Certs) { err := certsGenerator.MakeDevCert(&certs.CertGenConfig{ CommonName: fmt.Sprintf("%s-grpc", commonName), - CertKeyPath: config.GRPC.Certs.TLSKeyPath, - CertPath: config.GRPC.Certs.TLSCertPath, - CACertPath: config.GRPC.Certs.TLSCACertPath, + CertKeyPath: config.GRPC.Certs.Key, + CertPath: config.GRPC.Certs.Cert, + CertCAPath: config.GRPC.Certs.CA, }) if err != nil { return errors.Wrapf(err, "failed to generate grpc certs (%s)", serviceName) @@ -213,12 +213,12 @@ func (c *Config) setupCerts(log *zerolog.Logger, certsGenerator *certs.Generator log.Info().Str("service", serviceName).Msg("gRPC certs configured") } - if config.Gateway.Certs.TLS() { + if builder.TLS(&config.Gateway.Certs) { err := certsGenerator.MakeDevCert(&certs.CertGenConfig{ CommonName: fmt.Sprintf("%s-gateway", commonName), - CertKeyPath: config.Gateway.Certs.TLSKeyPath, - CertPath: config.Gateway.Certs.TLSCertPath, - CACertPath: config.Gateway.Certs.TLSCACertPath, + CertKeyPath: config.Gateway.Certs.Key, + CertPath: config.Gateway.Certs.Cert, + CertCAPath: config.Gateway.Certs.CA, }) if err != nil { return errors.Wrapf(err, "failed to generate gateway certs (%s)", serviceName) diff --git a/pkg/cc/config/loader.go b/pkg/cc/config/loader.go index 11171a85..7cf0edc7 100644 --- a/pkg/cc/config/loader.go +++ b/pkg/cc/config/loader.go 
@@ -98,26 +98,26 @@ func (l *Loader) GetPaths() ([]string, error) { paths[l.Configuration.Edge.DBPath] = true } if l.Configuration.APIConfig.Health.Certificates != nil { - if l.Configuration.APIConfig.Health.Certificates.TLSCACertPath != "" { - paths[l.Configuration.APIConfig.Health.Certificates.TLSCACertPath] = true + if l.Configuration.APIConfig.Health.Certificates.CA != "" { + paths[l.Configuration.APIConfig.Health.Certificates.CA] = true } - if l.Configuration.APIConfig.Health.Certificates.TLSCertPath != "" { - paths[l.Configuration.APIConfig.Health.Certificates.TLSCertPath] = true + if l.Configuration.APIConfig.Health.Certificates.Cert != "" { + paths[l.Configuration.APIConfig.Health.Certificates.Cert] = true } - if l.Configuration.APIConfig.Health.Certificates.TLSKeyPath != "" { - paths[l.Configuration.APIConfig.Health.Certificates.TLSKeyPath] = true + if l.Configuration.APIConfig.Health.Certificates.Key != "" { + paths[l.Configuration.APIConfig.Health.Certificates.Key] = true } } if l.Configuration.APIConfig.Metrics.Certificates != nil { - if l.Configuration.APIConfig.Metrics.Certificates.TLSCACertPath != "" { - paths[l.Configuration.APIConfig.Metrics.Certificates.TLSCACertPath] = true + if l.Configuration.APIConfig.Metrics.Certificates.CA != "" { + paths[l.Configuration.APIConfig.Metrics.Certificates.CA] = true } - if l.Configuration.APIConfig.Metrics.Certificates.TLSCertPath != "" { - paths[l.Configuration.APIConfig.Metrics.Certificates.TLSCertPath] = true + if l.Configuration.APIConfig.Metrics.Certificates.Cert != "" { + paths[l.Configuration.APIConfig.Metrics.Certificates.Cert] = true } - if l.Configuration.APIConfig.Metrics.Certificates.TLSKeyPath != "" { - paths[l.Configuration.APIConfig.Metrics.Certificates.TLSKeyPath] = true + if l.Configuration.APIConfig.Metrics.Certificates.Key != "" { + paths[l.Configuration.APIConfig.Metrics.Certificates.Key] = true } } 
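Review bot: The six renamed `if x != "" { paths[x] = true }` blocks in GetPaths (and the matching six in `getUniqueServiceCertPaths` in the next hunk) are identical apart from the field, and the rename touches every one of them; setupCerts in config.go already iterates a `[]string{...CA, ...Cert, ...Key}` slice for the same purpose. A small variadic helper taking the paths as strings avoids depending on whether the two `TLSConfig` types are the same and collapses each block to one call such as `addCertPaths(paths, c.CA, c.Cert, c.Key)`, with `c` being `l.Configuration.APIConfig.Health.Certificates` after the existing nil check. GetPaths starts before this hunk and continues after it.

```go
// addCertPaths records every non-empty certificate path in paths.
func addCertPaths(paths map[string]bool, files ...string) {
	for _, f := range files {
		if f != "" {
			paths[f] = true
		}
	}
}

// … unchanged: GetPaths up to the Health nil check …
	if c := l.Configuration.APIConfig.Health.Certificates; c != nil {
		addCertPaths(paths, c.CA, c.Cert, c.Key)
	}
	if c := l.Configuration.APIConfig.Metrics.Certificates; c != nil {
		addCertPaths(paths, c.CA, c.Cert, c.Key)
	}
// … unchanged: rest of GetPaths …
```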
@@ -231,23 +231,23 @@ func getPortFromAddress(address string) (string, error) { func getUniqueServiceCertPaths(services map[string]*builder.API) []string { paths := make(map[string]bool) for _, service := range services { - if service.GRPC.Certs.TLSCACertPath != "" { - paths[service.GRPC.Certs.TLSCACertPath] = true + if service.GRPC.Certs.CA != "" { + paths[service.GRPC.Certs.CA] = true } - if service.GRPC.Certs.TLSCertPath != "" { - paths[service.GRPC.Certs.TLSCertPath] = true + if service.GRPC.Certs.Cert != "" { + paths[service.GRPC.Certs.Cert] = true } - if service.GRPC.Certs.TLSKeyPath != "" { - paths[service.GRPC.Certs.TLSKeyPath] = true + if service.GRPC.Certs.Key != "" { + paths[service.GRPC.Certs.Key] = true } - if service.Gateway.Certs.TLSCACertPath != "" { - paths[service.Gateway.Certs.TLSCACertPath] = true + if service.Gateway.Certs.CA != "" { + paths[service.Gateway.Certs.CA] = true } - if service.Gateway.Certs.TLSCertPath != "" { - paths[service.Gateway.Certs.TLSCertPath] = true + if service.Gateway.Certs.Cert != "" { + paths[service.Gateway.Certs.Cert] = true } - if service.Gateway.Certs.TLSKeyPath != "" { - paths[service.Gateway.Certs.TLSKeyPath] = true + if service.Gateway.Certs.Key != "" { + paths[service.Gateway.Certs.Key] = true } } var pathList []string diff --git a/pkg/cli/certs/generator.go b/pkg/cli/certs/generator.go index ce68cc6b..a79e6ce5 100644 --- a/pkg/cli/certs/generator.go +++ b/pkg/cli/certs/generator.go @@ -61,7 +61,7 @@ func generate(c *cc.CommonCtx, dnsNames []string, certPaths ...*CertPaths) error CommonName: certPaths.Name, CertKeyPath: certPaths.Key, CertPath: certPaths.Cert, - CACertPath: certPaths.CA, + CertCAPath: certPaths.CA, DNSNames: dnsNames, }); err != nil { return errors.Wrap(err, "failed to create dev certs")