Skip to content
Snippets Groups Projects
Commit 0e9ca859 authored by Olgun Cengiz's avatar Olgun Cengiz :drum:
Browse files

Implemented Vault integration in k-s-a

parent f624ba65
No related branches found
No related tags found
1 merge request!30Implemented Vault integration in k-s-a
Hide whitespace changes
Inline Side-by-side
Gopkg.toml
+ 1
1
View file @ 0e9ca859
[[constraint]] [[constraint]]
branch = "master" branch = "107-Vault_integration"
name = "code.vereign.com/code/viam-apis" name = "code.vereign.com/code/viam-apis"
[[constraint]] [[constraint]]
......
config.yaml.sample
+ 37
20
View file @ 0e9ca859
...@@ -11,26 +11,43 @@ restListenAddress: localhost:7878 ...@@ -11,26 +11,43 @@ restListenAddress: localhost:7878
viamUUID: viam-system viamUUID: viam-system
viamSession: viam-session viamSession: viam-session
# Choose a certificate method for providing PEM strings
# 1 = Read from file (*.crt and *.key files)
# 2 = Read from Vault server (this will require additional config information for Vault)
certificateMethod: 1
# Read Certificates From Folder and Files
certDir: cert
certFile: server.crt
certKey: server.key
vereignCertFile: vereign_ca.cer
vereignCertKey: vereign_ca.key
caCertFile: ca.crt
# Maximum Message Size (in megabytes) # Maximum Message Size (in megabytes)
maxMessageSize: 64 maxMessageSize: 64
# Read Certificates From Vault Server # Certification Access Method
vaultAddress: http://10.6.10.119:8200 # 1 = Certificate Folder and Files
vaultToken: 00000000-0000-0000-0000-000000000000 # 2 = Vault Integration
vaultPath: /developers/data/devteam/cert #certificationMethod: 1
certificateKey: certificateKey certificationMethod: 2
privateKey: privateKey
caCertificateKey: caCertificateKey # Certification URL
# For Method 1: Can be anything (will be ignored)
# For Method 2: IP address and port number of Vault server
#certificationURL: localhost
certificationURL: http://10.6.10.119:8200
# Certification Token
# For Method 1: Can be anything (will be ignored)
# For Method 2: Vault authentication token
#certificationToken: .
certificationToken: YOUR_VAULT_TOKEN
# Certification Path
# For Method 1: The full path of the folder where the certificate and private key files are stored
# For Method 2: Base mount path for certificate secrets
#certificationPath: /home/ocengiz/Documents/Vereign/03-Codebase/cert
certificationPath: /developers/data/devteam/cert
# Certification Files
# For Method 1: The name of the files for certification
# For Method 2: The name of the secret keys on Vault
#certificationCertFile: localhost.crt
certificationCertFile: certificateKey
#certificationKeyFile: localhost.key
certificationKeyFile: privateKey
#certificationCaCertFile: ca.crt
certificationCaCertFile: caCertificateKey
#certificationVereignCertFile: vereign_ca.cer
certificationVereignCertFile: vereignCaCertificateKey
#certificationVereignKeyFile: vereign_ca.key
certificationVereignKeyFile: vereignCaPrivateKey
\ No newline at end of file
handler/generate_keypair.go
+ 5
5
View file @ 0e9ca859
...@@ -40,7 +40,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context, ...@@ -40,7 +40,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
auth := s.CreateAuthentication(ctx) auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{} client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize) client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
defer client.CloseClient() defer client.CloseClient()
generateKeyPairResponse := &api.GenerateKeyPairResponse{} generateKeyPairResponse := &api.GenerateKeyPairResponse{}
...@@ -94,7 +94,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context, ...@@ -94,7 +94,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
} }
if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 { if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, aesKeyBytes, []byte("aeskeys")) encryptedAesKeyBytes, err := rsaEncryptWithServerKey(s.VereignCertPEM, aesKeyBytes, []byte("aeskeys"))
if err != nil { if err != nil {
log.Printf("Error: %v", err) log.Printf("Error: %v", err)
generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList, generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
...@@ -109,7 +109,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context, ...@@ -109,7 +109,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
} }
if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 { if generateKeyPairResponse.StatusList == nil || len(generateKeyPairResponse.StatusList) == 0 {
encryptedPrivateKeyNonceBytes, err := rsaEncryptWithServerKey(s.VereignCertFilePath, privateKeyNonce, []byte("nonce")) encryptedPrivateKeyNonceBytes, err := rsaEncryptWithServerKey(s.VereignCertPEM, privateKeyNonce, []byte("nonce"))
if err != nil { if err != nil {
log.Printf("Error: %v", err) log.Printf("Error: %v", err)
generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList, generateKeyPairResponse.StatusList = utils.AddStatus(generateKeyPairResponse.StatusList,
...@@ -176,8 +176,8 @@ func generateKeyPair(keySize int) ([]byte, []byte, error) { ...@@ -176,8 +176,8 @@ func generateKeyPair(keySize int) ([]byte, []byte, error) {
return privateKeyBytes, publicKeyBytes, nil return privateKeyBytes, publicKeyBytes, nil
} }
func rsaEncryptWithServerKey(certFilePath string, message []byte, label []byte) ([]byte, error) { func rsaEncryptWithServerKey(certPEM []byte, message []byte, label []byte) ([]byte, error) {
serverCertificate, err := readCertificateFromFile(certFilePath) serverCertificate, err := readCertificateFromPEM(certPEM)
if err != nil { if err != nil {
log.Printf("Error: %v", err) log.Printf("Error: %v", err)
return nil, err return nil, err
......
handler/handler.go
+ 11
12
View file @ 0e9ca859
...@@ -19,7 +19,6 @@ package handler ...@@ -19,7 +19,6 @@ package handler
import ( import (
"log" "log"
"io/ioutil"
"strings" "strings"
"code.vereign.com/code/viam-apis/versions" "code.vereign.com/code/viam-apis/versions"
...@@ -36,11 +35,11 @@ import ( ...@@ -36,11 +35,11 @@ import (
// Server represents the gRPC server // Server represents the gRPC server
type KeyStorageServerImpl struct { type KeyStorageServerImpl struct {
DataStorageUrl string DataStorageUrl string
CertFilePath string CertPEM []byte
KeyFilePath string KeyPEM []byte
CaCertFilePath string CaCertPEM []byte
VereignCertFilePath string VereignCertPEM []byte
VereignPrivateKeyFilePath string VereignPrivateKeyPEM []byte
MaxMessageSize int MaxMessageSize int
} }
...@@ -66,23 +65,23 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest ...@@ -66,23 +65,23 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest
auth := s.CreateAuthentication(ctx) auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{} client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize) client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
defer client.CloseClient() defer client.CloseClient()
getKeyResponse := &api.GetKeyResponse{} getKeyResponse := &api.GetKeyResponse{}
if in.KeyType == api.KeyType_CERTIFICATE && in.Uuid == "root" { if in.KeyType == api.KeyType_CERTIFICATE && in.Uuid == "root" {
key := &api.Key{} key := &api.Key{}
data, err := ioutil.ReadFile(s.VereignCertFilePath) /*data, err := ioutil.ReadFile(s.VereignCertFilePath)
if err != nil { if err != nil {
log.Printf("Error: %v", err) log.Printf("Error: %v", err)
getKeyResponse.StatusList = utils.AddStatus(getKeyResponse.StatusList, getKeyResponse.StatusList = utils.AddStatus(getKeyResponse.StatusList,
"400", api.StatusType_ERROR, "Can not get root certificate") "400", api.StatusType_ERROR, "Can not get root certificate")
return getKeyResponse, nil return getKeyResponse, nil
} }*/
key.Content = data key.Content = s.VereignCertPEM
key.Revoked = false key.Revoked = false
getKeyResponse.Key = key getKeyResponse.Key = key
...@@ -114,7 +113,7 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest ...@@ -114,7 +113,7 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest
auth := s.CreateAuthentication(ctx) auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{} client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize) client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
defer client.CloseClient() defer client.CloseClient()
setKeyResponse := &api.SetKeyResponse{} setKeyResponse := &api.SetKeyResponse{}
...@@ -162,7 +161,7 @@ func (s *KeyStorageServerImpl) ReserveKeyUUID(ctx context.Context, in *api.Reser ...@@ -162,7 +161,7 @@ func (s *KeyStorageServerImpl) ReserveKeyUUID(ctx context.Context, in *api.Reser
auth := s.CreateAuthentication(ctx) auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{} client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize) client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
defer client.CloseClient() defer client.CloseClient()
reserveKeyUUIDResponse := &api.ReserveKeyUUIDResponse{} reserveKeyUUIDResponse := &api.ReserveKeyUUIDResponse{}
......
handler/revoke.go
+ 1
1
View file @ 0e9ca859
...@@ -29,7 +29,7 @@ func (s *KeyStorageServerImpl) Revoke(ctx context.Context, in *api.RevokeRequest ...@@ -29,7 +29,7 @@ func (s *KeyStorageServerImpl) Revoke(ctx context.Context, in *api.RevokeRequest
auth := s.CreateAuthentication(ctx) auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{} client := &client.DataStorageClientImpl{}
client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath, s.MaxMessageSize) client.SetUpClient(auth, s.DataStorageUrl, s.CertPEM, s.KeyPEM, s.CaCertPEM, s.MaxMessageSize)
defer client.CloseClient() defer client.CloseClient()
revokeResponse := &api.RevokeResponse{} revokeResponse := &api.RevokeResponse{}
......
handler/utils.go
+ 24
0
View file @ 0e9ca859
...@@ -75,6 +75,30 @@ func handlePutDataErrors(statusList []*api.Status, errors string, err error) []* ...@@ -75,6 +75,30 @@ func handlePutDataErrors(statusList []*api.Status, errors string, err error) []*
return statusList return statusList
} }
func readCertificateFromPEM(pemString []byte) (*x509.Certificate, error) {
certificatePemBlock, err := readPemBlockFromBytes(pemString)
if err != nil {
log.Printf("Error: %v", err)
return nil, err
}
certificate, err := x509.ParseCertificate(certificatePemBlock.Bytes)
if err != nil {
log.Printf("Error: %v", err)
return nil, err
}
return certificate, nil
}
func readPemBlockFromBytes(pemString []byte) (*pem.Block, error) {
fileBytes := pemString
certificatePemBlock, _ := pem.Decode(fileBytes)
return certificatePemBlock, nil
}
func readCertificateFromFile(fileName string) (*x509.Certificate, error) { func readCertificateFromFile(fileName string) (*x509.Certificate, error) {
certificatePemBlock, err := readPemBlockFromFile(fileName) certificatePemBlock, err := readPemBlockFromFile(fileName)
if err != nil { if err != nil {
......
main.go
+ 8
16
View file @ 0e9ca859
...@@ -28,29 +28,21 @@ import ( ...@@ -28,29 +28,21 @@ import (
func main() { func main() {
server.SetConfigValues() server.SetConfigValues()
// TODO this should be done via configuration or even a certificate repository
certDir := viper.GetString("certDir")
if certDir == "" {
log.Printf("cert-dir cannot be empty")
return
}
grpcAddress := viper.GetString("grpcListenAddress") grpcAddress := viper.GetString("grpcListenAddress")
restAddress := viper.GetString("restListenAddress") restAddress := viper.GetString("restListenAddress")
dataStorageAddress := viper.GetString("dataStorageUrl") dataStorageAddress := viper.GetString("dataStorageUrl")
certPem := server.GetCertificatePEM()
certFilePath := certDir + "/" + viper.GetString("certFile") keyPem := server.GetPrivateKeyPEM()
privateKeyFilePath := certDir + "/" + viper.GetString("certKey") caCertPem := server.GetCaCertificatePEM()
caCertFilePath := certDir + "/" + viper.GetString("caCertFile") vereignCaCertificatePem := server.GetVereignCaCertificatePEM()
vereignCertFilePath := certDir + "/" + viper.GetString("vereignCertFile") vereignCaKeyPem := server.GetVereignCaKeyPEM()
vereignPrivateKeyFilePath := certDir + "/" + viper.GetString("vereignCertKey")
maxMessageSize := viper.GetInt("maxMessageSize") maxMessageSize := viper.GetInt("maxMessageSize")
// fire the gRPC server in a goroutine // fire the gRPC server in a goroutine
go func() { go func() {
err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath, err := server.StartGRPCServer(grpcAddress, certPem, keyPem, caCertPem, vereignCaCertificatePem,
vereignPrivateKeyFilePath, dataStorageAddress, maxMessageSize) vereignCaKeyPem, dataStorageAddress, maxMessageSize)
if err != nil { if err != nil {
log.Fatalf("failed to start gRPC server: %s", err) log.Fatalf("failed to start gRPC server: %s", err)
} }
...@@ -58,7 +50,7 @@ func main() { ...@@ -58,7 +50,7 @@ func main() {
// fire the REST server in a goroutine // fire the REST server in a goroutine
go func() { go func() {
err := server.StartRESTServer(restAddress, grpcAddress, certFilePath) err := server.StartRESTServer(restAddress, grpcAddress, certPem)
if err != nil { if err != nil {
log.Fatalf("failed to start gRPC server: %s", err) log.Fatalf("failed to start gRPC server: %s", err)
} }
......
server/configs.go
+ 76
8
View file @ 0e9ca859
...@@ -5,6 +5,14 @@ import ( ...@@ -5,6 +5,14 @@ import (
"github.com/spf13/viper" "github.com/spf13/viper"
) )
var certificationMethod string
var p PEMReader
var certificatePEM []byte
var privateKeyPEM []byte
var caCertificatePEM []byte
var vereignCaCertificatePEM []byte
var vereignCaKeyPEM []byte
func SetConfigValues() { func SetConfigValues() {
// Set Default Values For Config Variables // Set Default Values For Config Variables
...@@ -12,20 +20,37 @@ func SetConfigValues() { ...@@ -12,20 +20,37 @@ func SetConfigValues() {
viper.SetDefault("grpcListenAddress", "localhost:7877") viper.SetDefault("grpcListenAddress", "localhost:7877")
viper.SetDefault("restListenAddress", "localhost:7878") viper.SetDefault("restListenAddress", "localhost:7878")
viper.SetDefault("dataStorageUrl", "localhost:7777") viper.SetDefault("dataStorageUrl", "localhost:7777")
// Certificates Related
viper.SetDefault("certDir", "cert")
viper.SetDefault("certFile", "server.crt")
viper.SetDefault("certKey", "server.key")
viper.SetDefault("caCertFile", "ca.crt")
viper.SetDefault("vereignCertFile", "vereign_ca.cer")
viper.SetDefault("vereignCertKey", "vereign_ca.key")
viper.SetDefault("viamUUID", "viam-system") viper.SetDefault("viamUUID", "viam-system")
viper.SetDefault("viamSession", "viam-session") viper.SetDefault("viamSession", "viam-session")
viper.SetDefault("maxMessageSize", 64) viper.SetDefault("maxMessageSize", 64)
// Certification Related
// File System Defaults
viper.SetDefault("certificationMethod", "1")
viper.SetDefault("certificationURL", ".")
viper.SetDefault("certificationToken", ".")
viper.SetDefault("certificationPath", "cert")
viper.SetDefault("certificationCertFile", "server.crt")
viper.SetDefault("certificationKeyFile", "server.key")
viper.SetDefault("certificationCaCertFile", "ca.crt")
viper.SetDefault("certificationVereignCertFile", "vereign_ca.cer")
viper.SetDefault("certificationVereignKeyFile", "vereign_ca.key")
/*
// Vault Defaults
viper.SetDefault("certificationMethod", "2")
viper.SetDefault("certificationURL", "http://10.6.10.119:8200")
viper.SetDefault("certificationToken", "")
viper.SetDefault("certificationPath", "/developers/data/devteam/cert")
viper.SetDefault("certificationCertFile", "certificateKey")
viper.SetDefault("certificationKeyFile", "privateKey")
viper.SetDefault("certificationCaCertFile", "caCertificateKey")
viper.SetDefault("certificationVereignCertFile", "vereignCaCertificateKey")
viper.SetDefault("certificationVereignKeyFile", "vereignCaPrivateKey")
*/
// Read Config File // Read Config File
viper.SetConfigName("config") viper.SetConfigName("config")
viper.AddConfigPath(".") viper.AddConfigPath(".")
...@@ -33,10 +58,53 @@ func SetConfigValues() { ...@@ -33,10 +58,53 @@ func SetConfigValues() {
log.Printf("can't read config: %s, will use default values", err) log.Printf("can't read config: %s, will use default values", err)
} }
certificationMethod = viper.GetString("certificationMethod")
if certificationMethod == "1" {
// Read From File System
p = FilePEMReader{certificationURL: viper.GetString("certificationURL"),
certificationToken: viper.GetString("certificationToken"),
certificationPath: viper.GetString("certificationPath"),
certificationCertFile: viper.GetString("certificationCertFile"),
certificationKeyFile: viper.GetString("certificationKeyFile"),
certificationCaCertFile: viper.GetString("certificationCaCertFile"),
certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
certificationVereignKeyFile: viper.GetString("certificationVereignKeyFile")}
} else if certificationMethod == "2" {
// Read From Vault
p = VaultPEMReader{certificationURL: viper.GetString("certificationURL"),
certificationToken: viper.GetString("certificationToken"),
certificationPath: viper.GetString("certificationPath"),
certificationCertFile: viper.GetString("certificationCertFile"),
certificationKeyFile: viper.GetString("certificationKeyFile"),
certificationCaCertFile: viper.GetString("certificationCaCertFile"),
certificationVereignCertFile: viper.GetString("certificationVereignCertFile"),
certificationVereignKeyFile: viper.GetString("certificationVereignKeyFile")}
}
// Print all config values to log file // Print all config values to log file
log.Printf("All Settings From Config:") log.Printf("All Settings From Config:")
as := viper.AllSettings() as := viper.AllSettings()
for key, _ := range as { for key, _ := range as {
log.Printf("%s => %s", key, viper.GetString(key)) log.Printf("%s => %s", key, viper.GetString(key))
} }
}
func GetCertificatePEM() []byte {
return p.readCertificatePEM()
}
func GetPrivateKeyPEM() []byte {
return p.readPrivateKeyPEM()
}
func GetCaCertificatePEM() []byte {
return p.readCaCertificatePEM()
}
func GetVereignCaCertificatePEM() []byte {
return p.readVereignCaCertificatePEM()
}
func GetVereignCaKeyPEM() []byte {
return p.readVereignCaKeyPEM()
} }
\ No newline at end of file
server/pem_reader.go 0 → 100644
+ 217
0
View file @ 0e9ca859
package server
import (
"log"
"io/ioutil"
vc "github.com/hashicorp/vault/api"
)
type PEMReader interface {
readCertificatePEM() []byte
readPrivateKeyPEM() []byte
readCaCertificatePEM() []byte
readVereignCaCertificatePEM() []byte
readVereignCaKeyPEM() []byte
}
type FilePEMReader struct {
certificationURL string
certificationToken string
certificationPath string
certificationCertFile string
certificationKeyFile string
certificationCaCertFile string
certificationVereignCertFile string
certificationVereignKeyFile string
}
func (f FilePEMReader) readCertificatePEM() []byte {
pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationCertFile)
if err != nil {
log.Printf("Error: %v", err)
return []byte("")
}
return pem
}
func (f FilePEMReader) readPrivateKeyPEM() []byte {
pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationKeyFile)
if err != nil {
log.Printf("Error: %v", err)
return []byte("")
}
return pem
}
func (f FilePEMReader) readCaCertificatePEM() []byte {
pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationCaCertFile)
if err != nil {
log.Printf("Error: %v", err)
return []byte("")
}
return pem
}
func (f FilePEMReader) readVereignCaCertificatePEM() []byte {
pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationVereignCertFile)
if err != nil {
log.Printf("Error: %v", err)
return []byte("")
}
return pem
}
func (f FilePEMReader) readVereignCaKeyPEM() []byte {
pem, err := ioutil.ReadFile(f.certificationPath + "/" + f.certificationVereignKeyFile)
if err != nil {
log.Printf("Error: %v", err)
return []byte("")
}
return pem
}
type VaultPEMReader struct {
certificationURL string
certificationToken string
certificationPath string
certificationCertFile string
certificationKeyFile string
certificationCaCertFile string
certificationVereignCertFile string
certificationVereignKeyFile string
}
func (v VaultPEMReader) readCertificatePEM() []byte {
client, err := vc.NewClient(&vc.Config{
Address: v.certificationURL,
})
if err != nil {
log.Printf("Error: VAULT Can't create client, %s", err)
}
client.SetToken(v.certificationToken)
keyname := v.certificationPath
secretValues, err := client.Logical().Read(keyname)
if err != nil {
log.Printf("Error: VAULT Can't read value, %s", err)
}
pemMap := secretValues.Data["data"].(map[string]interface{})
for propName, propValue := range pemMap {
if propName == v.certificationCertFile {
return []byte(propValue.(string))
}
}
return []byte("")
}
func (v VaultPEMReader) readPrivateKeyPEM() []byte {
client, err := vc.NewClient(&vc.Config{
Address: v.certificationURL,
})
if err != nil {
log.Printf("Error: VAULT Can't create client, %s", err)
}
client.SetToken(v.certificationToken)
keyname := v.certificationPath
secretValues, err := client.Logical().Read(keyname)
if err != nil {
log.Printf("Error: VAULT Can't read value, %s", err)
}
pemMap := secretValues.Data["data"].(map[string]interface{})
for propName, propValue := range pemMap {
if propName == v.certificationKeyFile {
return []byte(propValue.(string))
}
}
return []byte("")
}
func (v VaultPEMReader) readCaCertificatePEM() []byte {
client, err := vc.NewClient(&vc.Config{
Address: v.certificationURL,
})
if err != nil {
log.Printf("Error: VAULT Can't create client, %s", err)
}
client.SetToken(v.certificationToken)
keyname := v.certificationPath
secretValues, err := client.Logical().Read(keyname)
if err != nil {
log.Printf("Error: VAULT Can't read value, %s", err)
}
pemMap := secretValues.Data["data"].(map[string]interface{})
for propName, propValue := range pemMap {
if propName == v.certificationCaCertFile {
return []byte(propValue.(string))
}
}
return []byte("")
}
func (v VaultPEMReader) readVereignCaCertificatePEM() []byte {
client, err := vc.NewClient(&vc.Config{
Address: v.certificationURL,
})
if err != nil {
log.Printf("Error: VAULT Can't create client, %s", err)
}
client.SetToken(v.certificationToken)
keyname := v.certificationPath
secretValues, err := client.Logical().Read(keyname)
if err != nil {
log.Printf("Error: VAULT Can't read value, %s", err)
}
pemMap := secretValues.Data["data"].(map[string]interface{})
for propName, propValue := range pemMap {
if propName == v.certificationVereignCertFile {
return []byte(propValue.(string))
}
}
return []byte("")
}
func (v VaultPEMReader) readVereignCaKeyPEM() []byte {
client, err := vc.NewClient(&vc.Config{
Address: v.certificationURL,
})
if err != nil {
log.Printf("Error: VAULT Can't create client, %s", err)
}
client.SetToken(v.certificationToken)
keyname := v.certificationPath
secretValues, err := client.Logical().Read(keyname)
if err != nil {
log.Printf("Error: VAULT Can't read value, %s", err)
}
pemMap := secretValues.Data["data"].(map[string]interface{})
for propName, propValue := range pemMap {
if propName == v.certificationVereignKeyFile {
return []byte(propValue.(string))
}
}
return []byte("")
}
\ No newline at end of file
server/server.go
+ 50
26
View file @ 0e9ca859
...@@ -23,11 +23,10 @@ import ( ...@@ -23,11 +23,10 @@ import (
"net" "net"
"net/http" "net/http"
"strings" "strings"
"crypto/x509"
"crypto/tls"
"github.com/grpc-ecosystem/grpc-gateway/runtime" "github.com/grpc-ecosystem/grpc-gateway/runtime"
"golang.org/x/net/context" "golang.org/x/net/context"
"code.vereign.com/code/key-storage-agent/handler" "code.vereign.com/code/key-storage-agent/handler"
"code.vereign.com/code/key-storage-agent/session" "code.vereign.com/code/key-storage-agent/session"
"code.vereign.com/code/viam-apis/authentication" "code.vereign.com/code/viam-apis/authentication"
...@@ -46,9 +45,9 @@ const ( ...@@ -46,9 +45,9 @@ const (
clientIDKey contextKey = iota clientIDKey contextKey = iota
) )
var pkgCertFile string var pkgCertPEM []byte
var pkgKeyFile string var pkgKeyPEM []byte
var pkgCaCertFile string var pkgCaCertPEM []byte
func credMatcher(headerName string) (mdName string, ok bool) { func credMatcher(headerName string) (mdName string, ok bool) {
if headerName == "Session" { if headerName == "Session" {
...@@ -72,7 +71,7 @@ func authenticateClient(ctx context.Context, s *handler.KeyStorageServerImpl, in ...@@ -72,7 +71,7 @@ func authenticateClient(ctx context.Context, s *handler.KeyStorageServerImpl, in
} }
sessionClient := &client.DataStorageClientImpl{} sessionClient := &client.DataStorageClientImpl{}
sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertFile, pkgKeyFile, pkgCaCertFile, viper.GetInt("maxMessageSize")) sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertPEM, pkgKeyPEM, pkgCaCertPEM, viper.GetInt("maxMessageSize"))
defer sessionClient.CloseClient() defer sessionClient.CloseClient()
if clientAuth.Uuid == viamAuth.Uuid { if clientAuth.Uuid == viamAuth.Uuid {
...@@ -110,10 +109,10 @@ func unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServ ...@@ -110,10 +109,10 @@ func unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServ
return handler1(ctx, req) return handler1(ctx, req)
} }
func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string, maxMessageSize int) error { func StartGRPCServer(address string, certPEM, privateKeyPEM, caCertPEM, vereignCertPEM, vereignPrivateKeyPEM []byte, dataStorageAddress string, maxMessageSize int) error {
pkgCertFile = certFilePath pkgCertPEM = certPEM
pkgKeyFile = privateKeyFilePath pkgKeyPEM = privateKeyPEM
pkgCaCertFile = caCertFilePath pkgCaCertPEM = caCertPEM
// create a listener on TCP port // create a listener on TCP port
lis, err := net.Listen("tcp", address) lis, err := net.Listen("tcp", address)
...@@ -124,21 +123,40 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, ...@@ -124,21 +123,40 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath,
// create a server instance // create a server instance
s := handler.KeyStorageServerImpl{ s := handler.KeyStorageServerImpl{
DataStorageUrl: dataStorageAddress, DataStorageUrl: dataStorageAddress,
CertFilePath: certFilePath, CertPEM: certPEM,
KeyFilePath: privateKeyFilePath, KeyPEM: privateKeyPEM,
CaCertFilePath: caCertFilePath, CaCertPEM: caCertPEM,
VereignCertFilePath: vereignCertFilePath, VereignCertPEM: vereignCertPEM,
VereignPrivateKeyFilePath: vereignPrivateKeyFilePath, VereignPrivateKeyPEM: vereignPrivateKeyPEM,
MaxMessageSize: maxMessageSize, MaxMessageSize: maxMessageSize,
} }
// Create the TLS credentials // Load the certificates from PEM Strings
creds, err := credentials.NewServerTLSFromFile(certFilePath, privateKeyFilePath) certificate, err := tls.X509KeyPair(certPEM, privateKeyPEM)
if err != nil { if err != nil {
log.Printf("Error: %v", err) log.Printf("Error: %v", err)
return fmt.Errorf("could not load TLS keys: %s", err) return fmt.Errorf("could not load server key pair: %s", err)
}
// Create a certificate pool from the certificate authority
// Get the SystemCertPool, continue with an empty pool on error
certPool, _ := x509.SystemCertPool()
if certPool == nil {
certPool = x509.NewCertPool()
} }
if ok := certPool.AppendCertsFromPEM(caCertPEM); !ok {
return fmt.Errorf("failed to append server certs")
}
// Create the TLS credentials
creds := credentials.NewTLS(&tls.Config{
//ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
ClientCAs: certPool,
})
// Create an array of gRPC options with the credentials // Create an array of gRPC options with the credentials
opts := []grpc.ServerOption{ opts := []grpc.ServerOption{
...@@ -162,19 +180,25 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, ...@@ -162,19 +180,25 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath,
return nil return nil
} }
func StartRESTServer(address, grpcAddress, certFile string) error { func StartRESTServer(address, grpcAddress string, certPEM []byte) error {
ctx := context.Background() ctx := context.Background()
ctx, cancel := context.WithCancel(ctx) ctx, cancel := context.WithCancel(ctx)
defer cancel() defer cancel()
mux := runtime.NewServeMux(runtime.WithIncomingHeaderMatcher(credMatcher)) mux := runtime.NewServeMux(runtime.WithIncomingHeaderMatcher(credMatcher))
creds, err := credentials.NewClientTLSFromFile(certFile, "") certPool, err := x509.SystemCertPool()
if err != nil { if certPool == nil {
log.Printf("Error: %v", err) certPool = x509.NewCertPool()
return fmt.Errorf("could not load TLS certificate: %s", err)
} }
// Append the client certificates from the CA
if ok := certPool.AppendCertsFromPEM(certPEM); !ok {
return fmt.Errorf("failed to append client certs")
}
creds := credentials.NewClientTLSFromCert(certPool, "")
// Setup the client gRPC options // Setup the client gRPC options
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)} opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment