diff --git a/Gopkg.toml b/Gopkg.toml
index 6e4954b45287512568d441b89e2ef45c00efcee1..1e5c022553c12ab6426fb4b8bbe8cc54173a54ba 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -1,11 +1,7 @@
[[constraint]]
- branch = "master"
+ branch = "142-Implement_CA_cert"
name = "code.vereign.com/code/viam-apis"
-[[constraint]]
- branch = "master"
- name = "code.vereign.com/code/data-storage-agent"
-
[[constraint]]
name = "github.com/golang/protobuf"
version = "1.1.0"
diff --git a/config.yaml.sample b/config.yaml.sample
index 0ec5701dd0ea40c10f194f720f069e448cea9857..246f7b61a69df770e0bf38f4adf7fd91338622b9 100644
--- a/config.yaml.sample
+++ b/config.yaml.sample
@@ -1,10 +1,29 @@
-dataStorageClientUrl: localhost:7777
-grpcClientUrl: localhost:7877
-restClientUrl: localhost:7878
+# Make sure you have a "config.yaml" file on the root folder of this repo
-# Certificate Related Config
+# You can use this sample YAML file to configure your installation
+
+# Connection Information
+dataStorageUrl: localhost:7777
+grpcListenAddress: localhost:7877
+restListenAddress: localhost:7878
+
+# Choose a certificate method for providing PEM strings
+# 1 = Read from file (*.crt and *.key files)
+# 2 = Read from Vault server (this will require additional config information for Vault)
+certificateMethod: 1
+
+# Read Certificates From Folder and Files
certDir: cert
certFile: server.crt
certKey: server.key
vereignCertFile: vereign_ca.cer
-vereignCertKey: vereign_ca.key
\ No newline at end of file
+vereignCertKey: vereign_ca.key
+caCertFile: ca.crt
+
+# Read Certificates From Vault Server
+vaultAddress: http://10.6.10.119:8200
+vaultToken: 00000000-0000-0000-0000-000000000000
+vaultPath: /developers/data/devteam/cert
+certificateKey: certificateKey
+privateKey: privateKey
+caCertificateKey: caCertificateKey
diff --git a/handler/generate_keypair.go b/handler/generate_keypair.go
index 19f658283c8ab9b10d05a56bfa9d87d535efbbc2..89fa5a0e27e15b88eb5236ee6ec4c1c861ab1b2d 100644
--- a/handler/generate_keypair.go
+++ b/handler/generate_keypair.go
@@ -39,7 +39,7 @@ func (s *KeyStorageServerImpl) GenerateKeyPair(ctx context.Context,
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
- client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+ client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
defer client.CloseClient()
generateKeyPairResponse := &api.GenerateKeyPairResponse{}
diff --git a/handler/handler.go b/handler/handler.go
index ab527483a014f32cb929b0f099b92b511705ac75..cd29dbdf20db89c79d9b1ec65daca34eb5fdae8a 100644
--- a/handler/handler.go
+++ b/handler/handler.go
@@ -36,6 +36,8 @@ import (
type KeyStorageServerImpl struct {
DataStorageUrl string
CertFilePath string
+ KeyFilePath string
+ CaCertFilePath string
VereignCertFilePath string
VereignPrivateKeyFilePath string
}
@@ -60,7 +62,7 @@ func (s *KeyStorageServerImpl) GetKey(ctx context.Context, in *api.GetKeyRequest
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
- client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+ client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
defer client.CloseClient()
getKeyResponse := &api.GetKeyResponse{}
@@ -107,7 +109,7 @@ func (s *KeyStorageServerImpl) SetKey(ctx context.Context, in *api.SetKeyRequest
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
- client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+ client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
defer client.CloseClient()
setKeyResponse := &api.SetKeyResponse{}
@@ -155,7 +157,7 @@ func (s *KeyStorageServerImpl) ReserveKeyUUID(ctx context.Context, in *api.Reser
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
- client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+ client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
defer client.CloseClient()
reserveKeyUUIDResponse := &api.ReserveKeyUUIDResponse{}
diff --git a/handler/revoke.go b/handler/revoke.go
index 8f757b298b6d750587f54e312a3bb8388e8038a7..79994ea4abfb16d9b81531f3104683875bd1ed4b 100644
--- a/handler/revoke.go
+++ b/handler/revoke.go
@@ -29,7 +29,7 @@ func (s *KeyStorageServerImpl) Revoke(ctx context.Context, in *api.RevokeRequest
auth := s.CreateAuthentication(ctx)
client := &client.DataStorageClientImpl{}
- client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath)
+ client.SetUpClient(auth, s.DataStorageUrl, s.CertFilePath, s.KeyFilePath, s.CaCertFilePath)
defer client.CloseClient()
revokeResponse := &api.RevokeResponse{}
diff --git a/main.go b/main.go
index 076a8b7ac919e1f026a07659d6ca1176b3386b80..c6595c4d5b13a22486977b38778e134378a772c4 100644
--- a/main.go
+++ b/main.go
@@ -35,18 +35,19 @@ func main() {
return
}
- grpcAddress := viper.GetString("grpcClientUrl")
- restAddress := viper.GetString("restClientUrl")
- dataStorageAddress := viper.GetString("dataStorageClientUrl")
+ grpcAddress := viper.GetString("grpcListenAddress")
+ restAddress := viper.GetString("restListenAddress")
+ dataStorageAddress := viper.GetString("dataStorageUrl")
certFilePath := certDir + "/" + viper.GetString("certFile")
privateKeyFilePath := certDir + "/" + viper.GetString("certKey")
+ caCertFilePath := certDir + "/" + viper.GetString("caCertFile")
vereignCertFilePath := certDir + "/" + viper.GetString("vereignCertFile")
vereignPrivateKeyFilePath := certDir + "/" + viper.GetString("vereignCertKey")
// fire the gRPC server in a goroutine
go func() {
- err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, vereignCertFilePath,
+ err := server.StartGRPCServer(grpcAddress, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath,
vereignPrivateKeyFilePath, dataStorageAddress)
if err != nil {
log.Fatalf("failed to start gRPC server: %s", err)
diff --git a/server/configs.go b/server/configs.go
index 635427583f2eeae2fd99fb4263581bd7628bf8b5..6c4cbb916e56295c0cbfb0d2e4bfc4bb8ee43db0 100644
--- a/server/configs.go
+++ b/server/configs.go
@@ -9,14 +9,15 @@ func SetConfigValues() {
// Set Default Values For Config Variables
// Vereign API Related
- viper.SetDefault("grpcClientUrl", "localhost:7877")
- viper.SetDefault("restClientUrl", "localhost:7878")
- viper.SetDefault("dataStorageClientUrl", "localhost:7777")
+ viper.SetDefault("grpcListenAddress", "localhost:7877")
+ viper.SetDefault("restListenAddress", "localhost:7878")
+ viper.SetDefault("dataStorageUrl", "localhost:7777")
// Certificates Related
viper.SetDefault("certDir", "cert")
viper.SetDefault("certFile", "server.crt")
viper.SetDefault("certKey", "server.key")
+ viper.SetDefault("caCertFile", "ca.crt")
viper.SetDefault("vereignCertFile", "vereign_ca.cer")
viper.SetDefault("vereignCertKey", "vereign_ca.key")
diff --git a/server/server.go b/server/server.go
index 8a58bd72c851ee9f855224963509fbb48c2366f7..89fb106a28310a92bd0071f62e44f868e1d676e0 100644
--- a/server/server.go
+++ b/server/server.go
@@ -47,6 +47,8 @@ const (
)
var pkgCertFile string
+var pkgKeyFile string
+var pkgCaCertFile string
func credMatcher(headerName string) (mdName string, ok bool) {
if headerName == "Session" {
@@ -70,7 +72,7 @@ func authenticateClient(ctx context.Context, s *handler.KeyStorageServerImpl, in
}
sessionClient := &client.DataStorageClientImpl{}
- sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageClientUrl"), pkgCertFile)
+ sessionClient.SetUpClient(viamAuth, viper.GetString("dataStorageUrl"), pkgCertFile, pkgKeyFile, pkgCaCertFile)
defer sessionClient.CloseClient()
if clientAuth.Uuid == viamAuth.Uuid {
@@ -107,8 +109,10 @@ func unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServ
return handler1(ctx, req)
}
-func StartGRPCServer(address, certFilePath, privateKeyFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string) error {
+func StartGRPCServer(address, certFilePath, privateKeyFilePath, caCertFilePath, vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageAddress string) error {
pkgCertFile = certFilePath
+ pkgKeyFile = privateKeyFilePath
+ pkgCaCertFile = caCertFilePath
// create a listener on TCP port
lis, err := net.Listen("tcp", address)
@@ -120,6 +124,8 @@ func StartGRPCServer(address, certFilePath, privateKeyFilePath, vereignCertFileP
s := handler.KeyStorageServerImpl{
DataStorageUrl: dataStorageAddress,
CertFilePath: certFilePath,
+ KeyFilePath: privateKeyFilePath,
+ CaCertFilePath: caCertFilePath,
VereignCertFilePath: vereignCertFilePath,
VereignPrivateKeyFilePath: vereignPrivateKeyFilePath,
}
diff --git a/server/server_test.go b/server/server_test.go
deleted file mode 100644
index 33f1aa4d0e21242e0f5dc38e3b171c25c5b12147..0000000000000000000000000000000000000000
--- a/server/server_test.go
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
-Copyright (c) 2018 Vereign AG [https://www.vereign.com]
-
-This is free software: you can redistribute it and/or modify
-it under the terms of the GNU Affero General Public License as
-published by the Free Software Foundation, either version 3 of the
-License, or (at your option) any later version.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU Affero General Public License for more details.
-
-You should have received a copy of the GNU Affero General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
-
-package server
-
-import (
- "log"
- "os"
- "testing"
- "time"
-
- dataStorageServer "code.vereign.com/code/data-storage-agent/server"
- "code.vereign.com/code/data-storage-agent/utils"
- "code.vereign.com/code/viam-apis/authentication"
- ksapi "code.vereign.com/code/viam-apis/key-storage-agent/api"
- ksclient "code.vereign.com/code/viam-apis/key-storage-agent/client"
- timestamp "github.com/golang/protobuf/ptypes/timestamp"
-)
-
-const (
- dataStorageGrpcAddress = "localhost:7777"
- keyStorageGrpcAddress = "localhost:7877"
- certFilePath = "../cert/server.crt"
- privateKeyFilePath = "../cert/server.key"
- vereignCertFilePath = "../cert/vereign_ca.cer"
- vereignPrivateKeyFilePath = "../cert/vereign_ca.key"
-)
-
-func TestSetAndGetKeys(t *testing.T) {
- dataStorageClient := utils.CreateClientFromUuidAndSession("viam-system", "viam-session", dataStorageGrpcAddress, certFilePath)
-
- keyStorageAuth := &authentication.Authentication{
- Uuid: "some-uuid",
- Session: "some-session",
- }
-
- _, _, _ = dataStorageClient.RenewSession(keyStorageAuth.Uuid, keyStorageAuth.Session)
-
- keyStorageClient := &ksclient.KeyStorageClientImpl{}
- keyStorageClient.SetUpClient(keyStorageAuth, keyStorageGrpcAddress, certFilePath)
- defer keyStorageClient.CloseClient()
-
- uuid, statusList, _ := keyStorageClient.DoReserveKeyUUID()
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoReserveKeyUUID, returned error: %s.", status.Code+":"+status.Description)
- }
- }
-
- privateKey := &ksapi.Key{
- Content: []byte{0, 1, 4},
- }
-
- statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PRIVATE, privateKey)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoSetKey, returned error: %s.", status.Code+":"+status.Description)
- return
- }
- }
-
- privateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- return
- }
- }
- if privateKeyResult.Content == nil || !utils.CompareByteArrays(privateKeyResult.Content, []byte{0, 1, 4}) {
- t.Errorf("DoGetKey, incorrect keyResult.Content, expected: %v, but was: %v",
- []byte{0, 1, 2}, privateKeyResult.Content)
- }
-
- // Test setting the same key twice
- statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PRIVATE, privateKey)
- for _, status := range statusList {
- if status.StatusType != ksapi.StatusType_ERROR {
- t.Errorf("DoSetKey, expected error, but got success")
- return
- }
- }
-
- publicKey := &ksapi.Key{
- Content: []byte{3, 4, 2},
- }
-
- statusList, _ = keyStorageClient.DoSetKey(uuid, ksapi.KeyType_PUBLIC, publicKey)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoSetKey, returned error: %s.", status.Code+":"+status.Description)
- }
- }
-
- publicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- }
- }
- if publicKeyResult.Content == nil || !utils.CompareByteArrays(publicKeyResult.Content, []byte{3, 4, 2}) {
- t.Errorf("DoGetKey, incorrect publicKeyResult.Content, expected: %v, but was: %v",
- []byte{3, 4, 2}, publicKeyResult.Content)
- }
-
- statusList, _ = keyStorageClient.DoRevoke(uuid)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoRevoke, returned error: %s.", status.Code+":"+status.Description)
- }
- }
- revokedPrivateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- }
- }
- if revokedPrivateKeyResult.Revoked == false {
- t.Errorf("DoRevoke, key was not revoked")
- }
- revokedPublicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- }
- }
- if revokedPublicKeyResult.Revoked == false {
- t.Errorf("DoRevoke, key was not revoked")
- }
-}
-func TestGenerateKeyPairAndCertificate(t *testing.T) {
- dataStorageClient := utils.CreateClientFromUuidAndSession("viam-system", "viam-session", dataStorageGrpcAddress, certFilePath)
-
- keyStorageAuth := &authentication.Authentication{
- Uuid: "some-uuid",
- Session: "some-session",
- }
-
- _, _, _ = dataStorageClient.RenewSession(keyStorageAuth.Uuid, keyStorageAuth.Session)
-
- keyStorageClient := &ksclient.KeyStorageClientImpl{}
- keyStorageClient.SetUpClient(keyStorageAuth, keyStorageGrpcAddress, certFilePath)
- defer keyStorageClient.CloseClient()
-
- uuid, statusList, _ := keyStorageClient.DoGenerateKeyPair(2048)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGenerateKeyPair, returned error: %s.", status.Code+":"+status.Description)
- return
- }
- }
- if uuid == "" {
- t.Errorf("DoGenerateKeyPair, uuid is empty")
- return
- }
-
- privateKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PRIVATE)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- return
- }
- }
- if privateKeyResult.Content == nil {
- t.Errorf("DoGetKey, privateKeyResult.Content is nil")
- }
-
- publicKeyResult, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_PUBLIC)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- return
- }
- }
- if publicKeyResult.Content == nil {
- t.Errorf("DoGetKey, publicKeyResult.Content is nil")
- }
-
- nowTime := time.Now()
- nowTimeSeconds := time.Now().Unix()
- nowTimeNanoSeconds := int32(nowTime.Sub(time.Unix(nowTimeSeconds, 0)))
- notBefore := ×tamp.Timestamp{
- Seconds: nowTimeSeconds,
- Nanos: nowTimeNanoSeconds,
- }
- timeAfterOneDay := nowTime.Add(1000000 * 3600 * 24)
- secondsAfterOneDay := time.Now().Unix()
- nanoSecondsAfterOneDay := int32(timeAfterOneDay.Sub(time.Unix(secondsAfterOneDay, 0)))
- notAfter := ×tamp.Timestamp{
- Seconds: secondsAfterOneDay,
- Nanos: nanoSecondsAfterOneDay,
- }
-
- certificateData := &ksapi.GenerateCertificateRequest_CertificateData{
- Country: "BG",
- Organization: "company",
- OrganizationalUnit: "DEV",
- CommonName: "CN",
- NotBefore: notBefore,
- NotAfter: notAfter,
- Host: "abcde.com",
- }
-
- statusList, _ = keyStorageClient.DoGenerateCertificate(uuid, certificateData)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGenerateCertificate, returned error: %s.", status.Code+":"+status.Description)
- }
- }
-
- certificate, statusList, _ := keyStorageClient.DoGetKey(uuid, ksapi.KeyType_CERTIFICATE)
- for _, status := range statusList {
- if status.StatusType == ksapi.StatusType_ERROR {
- t.Errorf("DoGetKey, returned error: %s.", status.Code+":"+status.Description)
- }
- }
- if certificate == nil || certificate.Content == nil {
- t.Errorf("DoGetKey, certificate is nil")
- }
-}
-
-func TestMain(m *testing.M) {
- // fire the gRPC server in a goroutine
- go func() {
- err := dataStorageServer.StartGRPCServer(dataStorageGrpcAddress, certFilePath, privateKeyFilePath)
- if err != nil {
- log.Fatalf("failed to start gRPC server: %s", err)
- }
- }()
-
- // wait a second for the server to start
- time.Sleep(time.Duration(1) * time.Second)
-
- // fire the gRPC server in a goroutine
- go func() {
- err := StartGRPCServer(keyStorageGrpcAddress, certFilePath, privateKeyFilePath,
- vereignCertFilePath, vereignPrivateKeyFilePath, dataStorageGrpcAddress)
- if err != nil {
- log.Fatalf("failed to start gRPC server: %s", err)
- }
- }()
-
- // wait a second for the server to start
- time.Sleep(time.Duration(1) * time.Second)
-
- retCode := m.Run()
- os.Exit(retCode)
-}