mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-02 08:19:23 +02:00
merge master
This commit is contained in:
parent
d514ec2ecf
commit
ef399380b7
49 changed files with 1473 additions and 534 deletions
|
@ -1,69 +1,120 @@
|
|||
package cluster
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
// TLSCerts holds the certificate authority, certificate and certificate key for a TLS connection.
|
||||
type TLSCerts struct {
|
||||
CA string
|
||||
Cert string
|
||||
Key string
|
||||
CA []byte
|
||||
Cert []byte
|
||||
Key []byte
|
||||
Client struct {
|
||||
Cert []byte
|
||||
Key []byte
|
||||
}
|
||||
}
|
||||
|
||||
func bootstrapCerts(ctx context.Context) (*TLSCerts, error) {
|
||||
err := run(ctx, "mkcert", withArgs("-install"))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error install root certificate: %w", err)
|
||||
}
|
||||
|
||||
var buf bytes.Buffer
|
||||
err = run(ctx, "mkcert", withArgs("-CAROOT"), withStdout(&buf))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error running mkcert")
|
||||
}
|
||||
|
||||
caPath := strings.TrimSpace(buf.String())
|
||||
ca, err := ioutil.ReadFile(filepath.Join(caPath, "rootCA.pem"))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading root ca: %w", err)
|
||||
}
|
||||
|
||||
wd := filepath.Join(os.TempDir(), uuid.New().String())
|
||||
err = os.MkdirAll(wd, 0755)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating temporary directory: %w", err)
|
||||
}
|
||||
defer func() {
|
||||
_ = os.RemoveAll(wd)
|
||||
}()
|
||||
|
||||
err = run(ctx, "mkcert", withArgs("*.localhost.pomerium.io"), withWorkingDir(wd))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error generating certificates: %w", err)
|
||||
}
|
||||
|
||||
cert, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io.pem"))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading certificate: %w", err)
|
||||
}
|
||||
|
||||
key, err := ioutil.ReadFile(filepath.Join(wd, "_wildcard.localhost.pomerium.io-key.pem"))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading certificate key: %w", err)
|
||||
}
|
||||
|
||||
return &TLSCerts{
|
||||
CA: string(ca),
|
||||
Cert: string(cert),
|
||||
Key: string(key),
|
||||
}, nil
|
||||
// TLSCertsBundle holds various TLSCerts.
|
||||
type TLSCertsBundle struct {
|
||||
Trusted TLSCerts
|
||||
WronglyNamed TLSCerts
|
||||
Untrusted TLSCerts
|
||||
}
|
||||
|
||||
func bootstrapCerts(ctx context.Context) (*TLSCertsBundle, error) {
|
||||
wd := filepath.Join(os.TempDir(), "pomerium-integration-tests", "certs")
|
||||
err := os.MkdirAll(wd, 0755)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating integration tests working directory: %w", err)
|
||||
}
|
||||
|
||||
var bundle TLSCertsBundle
|
||||
|
||||
var generators = []struct {
|
||||
certs *TLSCerts
|
||||
caroot string
|
||||
install bool
|
||||
name string
|
||||
}{
|
||||
{&bundle.Trusted, filepath.Join(wd, "trusted"), true, "*.localhost.pomerium.io"},
|
||||
{&bundle.WronglyNamed, filepath.Join(wd, "wrongly-named"), true, "*.localhost.notpomerium.io"},
|
||||
{&bundle.Untrusted, filepath.Join(wd, "untrusted"), false, "*.localhost.pomerium.io"},
|
||||
}
|
||||
|
||||
for _, generator := range generators {
|
||||
err = os.MkdirAll(generator.caroot, 0755)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating integration tests %s working directory: %w",
|
||||
filepath.Base(generator.caroot), err)
|
||||
}
|
||||
|
||||
args := []string{"-install"}
|
||||
env := []string{"CAROOT=" + generator.caroot}
|
||||
if !generator.install {
|
||||
env = append(env, "TRUST_STORES=xxx")
|
||||
}
|
||||
err = run(ctx, "mkcert", withArgs(args...), withEnv(env...))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating %s certificate authority: %w",
|
||||
filepath.Base(generator.caroot), err)
|
||||
}
|
||||
|
||||
fp := filepath.Join(generator.caroot, "rootCA.pem")
|
||||
generator.certs.CA, err = ioutil.ReadFile(fp)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading %s root ca: %w",
|
||||
filepath.Base(generator.caroot), err)
|
||||
}
|
||||
|
||||
root := filepath.Join(generator.caroot, strings.ReplaceAll(generator.name, "*", "_wildcard"))
|
||||
fileMap := map[string]*[]byte{
|
||||
root + ".pem": &generator.certs.Cert,
|
||||
root + "-client.pem": &generator.certs.Client.Cert,
|
||||
root + "-key.pem": &generator.certs.Key,
|
||||
root + "-client-key.pem": &generator.certs.Client.Key,
|
||||
}
|
||||
|
||||
regenerate := false
|
||||
for name := range fileMap {
|
||||
if _, err := os.Stat(name); err != nil {
|
||||
regenerate = true
|
||||
}
|
||||
}
|
||||
|
||||
if regenerate {
|
||||
env = []string{"CAROOT=" + generator.caroot}
|
||||
err = run(ctx, "mkcert",
|
||||
withArgs(generator.name),
|
||||
withWorkingDir(generator.caroot),
|
||||
withEnv(env...))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error generating %s certificates: %w",
|
||||
filepath.Base(generator.caroot), err)
|
||||
}
|
||||
err = run(ctx, "mkcert",
|
||||
withArgs("-client", generator.name),
|
||||
withWorkingDir(generator.caroot),
|
||||
withEnv(env...))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error generating %s client certificates: %w",
|
||||
filepath.Base(generator.caroot), err)
|
||||
}
|
||||
}
|
||||
|
||||
for name, ptr := range fileMap {
|
||||
*ptr, err = ioutil.ReadFile(name)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading %s: %w",
|
||||
name, err)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return &bundle, nil
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue