-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathrequestcert.go
More file actions
121 lines (103 loc) · 3.4 KB
/
requestcert.go
File metadata and controls
121 lines (103 loc) · 3.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package bifrost
import (
"bytes"
"context"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"io"
"net/http"
"github.com/VictoriaMetrics/metrics"
"github.com/google/uuid"
)
// CertificateRequestTemplate returns a bifrost certificate request template for a namespace and public key.
func CertificateRequestTemplate(ns uuid.UUID, key *PublicKey) *x509.CertificateRequest {
return &x509.CertificateRequest{
Subject: pkix.Name{
CommonName: key.UUID(ns).String(),
Organization: []string{ns.String()},
},
SignatureAlgorithm: SignatureAlgorithm,
}
}
// RequestCertificate sends a certificate request over HTTP to url and returns the signed certificate.
// The returned error wraps ErrCertificateRequestInvalid or ErrCertificateRequestDenied
// if the request is invalid or denied.
func RequestCertificate(ctx context.Context, caUrl string, key *PrivateKey) (*Certificate, error) {
namespace, err := GetNamespace(ctx, caUrl)
if err != nil {
return nil, fmt.Errorf("bifrost: error getting namespace: %w", err)
}
template := CertificateRequestTemplate(namespace, key.PublicKey())
csr, err := x509.CreateCertificateRequest(rand.Reader, template, key)
if err != nil {
return nil, fmt.Errorf("bifrost: error creating certificate request: %w", err)
}
req, err := http.NewRequestWithContext(
ctx,
http.MethodPost,
caUrl+"/issue",
bytes.NewReader(csr),
)
if err != nil {
return nil, fmt.Errorf("bifrost: error creating request: %w", err)
}
req.Header.Set("Content-Type", "application/octet-stream")
resp, err := http.DefaultClient.Do(req)
if err != nil {
return nil, fmt.Errorf("bifrost: error sending request: %w", err)
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("bifrost: unexpected error reading response body: %w", err)
}
switch resp.StatusCode {
case http.StatusOK:
case http.StatusBadRequest:
return nil, fmt.Errorf("%w, response: %s", ErrRequestInvalid, body)
case http.StatusForbidden:
return nil, fmt.Errorf("%w, response: %s", ErrRequestDenied, body)
case http.StatusServiceUnavailable:
return nil, fmt.Errorf("%w, response: %s", ErrRequestAborted, body)
default:
return nil, fmt.Errorf(
"bifrost: unexpected response status: %s, body: %s",
resp.Status,
body,
)
}
cert, err := ParseCertificate(body)
if err != nil {
return nil, fmt.Errorf("bifrost: error parsing certificate: %w", err)
}
metrics.GetOrCreateCounter(
fmt.Sprintf(`bifrost_certificate_requests_total{namespace="%s"}`, namespace),
).Inc()
return cert, nil
}
// GetNamespace returns the namespace from the CA at url.
func GetNamespace(ctx context.Context, caUrl string) (uuid.UUID, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, caUrl+"/namespace", nil)
if err != nil {
return uuid.Nil, fmt.Errorf("bifrost: error creating request: %w", err)
}
resp, err := http.DefaultClient.Do(req)
if err != nil {
return uuid.Nil, fmt.Errorf("bifrost: error sending request: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return uuid.Nil, fmt.Errorf("bifrost: unexpected response status: %s", resp.Status)
}
var nss string
if _, err := fmt.Fscan(resp.Body, &nss); err != nil {
return uuid.Nil, fmt.Errorf("bifrost: error reading response body: %w", err)
}
ns, err := uuid.Parse(nss)
if err != nil {
return uuid.Nil, fmt.Errorf("bifrost: error parsing namespace: %w", err)
}
return ns, nil
}