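// Copyright (c) 2020-2021, R.I. Pienaar and the Choria Project contributors
//
// SPDX-License-Identifier: Apache-2.0

package network

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
	"strings"
)

// extractKeyedConfigString reads the option
// "plugin.choria.network.<prefix>.<key>.<property>" from the server
// configuration and returns dflt when it is not set.
//
// Every lookup is logged at debug level together with the value found so a
// misconfigured TLS block can be traced from the broker log.
func (s *Server) extractKeyedConfigString(prefix string, key string, property string, dflt string) (result string) {
	item := "plugin.choria.network." + prefix + "." + key + "." + property
	value := s.config.Option(item, dflt)
	s.log.Debugf("Looking for config item %s, found %q", item, value)
	return value
}

// parseKeyedTLSFlag interprets a yes/no style configuration value.
//
// Accepted spellings, compared case-insensitively, are "true", "yes", "on"
// and "1" for true and "false", "no", "off" and "0" for false. Any other
// value is an error: these flags decide whether TLS is used at all and
// whether peer certificates are verified, so a typo has to fail the
// configuration rather than be silently read as one of the two settings.
// item is only used in the error message.
func parseKeyedTLSFlag(item string, value string) (bool, error) {
	switch strings.ToLower(value) {
	case "true", "yes", "on", "1":
		return true, nil
	case "false", "no", "off", "0":
		return false, nil
	default:
		return false, fmt.Errorf("invalid value %q for %s, expected one of yes, no, true, false, on, off, 1 or 0", value, item)
	}
}

// extractTLSCFromKeyedConfig builds a TLS configuration from the
// "plugin.choria.network.<prefix>.<key>.tls.*" options.
//
// It reads tls.cert, tls.key and tls.ca (file paths), tls.verify (default
// "yes") and tls.disable (default "no"). When none of the three paths is set
// no custom configuration is produced: tlsc is nil and only the disabled
// flag is reported, the caller decides what that means for it. When at least
// one path is set the configuration is built by genTLSc.
//
// Returns the configuration, whether TLS was explicitly disabled for this
// prefix/key, and an error when a flag holds an unrecognised value or the
// certificate material cannot be loaded.
func (s *Server) extractTLSCFromKeyedConfig(prefix string, key string) (tlsc *tls.Config, disabled bool, err error) {
	cert := s.extractKeyedConfigString(prefix, key, "tls.cert", "")
	private := s.extractKeyedConfigString(prefix, key, "tls.key", "")
	ca := s.extractKeyedConfigString(prefix, key, "tls.ca", "")
	verifyS := s.extractKeyedConfigString(prefix, key, "tls.verify", "yes")
	disableS := s.extractKeyedConfigString(prefix, key, "tls.disable", "no")

	// Both flags are parsed strictly. Previously anything that was not an
	// explicit "no" counted as "yes", which for tls.disable meant that a
	// mistyped value switched TLS off for this connection without any
	// indication; an unrecognised value is now a configuration error.
	verify, err := parseKeyedTLSFlag(fmt.Sprintf("plugin.choria.network.%s.%s.tls.verify", prefix, key), verifyS)
	if err != nil {
		return nil, false, err
	}

	disabled, err = parseKeyedTLSFlag(fmt.Sprintf("plugin.choria.network.%s.%s.tls.disable", prefix, key), disableS)
	if err != nil {
		return nil, false, err
	}

	// No certificate material at all: nothing custom to build, only the
	// disabled flag is meaningful to the caller.
	if private == "" && cert == "" && ca == "" {
		return nil, disabled, nil
	}

	s.log.Debugf("Generating custom TLS for %s.%s: cert: '%s' private: '%s' ca: '%s' verify: %v disable: %v", prefix, key, cert, private, ca, verify, disabled)

	tlsc, err = s.genTLSc(private, cert, ca, verify)
	if err != nil {
		return nil, disabled, err
	}

	return tlsc, disabled, nil
}

// Started reports whether the server has been started. The flag is read
// under s.mu, which guards it.
func (s *Server) Started() bool {
	s.mu.Lock()
	defer s.mu.Unlock()

	return s.started
}

// IsTLS reports whether TLS is enabled for the broker as a whole, based on
// the global DisableTLS setting. This is independent of the per prefix/key
// tls.disable option handled by extractTLSCFromKeyedConfig.
func (s *Server) IsTLS() bool {
	return !s.config.DisableTLS
}

// IsVerifiedTLS reports whether peer certificates are verified for the
// broker as a whole, based on the global DisableTLSVerify setting. This is
// independent of the per prefix/key tls.verify option handled by
// extractTLSCFromKeyedConfig.
func (s *Server) IsVerifiedTLS() bool {
	return !s.config.DisableTLSVerify
}

// genTLSc builds a tls.Config from the given private key, certificate and CA
// bundle file paths. Each of the three may be empty.
//
//   - pri/pub: a PEM key pair to present to peers. Both must be given
//     together; supplying only one is an error rather than a silent
//     "no certificate", because a config that was meant to present a
//     certificate but does not can go unnoticed until the handshake fails.
//   - ca: a PEM bundle used both to verify peers we connect to (RootCAs) and
//     to verify certificates presented by clients (ClientCAs). It must contain
//     at least one parseable certificate.
//   - verify: when false, InsecureSkipVerify is set, which disables chain and
//     hostname verification of the peer on outbound connections. It has no
//     effect on client-certificate checks performed on the server side, which
//     are governed by ClientAuth.
//
// TLS 1.2 is the minimum protocol version. ClientAuth is left at its zero
// value here. NOTE(review): a caller that uses this config on the server side
// and expects mutual TLS must set ClientAuth itself; confirm at the call
// sites.
//
// Returns nil and an error when any file cannot be read or parsed.
func (s *Server) genTLSc(pri string, pub string, ca string, verify bool) (tlsc *tls.Config, err error) {
	tlsc = &tls.Config{
		MinVersion: tls.VersionTLS12,
	}

	switch {
	case pri != "" && pub != "":
		cert, err := tls.LoadX509KeyPair(pub, pri)
		if err != nil {
			return nil, fmt.Errorf("could not load certificate %s and key %s: %w", pub, pri, err)
		}

		// Leaf is filled in explicitly so it is available to callers
		// regardless of Go version (older releases left it nil after
		// LoadX509KeyPair).
		cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return nil, fmt.Errorf("error parsing certificate %s: %w", pub, err)
		}

		tlsc.Certificates = []tls.Certificate{cert}

	case pri != "" || pub != "":
		return nil, fmt.Errorf("certificate and key must both be set, got certificate %q and key %q", pub, pri)
	}

	if ca != "" {
		caCert, err := os.ReadFile(ca)
		if err != nil {
			return nil, fmt.Errorf("could not read ca %s: %w", ca, err)
		}

		caCertPool := x509.NewCertPool()
		// An empty pool makes every verification fail without saying why;
		// reject the file up front when it holds no usable certificate.
		if !caCertPool.AppendCertsFromPEM(caCert) {
			return nil, fmt.Errorf("ca %s contains no valid PEM certificates", ca)
		}

		tlsc.ClientCAs = caCertPool
		tlsc.RootCAs = caCertPool
	}

	if !verify {
		// Outbound peer verification is off; the CA pool above still applies
		// to client certificates checked via ClientAuth, if a caller sets it.
		tlsc.InsecureSkipVerify = true
	}

	return tlsc, nil
}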