
     1  // Copyright (c) 2020-2022, R.I. Pienaar and the Choria Project contributors
     2  //
     3  // SPDX-License-Identifier: Apache-2.0
     4  
     5  package filesec
     6  
     7  import (
     8  	"fmt"
     9  	"os"
    10  
    11  	"github.com/choria-io/go-choria/inter"
    12  	"github.com/choria-io/go-choria/tlssetup"
    13  
    14  	"github.com/choria-io/go-choria/config"
    15  	"github.com/sirupsen/logrus"
    16  )
    17  
// Option is a function that can configure the File Security Provider.
//
// Each Option is applied to a *FileSecurity and returns a non-nil error when
// the setting it carries cannot be applied.
type Option func(*FileSecurity) error
    20  
// BuildInfoProvider provides info about the build
type BuildInfoProvider interface {
	// ClientIdentitySuffix returns the suffix appended to user-derived client
	// identities. An empty string makes WithChoriaConfig fall back to its
	// built-in default suffix.
	ClientIdentitySuffix() string
}
    25  
// WithChoriaConfig optionally configures the File Security Provider from settings found in a typical Choria configuration.
//
// Certificate, key, CA, certname allow list, privileged users, remote signer
// settings and the TLS setup are copied from c. Two settings that relax
// certificate verification are passed straight through and deserve attention
// when reviewing a deployment: DisableTLSVerify (c.DisableTLSVerify) and
// BackwardCompatVerification (c.Choria.SecurityAllowLegacyCerts).
//
// The identity is resolved in this order:
//  1. the MCOLLECTIVE_CERTNAME environment variable, which is also written
//     back into c.OverrideCertname (a side effect on the caller's config);
//  2. c.OverrideCertname when it is non-empty;
//  3. when runtimeOs() is not "windows" and uid() is not 0, "<USER>.<suffix>"
//     where USER is read from the environment and suffix is
//     bi.ClientIdentitySuffix(), or "mcollective" when that is empty;
//  4. otherwise c.Identity is kept.
//
// bi and c must not be nil; both are dereferenced unconditionally.
func WithChoriaConfig(bi BuildInfoProvider, c *config.Config) Option {
	suffix := bi.ClientIdentitySuffix()
	if suffix == "" {
		suffix = "mcollective"
	}

	cfg := Config{
		AllowList:                  c.Choria.CertnameAllowList,
		CA:                         c.Choria.FileSecurityCA,
		Certificate:                c.Choria.FileSecurityCertificate,
		Key:                        c.Choria.FileSecurityKey,
		DisableTLSVerify:           c.DisableTLSVerify,
		PrivilegedUsers:            c.Choria.PrivilegedUsers,
		Identity:                   c.Identity,
		RemoteSignerURL:            c.Choria.RemoteSignerURL,
		RemoteSignerTokenFile:      c.Choria.RemoteSignerTokenFile,
		RemoteSignerSeedFile:       c.Choria.RemoteSignerTokenSeedFile,
		TLSConfig:                  tlssetup.TLSConfig(c),
		BackwardCompatVerification: c.Choria.SecurityAllowLegacyCerts,
		IdentitySuffix:             suffix,
	}

	// The environment variable wins over, and replaces, the configured override.
	if certname, found := os.LookupEnv("MCOLLECTIVE_CERTNAME"); found {
		c.OverrideCertname = certname
	}

	switch {
	case c.OverrideCertname != "":
		cfg.Identity = c.OverrideCertname
	case runtimeOs() == "windows", uid() == 0:
		// Windows hosts and uid 0 keep the identity taken from c.Identity.
	default:
		if user, found := os.LookupEnv("USER"); found {
			cfg.Identity = fmt.Sprintf("%s.%s", user, suffix)
		}
	}

	return WithConfig(&cfg)
}
    62  
// WithSigner configures a remote request signer.
//
// The signer is stored in fs.conf.RemoteSigner. fs.conf must already be set
// (see WithConfig); it is dereferenced without a nil check.
func WithSigner(signer inter.RequestSigner) Option {
	apply := func(fs *FileSecurity) error {
		conf := fs.conf
		conf.RemoteSigner = signer
		return nil
	}

	return apply
}
    71  
// WithConfig optionally configures the File Security Provider using its native configuration format.
//
// c is stored by pointer, so later options (such as WithSigner) mutate the
// caller's Config. When c carries no TLSConfig a default one is created with
// tlssetup.TLSConfig(nil). c must not be nil.
func WithConfig(c *Config) Option {
	return func(fs *FileSecurity) error {
		fs.conf = c

		// c and fs.conf are the same object from here on, so defaulting the
		// TLS setup on c is equivalent to doing it on fs.conf.
		if c.TLSConfig == nil {
			c.TLSConfig = tlssetup.TLSConfig(nil)
		}

		return nil
	}
}
    84  
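// WithLog configures a logger for the File Security Provider.
//
// The logger is tagged with the field security=file. As a convenience the TLS
// setup is also defaulted with tlssetup.TLSConfig(nil) when fs.conf is set but
// carries no TLSConfig. When fs.conf is still nil (WithLog applied before
// WithConfig) that step is skipped rather than dereferencing a nil pointer;
// WithConfig performs the same defaulting when it runs. l must not be nil.
func WithLog(l *logrus.Entry) Option {
	return func(fs *FileSecurity) error {
		fs.log = l.WithFields(logrus.Fields{"security": "file"})

		// Guard against option ordering: conf is only present once WithConfig
		// (or WithChoriaConfig) has been applied.
		if fs.conf != nil && fs.conf.TLSConfig == nil {
			fs.conf.TLSConfig = tlssetup.TLSConfig(nil)
		}

		return nil
	}
}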