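// Copyright (c) 2020-2022, R.I. Pienaar and the Choria Project contributors
//
// SPDX-License-Identifier: Apache-2.0

package puppetsec

import (
	"errors"
	"fmt"
	"os"
	"runtime"

	"github.com/choria-io/go-choria/config"
	"github.com/choria-io/go-choria/inter"
	"github.com/choria-io/go-choria/tlssetup"
	"github.com/sirupsen/logrus"
)

// Option is a function that can configure the Puppet Security Provider.
type Option func(*PuppetSecurity) error

// WithChoriaConfig optionally configures the Security Provider from settings found in a typical Choria configuration.
//
// The identity the provider will present is resolved in this order: c.OverrideCertname,
// the MCOLLECTIVE_CERTNAME environment variable (which is also written back into
// c.OverrideCertname so later readers of c see the same value), and, for clients
// not initiated by a server, the USER (USERNAME on Windows) environment variable
// joined with the build-time identity suffix.
//
// The returned Option fails when the user-derived identity cannot be determined,
// or when no SSL directory is configured and userSSlDir() returns an error.
func WithChoriaConfig(bi BuildInfoProvider, c *config.Config) Option {
	return func(p *PuppetSecurity) error {
		cfg := Config{
			AllowList: c.Choria.CertnameAllowList,
			// NOTE(review): copied verbatim from the Choria config; a true value
			// presumably disables peer verification downstream — confirm where it is honoured.
			DisableTLSVerify:      c.DisableTLSVerify,
			PrivilegedUsers:       c.Choria.PrivilegedUsers,
			SSLDir:                c.Choria.SSLDir,
			PuppetCAHost:          c.Choria.PuppetCAHost,
			PuppetCAPort:          c.Choria.PuppetCAPort,
			Identity:              c.Identity,
			RemoteSignerURL:       c.Choria.RemoteSignerURL,
			RemoteSignerTokenFile: c.Choria.RemoteSignerTokenFile,
			TLSConfig:             tlssetup.TLSConfig(c),
			IdentitySuffix:        bi.ClientIdentitySuffix(),
		}

		// A build without a client identity suffix falls back to the historic one
		if cfg.IdentitySuffix == "" {
			cfg.IdentitySuffix = "mcollective"
		}

		if c.Choria.NetworkClientAdvertiseName != "" {
			cfg.AltNames = append(cfg.AltNames, c.Choria.NetworkClientAdvertiseName)
		}

		// An explicitly configured CA host or port takes precedence over SRV discovery
		if c.HasOption("plugin.choria.puppetca_host") || c.HasOption("plugin.choria.puppetca_port") {
			cfg.DisableSRV = true
		}

		// The environment override is persisted into the shared config, a side effect
		// callers of this option should be aware of
		if c.OverrideCertname == "" {
			if cn, ok := os.LookupEnv("MCOLLECTIVE_CERTNAME"); ok {
				c.OverrideCertname = cn
			}
		}

		// NOTE(review): the environment-derived identity only names which certificate
		// the provider uses; confirm the matching key and certificate in SSLDir are
		// still required before anything trusts it.
		switch {
		case c.OverrideCertname != "":
			cfg.Identity = c.OverrideCertname
		case !c.InitiatedByServer:
			id, err := clientIdentityFromEnv(cfg.IdentitySuffix)
			if err != nil {
				return err
			}

			cfg.Identity = id
		}

		if cfg.SSLDir == "" {
			d, err := userSSlDir()
			if err != nil {
				return err
			}

			cfg.SSLDir = d
		}

		p.conf = &cfg

		return nil
	}
}

// clientIdentityFromEnv derives a client identity of the form "<user>.<suffix>" from the
// USER environment variable (USERNAME on Windows), returning an error when it is unset.
func clientIdentityFromEnv(suffix string) (string, error) {
	userEnvVar := "USER"
	if runtime.GOOS == "windows" {
		userEnvVar = "USERNAME"
	}

	u, ok := os.LookupEnv(userEnvVar)
	if !ok {
		return "", fmt.Errorf("could not determine client identity, ensure %s environment variable is set", userEnvVar)
	}

	return fmt.Sprintf("%s.%s", u, suffix), nil
}

// WithSigner configures a remote request signer.
//
// When no configuration has been set on the provider yet (p.conf is nil) an error
// is returned instead of dereferencing the nil configuration.
func WithSigner(signer inter.RequestSigner) Option {
	return func(p *PuppetSecurity) error {
		if p.conf == nil {
			return errors.New("cannot configure a remote signer before the security provider configuration is set")
		}

		p.conf.RemoteSigner = signer

		return nil
	}
}

// WithConfig optionally configures the Puppet Security Provider using its native configuration format.
//
// The provider keeps a reference to c rather than a copy, so later mutations of c are visible to it.
func WithConfig(c *Config) Option {
	return func(p *PuppetSecurity) error {
		p.conf = c

		return nil
	}
}

// WithLog configures a logger for the Puppet Security Provider.
//
// The provider logs with the field security=puppet added to every entry. A nil
// entry yields an error rather than a nil pointer dereference.
func WithLog(l *logrus.Entry) Option {
	return func(p *PuppetSecurity) error {
		if l == nil {
			return errors.New("cannot configure a nil logger for the puppet security provider")
		}

		p.log = l.WithFields(logrus.Fields{"security": "puppet"})

		return nil
	}
}

// WithResolver configures a SRV resolver for the Puppet Security Provider.
func WithResolver(r Resolver) Option {
	return func(p *PuppetSecurity) error {
		p.res = r

		return nil
	}
}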