github.com/cockroachdb/cockroach@v20.2.0-alpha.1+incompatible/pkg/acceptance/cluster/certs.go (about)

     1  // Copyright 2018 The Cockroach Authors.
     2  //
     3  // Use of this software is governed by the Business Source License
     4  // included in the file licenses/BSL.txt.
     5  //
     6  // As of the Change Date specified in that file, in accordance with
     7  // the Business Source License, use of this software will be governed
     8  // by the Apache License, Version 2.0, included in the file
     9  // licenses/APL.txt.
    10  
    11  package cluster
    12  
    13  import (
    14  	"context"
    15  	"fmt"
    16  	"os"
    17  	"os/exec"
    18  	"path/filepath"
    19  	"time"
    20  
    21  	"github.com/cockroachdb/cockroach/pkg/security"
    22  )
    23  
const (
	// certsDir is where GenerateCerts writes the CA, client and node material.
	// It is a relative path, so it resolves against the process's current
	// working directory; run from a scratch directory, because GenerateCerts
	// wipes and recreates it on every call.
	certsDir = ".localcluster.certs"

	// keyLen is the key length (in bits) passed for the generated CA pair; the
	// client pairs in GenerateCerts use the same 1024-bit size, while the node
	// pair uses 2048 bits. 1024-bit keys are well below current
	// recommendations and are only tolerable here because these certs are
	// throwaway test fixtures valid for a few days at most.
	keyLen = 1024
)
    28  
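// GenerateCerts creates the TLS material for a local test cluster under
// certsDir: a CA pair, client pairs for security.RootUser and "testuser"
// (each also requesting a pk8 key), a node pair for "localhost" and
// "cockroach", and a PKCS#12 copy of the root client pair, the only format
// understood by Npgsql (.NET). Any existing certsDir is removed first, so the
// result never mixes material from two runs.
//
// certsDir is relative, so everything is written under the current working
// directory. ctx is currently unused: neither the security.Create*Pair
// helpers nor the openssl invocation are passed it, so cancellation does not
// interrupt generation.
//
// Failures panic (via maybePanic and execCmd) rather than returning an error;
// this is test-fixture setup where continuing makes no sense. The returned
// function deletes certsDir and ignores removal errors (best effort).
//
// NOTE(security): this is deliberately weak, test-only material. The CA and
// client keys are keyLen (1024) bits, validity is measured in days, and the
// PKCS#12 bundle is exported with an empty password ("pass:"), so anyone who
// can read certsDir can use the root client identity. Never point this at a
// directory that outlives the test or at a real cluster.
func GenerateCerts(ctx context.Context) func() {
	caKeyPath := filepath.Join(certsDir, security.EmbeddedCAKey)

	// Start from a clean directory so stale certs from an earlier run cannot
	// be picked up.
	maybePanic(os.RemoveAll(certsDir))

	// The CA must exist before any signed pair can be produced.
	maybePanic(security.CreateCAPair(
		certsDir, caKeyPath, keyLen, 96*time.Hour, false, false))

	// Client pairs for the root user and the test user, at the same key size
	// as the CA (keyLen, rather than a repeated literal, so the two stay in
	// sync).
	for _, user := range []string{security.RootUser, "testuser"} {
		maybePanic(security.CreateClientPair(
			certsDir, caKeyPath, keyLen, 48*time.Hour, false, user,
			true /* generate pk8 key */))
	}

	// Node pair for starting a cockroach server. The 2048-bit size is
	// intentionally larger than keyLen; it is attributed to
	// cli/cert.go:defaultKeySize.
	maybePanic(security.CreateNodePair(
		certsDir, caKeyPath, 2048, 48*time.Hour, false,
		[]string{"localhost", "cockroach"}))

	// PKCS#12 bundle of the root client pair for Npgsql. The password is
	// passed on the openssl command line; that is only acceptable because it
	// is empty — a real passphrase here would be visible in the process list
	// and, on failure, in execCmd's panic message.
	execCmd("openssl", "pkcs12", "-export", "-password", "pass:",
		"-in", filepath.Join(certsDir, "client.root.crt"),
		"-inkey", filepath.Join(certsDir, "client.root.key"),
		"-out", filepath.Join(certsDir, "client.root.pk12"))

	return func() {
		// Best effort: a failed cleanup of a throwaway directory should not
		// fail the test.
		_ = os.RemoveAll(certsDir)
	}
}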
    65  
// GenerateCerts is only called from a file protected by a build tag, so this
// reference keeps the unused linter quiet. Spelling out the function type also
// pins GenerateCerts' signature at compile time.
var _ func(context.Context) func() = GenerateCerts
    69  
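// execCmd runs args[0] with the remaining args and panics if the command
// cannot be started or exits non-zero; it mirrors maybePanic in treating any
// failure during test-fixture setup as fatal. The panic message includes the
// full argument list and the command's combined stdout/stderr, so callers
// must not pass secrets (passphrases, key material) on the command line —
// they would end up in test logs. An empty args is a programming error and
// panics with an explicit message instead of an index-out-of-range.
func execCmd(args ...string) {
	if len(args) == 0 {
		panic("execCmd: no command given")
	}
	cmd := exec.Command(args[0], args[1:]...)
	out, err := cmd.CombinedOutput()
	if err != nil {
		panic(fmt.Sprintf("error: %s: %s\nout: %s\n", args, err, out))
	}
}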