github.com/cornelk/go-cloud@v0.17.1/azure/azuredb/azuredb.go

github.com/cornelk/go-cloud@v0.17.1/azure/azuredb/azuredb.go (about)

     1  // Copyright 2019 The Go Cloud Development Kit Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     https://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package azuredb contains Wire providers that are common across Azure Database.
    16  package azuredb
    17  
    18  import (
    19  	"context"
    20  	"crypto/x509"
    21  	"encoding/pem"
    22  	"fmt"
    23  	"io"
    24  	"io/ioutil"
    25  	"net/http"
    26  
    27  	"golang.org/x/net/context/ctxhttp"
    28  )
    29  
    30  const caBundleURL = "https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem"
    31  
    32  // A CertPoolProvider returns a certificate pool that contains the Azure CA certificate.
    33  type CertPoolProvider interface {
    34  	AzureCertPool(context.Context) (*x509.CertPool, error)
    35  }
    36  
    37  // CertFetcher pulls the Azure CA certificates from Digicert's servers. The zero
    38  // value will fetch certificates using the default HTTP client.
    39  type CertFetcher struct {
    40  	// Client is the HTTP client used to make requests. If nil, then
    41  	// http.DefaultClient is used.
    42  	Client *http.Client
    43  }
    44  
    45  // AzureCertPool fetches the Azure CA certificates and places them into a pool.
    46  // It is safe to call from multiple goroutines.
    47  func (cf *CertFetcher) AzureCertPool(ctx context.Context) (*x509.CertPool, error) {
    48  	certs, err := cf.Fetch(ctx)
    49  	if err != nil {
    50  		return nil, err
    51  	}
    52  	certPool := x509.NewCertPool()
    53  	for _, c := range certs {
    54  		certPool.AddCert(c)
    55  	}
    56  	return certPool, nil
    57  }
    58  
    59  // Fetch fetches the Azure CA certificates. It is safe to call from multiple goroutines.
    60  func (cf *CertFetcher) Fetch(ctx context.Context) ([]*x509.Certificate, error) {
    61  	client := cf.Client
    62  	if client == nil {
    63  		client = http.DefaultClient
    64  	}
    65  	resp, err := ctxhttp.Get(ctx, client, caBundleURL)
    66  	if err != nil {
    67  		return nil, fmt.Errorf("fetch Azure certificates: %v", err)
    68  	}
    69  	defer resp.Body.Close()
    70  	if resp.StatusCode != http.StatusOK {
    71  		return nil, fmt.Errorf("fetch Azure certificates: HTTP %s", resp.Status)
    72  	}
    73  	pemData, err := ioutil.ReadAll(&io.LimitedReader{R: resp.Body, N: 1 << 20}) // limit to 1MiB
    74  	if err != nil {
    75  		return nil, fmt.Errorf("fetch Azure certificates: %v", err)
    76  	}
    77  	var certs []*x509.Certificate
    78  	for len(pemData) > 0 {
    79  		var block *pem.Block
    80  		block, pemData = pem.Decode(pemData)
    81  		if block == nil {
    82  			break
    83  		}
    84  		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
    85  			continue
    86  		}
    87  		c, err := x509.ParseCertificate(block.Bytes)
    88  		if err != nil {
    89  			return nil, fmt.Errorf("fetch Azure certificates: %v", err)
    90  		}
    91  		certs = append(certs, c)
    92  	}
    93  	return certs, nil
    94  }