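package caclient

import (
	"net/url"
	"reflect"

	"github.com/cloudflare/backoff"
	"github.com/pkg/errors"
	"github.com/ztalab/ZACA/pkg/keyprovider"
	"github.com/ztalab/ZACA/pkg/spiffe"
	"github.com/ztalab/cfssl/hook"
	"github.com/ztalab/cfssl/transport"
	"github.com/ztalab/cfssl/transport/roots"
	"go.uber.org/zap"
)

const (
	// CertRefreshDurationRate is copied verbatim into
	// Transport.CertRefreshDurationRate by NewTransport. It is described
	// upstream as the "certificate cycle time rate"; how the Transport
	// turns it into a rotation interval is defined there, not here.
	CertRefreshDurationRate int = 2
)

// Exchanger bundles what a workload needs to talk to the CA: the cfssl
// Transport (key provider, trust stores, CA handle), the SPIFFE identity
// the Transport was built for, and an OCSP client.
type Exchanger struct {
	// Transport is the result of CAInstance.NewTransport for IDGIdentity.
	Transport *Transport
	// IDGIdentity is the SPIFFE identity this exchanger acts as.
	IDGIdentity *spiffe.IDGIdentity
	// OcspFetcher is the client returned by NewOcspMemCache for Conf.OcspAddr.
	OcspFetcher OcspClient

	caAddr string             // copied from CAInstance.CaAddr
	logger *zap.SugaredLogger // "ca"-named sub-logger of CAInstance.Logger

	caiConf *Conf // points at the owning CAInstance's Conf (shared, not copied)
}

// init makes every cfssl API client in this process skip verification of
// the server's certificate, i.e. the connection to the CA is encrypted
// but the CA endpoint is NOT authenticated (one-way TLS, no trust anchor).
//
// SECURITY: this is a process-wide global, not a per-client option, and
// it takes effect merely by importing this package. An on-path attacker
// who can reach the traffic to CaAddr can present any certificate and be
// accepted as the CA. TODO(security): make this configurable (or pin the
// CA's root) and default to verification being on.
func init() {
	hook.ClientInsecureSkipVerify = true
}

// NewExchangerWithKeypair builds an Exchanger for id whose Transport is
// pre-loaded with an existing PEM-encoded private key and certificate.
// Passing nil for both keyPEM and certPEM yields a Transport with no
// loaded key pair (see NewTransport for how the pair is handled).
//
// Construction fails if either the Transport or the OCSP client cannot
// be built; on success the Exchanger shares cai.Conf by pointer.
func (cai *CAInstance) NewExchangerWithKeypair(id *spiffe.IDGIdentity, keyPEM []byte, certPEM []byte) (*Exchanger, error) {
	tr, err := cai.NewTransport(id, keyPEM, certPEM)
	if err != nil {
		return nil, err
	}

	// Fail construction rather than hand back an Exchanger with a nil
	// OcspFetcher.
	ocsp, err := NewOcspMemCache(cai.Logger.Sugar().Named("ocsp"), cai.Conf.OcspAddr)
	if err != nil {
		return nil, err
	}

	return &Exchanger{
		Transport:   tr,
		IDGIdentity: id,
		OcspFetcher: ocsp,
		logger:      cai.Logger.Sugar().Named("ca"),
		caAddr:      cai.CaAddr,
		caiConf:     &cai.Conf,
	}, nil
}

// NewExchanger builds an Exchanger for id with no pre-loaded key pair.
// It is exactly NewExchangerWithKeypair(id, nil, nil); the two
// constructors used to duplicate each other's body.
func (cai *CAInstance) NewExchanger(id *spiffe.IDGIdentity) (*Exchanger, error) {
	return cai.NewExchangerWithKeypair(id, nil, nil)
}
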
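// NewTransport assembles the cfssl Transport used to talk to the CA on
// behalf of id: a TrustStore from cai.CFIdentity.Roots, an optional
// ClientTrustStore from cai.CFIdentity.ClientRoots, an XKeyProvider for
// id (optionally pre-loaded with keyPEM/certPEM) and the CA handle from
// transport.NewCA.
//
// keyPEM and certPEM must be given together or not at all. Supplying
// exactly one of them is an error: the previous behaviour of silently
// loading neither left the caller believing a key pair was in use.
//
// Only a coarse sanity check is made on cai.CaAddr — url.Parse accepts
// almost any string, including "" — and the address is not dialled here.
func (cai *CAInstance) NewTransport(id *spiffe.IDGIdentity, keyPEM []byte, certPEM []byte) (*Transport, error) {
	l := cai.Logger.Sugar()
	l.Debug("NewTransport Start")

	if _, err := url.Parse(cai.CaAddr); err != nil {
		return nil, errors.Wrap(err, "CA ADDR Error")
	}

	// Reject a half-specified key pair before doing any trust-store work.
	if (keyPEM == nil) != (certPEM == nil) {
		return nil, errors.New("keyPEM and certPEM must be provided together")
	}

	tr := &Transport{
		CertRefreshDurationRate: CertRefreshDurationRate,
		Identity:                cai.CFIdentity,
		Backoff:                 &backoff.Backoff{}, // zero value: library defaults
		logger:                  l.Named("ca"),
	}
	l.Debugf("[NEW]: Certificate rotation rate: %v", tr.CertRefreshDurationRate)

	// TrustStore is built from the identity's Roots.
	l.Debug("roots Initialization")
	rootStore, err := roots.New(cai.CFIdentity.Roots)
	if err != nil {
		return nil, err
	}
	tr.TrustStore = rootStore

	// ClientTrustStore is only set when ClientRoots are configured. If
	// they are identical to Roots the store parsed above is reused rather
	// than parsed a second time.
	l.Debug("client roots Initialization")
	if len(cai.CFIdentity.ClientRoots) > 0 {
		clientStore := rootStore
		if !reflect.DeepEqual(cai.CFIdentity.Roots, cai.CFIdentity.ClientRoots) {
			if clientStore, err = roots.New(cai.CFIdentity.ClientRoots); err != nil {
				return nil, err
			}
		}
		tr.ClientTrustStore = clientStore
	}

	// Key provider for id, carrying the CSR settings from the instance.
	l.Debug("xkeyProvider Initialization")
	xkey, err := keyprovider.NewXKeyProvider(id)
	if err != nil {
		return nil, err
	}
	xkey.CSRConf = cai.CSRConf

	// Both are non-nil here, or both nil (checked above).
	if keyPEM != nil {
		l.Debug("xkeyProvider set up keyPEM")
		if err := xkey.SetPrivateKeyPEM(keyPEM); err != nil {
			return nil, err
		}
		l.Debug("xkeyProvider set up certPEM")
		if err := xkey.SetCertificatePEM(certPEM); err != nil {
			return nil, err
		}
	}
	tr.Provider = xkey

	l.Debug("CA Initialization")
	if tr.CA, err = transport.NewCA(cai.CFIdentity); err != nil {
		return nil, err
	}

	return tr, nil
}

// RotateController returns a RotateController bound to ex.Transport,
// configured with ex.caiConf.RotateAfter and logging under the "rotator"
// sub-logger of the exchanger's logger.
func (ex *Exchanger) RotateController() *RotateController {
	return &RotateController{
		transport:   ex.Transport,
		rotateAfter: ex.caiConf.RotateAfter,
		logger:      ex.logger.Named("rotator"),
	}
}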