* feat: Implement structured logging with log forwarding for `ingress-proxy` and `computation-runner`, update component versions, and improve aTLS initialization and error handling. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * refactor: Remove explicit AGENT_ENABLE_ATLS configuration and update component versions. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Correct aTLS nonce verification for truncated hashes, delegate internal CVM server TLS to Ingress Proxy, and update component versions. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * chore: Update package build sources to ultravioletrs/cocos main branch and remove local development keys and encrypted algorithm. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * Remove the `pkg/server` module, including its generic gRPC and HTTP server implementations. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * chore: clarify nonce truncation in the certificate verifier. Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com>
// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package ingress
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"os"
"strings"
)
var (
	// ErrAppendServerCA is returned by ConfigureRootCA when
	// AppendCertsFromPEM reports that nothing from the server CA data could
	// be added to tls.Config.RootCAs.
	ErrAppendServerCA = errors.New("failed to append server ca to tls.Config")
	// ErrAppendClientCA is returned by ConfigureClientCA when
	// AppendCertsFromPEM reports that nothing from the client CA data could
	// be added to tls.Config.ClientCAs.
	ErrAppendClientCA = errors.New("failed to append client ca to tls.Config")
)
// TLSSetupResult contains the result of TLS configuration setup.
type TLSSetupResult struct {
	// Config is the assembled tls.Config: server certificate, optional
	// RootCAs/ClientCAs pools and the resulting ClientAuth policy.
	Config *tls.Config
	// MTLS reports whether a client CA was configured, in which case
	// Config.ClientAuth has been set to tls.RequireAndVerifyClientCert.
	MTLS bool
}
// LoadCertFile loads certificate data from file path or returns empty byte slice if path is empty.
//
// certFile is passed to ReadFileOrData, so it may be either a path or inline
// PEM data. An empty certFile is not an error: callers use the empty result
// to mean "no CA configured".
func LoadCertFile(certFile string) ([]byte, error) {
	if certFile == "" {
		return []byte{}, nil
	}
	return ReadFileOrData(certFile)
}
// ReadFileOrData reads data from file if input looks like a file path,
// otherwise treats input as raw data.
//
// Heuristic: a value shorter than 1000 bytes that contains no newline is
// taken to be a path. PEM-encoded material always contains newlines, so it
// is passed through unchanged. A short, newline-free value that cannot be
// read as a file is reported as an error rather than silently used as raw
// data, so a mistyped path does not turn into bogus certificate bytes.
func ReadFileOrData(input string) ([]byte, error) {
	looksLikePath := len(input) < 1000 && !strings.Contains(input, "\n")
	if !looksLikePath {
		return []byte(input), nil
	}

	contents, readErr := os.ReadFile(input)
	if readErr != nil {
		return nil, readErr
	}
	return contents, nil
}
// LoadX509KeyPair loads X.509 key pair from certificate and key files or data.
//
// Both arguments go through ReadFileOrData, so each may be a path or inline
// PEM. Read failures are wrapped with which input failed; parse failures
// come straight from tls.X509KeyPair.
func LoadX509KeyPair(certfile, keyfile string) (tls.Certificate, error) {
	var (
		certPEM, keyPEM []byte
		err             error
	)

	if certPEM, err = ReadFileOrData(certfile); err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read cert: %w", err)
	}
	if keyPEM, err = ReadFileOrData(keyfile); err != nil {
		return tls.Certificate{}, fmt.Errorf("failed to read key: %w", err)
	}

	return tls.X509KeyPair(certPEM, keyPEM)
}
// ConfigureRootCA configures the root CA certificates for the TLS config.
//
// serverCAFile may be a path or inline PEM (see LoadCertFile). When it is
// empty, tlsConfig.RootCAs is left exactly as the caller set it. Otherwise
// the PEM is appended to the existing pool, creating one if needed.
// Returns ErrAppendServerCA when no certificate could be parsed from the data.
func ConfigureRootCA(tlsConfig *tls.Config, serverCAFile string) error {
	pemData, err := LoadCertFile(serverCAFile)
	switch {
	case err != nil:
		return fmt.Errorf("failed to load server ca file: %w", err)
	case len(pemData) == 0:
		return nil
	}

	pool := tlsConfig.RootCAs
	if pool == nil {
		pool = x509.NewCertPool()
		tlsConfig.RootCAs = pool
	}

	// AppendCertsFromPEM reports false when nothing parsable was found; a
	// silently empty pool would reject every peer, so surface it.
	if appended := pool.AppendCertsFromPEM(pemData); !appended {
		return ErrAppendServerCA
	}
	return nil
}
// ConfigureClientCA configures the client CA certificates for the TLS config
// Returns true if client CA was configured, false otherwise.
//
// clientCAFile may be a path or inline PEM (see LoadCertFile). When it is
// empty, tlsConfig.ClientCAs is left untouched and false is returned so the
// caller does not demand client certificates. Returns ErrAppendClientCA when
// no certificate could be parsed from the data.
func ConfigureClientCA(tlsConfig *tls.Config, clientCAFile string) (bool, error) {
	pemData, err := LoadCertFile(clientCAFile)
	if err != nil {
		return false, fmt.Errorf("failed to load client ca file: %w", err)
	}
	if len(pemData) == 0 {
		return false, nil
	}

	pool := tlsConfig.ClientCAs
	if pool == nil {
		pool = x509.NewCertPool()
		tlsConfig.ClientCAs = pool
	}

	// AppendCertsFromPEM reports false when nothing parsable was found; an
	// empty client CA pool would reject every client, so surface it.
	if appended := pool.AppendCertsFromPEM(pemData); !appended {
		return false, ErrAppendClientCA
	}
	return true, nil
}
// ConfigureCertificateAuthorities configures both root and client CAs for the TLS config
// Returns true if mTLS should be enabled (client CA is configured).
//
// The root CA is configured first; if that fails the client CA is not
// touched. Errors are returned as produced by ConfigureRootCA and
// ConfigureClientCA (both already carry their own context).
func ConfigureCertificateAuthorities(tlsConfig *tls.Config, serverCAFile, clientCAFile string) (bool, error) {
	if err := ConfigureRootCA(tlsConfig, serverCAFile); err != nil {
		return false, err
	}
	// ConfigureClientCA returns false alongside every error, so its result
	// can be handed back directly.
	return ConfigureClientCA(tlsConfig, clientCAFile)
}
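// SetupRegularTLS sets up TLS configuration using regular certificates.
//
// certFile and keyFile may be paths or inline PEM data (see ReadFileOrData).
// serverCAFile, when non-empty, populates Config.RootCAs. clientCAFile, when
// non-empty, populates Config.ClientCAs and switches ClientAuth to
// tls.RequireAndVerifyClientCert, which is reported through the MTLS flag of
// the result. Errors wrap the underlying load or parse failure.
func SetupRegularTLS(certFile, keyFile, serverCAFile, clientCAFile string) (*TLSSetupResult, error) {
	certificate, err := LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, fmt.Errorf("failed to load auth certificates: %w", err)
	}

	tlsConfig := &tls.Config{
		// Pin the protocol floor explicitly rather than inheriting the
		// toolchain default, which differs between Go releases and can be
		// lowered through GODEBUG. TLS 1.0/1.1 are deprecated (RFC 8996).
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.NoClientCert,
		Certificates: []tls.Certificate{certificate},
	}

	mtls, err := ConfigureCertificateAuthorities(tlsConfig, serverCAFile, clientCAFile)
	if err != nil {
		return nil, err
	}

	// A client CA pool only takes effect if the server actually demands and
	// verifies client certificates.
	if mtls {
		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	}

	return &TLSSetupResult{Config: tlsConfig, MTLS: mtls}, nil
}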