forked from googleapis/google-api-go-client
/
default_cert.go
127 lines (114 loc) · 3.47 KB
/
default_cert.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
// Copyright 2020 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package cert contains certificate tools for Google API clients.
// This package is intended to be used with crypto/tls.Config.GetClientCertificate.
//
// The certificates can be used to satisfy Google's Endpoint Validation.
// See https://cloud.google.com/endpoint-verification/docs/overview
//
// This package is not intended for use by end developers. Use the
// google.golang.org/api/option package to configure API clients.
package cert
import (
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"os"
"os/exec"
"os/user"
"path/filepath"
"sync"
"time"
)
const (
metadataPath = ".secureConnect"
metadataFile = "context_aware_metadata.json"
)
var (
defaultSourceOnce sync.Once
defaultSource Source
defaultSourceErr error
defaultSourceCachedCertMutex sync.Mutex
defaultSourceCachedCert *tls.Certificate
)
// Source is a function that can be passed into crypto/tls.Config.GetClientCertificate.
type Source func(*tls.CertificateRequestInfo) (*tls.Certificate, error)
// DefaultSource returns a certificate source that execs the command specified
// in the file at ~/.secureConnect/context_aware_metadata.json
//
// If that file does not exist, a nil source is returned.
func DefaultSource() (Source, error) {
defaultSourceOnce.Do(func() {
defaultSource, defaultSourceErr = newSecureConnectSource()
})
return defaultSource, defaultSourceErr
}
type secureConnectSource struct {
metadata secureConnectMetadata
}
type secureConnectMetadata struct {
Cmd []string `json:"cert_provider_command"`
}
// newSecureConnectSource creates a secureConnectSource by reading the well-known file.
func newSecureConnectSource() (Source, error) {
user, err := user.Current()
if err != nil {
// Ignore.
return nil, nil
}
filename := filepath.Join(user.HomeDir, metadataPath, metadataFile)
file, err := ioutil.ReadFile(filename)
if os.IsNotExist(err) {
// Ignore.
return nil, nil
}
if err != nil {
return nil, err
}
var metadata secureConnectMetadata
if err := json.Unmarshal(file, &metadata); err != nil {
return nil, fmt.Errorf("cert: could not parse JSON in %q: %v", filename, err)
}
if err := validateMetadata(metadata); err != nil {
return nil, fmt.Errorf("cert: invalid config in %q: %v", filename, err)
}
return (&secureConnectSource{
metadata: metadata,
}).getClientCertificate, nil
}
func validateMetadata(metadata secureConnectMetadata) error {
if len(metadata.Cmd) == 0 {
return errors.New("empty cert_provider_command")
}
return nil
}
func (s *secureConnectSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
defaultSourceCachedCertMutex.Lock()
defer defaultSourceCachedCertMutex.Unlock()
if defaultSourceCachedCert != nil && !isCertificateExpired(defaultSourceCachedCert) {
return defaultSourceCachedCert, nil
}
command := s.metadata.Cmd
data, err := exec.Command(command[0], command[1:]...).Output()
if err != nil {
// TODO(cbro): read stderr for error message? Might contain sensitive info.
return nil, err
}
cert, err := tls.X509KeyPair(data, data)
if err != nil {
return nil, err
}
defaultSourceCachedCert = &cert
return &cert, nil
}
func isCertificateExpired(cert *tls.Certificate) bool {
parsed, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return true
}
return time.Now().After(parsed.NotAfter)
}