2018-08-27 22:21:45 +02:00
|
|
|
package serve
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/zrepl/zrepl/config"
|
|
|
|
"github.com/zrepl/zrepl/tlsconf"
|
|
|
|
"net"
|
|
|
|
"time"
|
2018-09-05 01:41:54 +02:00
|
|
|
"context"
|
2018-08-27 22:21:45 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type TLSListenerFactory struct {
|
|
|
|
address string
|
|
|
|
clientCA *x509.CertPool
|
|
|
|
serverCert tls.Certificate
|
|
|
|
handshakeTimeout time.Duration
|
|
|
|
}
|
|
|
|
|
2018-08-31 21:50:59 +02:00
|
|
|
func TLSListenerFactoryFromConfig(c *config.Global, in *config.TLSServe) (lf *TLSListenerFactory, err error) {
|
2018-08-27 22:21:45 +02:00
|
|
|
lf = &TLSListenerFactory{
|
|
|
|
address: in.Listen,
|
2018-09-05 17:32:59 +02:00
|
|
|
handshakeTimeout: in.HandshakeTimeout,
|
2018-08-27 22:21:45 +02:00
|
|
|
}
|
|
|
|
|
2018-09-05 01:41:54 +02:00
|
|
|
if in.Ca == "" || in.Cert == "" || in.Key == "" {
|
|
|
|
return nil, errors.New("fields 'ca', 'cert' and 'key'must be specified")
|
2018-08-27 22:21:45 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
lf.clientCA, err = tlsconf.ParseCAFile(in.Ca)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "cannot parse ca file")
|
|
|
|
}
|
|
|
|
|
|
|
|
lf.serverCert, err = tls.LoadX509KeyPair(in.Cert, in.Key)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "cannot parse cer/key pair")
|
|
|
|
}
|
|
|
|
|
|
|
|
return lf, nil
|
|
|
|
}
|
|
|
|
|
2018-09-05 01:41:54 +02:00
|
|
|
func (f *TLSListenerFactory) Listen() (AuthenticatedListener, error) {
|
2018-08-27 22:21:45 +02:00
|
|
|
l, err := net.Listen("tcp", f.address)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-09-05 01:41:54 +02:00
|
|
|
tl := tlsconf.NewClientAuthListener(l, f.clientCA, f.serverCert, f.handshakeTimeout)
|
|
|
|
return tlsAuthListener{tl}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type tlsAuthListener struct {
|
|
|
|
*tlsconf.ClientAuthListener
|
|
|
|
}
|
|
|
|
|
|
|
|
func (l tlsAuthListener) Accept(ctx context.Context) (AuthenticatedConn, error) {
|
|
|
|
c, cn, err := l.ClientAuthListener.Accept()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return authConn{c, cn}, nil
|
2018-08-27 22:21:45 +02:00
|
|
|
}
|
2018-09-05 01:41:54 +02:00
|
|
|
|
|
|
|
|