|
|
|
|
@ -19,9 +19,16 @@ package registry
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"context"
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
"crypto/rsa"
|
|
|
|
|
"crypto/x509"
|
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
|
"encoding/pem"
|
|
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"math/big"
|
|
|
|
|
"net"
|
|
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
|
|
|
|
"net/url"
|
|
|
|
|
@ -47,6 +54,10 @@ import (
|
|
|
|
|
var (
|
|
|
|
|
testCacheRootDir = "helm-registry-test"
|
|
|
|
|
testHtpasswdFileBasename = "authtest.htpasswd"
|
|
|
|
|
testCACertFileName = "root.pem"
|
|
|
|
|
testCAKeyFileName = "root-key.pem"
|
|
|
|
|
testClientCertFileName = "client.pem"
|
|
|
|
|
testClientKeyFileName = "client-key.pem"
|
|
|
|
|
testUsername = "myuser"
|
|
|
|
|
testPassword = "mypass"
|
|
|
|
|
)
|
|
|
|
|
@ -58,6 +69,15 @@ type RegistryClientTestSuite struct {
|
|
|
|
|
CompromisedRegistryHost string
|
|
|
|
|
CacheRootDir string
|
|
|
|
|
RegistryClient *Client
|
|
|
|
|
|
|
|
|
|
PlainHTTPDockerRegistryHost string
|
|
|
|
|
TLSDockerRegistryHost string
|
|
|
|
|
TLSVerifyClientDockerRegistryHost string
|
|
|
|
|
|
|
|
|
|
PlainHTTPRegistryClient *Client
|
|
|
|
|
InsecureRegistryClient *Client
|
|
|
|
|
RegistryClientWithCA *Client
|
|
|
|
|
RegistryClientWithCertKey *Client
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) SetupSuite() {
|
|
|
|
|
@ -70,7 +90,7 @@ func (suite *RegistryClientTestSuite) SetupSuite() {
|
|
|
|
|
credentialsFile := filepath.Join(suite.CacheRootDir, CredentialsFileBasename)
|
|
|
|
|
|
|
|
|
|
client, err := auth.NewClient(credentialsFile)
|
|
|
|
|
suite.Nil(err, "no error creating auth client")
|
|
|
|
|
suite.Nil(err, "error creating auth client")
|
|
|
|
|
|
|
|
|
|
resolver, err := client.Resolver(context.Background(), http.DefaultClient, false)
|
|
|
|
|
suite.Nil(err, "no error creating resolver")
|
|
|
|
|
@ -81,7 +101,39 @@ func (suite *RegistryClientTestSuite) SetupSuite() {
|
|
|
|
|
CacheOptWriter(suite.Out),
|
|
|
|
|
CacheOptRoot(filepath.Join(suite.CacheRootDir, CacheRootDir)),
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "no error creating cache")
|
|
|
|
|
suite.Nil(err, "error creating cache")
|
|
|
|
|
|
|
|
|
|
// find the first non-local IP as the registry address
|
|
|
|
|
// or else, using localhost will always be insecure
|
|
|
|
|
var hostname string
|
|
|
|
|
addrs, err := net.InterfaceAddrs()
|
|
|
|
|
suite.Nil(err, "error getting IP addresses")
|
|
|
|
|
for _, address := range addrs {
|
|
|
|
|
if n, ok := address.(*net.IPNet); ok {
|
|
|
|
|
if n.IP.IsLinkLocalUnicast() || n.IP.IsLoopback() {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
hostname = n.IP.String()
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
suite.NotEmpty(hostname, "failed to get ip address as hostname")
|
|
|
|
|
|
|
|
|
|
// generate self-sign CA cert/key and client cert/key
|
|
|
|
|
caCert, caKey, clientCert, clientKey, err := genCerts(hostname)
|
|
|
|
|
suite.Nil(err, "error generating certs")
|
|
|
|
|
caCertPath := filepath.Join(suite.CacheRootDir, testCACertFileName)
|
|
|
|
|
err = ioutil.WriteFile(caCertPath, caCert, 0644)
|
|
|
|
|
suite.Nil(err, "error creating test ca cert file")
|
|
|
|
|
caKeyPath := filepath.Join(suite.CacheRootDir, testCAKeyFileName)
|
|
|
|
|
err = ioutil.WriteFile(caKeyPath, caKey, 0644)
|
|
|
|
|
suite.Nil(err, "error creating test ca key file")
|
|
|
|
|
clientCertPath := filepath.Join(suite.CacheRootDir, testClientCertFileName)
|
|
|
|
|
err = ioutil.WriteFile(clientCertPath, clientCert, 0644)
|
|
|
|
|
suite.Nil(err, "error creating test client cert file")
|
|
|
|
|
clientKeyPath := filepath.Join(suite.CacheRootDir, testClientKeyFileName)
|
|
|
|
|
err = ioutil.WriteFile(clientKeyPath, clientKey, 0644)
|
|
|
|
|
suite.Nil(err, "error creating test client key file")
|
|
|
|
|
|
|
|
|
|
// init test client
|
|
|
|
|
suite.RegistryClient, err = NewClient(
|
|
|
|
|
@ -97,17 +149,66 @@ func (suite *RegistryClientTestSuite) SetupSuite() {
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "no error creating registry client")
|
|
|
|
|
|
|
|
|
|
// init plain http client
|
|
|
|
|
suite.PlainHTTPRegistryClient, err = NewClient(
|
|
|
|
|
ClientOptDebug(true),
|
|
|
|
|
ClientOptWriter(suite.Out),
|
|
|
|
|
ClientOptAuthorizer(&Authorizer{
|
|
|
|
|
Client: client,
|
|
|
|
|
}),
|
|
|
|
|
ClientOptPlainHTTP(true),
|
|
|
|
|
ClientOptCache(cache),
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "error creating plain http registry client")
|
|
|
|
|
|
|
|
|
|
// init insecure client
|
|
|
|
|
suite.InsecureRegistryClient, err = NewClient(
|
|
|
|
|
ClientOptDebug(true),
|
|
|
|
|
ClientOptWriter(suite.Out),
|
|
|
|
|
ClientOptAuthorizer(&Authorizer{
|
|
|
|
|
Client: client,
|
|
|
|
|
}),
|
|
|
|
|
ClientOptInsecureSkipVerifyTLS(true),
|
|
|
|
|
ClientOptCache(cache),
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "error creating insecure registry client")
|
|
|
|
|
|
|
|
|
|
// init client with CA cert
|
|
|
|
|
suite.RegistryClientWithCA, err = NewClient(
|
|
|
|
|
ClientOptDebug(true),
|
|
|
|
|
ClientOptWriter(suite.Out),
|
|
|
|
|
ClientOptAuthorizer(&Authorizer{
|
|
|
|
|
Client: client,
|
|
|
|
|
}),
|
|
|
|
|
ClientOptCAFile(caCertPath),
|
|
|
|
|
ClientOptCache(cache),
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "error creating registry client with CA cert")
|
|
|
|
|
|
|
|
|
|
// init client with CA cert and client cert/key
|
|
|
|
|
suite.RegistryClientWithCertKey, err = NewClient(
|
|
|
|
|
ClientOptDebug(true),
|
|
|
|
|
ClientOptWriter(suite.Out),
|
|
|
|
|
ClientOptAuthorizer(&Authorizer{
|
|
|
|
|
Client: client,
|
|
|
|
|
}),
|
|
|
|
|
ClientOptCAFile(caCertPath),
|
|
|
|
|
ClientOptCertKeyFiles(clientCertPath, clientKeyPath),
|
|
|
|
|
ClientOptCache(cache),
|
|
|
|
|
)
|
|
|
|
|
suite.Nil(err, "error creating registry client with CA cert")
|
|
|
|
|
|
|
|
|
|
// create htpasswd file (w BCrypt, which is required)
|
|
|
|
|
pwBytes, err := bcrypt.GenerateFromPassword([]byte(testPassword), bcrypt.DefaultCost)
|
|
|
|
|
suite.Nil(err, "no error generating bcrypt password for test htpasswd file")
|
|
|
|
|
suite.Nil(err, "error generating bcrypt password for test htpasswd file")
|
|
|
|
|
htpasswdPath := filepath.Join(suite.CacheRootDir, testHtpasswdFileBasename)
|
|
|
|
|
err = ioutil.WriteFile(htpasswdPath, []byte(fmt.Sprintf("%s:%s\n", testUsername, string(pwBytes))), 0644)
|
|
|
|
|
suite.Nil(err, "no error creating test htpasswd file")
|
|
|
|
|
suite.Nil(err, "error creating test htpasswd file")
|
|
|
|
|
|
|
|
|
|
// Registry config
|
|
|
|
|
config := &configuration.Configuration{}
|
|
|
|
|
port, err := freeport.GetFreePort()
|
|
|
|
|
suite.Nil(err, "no error finding free port for test registry")
|
|
|
|
|
suite.Nil(err, "no error finding free port for test plain HTTP registry")
|
|
|
|
|
suite.DockerRegistryHost = fmt.Sprintf("localhost:%d", port)
|
|
|
|
|
config.HTTP.Addr = fmt.Sprintf(":%d", port)
|
|
|
|
|
config.HTTP.DrainTimeout = time.Duration(10) * time.Second
|
|
|
|
|
@ -123,8 +224,61 @@ func (suite *RegistryClientTestSuite) SetupSuite() {
|
|
|
|
|
|
|
|
|
|
suite.CompromisedRegistryHost = initCompromisedRegistryTestServer()
|
|
|
|
|
|
|
|
|
|
// Start Docker registry
|
|
|
|
|
// plain http registry
|
|
|
|
|
plainHTTPConfig := &configuration.Configuration{}
|
|
|
|
|
plainHTTPPort, err := freeport.GetFreePort()
|
|
|
|
|
suite.Nil(err, "no error finding free port for test plain HTTP registry")
|
|
|
|
|
suite.PlainHTTPDockerRegistryHost = fmt.Sprintf("%s:%d", hostname, plainHTTPPort)
|
|
|
|
|
plainHTTPConfig.HTTP.Addr = fmt.Sprintf(":%d", plainHTTPPort)
|
|
|
|
|
plainHTTPConfig.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}
|
|
|
|
|
plainHTTPConfig.Auth = configuration.Auth{
|
|
|
|
|
"htpasswd": configuration.Parameters{
|
|
|
|
|
"realm": hostname,
|
|
|
|
|
"path": htpasswdPath,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
plainHTTPDockerRegistry, err := registry.NewRegistry(context.Background(), plainHTTPConfig)
|
|
|
|
|
suite.Nil(err, "no error creating test plain http registry")
|
|
|
|
|
|
|
|
|
|
// init TLS registry with self-signed CA
|
|
|
|
|
tlsRegistryPort, err := freeport.GetFreePort()
|
|
|
|
|
suite.Nil(err, "no error finding free port for test TLS registry")
|
|
|
|
|
suite.TLSDockerRegistryHost = fmt.Sprintf("%s:%d", hostname, tlsRegistryPort)
|
|
|
|
|
|
|
|
|
|
tlsRegistryConfig := &configuration.Configuration{}
|
|
|
|
|
tlsRegistryConfig.HTTP.Addr = fmt.Sprintf(":%d", tlsRegistryPort)
|
|
|
|
|
tlsRegistryConfig.HTTP.TLS.Certificate = caCertPath
|
|
|
|
|
tlsRegistryConfig.HTTP.TLS.Key = caKeyPath
|
|
|
|
|
tlsRegistryConfig.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}
|
|
|
|
|
tlsRegistryConfig.Auth = configuration.Auth{
|
|
|
|
|
"htpasswd": configuration.Parameters{
|
|
|
|
|
"realm": hostname,
|
|
|
|
|
"path": htpasswdPath,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
tlsDockerRegistry, err := registry.NewRegistry(context.Background(), tlsRegistryConfig)
|
|
|
|
|
suite.Nil(err, "no error creating test TLS registry")
|
|
|
|
|
|
|
|
|
|
// init TLS registry with self-signed CA and client verification enabled
|
|
|
|
|
anotherTLSRegistryPort, err := freeport.GetFreePort()
|
|
|
|
|
suite.Nil(err, "no error finding free port for test another TLS registry")
|
|
|
|
|
suite.TLSVerifyClientDockerRegistryHost = fmt.Sprintf("%s:%d", hostname, anotherTLSRegistryPort)
|
|
|
|
|
|
|
|
|
|
anotherTLSRegistryConfig := &configuration.Configuration{}
|
|
|
|
|
anotherTLSRegistryConfig.HTTP.Addr = fmt.Sprintf(":%d", anotherTLSRegistryPort)
|
|
|
|
|
anotherTLSRegistryConfig.HTTP.TLS.Certificate = caCertPath
|
|
|
|
|
anotherTLSRegistryConfig.HTTP.TLS.Key = caKeyPath
|
|
|
|
|
anotherTLSRegistryConfig.HTTP.TLS.ClientCAs = []string{caCertPath}
|
|
|
|
|
anotherTLSRegistryConfig.Storage = map[string]configuration.Parameters{"inmemory": map[string]interface{}{}}
|
|
|
|
|
// no auth because we cannot pass Login action
|
|
|
|
|
anotherTLSDockerRegistry, err := registry.NewRegistry(context.Background(), anotherTLSRegistryConfig)
|
|
|
|
|
suite.Nil(err, "no error creating test another TLS registry")
|
|
|
|
|
|
|
|
|
|
// start registries
|
|
|
|
|
go dockerRegistry.ListenAndServe()
|
|
|
|
|
go plainHTTPDockerRegistry.ListenAndServe()
|
|
|
|
|
go tlsDockerRegistry.ListenAndServe()
|
|
|
|
|
go anotherTLSDockerRegistry.ListenAndServe()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) TearDownSuite() {
|
|
|
|
|
@ -143,6 +297,24 @@ func (suite *RegistryClientTestSuite) Test_0_Login() {
|
|
|
|
|
|
|
|
|
|
err = suite.RegistryClient.Login(suite.DockerRegistryHost, testUsername, testPassword, true)
|
|
|
|
|
suite.Nil(err, "no error logging into registry with good credentials, insecure mode")
|
|
|
|
|
|
|
|
|
|
err = suite.PlainHTTPRegistryClient.Login(suite.PlainHTTPDockerRegistryHost, testUsername, testPassword, false)
|
|
|
|
|
suite.NotNil(err, "no error logging into registry with good credentials")
|
|
|
|
|
|
|
|
|
|
err = suite.PlainHTTPRegistryClient.Login(suite.PlainHTTPDockerRegistryHost, testUsername, testPassword, true)
|
|
|
|
|
suite.Nil(err, "error logging into registry with good credentials, insecure mode")
|
|
|
|
|
|
|
|
|
|
err = suite.InsecureRegistryClient.Login(suite.TLSDockerRegistryHost, testUsername, testPassword, false)
|
|
|
|
|
suite.NotNil(err, "no error logging into insecure with good credentials")
|
|
|
|
|
|
|
|
|
|
err = suite.InsecureRegistryClient.Login(suite.TLSDockerRegistryHost, testUsername, testPassword, true)
|
|
|
|
|
suite.Nil(err, "error logging into insecure with good credentials, insecure mode")
|
|
|
|
|
|
|
|
|
|
err = suite.RegistryClientWithCA.Login(suite.TLSDockerRegistryHost, testUsername, testPassword, false)
|
|
|
|
|
suite.NotNil(err, "no error logging into insecure with good credentials")
|
|
|
|
|
|
|
|
|
|
err = suite.RegistryClientWithCA.Login(suite.TLSDockerRegistryHost, testUsername, testPassword, true)
|
|
|
|
|
suite.Nil(err, "error logging into insecure with good credentials, insecure mode")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_1_SaveChart() {
|
|
|
|
|
@ -162,6 +334,22 @@ func (suite *RegistryClientTestSuite) Test_1_SaveChart() {
|
|
|
|
|
}
|
|
|
|
|
err = suite.RegistryClient.SaveChart(ch, ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// prepare the cache for plain http/TLS registries
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.PlainHTTPDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.RegistryClient.SaveChart(ch, ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.RegistryClient.SaveChart(ch, ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSVerifyClientDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.RegistryClient.SaveChart(ch, ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_2_LoadChart() {
|
|
|
|
|
@ -194,6 +382,28 @@ func (suite *RegistryClientTestSuite) Test_3_PushChart() {
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.RegistryClient.PushChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// plain http registry
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.PlainHTTPDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.PlainHTTPRegistryClient.PushChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// insecure TLS registry
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.InsecureRegistryClient.PushChart(ref)
|
|
|
|
|
suite.Nil(err, "error insecure pushing %s", ref.FullName())
|
|
|
|
|
|
|
|
|
|
// TLS registry with CA cert
|
|
|
|
|
err = suite.RegistryClientWithCA.PushChart(ref)
|
|
|
|
|
suite.Nil(err, "error pushing %s with CA", ref.FullName())
|
|
|
|
|
|
|
|
|
|
// TLS registry with client cert verification enabled
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSVerifyClientDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
err = suite.RegistryClientWithCertKey.PushChart(ref)
|
|
|
|
|
suite.Nil(err, "error pushing %s with client cert", ref.FullName())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_4_PullChart() {
|
|
|
|
|
@ -209,6 +419,29 @@ func (suite *RegistryClientTestSuite) Test_4_PullChart() {
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
_, err = suite.RegistryClient.PullChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// plain http registry
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.PlainHTTPDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
_, err = suite.PlainHTTPRegistryClient.PullChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// insecure registry
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
_, err = suite.InsecureRegistryClient.PullChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// registry with CA
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
_, err = suite.RegistryClientWithCA.PullChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
|
|
|
|
|
// TLS registry with cert verification enabled
|
|
|
|
|
ref, err = ParseReference(fmt.Sprintf("%s/testrepo/testchart:1.2.3", suite.TLSVerifyClientDockerRegistryHost))
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
_, err = suite.RegistryClientWithCertKey.PullChart(ref)
|
|
|
|
|
suite.Nil(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_5_PrintChartTable() {
|
|
|
|
|
@ -233,10 +466,20 @@ func (suite *RegistryClientTestSuite) Test_6_RemoveChart() {
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_7_Logout() {
|
|
|
|
|
err := suite.RegistryClient.Logout("this-host-aint-real:5000")
|
|
|
|
|
suite.NotNil(err, "error logging out of registry that has no entry")
|
|
|
|
|
suite.NotNil(err, "no error logging out of registry that has no entry")
|
|
|
|
|
|
|
|
|
|
err = suite.RegistryClient.Logout(suite.DockerRegistryHost)
|
|
|
|
|
suite.Nil(err, "no error logging out of registry")
|
|
|
|
|
suite.Nil(err, "error logging out of registry")
|
|
|
|
|
|
|
|
|
|
err = suite.PlainHTTPRegistryClient.Logout(suite.PlainHTTPDockerRegistryHost)
|
|
|
|
|
suite.Nil(err, "error logging out of plain http registry")
|
|
|
|
|
|
|
|
|
|
err = suite.InsecureRegistryClient.Logout(suite.TLSDockerRegistryHost)
|
|
|
|
|
suite.Nil(err, "error logging out of insecure registry")
|
|
|
|
|
|
|
|
|
|
// error as logout happened for TLSDockerRegistryHost in last step
|
|
|
|
|
err = suite.RegistryClientWithCA.Logout(suite.TLSDockerRegistryHost)
|
|
|
|
|
suite.NotNil(err, "no error logging out of insecure registry with ca cert")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (suite *RegistryClientTestSuite) Test_8_ManInTheMiddle() {
|
|
|
|
|
@ -292,3 +535,103 @@ func initCompromisedRegistryTestServer() string {
|
|
|
|
|
u, _ := url.Parse(s.URL)
|
|
|
|
|
return fmt.Sprintf("localhost:%s", u.Port())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Code from https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
|
|
|
|
|
func genCerts(ip string) (caCert, caKey, clientCert, clientKey []byte, retErr error) {
|
|
|
|
|
addr := net.ParseIP(ip)
|
|
|
|
|
if addr == nil {
|
|
|
|
|
retErr = fmt.Errorf("invalid IP %s", ip)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
ca := &x509.Certificate{
|
|
|
|
|
SerialNumber: big.NewInt(2021),
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
CommonName: "helm.sh",
|
|
|
|
|
Organization: []string{"Helm"},
|
|
|
|
|
Country: []string{"US"},
|
|
|
|
|
Province: []string{"CO"},
|
|
|
|
|
Locality: []string{"Boulder"},
|
|
|
|
|
},
|
|
|
|
|
IPAddresses: []net.IP{addr},
|
|
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
NotAfter: time.Now().AddDate(10, 0, 0),
|
|
|
|
|
IsCA: true,
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
|
|
|
|
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// create ca private and public key
|
|
|
|
|
caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
|
|
|
|
|
if err != nil {
|
|
|
|
|
retErr = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// create the CA
|
|
|
|
|
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
retErr = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// pem encode
|
|
|
|
|
caPEM := new(bytes.Buffer)
|
|
|
|
|
pem.Encode(caPEM, &pem.Block{
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
Bytes: caBytes,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
caPrivKeyPEM := new(bytes.Buffer)
|
|
|
|
|
pem.Encode(caPrivKeyPEM, &pem.Block{
|
|
|
|
|
Type: "RSA PRIVATE KEY",
|
|
|
|
|
Bytes: x509.MarshalPKCS1PrivateKey(caPrivKey),
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
// client certificate
|
|
|
|
|
cert := &x509.Certificate{
|
|
|
|
|
SerialNumber: big.NewInt(2021),
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
Organization: []string{"Helm"},
|
|
|
|
|
Country: []string{"US"},
|
|
|
|
|
Province: []string{"CO"},
|
|
|
|
|
Locality: []string{"Boulder"},
|
|
|
|
|
},
|
|
|
|
|
NotBefore: time.Now(),
|
|
|
|
|
NotAfter: time.Now().AddDate(10, 0, 0),
|
|
|
|
|
SubjectKeyId: []byte{1, 2, 3, 4, 6},
|
|
|
|
|
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
|
|
|
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
|
|
|
|
|
if err != nil {
|
|
|
|
|
retErr = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, &certPrivKey.PublicKey, caPrivKey)
|
|
|
|
|
if err != nil {
|
|
|
|
|
retErr = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
certPEM := new(bytes.Buffer)
|
|
|
|
|
pem.Encode(certPEM, &pem.Block{
|
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
|
Bytes: certBytes,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
certPrivKeyPEM := new(bytes.Buffer)
|
|
|
|
|
pem.Encode(certPrivKeyPEM, &pem.Block{
|
|
|
|
|
Type: "RSA PRIVATE KEY",
|
|
|
|
|
Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
caCert = caPEM.Bytes()
|
|
|
|
|
caKey = caPrivKeyPEM.Bytes()
|
|
|
|
|
clientCert = certPEM.Bytes()
|
|
|
|
|
clientKey = certPrivKeyPEM.Bytes()
|
|
|
|
|
|
|
|
|
|
return caCert, caKey, clientCert, clientKey, nil
|
|
|
|
|
}
|
|
|
|
|
|
Chen Winston
5 years ago