forked from argoproj/argo-workflows
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: Generate TLS Certificates on startup and only keep in memory (ar…
…goproj#6540) Signed-off-by: David Collom <[email protected]>
- Loading branch information
1 parent
5464c4c
commit 478d794
Showing
7 changed files
with
152 additions
and
34 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,27 +1,13 @@ | ||
package commands | ||
|
||
import ( | ||
"os" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestDefaultSecureMode(t *testing.T) { | ||
// No certs: We should run insecure | ||
// Secure mode by default | ||
cmd := NewServerCommand() | ||
assert.Equal(t, "false", cmd.Flag("secure").Value.String()) | ||
|
||
// Clean up and delete tests files | ||
defer func() { | ||
_ = os.Remove("argo-server.crt") | ||
_ = os.Remove("argo-server.key") | ||
}() | ||
|
||
_, _ = os.Create("argo-server.crt") | ||
_, _ = os.Create("argo-server.key") | ||
|
||
// No certs: We should secure | ||
cmd = NewServerCommand() | ||
assert.Equal(t, "true", cmd.Flag("secure").Value.String()) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
package tls | ||
|
||
import ( | ||
"crypto" | ||
"crypto/ecdsa" | ||
"crypto/elliptic" | ||
"crypto/rand" | ||
"crypto/tls" | ||
"crypto/x509" | ||
"crypto/x509/pkix" | ||
"encoding/pem" | ||
"fmt" | ||
"log" | ||
"math/big" | ||
"net" | ||
"os" | ||
"time" | ||
) | ||
|
||
func pemBlockForKey(priv interface{}) *pem.Block { | ||
switch k := priv.(type) { | ||
case *ecdsa.PrivateKey: | ||
b, err := x509.MarshalECPrivateKey(k) | ||
if err != nil { | ||
log.Fatal(err) | ||
os.Exit(2) | ||
} | ||
return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} | ||
default: | ||
return nil | ||
} | ||
} | ||
|
||
func generate() ([]byte, crypto.PrivateKey, error) { | ||
hosts := []string{"localhost"} | ||
|
||
var err error | ||
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) | ||
if err != nil { | ||
return nil, nil, fmt.Errorf("failed to generate private key: %s", err) | ||
} | ||
|
||
notBefore := time.Now() | ||
notAfter := notBefore.Add(365 * 24 * time.Hour) | ||
|
||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) | ||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) | ||
if err != nil { | ||
return nil, nil, fmt.Errorf("failed to generate serial number: %s", err) | ||
} | ||
|
||
template := x509.Certificate{ | ||
SerialNumber: serialNumber, | ||
Subject: pkix.Name{ | ||
Organization: []string{"ArgoProj"}, | ||
}, | ||
NotBefore: notBefore, | ||
NotAfter: notAfter, | ||
|
||
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, | ||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, | ||
BasicConstraintsValid: true, | ||
} | ||
|
||
for _, h := range hosts { | ||
if ip := net.ParseIP(h); ip != nil { | ||
template.IPAddresses = append(template.IPAddresses, ip) | ||
} else { | ||
template.DNSNames = append(template.DNSNames, h) | ||
} | ||
} | ||
|
||
certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey) | ||
if err != nil { | ||
return nil, nil, fmt.Errorf("failed to create certificate: %s", err) | ||
} | ||
return certBytes, privateKey, nil | ||
} | ||
|
||
// generatePEM generates a new certificate and key and returns it as PEM encoded bytes | ||
func generatePEM() ([]byte, []byte, error) { | ||
certBytes, privateKey, err := generate() | ||
if err != nil { | ||
return nil, nil, err | ||
} | ||
certpem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes}) | ||
keypem := pem.EncodeToMemory(pemBlockForKey(privateKey)) | ||
return certpem, keypem, nil | ||
} | ||
|
||
// GenerateX509KeyPair generates a X509 key pair | ||
func GenerateX509KeyPair() (*tls.Certificate, error) { | ||
certpem, keypem, err := generatePEM() | ||
if err != nil { | ||
return nil, err | ||
} | ||
cert, err := tls.X509KeyPair(certpem, keypem) | ||
if err != nil { | ||
return nil, err | ||
} | ||
return &cert, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
package tls | ||
|
||
import ( | ||
"crypto/x509" | ||
"testing" | ||
"time" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestGenerate(t *testing.T) { | ||
t.Run("Create certificate with default options", func(t *testing.T) { | ||
certBytes, privKey, err := generate() | ||
assert.NoError(t, err) | ||
assert.NotNil(t, privKey) | ||
cert, err := x509.ParseCertificate(certBytes) | ||
assert.NoError(t, err) | ||
assert.NotNil(t, cert) | ||
assert.Len(t, cert.DNSNames, 1) | ||
assert.Equal(t, "localhost", cert.DNSNames[0]) | ||
assert.Empty(t, cert.IPAddresses) | ||
assert.LessOrEqual(t, int64(time.Since(cert.NotBefore)), int64(10*time.Second)) | ||
}) | ||
} | ||
|
||
func TestGeneratePEM(t *testing.T) { | ||
t.Run("Create PEM from certficate options", func(t *testing.T) { | ||
cert, key, err := generatePEM() | ||
assert.NoError(t, err) | ||
assert.NotNil(t, cert) | ||
assert.NotNil(t, key) | ||
}) | ||
|
||
t.Run("Create X509KeyPair", func(t *testing.T) { | ||
cert, err := GenerateX509KeyPair() | ||
assert.NoError(t, err) | ||
assert.NotNil(t, cert) | ||
}) | ||
} |