// Copyright (c) 2021. Huawei Technologies Co., Ltd. All rights reserved.

// Package common this file define WebCertUtil
package common

import (
   "crypto/tls"
   "crypto/x509"
   "encoding/pem"
   "errors"
   "fmt"
   "github.com/gin-gonic/gin"
   "huawei.com/npu-exporter/hwlog"
   "huawei.com/npu-exporter/limiter"
   "huawei.com/npu-exporter/utils"
   "io/ioutil"
   "net/http"
   "strconv"
   "strings"
   "time"
)

const keyLength = 4096

var webCert *WebCertUtil

// WebCertUtil WebCertUtil
type WebCertUtil struct {
   *CertificateUtils
}

// NewWebCertUtil NewWebCertUtil
func NewWebCertUtil(dnsName, dirName string, overdueTime int) *WebCertUtil {
   ws := &WebCertUtil{
      CertificateUtils: NewCertificateUtils(dnsName, dirName, overdueTime),
   }
   if err := utils.MakeSureDir(ws.KeyStore); err != nil {
      hwlog.RunLog.Fatal(err)
   }

   return ws
}

// GetWebCertUtil return webCert
func GetWebCertUtil() *WebCertUtil {
   return webCert
}

// CheckCertValidityPeriod CheckCertValidityPeriod
func (ws *WebCertUtil) CheckCertValidityPeriod(interval time.Duration) {
   hwlog.RunLog.Info("start cert period check...")
   ticker := time.NewTicker(interval)
   defer ticker.Stop()
   hasTask := false
   for {
      _, ok := <-ticker.C
      if !ok {
         return
      }
      if hasTask {
         continue
      }
      ws.Lock.RLock()
      if ws.Cert == nil {
         ws.Lock.RUnlock()
         continue
      }
      x509Cert, err := x509.ParseCertificate(ws.Cert.Certificate[0])
      if err != nil {
         ws.Lock.RUnlock()
         continue
      }
      err = utils.CheckValidityPeriodWithError(x509Cert, ws.OverdueTime)
      ws.Lock.RUnlock()
      if err == nil {
         continue
      }
      hwlog.RunLog.Warn(err)
      go func() {
         hasTask = true
         defer func() {
            hasTask = false
            hwlog.RunLog.Info("apply for a new certificate success")
         }()
         hwlog.RunLog.Info("apply for a new certificate because the certificate has expired")
         if err = ws.ApplyForCertificateByRequest(); err != nil {
            hwlog.RunLog.Error(err)
         }
      }()
   }
}

// GetCaByRequest get ca by request
func (ws *WebCertUtil) GetCaByRequest() ([]byte, error) {
   caByte, err := DefaultClsMgrClient.GetRootCertificate()
   if err != nil {
      return nil, err
   }
   hwlog.RunLog.Info("succeeded in getting ca certificate by request")
   if err = ioutil.WriteFile(ws.CaStore, caByte, utils.RWMode); err != nil {
      return nil, errors.New("write caBytes to file failed")
   }
   hwlog.RunLog.Info("succeeded in saving ca certificate to file")
   ws.CaBytes = caByte
   return caByte, nil
}

// ApplyForCertificateByRequest apply for certificate by request
func (ws *WebCertUtil) ApplyForCertificateByRequest() error {
   certPem, err := DefaultClsMgrClient.ApplyForCertificatePemByte(ws.DNSName, ws.CaBytes, ws.PrivateKey)
   if err != nil {
      return err
   }
   hwlog.RunLog.Info("succeeded in getting certificate by request")

   derStream := x509.MarshalPKCS1PrivateKey(ws.PrivateKey)
   block := &pem.Block{
      Type:  RSAPrivateKey,
      Bytes: derStream,
   }
   keyPem := pem.EncodeToMemory(block)
   tlsCert, err := utils.ValidateCertPair(certPem, keyPem, false, ws.OverdueTime)
   if err != nil {
      return err
   }
   if err = ioutil.WriteFile(ws.CertStore, certPem, utils.RWMode); err != nil {
      return errors.New("write certBytes to file failed ")
   }
   hwlog.RunLog.Info("succeeded in saving certificate to file")

   ws.Lock.RLock()
   defer ws.Lock.RUnlock()

   ws.refreshCertStatus(tlsCert)
   ws.Cert = tlsCert
   return nil
}

func (ws *WebCertUtil) refreshCertStatus(tlsCert *tls.Certificate) {
   // clear cert status record
   ws.ClearCertificateMap()

   caCert, err := utils.LoadCertsFromPEM(ws.CaBytes)
   if err == nil {
      // refresh ca record
      err = utils.AddToCertStatusTrace(caCert)
   }
   if err != nil {
      hwlog.RunLog.Error("prepare refresh ca info failed: " + err.Error())
   }

   x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
   if err == nil {
      // refresh certificate record
      err = utils.AddToCertStatusTrace(x509Cert)
   }
   if err != nil {
      hwlog.RunLog.Error("prepare refresh certificate info failed: " + err.Error())
   }
   hwlog.RunLog.Info("succeeded in refresh ca/cert info")
}

// SetHTTPSServer set http server config for one or two way auth
func (ws *WebCertUtil) SetHTTPSServer(s *http.Server, concurrency, maxConcurrency int,
   cipherSuites []uint16, ginObj *gin.Engine) error {
   tlsConfig, err := utils.NewTLSConfigV2(ws.CaBytes, *ws.Cert, cipherSuites)
   if err != nil {
      return err
   }

   tlsConfig.Certificates = nil
   tlsConfig.GetCertificate = ws.GetCertificateFunc()
   s.Handler = limiter.NewLimitHandler(concurrency, maxConcurrency, utils.Interceptor(ginObj, ws.CrlList), false)
   s.TLSConfig = tlsConfig

   return nil
}

// ReApplyCertificate reapply certificate
func (ws *WebCertUtil) ReApplyCertificate(algorithm int) error {
   hwlog.RunLog.Info("prepare to reapply a new certificate")
   if ws.PrivateKey == nil {
      if _, err := ws.GenerateRSAPrivateKey(keyLength, algorithm); err != nil {
         return err
      }
   }
   if err := ws.ApplyForCertificateByRequest(); err != nil {
      return err
   }

   return nil
}

// GetRequestClient get http client for request
func (ws *WebCertUtil) GetRequestClient(authMode string) (*http.Client, error) {
   // https auth two way
   if authMode == TwoWay {
      requestClient, err := ws.GetTwoWayAuthRequestClient()
      if err != nil {
         return nil, err
      }

      return requestClient, nil
   }

   // https auth one way
   pool, err := x509.SystemCertPool()
   if err != nil {
      return nil, fmt.Errorf("cannot get system trusted certificates pool: %w", err)
   }
   if !pool.AppendCertsFromPEM(ws.CaBytes) {
      return nil, fmt.Errorf("failed to append to certificates pool")
   }
   c := &http.Client{
      Transport: &http.Transport{
         TLSClientConfig: &tls.Config{
            RootCAs: pool,
         },
      },
   }

   return c, nil
}

// InitCert init cert and ca
func InitCert(sp *ServerParam) error {
   ws := NewWebCertUtil(sp.DNSName, sp.DirName, sp.OverdueTime)
   var reApply bool
   var caBytes []byte
   // load ca
   _, err := ws.LoadCAOnStart(sp.AuthMode)
   if err != nil && strings.Contains(err.Error(), ReApply) {
      reApply = true
   }
   // reapply ca
   if reApply {
      caBytes, err = ws.GetCaByRequest()
      if len(caBytes) == 0 || err != nil {
         return err
      }
      reApply = false
   }
   if err != nil {
      return err
   }
   // load cert and private key
   _, err = ws.LoadCertAndKeyOnStart(sp.EncryptAlgorithm)
   if err != nil && strings.Contains(err.Error(), ReApply) {
      reApply = true
   }
   // reapply cert
   if reApply {
      if err = ws.ReApplyCertificate(sp.EncryptAlgorithm); err != nil {
         return err
      }
   }
   if err != nil {
      return err
   }

   // init global WebCertUtil
   webCert = ws
   return nil
}

// StartServerListen StartServerListen
func StartServerListen(sp *ServerParam, engine *gin.Engine) {
   s := &http.Server{
      ReadTimeout:  sp.ReadTimeOut * time.Second,
      WriteTimeout: sp.WriteTimeOut * time.Second,
      Addr:         sp.IP + ":" + strconv.Itoa(sp.Port),
      Handler:      limiter.NewLimitHandler(sp.Concurrency, sp.MaxConcurrency, engine, false),
   }
   // http
   if sp.EnableHTTP {
      // http
      hwlog.RunLog.Warn("Service started with an insecure http server enabled")
      if err := s.ListenAndServe(); err != nil {
         hwlog.RunLog.Error("Http server error and stopped")
      }
      return
   }

   // init web cert util
   err := InitCert(sp)
   if err != nil {
      hwlog.RunLog.Error(err)
      return
   }
   ParseTLSParams(sp)
   wc := GetWebCertUtil()
   if err = wc.SetHTTPSServer(s, sp.Concurrency, sp.MaxConcurrency, sp.CipherSuites,
      engine); err != nil {
      hwlog.RunLog.Error(err)
      return
   }
   hwlog.RunLog.Info("start https server now...")
   // start certificate period check
   go wc.CheckCertValidityPeriod(sp.CheckCertPeriod)

   if err = s.ListenAndServeTLS("", ""); err != nil {
      hwlog.RunLog.Error("Https server error by: %s and stopped", err.Error())
   }
}

mindxdl--common--web_cert_utils.go的更多相关文章

  1. Socket聊天程序——Common

    写在前面: 上一篇记录了Socket聊天程序的客户端设计,为了记录的完整性,这里还是将Socket聊天的最后一个模块--Common模块记录一下.Common的设计如下: 功能说明: Common模块 ...

  2. angularjs 1 开发简单案例(包含common.js,service.js,controller.js,page)

    common.js var app = angular.module('app', ['ngFileUpload']) .factory('SV_Common', function ($http) { ...

  3. Common Bugs in C Programming

    There are some Common Bugs in C Programming. Most of the contents are directly from or modified from ...

  4. ANSI Common Lisp Practice - My Answers - Chatper - 3

    Ok, Go ahead. 1 (a) (b) (c) (d) 2 注:union 在 Common Lisp 中的作用就是求两个集合的并集.但是这有一个前提,即给的两个列表已经满足集合的属性了.具体 ...

  5. [LeetCode] Lowest Common Ancestor of a Binary Tree 二叉树的最小共同父节点

    Given a binary tree, find the lowest common ancestor (LCA) of two given nodes in the tree. According ...

  6. [LeetCode] Lowest Common Ancestor of a Binary Search Tree 二叉搜索树的最小共同父节点

    Given a binary search tree (BST), find the lowest common ancestor (LCA) of two given nodes in the BS ...

  7. [LeetCode] Longest Common Prefix 最长共同前缀

    Write a function to find the longest common prefix string amongst an array of strings. 这道题让我们求一系列字符串 ...

  8. 48. 二叉树两结点的最低共同父结点(3种变种情况)[Get lowest common ancestor of binary tree]

    [题目] 输入二叉树中的两个结点,输出这两个结点在数中最低的共同父结点. 二叉树的结点定义如下:  C++ Code  123456   struct BinaryTreeNode {     int ...

  9. 动态规划求最长公共子序列(Longest Common Subsequence, LCS)

    1. 问题描述 子串应该比较好理解,至于什么是子序列,这里给出一个例子:有两个母串 cnblogs belong 比如序列bo, bg, lg在母串cnblogs与belong中都出现过并且出现顺序与 ...

  10. 【leetcode】Longest Common Prefix

    题目简述: Write a function to find the longest common prefix string amongst an array of strings. 解题思路: c ...

随机推荐

  1. Sqoop 组件安装与配置

    下载和解压 Sqoop Sqoop相关发行版本可以通过官网 https://mirror-hk.koddos.net/apache/sqoop/ 来获取 安装 Sqoop组件需要与 Hadoop环境适 ...

  2. Python图像处理丨认识图像锐化和边缘提取的4个算子

    摘要:图像锐化和边缘提取技术可以消除图像中的噪声,提取图像信息中用来表征图像的一些变量,为图像识别提供基础. 本文分享自华为云社区<[Python图像处理] 十七.图像锐化与边缘检测之Rober ...

  3. [Python]-sklearn模块-机器学习Python入门《Python机器学习手册》-02-加载数据:加载数据集

    <Python机器学习手册--从数据预处理到深度学习> 这本书类似于工具书或者字典,对于python具体代码的调用和使用场景写的很清楚,感觉虽然是工具书,但是对照着做一遍应该可以对机器学习 ...

  4. [python]-random模块-手动随机数

    random模块通常用来生成随机数,结合time模块生成随机数的代码: import time import random random.seed(time.time()) x = random.ra ...

  5. 第2篇----Istio架构概述篇

    Istio的工作机制 Istio的工作机制和架构,分为控制面和数据面两部分.控制面主要包括Pilot.Mixer.Citadel等服务组件:数据面由伴随每个应用程序部署的代理程序Envoy组成,执行针 ...

  6. Elasticsearch 架构解析与最佳实践

    文章转载自:https://mp.weixin.qq.com/s/7pWNsUYbM4NyubZO6M3P5g

  7. 使用pip的方式安装docker-compose

    # 国内开启pip 下载加速:http://mirrors.aliyun.com/help/pypi mkdir ~/.pip/ cat > ~/.pip/pip.conf <<'E ...

  8. 部署AlertManager

    部署Alertmanager Alertmanager和Prometheus Server一样均采用Golang实现,并且没有第三方依赖.一般来说我们可以通过以下几种方式来部署Alertmanager ...

  9. 工厂里懂得mes和erp有发展吗?

    在工厂里懂得MES.ERP肯定有发展啊,现在数字化转型.智能制造正当时,ERP.MES之类的系统是刚需,只是不同工厂启动的早晚有别,使用的系统不相同而已,但知识体系.逻辑.理念等大都是相通的.比如你熟 ...

  10. SpringBoot实战派读书笔记---响应式编程

    1.什么是WebFlux? WebFlux不需要Servlet API,在完全异步且无阻塞,并通过Reactor项目实现了Reactor Streams规范. WebFlux可以在资源有限的情况下提高 ...