// Copyright (c) 2021. Huawei Technologies Co., Ltd. All rights reserved.

// Package common this file define WebCertUtil
package common

import (
   "crypto/tls"
   "crypto/x509"
   "encoding/pem"
   "errors"
   "fmt"
   "github.com/gin-gonic/gin"
   "huawei.com/npu-exporter/hwlog"
   "huawei.com/npu-exporter/limiter"
   "huawei.com/npu-exporter/utils"
   "io/ioutil"
   "net/http"
   "strconv"
   "strings"
   "time"
)

const keyLength = 4096

var webCert *WebCertUtil

// WebCertUtil WebCertUtil
type WebCertUtil struct {
   *CertificateUtils
}

// NewWebCertUtil NewWebCertUtil
func NewWebCertUtil(dnsName, dirName string, overdueTime int) *WebCertUtil {
   ws := &WebCertUtil{
      CertificateUtils: NewCertificateUtils(dnsName, dirName, overdueTime),
   }
   if err := utils.MakeSureDir(ws.KeyStore); err != nil {
      hwlog.RunLog.Fatal(err)
   }

   return ws
}

// GetWebCertUtil return webCert
func GetWebCertUtil() *WebCertUtil {
   return webCert
}

// CheckCertValidityPeriod CheckCertValidityPeriod
func (ws *WebCertUtil) CheckCertValidityPeriod(interval time.Duration) {
   hwlog.RunLog.Info("start cert period check...")
   ticker := time.NewTicker(interval)
   defer ticker.Stop()
   hasTask := false
   for {
      _, ok := <-ticker.C
      if !ok {
         return
      }
      if hasTask {
         continue
      }
      ws.Lock.RLock()
      if ws.Cert == nil {
         ws.Lock.RUnlock()
         continue
      }
      x509Cert, err := x509.ParseCertificate(ws.Cert.Certificate[0])
      if err != nil {
         ws.Lock.RUnlock()
         continue
      }
      err = utils.CheckValidityPeriodWithError(x509Cert, ws.OverdueTime)
      ws.Lock.RUnlock()
      if err == nil {
         continue
      }
      hwlog.RunLog.Warn(err)
      go func() {
         hasTask = true
         defer func() {
            hasTask = false
            hwlog.RunLog.Info("apply for a new certificate success")
         }()
         hwlog.RunLog.Info("apply for a new certificate because the certificate has expired")
         if err = ws.ApplyForCertificateByRequest(); err != nil {
            hwlog.RunLog.Error(err)
         }
      }()
   }
}

// GetCaByRequest get ca by request
func (ws *WebCertUtil) GetCaByRequest() ([]byte, error) {
   caByte, err := DefaultClsMgrClient.GetRootCertificate()
   if err != nil {
      return nil, err
   }
   hwlog.RunLog.Info("succeeded in getting ca certificate by request")
   if err = ioutil.WriteFile(ws.CaStore, caByte, utils.RWMode); err != nil {
      return nil, errors.New("write caBytes to file failed")
   }
   hwlog.RunLog.Info("succeeded in saving ca certificate to file")
   ws.CaBytes = caByte
   return caByte, nil
}

// ApplyForCertificateByRequest apply for certificate by request
func (ws *WebCertUtil) ApplyForCertificateByRequest() error {
   certPem, err := DefaultClsMgrClient.ApplyForCertificatePemByte(ws.DNSName, ws.CaBytes, ws.PrivateKey)
   if err != nil {
      return err
   }
   hwlog.RunLog.Info("succeeded in getting certificate by request")

   derStream := x509.MarshalPKCS1PrivateKey(ws.PrivateKey)
   block := &pem.Block{
      Type:  RSAPrivateKey,
      Bytes: derStream,
   }
   keyPem := pem.EncodeToMemory(block)
   tlsCert, err := utils.ValidateCertPair(certPem, keyPem, false, ws.OverdueTime)
   if err != nil {
      return err
   }
   if err = ioutil.WriteFile(ws.CertStore, certPem, utils.RWMode); err != nil {
      return errors.New("write certBytes to file failed ")
   }
   hwlog.RunLog.Info("succeeded in saving certificate to file")

   ws.Lock.RLock()
   defer ws.Lock.RUnlock()

   ws.refreshCertStatus(tlsCert)
   ws.Cert = tlsCert
   return nil
}

func (ws *WebCertUtil) refreshCertStatus(tlsCert *tls.Certificate) {
   // clear cert status record
   ws.ClearCertificateMap()

   caCert, err := utils.LoadCertsFromPEM(ws.CaBytes)
   if err == nil {
      // refresh ca record
      err = utils.AddToCertStatusTrace(caCert)
   }
   if err != nil {
      hwlog.RunLog.Error("prepare refresh ca info failed: " + err.Error())
   }

   x509Cert, err := x509.ParseCertificate(tlsCert.Certificate[0])
   if err == nil {
      // refresh certificate record
      err = utils.AddToCertStatusTrace(x509Cert)
   }
   if err != nil {
      hwlog.RunLog.Error("prepare refresh certificate info failed: " + err.Error())
   }
   hwlog.RunLog.Info("succeeded in refresh ca/cert info")
}

// SetHTTPSServer set http server config for one or two way auth
func (ws *WebCertUtil) SetHTTPSServer(s *http.Server, concurrency, maxConcurrency int,
   cipherSuites []uint16, ginObj *gin.Engine) error {
   tlsConfig, err := utils.NewTLSConfigV2(ws.CaBytes, *ws.Cert, cipherSuites)
   if err != nil {
      return err
   }

   tlsConfig.Certificates = nil
   tlsConfig.GetCertificate = ws.GetCertificateFunc()
   s.Handler = limiter.NewLimitHandler(concurrency, maxConcurrency, utils.Interceptor(ginObj, ws.CrlList), false)
   s.TLSConfig = tlsConfig

   return nil
}

// ReApplyCertificate reapply certificate
func (ws *WebCertUtil) ReApplyCertificate(algorithm int) error {
   hwlog.RunLog.Info("prepare to reapply a new certificate")
   if ws.PrivateKey == nil {
      if _, err := ws.GenerateRSAPrivateKey(keyLength, algorithm); err != nil {
         return err
      }
   }
   if err := ws.ApplyForCertificateByRequest(); err != nil {
      return err
   }

   return nil
}

// GetRequestClient get http client for request
func (ws *WebCertUtil) GetRequestClient(authMode string) (*http.Client, error) {
   // https auth two way
   if authMode == TwoWay {
      requestClient, err := ws.GetTwoWayAuthRequestClient()
      if err != nil {
         return nil, err
      }

      return requestClient, nil
   }

   // https auth one way
   pool, err := x509.SystemCertPool()
   if err != nil {
      return nil, fmt.Errorf("cannot get system trusted certificates pool: %w", err)
   }
   if !pool.AppendCertsFromPEM(ws.CaBytes) {
      return nil, fmt.Errorf("failed to append to certificates pool")
   }
   c := &http.Client{
      Transport: &http.Transport{
         TLSClientConfig: &tls.Config{
            RootCAs: pool,
         },
      },
   }

   return c, nil
}

// InitCert init cert and ca
func InitCert(sp *ServerParam) error {
   ws := NewWebCertUtil(sp.DNSName, sp.DirName, sp.OverdueTime)
   var reApply bool
   var caBytes []byte
   // load ca
   _, err := ws.LoadCAOnStart(sp.AuthMode)
   if err != nil && strings.Contains(err.Error(), ReApply) {
      reApply = true
   }
   // reapply ca
   if reApply {
      caBytes, err = ws.GetCaByRequest()
      if len(caBytes) == 0 || err != nil {
         return err
      }
      reApply = false
   }
   if err != nil {
      return err
   }
   // load cert and private key
   _, err = ws.LoadCertAndKeyOnStart(sp.EncryptAlgorithm)
   if err != nil && strings.Contains(err.Error(), ReApply) {
      reApply = true
   }
   // reapply cert
   if reApply {
      if err = ws.ReApplyCertificate(sp.EncryptAlgorithm); err != nil {
         return err
      }
   }
   if err != nil {
      return err
   }

   // init global WebCertUtil
   webCert = ws
   return nil
}

// StartServerListen StartServerListen
func StartServerListen(sp *ServerParam, engine *gin.Engine) {
   s := &http.Server{
      ReadTimeout:  sp.ReadTimeOut * time.Second,
      WriteTimeout: sp.WriteTimeOut * time.Second,
      Addr:         sp.IP + ":" + strconv.Itoa(sp.Port),
      Handler:      limiter.NewLimitHandler(sp.Concurrency, sp.MaxConcurrency, engine, false),
   }
   // http
   if sp.EnableHTTP {
      // http
      hwlog.RunLog.Warn("Service started with an insecure http server enabled")
      if err := s.ListenAndServe(); err != nil {
         hwlog.RunLog.Error("Http server error and stopped")
      }
      return
   }

   // init web cert util
   err := InitCert(sp)
   if err != nil {
      hwlog.RunLog.Error(err)
      return
   }
   ParseTLSParams(sp)
   wc := GetWebCertUtil()
   if err = wc.SetHTTPSServer(s, sp.Concurrency, sp.MaxConcurrency, sp.CipherSuites,
      engine); err != nil {
      hwlog.RunLog.Error(err)
      return
   }
   hwlog.RunLog.Info("start https server now...")
   // start certificate period check
   go wc.CheckCertValidityPeriod(sp.CheckCertPeriod)

   if err = s.ListenAndServeTLS("", ""); err != nil {
      hwlog.RunLog.Error("Https server error by: %s and stopped", err.Error())
   }
}

mindxdl--common--web_cert_utils.go的更多相关文章

  1. Socket聊天程序——Common

    写在前面: 上一篇记录了Socket聊天程序的客户端设计,为了记录的完整性,这里还是将Socket聊天的最后一个模块--Common模块记录一下.Common的设计如下: 功能说明: Common模块 ...

  2. angularjs 1 开发简单案例(包含common.js,service.js,controller.js,page)

    common.js var app = angular.module('app', ['ngFileUpload']) .factory('SV_Common', function ($http) { ...

  3. Common Bugs in C Programming

    There are some Common Bugs in C Programming. Most of the contents are directly from or modified from ...

  4. ANSI Common Lisp Practice - My Answers - Chatper - 3

    Ok, Go ahead. 1 (a) (b) (c) (d) 2 注:union 在 Common Lisp 中的作用就是求两个集合的并集.但是这有一个前提,即给的两个列表已经满足集合的属性了.具体 ...

  5. [LeetCode] Lowest Common Ancestor of a Binary Tree 二叉树的最小共同父节点

    Given a binary tree, find the lowest common ancestor (LCA) of two given nodes in the tree. According ...

  6. [LeetCode] Lowest Common Ancestor of a Binary Search Tree 二叉搜索树的最小共同父节点

    Given a binary search tree (BST), find the lowest common ancestor (LCA) of two given nodes in the BS ...

  7. [LeetCode] Longest Common Prefix 最长共同前缀

    Write a function to find the longest common prefix string amongst an array of strings. 这道题让我们求一系列字符串 ...

  8. 48. 二叉树两结点的最低共同父结点(3种变种情况)[Get lowest common ancestor of binary tree]

    [题目] 输入二叉树中的两个结点,输出这两个结点在数中最低的共同父结点. 二叉树的结点定义如下:  C++ Code  123456   struct BinaryTreeNode {     int ...

  9. 动态规划求最长公共子序列(Longest Common Subsequence, LCS)

    1. 问题描述 子串应该比较好理解,至于什么是子序列,这里给出一个例子:有两个母串 cnblogs belong 比如序列bo, bg, lg在母串cnblogs与belong中都出现过并且出现顺序与 ...

  10. 【leetcode】Longest Common Prefix

    题目简述: Write a function to find the longest common prefix string amongst an array of strings. 解题思路: c ...

随机推荐

  1. 公网可用的RTMP、RTSP测试地址(2021年3月)

    好多博客提到的公网可测试的RTSP和RTMP URL大多都不用了,以下是大牛直播SDK(Github)于2021年3月亲测可用的几个URL,有其他可用的URL,也欢迎大家在评论区回复. RTMP流地址 ...

  2. [深度学习]-Dataset数据集加载

    加载数据集dataloader from torch.utils.data import DataLoader form 自己写的dataset import Dataset train_set = ...

  3. k8s 如何关联pvc到特定的pv

    可以使用对 pv 打 label 的方式,具体如下: 创建 pv,指定 label $ cat nfs-pv2.yaml apiVersion: v1 kind: PersistentVolume # ...

  4. MySQL集群搭建(3)-MMM高可用架构

    1 MMM 介绍 1.1 简介 MMM 是一套支持双主故障切换以及双主日常管理的第三方软件.MMM 由 Perl 开发,用来管理和监控双主复制,虽然是双主架构,但是业务上同一时间只允许一个节点进行写入 ...

  5. @property装饰器和property()函数

    @property装饰器 Python内置的@property装饰器可以把类的方法伪装成属性调用的方式.也就是本来是Foo.func()的调用方法,变成Foo.func的方式. class Peopl ...

  6. 内网横向渗透 之 ATT&CK系列一 win7的yxcms

    Yxcms渗透 前言 通过phpMyAdmin慢日志查询Getshell后,蚁剑连接,发现win7下面还有个cms靶场,于是就兴致勃勃的去打了一波. cms渗透 进入页面后,搜刮了页面所有可见信息,发 ...

  7. AdaBoost:自适应提升算法的原理及其实现

    AdaBoost:通过改变训练样本权重来学习多个弱分类器并线性组合成强分类器的Boosting算法. Boosting方法要解答的两个关键问题:一是在训练过程中如何改变训练样本的权重或者概率分布,二是 ...

  8. 追求性能极致:Redis6.0的多线程模型

    Redis系列1:深刻理解高性能Redis的本质 Redis系列2:数据持久化提高可用性 Redis系列3:高可用之主从架构 Redis系列4:高可用之Sentinel(哨兵模式) Redis系列5: ...

  9. input框限制只能输入数字的两种方法

    方法一: <input type="text"   oninput="value=value.replace(/[^\d.%]/g,'')"> 方法 ...

  10. JUC(3)

    文章目录 1.集合类不安全 2.在高并发情况下arraylist()并不安全 3.高并发下set并不安全 3.测试map(高并发情况下出现问题) 1.集合类不安全 2.在高并发情况下arraylist ...