open-consul/agent/structs/config_entry_inline_certifi...

package structs

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"

	"github.com/hashicorp/consul/acl"
)

// InlineCertificateConfigEntry manages the configuration for an inline certificate
// with the given name.
type InlineCertificateConfigEntry struct {
	// Kind of config entry. This will be set to structs.InlineCertificate.
	Kind string

	// Name is used to match the config entry with its associated inline certificate.
	Name string

	// Certificate is the public certificate component of an x509 key pair encoded in raw PEM format.
	Certificate string
	// PrivateKey is the private key component of an x509 key pair encoded in raw PEM format.
	PrivateKey string

	Meta               map[string]string `json:",omitempty"`
	acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
	RaftIndex
}

func (e *InlineCertificateConfigEntry) GetKind() string {
	return InlineCertificate
}

func (e *InlineCertificateConfigEntry) GetName() string {
	return e.Name
}

func (e *InlineCertificateConfigEntry) Normalize() error {
	return nil
}

func (e *InlineCertificateConfigEntry) Validate() error {
	privateKeyBlock, _ := pem.Decode([]byte(e.PrivateKey))
	if privateKeyBlock == nil {
		return errors.New("failed to parse private key PEM")
	}

	certificateBlock, _ := pem.Decode([]byte(e.Certificate))
	if certificateBlock == nil {
		return errors.New("failed to parse certificate PEM")
	}

	// make sure we have a valid x509 certificate
	_, err := x509.ParseCertificate(certificateBlock.Bytes)
	if err != nil {
		return fmt.Errorf("failed to parse certificate: %w", err)
	}

	// validate that the cert was generated with the given private key
	_, err = tls.X509KeyPair([]byte(e.Certificate), []byte(e.PrivateKey))
	if err != nil {
		return err
	}

	return nil
}

func (e *InlineCertificateConfigEntry) CanRead(authz acl.Authorizer) error {
	var authzContext acl.AuthorizerContext
	e.FillAuthzContext(&authzContext)
	return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
}

func (e *InlineCertificateConfigEntry) CanWrite(authz acl.Authorizer) error {
	var authzContext acl.AuthorizerContext
	e.FillAuthzContext(&authzContext)
	return authz.ToAllowAuthorizer().MeshWriteAllowed(&authzContext)
}

func (e *InlineCertificateConfigEntry) GetMeta() map[string]string {
	if e == nil {
		return nil
	}
	return e.Meta
}

func (e *InlineCertificateConfigEntry) GetEnterpriseMeta() *acl.EnterpriseMeta {
	if e == nil {
		return nil
	}
	return &e.EnterpriseMeta
}

func (e *InlineCertificateConfigEntry) GetRaftIndex() *RaftIndex {
	if e == nil {
		return &RaftIndex{}
	}
	return &e.RaftIndex
}
Native API Gateway Config Entries (#15897) * Stub Config Entries for Consul Native API Gateway (#15644) * Add empty InlineCertificate struct and protobuf * apigateway stubs * Stub HTTPRoute in api pkg * Stub HTTPRoute in structs pkg * Simplify api.APIGatewayConfigEntry to be consistent w/ other entries * Update makeConfigEntry switch, add docstring for HTTPRouteConfigEntry * Add TCPRoute to MakeConfigEntry, return unique Kind * Stub BoundAPIGatewayConfigEntry in agent * Add RaftIndex to APIGatewayConfigEntry stub * Add new config entry kinds to validation allow-list * Add RaftIndex to other added config entry stubs * Update usage metrics assertions to include new cfg entries * Add Meta and acl.EnterpriseMeta to all new ConfigEntry types * Remove unnecessary Services field from added config entry types * Implement GetMeta(), GetEnterpriseMeta() for added config entry types * Add meta field to proto, name consistently w/ existing config entries * Format config_entry.proto * Add initial implementation of CanRead + CanWrite for new config entry types * Add unit tests for decoding of new config entry types * Add unit tests for parsing of new config entry types * Add unit tests for API Gateway config entry ACLs * Return typed PermissionDeniedError on BoundAPIGateway CanWrite * Add unit tests for added config entry ACLs * Add BoundAPIGateway type to AllConfigEntryKinds * Return proper kind from BoundAPIGateway * Add docstrings for new config entry types * Add missing config entry kinds to proto def * Update usagemetrics_oss_test.go * Use utility func for returning PermissionDeniedError * EventPublisher subscriptions for Consul Native API Gateway (#15757) * Create new event topics in subscribe proto * Add tests for PBSubscribe func * Make configs singular, add all configs to PBToStreamSubscribeRequest * Add snapshot methods * Add config_entry_events tests * Add config entry kind to topic for new configs * Add unit tests for snapshot methods * Start adding integration test * Test using the new controller code * Update agent/consul/state/config_entry_events.go * Check value of error * Add controller stubs for API Gateway (#15837) * update initial stub implementation * move files, clean up mutex references * Remove embed, use idiomatic names for constructors * Remove stray file introduced in merge * Add APIGateway validation (#15847) * Add APIGateway validation * Add additional validations * Add cert ref validation * Add protobuf definitions * Fix up field types * Add API structs * Move struct fields around a bit * APIGateway InlineCertificate validation (#15856) * Add APIGateway validation * Add additional validations * Add protobuf definitions * Tabs to spaces * Add API structs * Move struct fields around a bit * Add validation for InlineCertificate * Fix ACL test * APIGateway BoundAPIGateway validation (#15858) * Add APIGateway validation * Add additional validations * Add cert ref validation * Add protobuf definitions * Fix up field types * Add API structs * Move struct fields around a bit * Add validation for BoundAPIGateway * APIGateway TCPRoute validation (#15855) * Add APIGateway validation * Add additional validations * Add cert ref validation * Add protobuf definitions * Fix up field types * Add API structs * Add TCPRoute normalization and validation * Add forgotten Status * Add some more field docs in api package * Fix test * Format imports * Rename snapshot test variable names * Add plumbing for Native API GW Subscriptions (#16003) Co-authored-by: Sarah Alsmiller <sarah.alsmiller@hashicorp.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com> 2023-01-18 22:14:34 +00:00			`package structs`

			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"errors"`
			`"fmt"`

			`"github.com/hashicorp/consul/acl"`
			`)`

			`// InlineCertificateConfigEntry manages the configuration for an inline certificate`
			`// with the given name.`
			`type InlineCertificateConfigEntry struct {`
			`// Kind of config entry. This will be set to structs.InlineCertificate.`
			`Kind string`

			`// Name is used to match the config entry with its associated inline certificate.`
			`Name string`

			`// Certificate is the public certificate component of an x509 key pair encoded in raw PEM format.`
			`Certificate string`
			`// PrivateKey is the private key component of an x509 key pair encoded in raw PEM format.`
			`PrivateKey string`

			Meta map[string]string `json:",omitempty"`
			acl.EnterpriseMeta `hcl:",squash" mapstructure:",squash"`
			`RaftIndex`
			`}`

			`func (e *InlineCertificateConfigEntry) GetKind() string {`
			`return InlineCertificate`
			`}`

			`func (e *InlineCertificateConfigEntry) GetName() string {`
			`return e.Name`
			`}`

			`func (e *InlineCertificateConfigEntry) Normalize() error {`
			`return nil`
			`}`

			`func (e *InlineCertificateConfigEntry) Validate() error {`
			`privateKeyBlock, _ := pem.Decode([]byte(e.PrivateKey))`
			`if privateKeyBlock == nil {`
			`return errors.New("failed to parse private key PEM")`
			`}`

			`certificateBlock, _ := pem.Decode([]byte(e.Certificate))`
			`if certificateBlock == nil {`
			`return errors.New("failed to parse certificate PEM")`
			`}`

			`// make sure we have a valid x509 certificate`
			`_, err := x509.ParseCertificate(certificateBlock.Bytes)`
			`if err != nil {`
			`return fmt.Errorf("failed to parse certificate: %w", err)`
			`}`

			`// validate that the cert was generated with the given private key`
			`_, err = tls.X509KeyPair([]byte(e.Certificate), []byte(e.PrivateKey))`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`func (e *InlineCertificateConfigEntry) CanRead(authz acl.Authorizer) error {`
			`var authzContext acl.AuthorizerContext`
			`e.FillAuthzContext(&authzContext)`
			`return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)`
			`}`

			`func (e *InlineCertificateConfigEntry) CanWrite(authz acl.Authorizer) error {`
			`var authzContext acl.AuthorizerContext`
			`e.FillAuthzContext(&authzContext)`
			`return authz.ToAllowAuthorizer().MeshWriteAllowed(&authzContext)`
			`}`

			`func (e *InlineCertificateConfigEntry) GetMeta() map[string]string {`
			`if e == nil {`
			`return nil`
			`}`
			`return e.Meta`
			`}`

			`func (e InlineCertificateConfigEntry) GetEnterpriseMeta() acl.EnterpriseMeta {`
			`if e == nil {`
			`return nil`
			`}`
			`return &e.EnterpriseMeta`
			`}`

			`func (e InlineCertificateConfigEntry) GetRaftIndex() RaftIndex {`
			`if e == nil {`
			`return &RaftIndex{}`
			`}`
			`return &e.RaftIndex`
			`}`