open-vault/command/server/listener.go

159 lines
4.7 KiB
Go
Raw Normal View History

2015-03-13 16:37:32 +00:00
package server
import (
2015-07-23 20:51:45 +00:00
// We must import sha512 so that it registers with the runtime so that
// certificates that use it can be parsed.
_ "crypto/sha512"
2015-03-13 16:56:08 +00:00
"crypto/tls"
"crypto/x509"
2015-03-13 16:37:32 +00:00
"fmt"
2016-06-02 16:40:25 +00:00
"io"
"io/ioutil"
2015-03-13 16:37:32 +00:00
"net"
2016-07-12 23:32:47 +00:00
"github.com/hashicorp/vault/helper/parseutil"
"github.com/hashicorp/vault/helper/proxyutil"
"github.com/hashicorp/vault/helper/reload"
2016-07-12 23:32:47 +00:00
"github.com/hashicorp/vault/helper/tlsutil"
2015-03-13 16:37:32 +00:00
)
// ListenerFactory is the factory function to create a listener.
type ListenerFactory func(map[string]interface{}, io.Writer) (net.Listener, map[string]string, reload.ReloadFunc, error)
2015-03-13 16:37:32 +00:00
// BuiltinListeners is the list of built-in listener types.
var BuiltinListeners = map[string]ListenerFactory{
"tcp": tcpListenerFactory,
2015-03-13 16:37:32 +00:00
}
// NewListener creates a new listener of the given type with the given
// configuration. The type is looked up in the BuiltinListeners map.
func NewListener(t string, config map[string]interface{}, logger io.Writer) (net.Listener, map[string]string, reload.ReloadFunc, error) {
2015-03-13 16:37:32 +00:00
f, ok := BuiltinListeners[t]
if !ok {
return nil, nil, nil, fmt.Errorf("unknown listener type: %s", t)
2015-03-13 16:37:32 +00:00
}
2016-06-02 16:40:25 +00:00
return f(config, logger)
2015-03-13 16:37:32 +00:00
}
2015-03-13 16:56:08 +00:00
func listenerWrapProxy(ln net.Listener, config map[string]interface{}) (net.Listener, error) {
behaviorRaw, ok := config["proxy_protocol_behavior"]
if !ok {
return ln, nil
}
behavior, ok := behaviorRaw.(string)
if !ok {
return nil, fmt.Errorf("failed parsing proxy_protocol_behavior value: not a string")
}
authorizedAddrsRaw, ok := config["proxy_protocol_authorized_addrs"]
if !ok {
return nil, fmt.Errorf("proxy_protocol_behavior set but no proxy_protocol_authorized_addrs value")
}
proxyProtoConfig := &proxyutil.ProxyProtoConfig{
Behavior: behavior,
}
if err := proxyProtoConfig.SetAuthorizedAddrs(authorizedAddrsRaw); err != nil {
return nil, fmt.Errorf("failed parsing proxy_protocol_authorized_addrs: %v", err)
}
newLn, err := proxyutil.WrapInProxyProto(ln, proxyProtoConfig)
if err != nil {
return nil, fmt.Errorf("failed configuring PROXY protocol wrapper: %s", err)
}
return newLn, nil
}
2015-03-13 16:56:08 +00:00
func listenerWrapTLS(
2015-04-04 19:06:41 +00:00
ln net.Listener,
props map[string]string,
config map[string]interface{}) (net.Listener, map[string]string, reload.ReloadFunc, error) {
2015-04-04 19:06:41 +00:00
props["tls"] = "disabled"
if v, ok := config["tls_disable"]; ok {
disabled, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)
}
if disabled {
return ln, props, nil, nil
}
2015-03-13 16:56:08 +00:00
}
_, ok := config["tls_cert_file"]
2015-03-13 16:56:08 +00:00
if !ok {
return nil, nil, nil, fmt.Errorf("'tls_cert_file' must be set")
2015-03-13 16:56:08 +00:00
}
_, ok = config["tls_key_file"]
2015-03-13 16:56:08 +00:00
if !ok {
return nil, nil, nil, fmt.Errorf("'tls_key_file' must be set")
2015-03-13 16:56:08 +00:00
}
cg := reload.NewCertificateGetter(config["tls_cert_file"].(string), config["tls_key_file"].(string))
if err := cg.Reload(config); err != nil {
return nil, nil, nil, fmt.Errorf("error loading TLS cert: %s", err)
2015-03-13 16:56:08 +00:00
}
var tlsvers string
tlsversRaw, ok := config["tls_min_version"]
2015-07-23 03:19:41 +00:00
if !ok {
tlsvers = "tls12"
} else {
tlsvers = tlsversRaw.(string)
2015-07-23 03:19:41 +00:00
}
2015-07-23 20:51:45 +00:00
2015-03-13 16:56:08 +00:00
tlsConf := &tls.Config{}
tlsConf.GetCertificate = cg.GetCertificate
tlsConf.NextProtos = []string{"h2", "http/1.1"}
2016-07-12 23:32:47 +00:00
tlsConf.MinVersion, ok = tlsutil.TLSLookup[tlsvers]
2015-07-23 03:19:41 +00:00
if !ok {
return nil, nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
2015-07-23 03:19:41 +00:00
}
tlsConf.ClientAuth = tls.RequestClientCert
2015-03-13 16:56:08 +00:00
if v, ok := config["tls_cipher_suites"]; ok {
ciphers, err := tlsutil.ParseCiphers(v.(string))
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_cipher_suites': %v", err)
}
tlsConf.CipherSuites = ciphers
}
if v, ok := config["tls_prefer_server_cipher_suites"]; ok {
preferServer, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_prefer_server_cipher_suites': %v", err)
}
tlsConf.PreferServerCipherSuites = preferServer
}
if v, ok := config["tls_require_and_verify_client_cert"]; ok {
requireClient, err := parseutil.ParseBool(v)
if err != nil {
return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err)
}
if requireClient {
tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
}
if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok {
caPool := x509.NewCertPool()
data, err := ioutil.ReadFile(tlsClientCaFile.(string))
if err != nil {
return nil, nil, nil, fmt.Errorf("failed to read tls_client_ca_file: %v", err)
}
if !caPool.AppendCertsFromPEM(data) {
return nil, nil, nil, fmt.Errorf("failed to parse CA certificate in tls_client_ca_file")
}
tlsConf.ClientCAs = caPool
}
}
2015-03-13 16:56:08 +00:00
ln = tls.NewListener(ln, tlsConf)
2015-04-04 19:06:41 +00:00
props["tls"] = "enabled"
return ln, props, cg.Reload, nil
2015-03-13 16:56:08 +00:00
}