open-vault/command/server/listener.go

package server

import (
	// We must import sha512 so that it registers with the runtime so that
	// certificates that use it can be parsed.
	_ "crypto/sha512"
	"crypto/tls"
	"fmt"
	"net"
	"strconv"
)

// ListenerFactory is the factory function to create a listener.
type ListenerFactory func(map[string]string) (net.Listener, map[string]string, error)

// BuiltinListeners is the list of built-in listener types.
var BuiltinListeners = map[string]ListenerFactory{
	"tcp": tcpListenerFactory,
}

// tlsLookup maps the tls_min_version configuration to the internal value
var tlsLookup = map[string]uint16{
	"tls10": tls.VersionTLS10,
	"tls11": tls.VersionTLS11,
	"tls12": tls.VersionTLS12,
}

// NewListener creates a new listener of the given type with the given
// configuration. The type is looked up in the BuiltinListeners map.
func NewListener(t string, config map[string]string) (net.Listener, map[string]string, error) {
	f, ok := BuiltinListeners[t]
	if !ok {
		return nil, nil, fmt.Errorf("unknown listener type: %s", t)
	}

	return f(config)
}

func listenerWrapTLS(
	ln net.Listener,
	props map[string]string,
	config map[string]string) (net.Listener, map[string]string, error) {
	props["tls"] = "disabled"

	if v, ok := config["tls_disable"]; ok {
		disabled, err := strconv.ParseBool(v)
		if err != nil {
			return nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)
		}
		if disabled {
			return ln, props, nil
		}
	}

	certFile, ok := config["tls_cert_file"]
	if !ok {
		return nil, nil, fmt.Errorf("'tls_cert_file' must be set")
	}

	keyFile, ok := config["tls_key_file"]
	if !ok {
		return nil, nil, fmt.Errorf("'tls_key_file' must be set")
	}

	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, nil, fmt.Errorf("error loading TLS cert: %s", err)
	}

	tlsvers, ok := config["tls_min_version"]
	if !ok {
		tlsvers = "tls12"
	}

	tlsConf := &tls.Config{}
	tlsConf.Certificates = []tls.Certificate{cert}
	tlsConf.NextProtos = []string{"http/1.1"}
	tlsConf.MinVersion, ok = tlsLookup[tlsvers]
	if !ok {
		return nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)
	}
	tlsConf.ClientAuth = tls.RequestClientCert

	ln = tls.NewListener(ln, tlsConf)
	props["tls"] = "enabled"
	return ln, props, nil
}
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`package server`

			`import (`
server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00			`// We must import sha512 so that it registers with the runtime so that`
			`// certificates that use it can be parsed.`
			`_ "crypto/sha512"`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`"crypto/tls"`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`"fmt"`
			`"net"`
server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`"strconv"`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`)`

			`// ListenerFactory is the factory function to create a listener.`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`type ListenerFactory func(map[string]string) (net.Listener, map[string]string, error)`
command/server: tcp listener 2015-03-13 16:37:32 +00:00
			`// BuiltinListeners is the list of built-in listener types.`
			`var BuiltinListeners = map[string]ListenerFactory{`
			`"tcp": tcpListenerFactory,`
			`}`

server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00			`// tlsLookup maps the tls_min_version configuration to the internal value`
			`var tlsLookup = map[string]uint16{`
			`"tls10": tls.VersionTLS10,`
			`"tls11": tls.VersionTLS11,`
			`"tls12": tls.VersionTLS12,`
			`}`

command/server: tcp listener 2015-03-13 16:37:32 +00:00			`// NewListener creates a new listener of the given type with the given`
			`// configuration. The type is looked up in the BuiltinListeners map.`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`func NewListener(t string, config map[string]string) (net.Listener, map[string]string, error) {`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`f, ok := BuiltinListeners[t]`
			`if !ok {`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`return nil, nil, fmt.Errorf("unknown listener type: %s", t)`
command/server: tcp listener 2015-03-13 16:37:32 +00:00			`}`

			`return f(config)`
			`}`
command/server: support TLS 2015-03-13 16:56:08 +00:00
			`func listenerWrapTLS(`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`ln net.Listener,`
			`props map[string]string,`
			`config map[string]string) (net.Listener, map[string]string, error) {`
			`props["tls"] = "disabled"`

server: sanity check value for 'tls_disable' 2015-11-25 19:37:57 +00:00			`if v, ok := config["tls_disable"]; ok {`
			`disabled, err := strconv.ParseBool(v)`
			`if err != nil {`
			`return nil, nil, fmt.Errorf("invalid value for 'tls_disable': %v", err)`
			`}`
			`if disabled {`
			`return ln, props, nil`
			`}`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

			`certFile, ok := config["tls_cert_file"]`
			`if !ok {`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`return nil, nil, fmt.Errorf("'tls_cert_file' must be set")`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

			`keyFile, ok := config["tls_key_file"]`
			`if !ok {`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`return nil, nil, fmt.Errorf("'tls_key_file' must be set")`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

			`cert, err := tls.LoadX509KeyPair(certFile, keyFile)`
			`if err != nil {`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`return nil, nil, fmt.Errorf("error loading TLS cert: %s", err)`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`

Avoid unnecessary abbreviation 2015-07-23 03:26:02 +00:00			`tlsvers, ok := config["tls_min_version"]`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`if !ok {`
			`tlsvers = "tls12"`
			`}`
server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00
command/server: support TLS 2015-03-13 16:56:08 +00:00			`tlsConf := &tls.Config{}`
			`tlsConf.Certificates = []tls.Certificate{cert}`
			`tlsConf.NextProtos = []string{"http/1.1"}`
server: import sha512. Fixes #448 2015-07-23 20:51:45 +00:00			`tlsConf.MinVersion, ok = tlsLookup[tlsvers]`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`if !ok {`
Avoid unnecessary abbreviation 2015-07-23 03:26:02 +00:00			`return nil, nil, fmt.Errorf("'tls_min_version' value %s not supported, please specify one of [tls10,tls11,tls12]", tlsvers)`
Allow specifying a TLS minimum version 2015-07-23 03:19:41 +00:00			`}`
command/listener: Request TLS client cert. Fixes #214 2015-05-20 23:01:40 +00:00			`tlsConf.ClientAuth = tls.RequestClientCert`
command/server: support TLS 2015-03-13 16:56:08 +00:00
			`ln = tls.NewListener(ln, tlsConf)`
command/server: cleaner output 2015-04-04 19:06:41 +00:00			`props["tls"] = "enabled"`
			`return ln, props, nil`
command/server: support TLS 2015-03-13 16:56:08 +00:00			`}`