ContainerImage.Pinniped/internal/issuer/issuer.go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package issuer

import (
	"fmt"
	"strings"
	"time"

	"k8s.io/apimachinery/pkg/util/errors"

	"go.pinniped.dev/internal/constable"
)

const defaultCertIssuerErr = constable.Error("failed to issue cert")

type ClientCertIssuer interface {
	Name() string
	IssueClientCertPEM(username string, groups []string, ttl time.Duration) (certPEM, keyPEM []byte, err error)
}

var _ ClientCertIssuer = ClientCertIssuers{}

type ClientCertIssuers []ClientCertIssuer

func (c ClientCertIssuers) Name() string {
	if len(c) == 0 {
		return "empty-client-cert-issuers"
	}

	names := make([]string, 0, len(c))
	for _, issuer := range c {
		names = append(names, issuer.Name())
	}

	return strings.Join(names, ",")
}

func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {
	var errs []error

	for _, issuer := range c {
		certPEM, keyPEM, err := issuer.IssueClientCertPEM(username, groups, ttl)
		if err != nil {
			errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))
			continue
		}
		return certPEM, keyPEM, nil
	}

	if err := errors.NewAggregate(errs); err != nil {
		return nil, nil, err
	}

	return nil, nil, defaultCertIssuerErr
}
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`// Copyright 2021 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package issuer`

			`import (`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`"fmt"`
			`"strings"`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`"time"`

			`"k8s.io/apimachinery/pkg/util/errors"`

			`"go.pinniped.dev/internal/constable"`
			`)`

			`const defaultCertIssuerErr = constable.Error("failed to issue cert")`

certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`type ClientCertIssuer interface {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`Name() string`
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`IssueClientCertPEM(username string, groups []string, ttl time.Duration) (certPEM, keyPEM []byte, err error)`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`}`

certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`var _ ClientCertIssuer = ClientCertIssuers{}`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`type ClientCertIssuers []ClientCertIssuer`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`func (c ClientCertIssuers) Name() string {`
			`if len(c) == 0 {`
			`return "empty-client-cert-issuers"`
			`}`

			`names := make([]string, 0, len(c))`
			`for _, issuer := range c {`
			`names = append(names, issuer.Name())`
			`}`

			`return strings.Join(names, ",")`
			`}`

certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`var errs []error`

			`for _, issuer := range c {`
certauthority.go: Refactor issuing client versus server certs We were previously issuing both client certs and server certs with both extended key usages included. Split the Issue() methods into separate methods for issuing server certs versus client certs so they can have different extended key usages tailored for each use case. Also took the opportunity to clean up the parameters of the Issue() methods and New() methods to more closely match how we prefer to call them. We were always only passing the common name part of the pkix.Name to New(), so now the New() method just takes the common name as a string. When making a server cert, we don't need to set the deprecated common name field, so remove that param. When making a client cert, we're always making it in the format expected by the Kube API server, so just accept the username and group as parameters directly. 2021-03-13 00:09:16 +00:00			`certPEM, keyPEM, err := issuer.IssueClientCertPEM(username, groups, ttl)`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`if err != nil {`
dynamiccert: split into serving cert and CA providers Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-15 16:24:07 +00:00			`errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))`
Use TokenCredentialRequest instead of base64 token with impersonator To make an impersonation request, first make a TokenCredentialRequest to get a certificate. That cert will either be issued by the Kube API server's CA or by a new CA specific to the impersonator. Either way, you can then make a request to the impersonator and present that client cert for auth and the impersonator will accept it and make the impesonation call on your behalf. The impersonator http handler now borrows some Kube library code to handle request processing. This will allow us to more closely mimic the behavior of a real API server, e.g. the client cert auth will work exactly like the real API server. Signed-off-by: Monis Khan <mok@vmware.com> 2021-03-10 18:30:06 +00:00			`continue`
			`}`
			`return certPEM, keyPEM, nil`
			`}`

			`if err := errors.NewAggregate(errs); err != nil {`
			`return nil, nil, err`
			`}`

			`return nil, nil, defaultCertIssuerErr`
			`}`