ContainerImage.Pinniped/internal/issuer/issuer.go
Monis Khan 00694c9cb6
dynamiccert: split into serving cert and CA providers
Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-15 12:24:07 -04:00

58 lines
1.3 KiB
Go

// Copyright 2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package issuer
import (
"fmt"
"strings"
"time"
"k8s.io/apimachinery/pkg/util/errors"
"go.pinniped.dev/internal/constable"
)
const defaultCertIssuerErr = constable.Error("failed to issue cert")
type ClientCertIssuer interface {
Name() string
IssueClientCertPEM(username string, groups []string, ttl time.Duration) (certPEM, keyPEM []byte, err error)
}
var _ ClientCertIssuer = ClientCertIssuers{}
type ClientCertIssuers []ClientCertIssuer
func (c ClientCertIssuers) Name() string {
if len(c) == 0 {
return "empty-client-cert-issuers"
}
names := make([]string, 0, len(c))
for _, issuer := range c {
names = append(names, issuer.Name())
}
return strings.Join(names, ",")
}
func (c ClientCertIssuers) IssueClientCertPEM(username string, groups []string, ttl time.Duration) ([]byte, []byte, error) {
var errs []error
for _, issuer := range c {
certPEM, keyPEM, err := issuer.IssueClientCertPEM(username, groups, ttl)
if err != nil {
errs = append(errs, fmt.Errorf("%s failed to issue client cert: %w", issuer.Name(), err))
continue
}
return certPEM, keyPEM, nil
}
if err := errors.NewAggregate(errs); err != nil {
return nil, nil, err
}
return nil, nil, defaultCertIssuerErr
}