From 5442e71e7710897126a0034f487fab7e5013b3cc Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg
Date: Sun, 17 Dec 2023 19:10:46 +0100
Subject: Drafty server package to receive node requests

curl http://localhost:2009/get-status
curl -X POST --data-binary @/home/rgdd/fullchain.pem -u node_a:aaaa http://localhost:2009/add-chain
---
 pkg/server/nodes.go | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 pkg/server/nodes.go
(limited to 'pkg/server/nodes.go')

diff --git a/pkg/server/nodes.go b/pkg/server/nodes.go
new file mode 100644
index 0000000..164c06f
--- /dev/null
+++ b/pkg/server/nodes.go
@@ -0,0 +1,53 @@
+package server
+
+import (
+ "crypto/x509"
+ "fmt"
+ "net/http"
+)
+
+// Node is an identified system that can request certificates
+type Node struct {
+ Name string `json:"name"` // Artbirary node name for authentication
+ Secret string `json:"secret"` // Arbitrary node secret for authentication
+ Domains []string `json:"issues"` // Exact-match domain names that are allowed
+}
+
+func (node *Node) authenticate(r *http.Request) error {
+ user, password, ok := r.BasicAuth()
+ if !ok {
+ return fmt.Errorf("no http basic auth credentials")
+ }
+ if user != node.Name || password != node.Secret {
+ return fmt.Errorf("invalid http basic auth credentials")
+ }
+ return nil
+}
+
+func (node *Node) check(crt x509.Certificate) error {
+ for _, san := range crt.DNSNames {
+ ok := false
+ for _, domain := range node.Domains {
+ if domain == san {
+ ok = true
+ break
+ }
+ }
+ if !ok {
+ return fmt.Errorf("%s: not authorized to issue certificates for %s", node.Name, san)
+ }
+ }
+ return nil
+}
+
+// Nodes is a list of nodes that can request certificates
+type Nodes []Node
+
+func (nodes *Nodes) authenticate(r *http.Request) (Node, error) {
+ for _, node := range (*nodes)[:] {
+ if err := node.authenticate(r); err == nil {
+ return node, nil
+ }
+ }
+ return Node{}, fmt.Errorf("no valid HTTP basic auth credentials")
+}
-- cgit v1.2.3
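Review bot: Node.authenticate compares `user` and `password` against `node.Name` and `node.Secret` with `!=`, which stops at the first differing byte, so response timing reveals how much of a guessed secret matched; both fields should go through `crypto/subtle.ConstantTimeCompare` and the two results combined before branching, with `"crypto/subtle"` added to the import block. Nodes.authenticate inherits the same property by returning on the first node that accepts the credentials, which is probably acceptable for a draft but deserves a comment such as `// NOTE: returns on first match; node enumeration via timing is not prevented here`. Separately, Node.check only walks `crt.DNSNames`, so a certificate whose identity is carried in the Subject CN, an IP SAN, an email SAN or a URI SAN passes with no authorization check at all; unless those are intentionally allowed, reject them up front, e.g. `if len(crt.DNSNames) == 0 || len(crt.IPAddresses) > 0 || len(crt.EmailAddresses) > 0 || len(crt.URIs) > 0 { return fmt.Errorf("%s: only DNS SANs are authorized", node.Name) }`. Minor: `range (*nodes)[:]` can be `range *nodes`, and `check` takes `x509.Certificate` by value where `*x509.Certificate` is the conventional form.
```go
func (node *Node) authenticate(r *http.Request) error {
	// … unchanged: r.BasicAuth() and the !ok check …
	nameOK := subtle.ConstantTimeCompare([]byte(user), []byte(node.Name)) == 1
	secretOK := subtle.ConstantTimeCompare([]byte(password), []byte(node.Secret)) == 1
	if !nameOK || !secretOK {
		return fmt.Errorf("invalid http basic auth credentials")
	}
	return nil
}
```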