feat(transport): Integrate with enterprise certificate proxy #1570
Merged
Commits (17)

fb576bd fix(google-api-go-generator): add temporary patch for compute mtls en… (andyrzhao)
b5b5bed Merge branch 'master' into master (codyoss)
9798e2a Merge pull request #3 from googleapis/master (andyrzhao)
502ec8b fix(transport): expand OS environment variables in cert provider command (andyrzhao)
32d8f59 Merge branch 'googleapis:master' into master (andyrzhao)
83dd1d9 Merge branch 'googleapis:main' into master (andyrzhao)
14ab00f feat(transport): Integrate with enterprise certificate proxy (andyrzhao)
a360980 feat(transport): Minor comment updates (andyrzhao)
b608fd1 feat(transport): Minor test update (andyrzhao)
8fc15d4 feat(transport): Go mod tidy (andyrzhao)
030d395 feat(transport): Update comments (andyrzhao)
30bc6f3 feat(transport): Update tests (andyrzhao)
84dad39 feat(transport): Address PR comments (andyrzhao)
2bce4aa feat(transport): Fix test_signer.go (andyrzhao)
35378e1 Merge branch 'main' into master (codyoss)
6a1e113 feat(transport): Update tests to conform to go idiom (andyrzhao)
cdb0e7c Merge branch 'main' into master (codyoss)
@@ -0,0 +1,56 @@ | ||
// Copyright 2022 Google LLC. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
|
||
// Package cert contains certificate tools for Google API clients. | ||
// This package is intended to be used with crypto/tls.Config.GetClientCertificate. | ||
// | ||
// The certificates can be used to satisfy Google's Endpoint Validation. | ||
// See https://cloud.google.com/endpoint-verification/docs/overview | ||
// | ||
// This package is not intended for use by end developers. Use the | ||
// google.golang.org/api/option package to configure API clients. | ||
package cert | ||
|
||
import ( | ||
"crypto/tls" | ||
"errors" | ||
"os" | ||
|
||
"github.com/googleapis/enterprise-certificate-proxy/client" | ||
) | ||
|
||
type ecpSource struct { | ||
key *client.Key | ||
} | ||
|
||
// NewEnterpriseCertificateProxySource creates a certificate source | ||
// using the Enterprise Certificate Proxy client, which delegates | ||
// certifcate related operations to an OS-specific "signer binary" | ||
// that communicates with the native keystore (ex. keychain on MacOS). | ||
// | ||
// The configFilePath points to a config file containing relevant parameters | ||
// such as the certificate issuer and the location of the signer binary. | ||
// If configFilePath is empty, the client will attempt to load the config from | ||
// a well-known gcloud location. | ||
func NewEnterpriseCertificateProxySource(configFilePath string) (Source, error) { | ||
|
||
key, err := client.Cred(configFilePath) | ||
if err != nil { | ||
if errors.Is(err, os.ErrNotExist) { | ||
// Config file missing means Enterprise Certificate Proxy is not supported. | ||
return nil, errSourceUnavailable | ||
} | ||
return nil, err | ||
} | ||
|
||
return (&ecpSource{ | ||
key: key, | ||
}).getClientCertificate, nil | ||
} | ||
|
||
func (s *ecpSource) getClientCertificate(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { | ||
var cert tls.Certificate | ||
cert.PrivateKey = s.key | ||
|
||
cert.Certificate = s.key.CertificateChain() | ||
return &cert, nil | ||
} |
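Review bot: getClientCertificate ignores its info parameter, so the same certificate is handed back whatever the server's CertificateRequestInfo asks for; if the signer's key does not match what the server accepts (for instance a signature scheme the signer binary cannot produce), the failure shows up as an opaque TLS handshake error instead of a descriptive one. Consider validating with `info.SupportsCertificate(&cert)` before `return &cert, nil` and returning a wrapped error when it fails; that also makes a nil info an explicit error rather than something that only works by accident. Two smaller points in the same hunk: the doc comment on NewEnterpriseCertificateProxySource misspells "certifcate", and since the config file names the signer binary that this client launches, the comment should state that the config file is trusted input and must only be read from the well-known gcloud location or a path the caller controls.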
@@ -0,0 +1,45 @@ | ||
// Copyright 2022 Google LLC. | ||
// Use of this source code is governed by a BSD-style | ||
// license that can be found in the LICENSE file. | ||
package cert | ||
|
||
import ( | ||
"errors" | ||
"testing" | ||
) | ||
|
||
func TestEnterpriseCertificateProxySource_ConfigMissing(t *testing.T) { | ||
source, err := NewEnterpriseCertificateProxySource("missing.json") | ||
if got, want := err, errSourceUnavailable; !errors.Is(err, errSourceUnavailable) { | ||
t.Fatalf("NewEnterpriseCertificateProxySource: with missing config; got %v, want %v err", got, want) | ||
} | ||
if source != nil { | ||
t.Errorf("NewEnterpriseCertificateProxySource: with missing config; got %v, want nil source", source) | ||
} | ||
} | ||
|
||
// This test launches a mock signer binary "test_signer.go" that uses a valid pem file. | ||
func TestEnterpriseCertificateProxySource_GetClientCertificateSuccess(t *testing.T) { | ||
source, err := NewEnterpriseCertificateProxySource("testdata/enterprise_certificate_config.json") | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
cert, err := source(nil) | ||
if err != nil { | ||
t.Fatal(err) | ||
} | ||
if cert.Certificate == nil { | ||
t.Error("getClientCertificate: got nil, want non-nil Certificate") | ||
} | ||
if cert.PrivateKey == nil { | ||
t.Error("getClientCertificate: got nil, want non-nil PrivateKey") | ||
} | ||
} | ||
|
||
// This test launches a mock signer binary "test_signer.go" that uses an invalid pem file. | ||
func TestEnterpriseCertificateProxySource_InitializationFailure(t *testing.T) { | ||
_, err := NewEnterpriseCertificateProxySource("testdata/enterprise_certificate_config_invalid_pem.json") | ||
if err == nil { | ||
t.Error("NewEnterpriseCertificateProxySource: got nil, want non-nil err") | ||
} | ||
} |
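Review bot: TestEnterpriseCertificateProxySource_ConfigMissing passes the relative path "missing.json", so the test changes meaning silently if a file of that name ever appears in the package directory; `filepath.Join(t.TempDir(), "missing.json")` guarantees the path does not exist. In TestEnterpriseCertificateProxySource_GetClientCertificateSuccess, `source(nil)` passes only because the current getClientCertificate never reads info; passing `&tls.CertificateRequestInfo{}` keeps the test valid if that changes. Finally, the comments on the two signer-backed tests say a mock signer binary "test_signer.go" is launched, but nothing in this hunk builds or locates it; the comment should say how the testdata config reaches that binary so the tests are reproducible from a clean checkout.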
I don't think this case3 is needed. In the case that err is non-nil and a source can't be detected, we should just return the error.
So the reason we return "nil, nil" when DefaultSource is unavailable is that the eventual caller of DefaultSource will take a different action when we don't have a certificate (i.e. it will not use the mTLS path); we don't want to error out in this scenario (in other words, a nil Source is an acceptable return value). The other possibility to support these semantics is to export "errSourceUnavailable" so the caller can condition on that, but I'm not sure if exporting custom errors is good practice, and it would also technically be non-backwards-compatible. WDYT?
You are right that it would be a behavior change, but until this commit I don't think we documented that a nil error could be returned. It is definitely a grey area as far as breaking changes are concerned. But after thinking more, I agree with you that although the current semantics are not ideal, it is best to keep them the same to avoid potential breakages.
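The contract argued over in the thread above (an unexported errSourceUnavailable inside the package, a default lookup that returns (nil, nil) so the caller can fall back to plain TLS, and the resulting Source wired into tls.Config.GetClientCertificate), as an added example that is not code from this PR or from google-api-go-client. It replaces the enterprise-certificate-proxy client with a hypothetical JSON config reader (the signerConfig type and its signer_binary field are assumptions, not the real ECP schema) that never launches anything, and the names newConfigSource, defaultSource and clientTLSConfig are likewise assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Source has the signature tls.Config.GetClientCertificate expects, as in the PR.
type Source func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

// errSourceUnavailable is the package-private sentinel the PR's tests check with errors.Is:
// "no certificate source is configured here" is a normal outcome, not a failure.
var errSourceUnavailable = errors.New("certificate source is unavailable")

// signerConfig is a hypothetical stand-in for the ECP config file; the field name is an
// assumption made for this example, not the real ECP schema.
type signerConfig struct {
	SignerBinary string `json:"signer_binary"`
}

// newConfigSource stands in for NewEnterpriseCertificateProxySource. The branching is the
// point: a missing config maps to errSourceUnavailable, anything else is a real error.
func newConfigSource(path string) (Source, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		if errors.Is(err, os.ErrNotExist) {
			return nil, errSourceUnavailable
		}
		return nil, err
	}
	var cfg signerConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parsing %s: %w", path, err)
	}
	if cfg.SignerBinary == "" {
		return nil, fmt.Errorf("%s: signer_binary must be set", path)
	}
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		// The real source delegates to the signer binary; this stand-in returns an
		// empty certificate so the control flow can be exercised offline.
		return &tls.Certificate{}, nil
	}, nil
}

// defaultSource applies the semantics argued for in the review thread: when no source is
// available it returns (nil, nil) so the caller can skip mTLS, while genuine failures
// (unreadable or malformed config) propagate as errors.
func defaultSource(path string) (Source, error) {
	src, err := newConfigSource(path)
	if errors.Is(err, errSourceUnavailable) {
		return nil, nil
	}
	return src, err
}

// clientTLSConfig is how a caller consumes that contract: a nil Source means plain TLS,
// a non-nil one is wired into GetClientCertificate. The bool reports which path was taken.
func clientTLSConfig(src Source) (*tls.Config, bool) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if src == nil {
		return cfg, false
	}
	cfg.GetClientCertificate = src
	return cfg, true
}

func main() {
	dir, err := os.MkdirTemp("", "certsrc")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed config; the binary path is a placeholder and is never executed.
	cfgPath := filepath.Join(dir, "enterprise_certificate_config.json")
	if err := os.WriteFile(cfgPath, []byte(`{"signer_binary":"/placeholder/signer"}`), 0o600); err != nil {
		panic(err)
	}

	for _, p := range []string{cfgPath, filepath.Join(dir, "missing.json")} {
		src, err := defaultSource(p)
		_, mtls := clientTLSConfig(src)
		fmt.Printf("%s: err=%v mtls=%v\n", filepath.Base(p), err, mtls)
	}
}
```

The split between newConfigSource and defaultSource is what keeps both positions in the thread honest: inside the package, errors.Is against the sentinel stays testable, while the exported surface never forces callers to learn a new error value, and a malformed config still fails loudly instead of quietly downgrading the connection to plain TLS.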