/*
|
|
Copyright 2022 CAcert Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package handler
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
|
|
"github.com/shamaton/msgpackgen/msgpack"
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"git.cacert.org/cacert-gosignerclient/internal/client"
|
|
|
|
"git.cacert.org/cacert-gosigner/pkg/messages"
|
|
|
|
"git.cacert.org/cacert-gosigner/pkg/protocol"
|
|
"git.cacert.org/cacert-gosignerclient/internal/config"
|
|
)
|
|
|
|
// SignerClientHandler is the client-side handler of the signer protocol: it
// encodes commands as msgpack frames, decodes the announcement/data frame
// pairs that come back, and hands decoded results to the application through
// clientCallback.
type SignerClientHandler struct {
	logger *logrus.Logger
	// commands is stored by New but not read by any method in this file;
	// presumably consumed by the protocol layer — confirm against the caller.
	commands chan *protocol.Command
	// config supplies ResponseAnnounceTimeout and ResponseDataTimeout.
	config *config.ClientConfig
	// clientCallback receives client.SignerInfo values (health) and
	// *messages.FetchCRLResponse values (CRL fetch); sends block until read.
	clientCallback chan interface{}
}
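// Send serialises command as two msgpack frames — the announcement followed by
// the command payload — and pushes them onto out in that order.
//
// Both frames are encoded before anything is sent, so a marshalling failure
// never leaves the peer with an announcement whose data frame never follows.
// Each send on out blocks until the transport side takes the frame; there is
// no cancellation, so a stalled writer stalls the caller as well.
//
// Returns a wrapped error if either part cannot be marshalled.
func (s *SignerClientHandler) Send(command *protocol.Command, out chan []byte) error {
	announceFrame, err := msgpack.Marshal(command.Announce)
	if err != nil {
		return fmt.Errorf("could not marshal command announcement: %w", err)
	}

	// Encode the payload up front: failing here after the announcement had
	// already been written would desynchronise the announcement/data pairing.
	dataFrame, err := msgpack.Marshal(command.Command)
	if err != nil {
		return fmt.Errorf("could not marshal command data: %w", err)
	}

	s.logger.WithField("announcement", command.Announce).Debug("write command announcement")
	s.logger.Trace("writing command announcement")

	out <- announceFrame

	s.logger.WithField("command", command.Command).Debug("write command data")

	out <- dataFrame

	return nil
}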
// ResponseAnnounce waits for the next frame on in and decodes it as a
// messages.ResponseAnnounce. It gives up with
// protocol.ErrResponseAnnounceTimeoutExpired once
// s.config.ResponseAnnounceTimeout has elapsed without a frame.
//
// On success the returned Response carries only the announcement; the data
// part is attached later by ResponseData.
func (s *SignerClientHandler) ResponseAnnounce(in chan []byte) (*protocol.Response, error) {
	var announce messages.ResponseAnnounce

	timeout := time.After(s.config.ResponseAnnounceTimeout)

	select {
	case <-timeout:
		return nil, protocol.ErrResponseAnnounceTimeoutExpired
	case frame := <-in:
		if err := msgpack.Unmarshal(frame, &announce); err != nil {
			return nil, fmt.Errorf("could not unmarshal response announcement: %w", err)
		}
	}

	response := &protocol.Response{Announce: &announce}

	s.logger.WithField("announcement", response.Announce).Debug("received response announcement")

	return response, nil
}
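// ResponseData waits for the data frame that follows the announcement already
// stored in response.Announce, decodes it according to response.Announce.Code
// and stores the decoded message in response.Response.
//
// It returns protocol.ErrResponseDataTimeoutExpired when no frame arrives
// within s.config.ResponseDataTimeout, a wrapped error when the frame does not
// decode, and a plain error for a missing announcement or an unknown code. In
// every non-timeout case the frame has been consumed, including the error
// cases, so the stream stays aligned with the announcement/data pairing.
func (s *SignerClientHandler) ResponseData(in chan []byte, response *protocol.Response) error {
	select {
	case frame := <-in:
		return s.decodeResponseData(frame, response)
	case <-time.After(s.config.ResponseDataTimeout):
		return protocol.ErrResponseDataTimeoutExpired
	}
}

// decodeResponseData unmarshals frame into the message type selected by the
// announcement code and attaches it to response.Response.
func (s *SignerClientHandler) decodeResponseData(frame []byte, response *protocol.Response) error {
	// The code is read from the announcement below; without one there is
	// nothing to select the message type by, so report it instead of
	// dereferencing a nil pointer.
	if response == nil || response.Announce == nil {
		return fmt.Errorf("cannot decode response data without a response announcement")
	}

	switch response.Announce.Code {
	case messages.RespHealth:
		var resp messages.HealthResponse
		if err := msgpack.Unmarshal(frame, &resp); err != nil {
			return fmt.Errorf("could not unmarshal health response data: %w", err)
		}

		response.Response = &resp
	case messages.RespFetchCRL:
		var resp messages.FetchCRLResponse
		if err := msgpack.Unmarshal(frame, &resp); err != nil {
			return fmt.Errorf("could not unmarshal fetch CRL response data: %w", err)
		}

		response.Response = &resp
	case messages.RespError:
		var resp messages.ErrorResponse
		if err := msgpack.Unmarshal(frame, &resp); err != nil {
			return fmt.Errorf("could not unmarshal error response data: %w", err)
		}

		response.Response = &resp
	default:
		return fmt.Errorf("unhandled response code %s", response.Announce.Code)
	}

	return nil
}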
// HandleResponse logs a decoded response and dispatches it by payload type:
// health and fetch-CRL responses go to their dedicated handlers, an error
// response is logged at Error level, and anything else is logged as
// unhandled.
//
// The returned error is always nil; the error result presumably exists to
// satisfy the protocol.ClientHandler interface — confirm against that type.
func (s *SignerClientHandler) HandleResponse(response *protocol.Response) error {
	s.logger.WithField("response", response.Announce).Info("handled response")
	s.logger.WithField("response", response).Debug("full response")

	switch payload := response.Response.(type) {
	case *messages.HealthResponse:
		s.handleHealthResponse(payload)
	case *messages.FetchCRLResponse:
		s.handleFetchCRLResponse(payload)
	case *messages.ErrorResponse:
		s.logger.WithField("message", payload.Message).Error("error from signer")
	default:
		s.logger.WithField("response", response).Warnf("unhandled response of type %T", response.Response)
	}

	return nil
}
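// handleHealthResponse converts a HealthResponse into a client.SignerInfo and
// publishes it on clientCallback.
//
// An unhealthy signer and every unhealthy component are logged at Error
// level. The health item whose Source is "HSM" supplies the CA certificate
// list and, for certificates flagged as signing, the profiles usable with
// them; any other source is logged as unhandled. The final send on
// clientCallback blocks until the application reads it.
func (s *SignerClientHandler) handleHealthResponse(r *messages.HealthResponse) {
	signerInfo := client.SignerInfo{
		SignerHealth:  r.Healthy,
		SignerVersion: r.Version,
	}

	if !r.Healthy {
		// it might be a good idea to notify monitoring if the signer is not OK
		s.logger.Error("signer is not healthy")
	}

	for _, item := range r.Info {
		if !item.Healthy {
			s.logger.WithField("component", item.Source).Error("signer component is not healthy")
		}

		switch item.Source {
		case "HSM":
			// Non-nil empty containers on purpose: an HSM item with no
			// certificates still yields empty (not nil) collections. A second
			// HSM item would replace, not extend, these — unchanged from the
			// original; confirm whether more than one can occur.
			signerInfo.CACertificates = make([]client.CertInfo, 0)
			signerInfo.UsableProfiles = make(map[string][]client.Profile)

			for certName, value := range item.MoreInfo {
				certInfo, err := messages.ParseCertificateInfo(value)
				if err != nil {
					// Skip only this entry. A `break` here would abandon the
					// remaining certificates, and because MoreInfo is ranged
					// as a map the surviving set would vary from run to run.
					s.logger.WithError(err).Error("could not parse certificate information")

					continue
				}

				s.logger.WithFields(map[string]interface{}{
					"certificate": certName,
					"signing":     certInfo.Signing,
					"profiles":    certInfo.Profiles,
					"status":      certInfo.Status,
					"valid-until": certInfo.ValidUntil,
				}).Trace("certificate info")

				signerInfo.CACertificates = append(
					signerInfo.CACertificates,
					client.CertInfo{Name: certName, FetchCRL: certInfo.Signing},
				)

				// Only signing certificates contribute usable profiles.
				if !certInfo.Signing {
					continue
				}

				for _, profile := range certInfo.Profiles {
					signerInfo.UsableProfiles[certName] = append(
						signerInfo.UsableProfiles[certName],
						client.Profile{Name: profile.Name, UseFor: string(profile.UseFor)},
					)
				}
			}
		default:
			s.logger.WithField("source", item.Source).Warn("unhandled health source")
		}
	}

	s.clientCallback <- signerInfo
}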
// handleFetchCRLResponse forwards the CRL response unchanged to the
// application via clientCallback; the send blocks until it is received.
func (s *SignerClientHandler) handleFetchCRLResponse(r *messages.FetchCRLResponse) {
	callback := s.clientCallback

	callback <- r
}
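// New builds a SignerClientHandler from its dependencies and returns it as a
// protocol.ClientHandler.
//
// config (source of the response timeouts) and logger (used by every method)
// are required and a nil value for either is reported as an error rather than
// surfacing later as a nil dereference. commands and clientCallback are stored
// as given; note that a nil clientCallback would make the health and CRL
// handlers block forever at send time, so callers should pass a live channel.
func New(
	config *config.ClientConfig,
	logger *logrus.Logger,
	commands chan *protocol.Command,
	clientCallback chan interface{},
) (protocol.ClientHandler, error) {
	if config == nil {
		return nil, fmt.Errorf("signer client handler requires a configuration")
	}

	if logger == nil {
		return nil, fmt.Errorf("signer client handler requires a logger")
	}

	handler := &SignerClientHandler{
		logger:         logger,
		config:         config,
		commands:       commands,
		clientCallback: clientCallback,
	}

	return handler, nil
}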