Merge pull request #59 from xataio/update-tls-lib

Support PEM certificates as well as files
xataio · Aug 5, 2024 · 7418324 · 7418324
2 parents 8b098ab + 6500486
commit 7418324
Show file tree

Hide file tree

Showing 5 changed files with 360 additions and 27 deletions.
diff --git a/pkg/tls/test/test.csr b/pkg/tls/test/test.csr
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEjTCCAnUCAQAwSDELMAkGA1UEBhMCU1AxEzARBgNVBAgMClNvbWUtU3RhdGUx
+FTATBgNVBAoMDFBnc3RyZWFtIEx0ZDENMAsGA1UECwwEWGF0YTCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAMZG8/obpyvJ+WkGkdO/hbExSN1nWR206/Dh
+pSYzcZyI1Jj0R4Af0gD/EFVM+4KTDr20nOofmfBWOYHV+KwiKtWQQ+oT0+xVcTT6
+IC5I5K9+AXERuTu/NbnjkxuC/1u7K511RrUK0lxUra2/B8mGTc9nu2g415GVk2hU
+rJjWEX09hVH7xBSmnzYN+IfepsftxgnR5m2YzqOSnsphBBfyyOsL+3Jo5Uv4yY22
+bnJCDxx/TPG37EcGMb4Q/aCWk5mXm4Io5mBfcl7SNxy867JpBO2CCP6fFaWRUGmF
+/O+YBD5z0cSb1wZrMBRgezggpa2gacYVtsWrQYzAxMtCf3MwM89z8i+W9ME3cMhg
+T7b6T0XCQ5gkqmLxDCsg9ocNV0W0wb5EEPlt4/TeqMmLbpLkIa6rnR2C6gg+wFSQ
+Vk8c/aBtm9BjKFLWWUwDUPPzp1RdIVAfuobDK37dVqr+1m6oTDl+BoDuM5PsgTS4
+bFW2ZJVZB+d4IFmGhqTtKKmYa7QbwhzF8i5ShV+419KOt6hRkJ/jREdea7ZS/uyK
+wBAvPHZVkUk8tfTpcuKTFVKsgXXV8uwwnI2W6safYbTXaN+7gfA88wntaigjeij/
+LrO+itAiv9GTGkpMlXyuAX/d5+4j0EHcV64NYL61GvMcbJ5G0SeQrXuBlgMTYaNr
+O7miEujnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAGYFGSgMARWuH5VXK0/Fl
+nNg+/rzdff1NYkY9QrvFxCQeVJ9rD1ml7VLZXDtXhMNEGJyYbkouc1Ehx0BsihT6
+YztcnQ6TzWAzvr3Ns9X3riADzXxdDHV5xs+8VPV8RvT3XNcrlw2NQmzJ4Juc8PkT
+4ZfguZBywAmFTw1oX8JqlQSp5pYtP7popsvGPS6ieUm0Kmv8kK3sRDs+JSc7iXtB
+/HymqeSylFNHgFZsdbYmu32v2qbcqimAitB/v5tGNhuiMXx6vEeQnB69V+AV70Rl
+9dnvAo7ihTRMzecUVsoDFtc8OWSPdTm6t8vDI2JqmeDN25Xhyf89cKwoY97NhA99
+ds5WHs6TzsHohPZAsaxtZnjwxMEne7Y4FLFmTHVk5o0POTZcOC/sMB1iBDsd/YJe
+AYsoiqLYtu6x6Avfe6LXWYWYa/R4/UXh8H6WiChsFXzOIilp3apjaeHM3z7iKx2S
+VtGyVTrrcbzRiF0ShKVnbDXnvcoNZxPiXfh6Zz4SkBbV01T3hluBwzp4mjcWpiv3
+AOAWChMnbmkg/T+OME6e1JVHDR5tAC/7vF2QkZYpiH2RVnZmCTDWBcRGpMkhkRgF
+eycowzKBkgIOcJ99p0sGEqQ3W0J1M4bzuumncLID08EG/dEp1eIdunahcHHyhnnv
+BcGFr2/OxuaVmxcy5/QQjAg=
+-----END CERTIFICATE REQUEST-----
diff --git a/pkg/tls/test/test.key b/pkg/tls/test/test.key
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDGRvP6G6cryflp
+BpHTv4WxMUjdZ1kdtOvw4aUmM3GciNSY9EeAH9IA/xBVTPuCkw69tJzqH5nwVjmB
+1fisIirVkEPqE9PsVXE0+iAuSOSvfgFxEbk7vzW545Mbgv9buyuddUa1CtJcVK2t
+vwfJhk3PZ7toONeRlZNoVKyY1hF9PYVR+8QUpp82DfiH3qbH7cYJ0eZtmM6jkp7K
+YQQX8sjrC/tyaOVL+MmNtm5yQg8cf0zxt+xHBjG+EP2glpOZl5uCKOZgX3Je0jcc
+vOuyaQTtggj+nxWlkVBphfzvmAQ+c9HEm9cGazAUYHs4IKWtoGnGFbbFq0GMwMTL
+Qn9zMDPPc/IvlvTBN3DIYE+2+k9FwkOYJKpi8QwrIPaHDVdFtMG+RBD5beP03qjJ
+i26S5CGuq50dguoIPsBUkFZPHP2gbZvQYyhS1llMA1Dz86dUXSFQH7qGwyt+3Vaq
+/tZuqEw5fgaA7jOT7IE0uGxVtmSVWQfneCBZhoak7SipmGu0G8IcxfIuUoVfuNfS
+jreoUZCf40RHXmu2Uv7sisAQLzx2VZFJPLX06XLikxVSrIF11fLsMJyNlurGn2G0
+12jfu4HwPPMJ7WooI3oo/y6zvorQIr/RkxpKTJV8rgF/3efuI9BB3FeuDWC+tRrz
+HGyeRtEnkK17gZYDE2Gjazu5ohLo5wIDAQABAoICAFEXJaMNejIzeViVwkA6nP/Z
+6zX5lX3Lx48NidB0y6s8Xs5rYW6qFOYpatGoGVjOsgGuA1rRL9EWQpCyJPCpTKFp
+Tg1GrK6ERzdmcJDdaQHI4+gNWpdv3RY4V6qxyaQHiY/tLczPLzdpvlpHvXSTA/Gm
+OAQo8yjsZowNzUT4j9CLv6HG+OuFNaoSzqkqy0ULHqpXeQkrrJ9DUMPuJ5FvzvIq
+RV0GP3jxt+TITqVWFP4PpjVZhj2J8AAOzNvHmXgAhC4YchfKEWlsSfPr4+1kfApy
+2yDfiSfcpWlyzf5jSqEMFyd0oN1UKya6Ssqqt3eqGnhT2xs+riFVmWaTvLIsbZNb
+ML2OT7s0nqSkhkomVcQxgh+rypgljPB2JhHNSScKF3BYlIBFX9GarZ32vcLdBb/Z
+u1GOiu6Fd5uBVfS0PTwX/8/NwCOmofUTxUa3J8oLcxBZRe8y0sxnfdsbKbXLviym
+okOUyk6h4KaTXB2+99Q7TSHGGXissCeTCU8tIMEKFHlN3PQeSphEcHvhIBKTPdK3
+vCbzfpoMWzyTBvSdffQRewSwij3fImPrWsE9s15jjDW3AwLjuNtPCYg3Amu0yK0k
+ktAnJgruoWhnrxJae9iXPUuZghPvweDNnhtQb5Uf3jeYKwL2fLE3eaVtjqiWha5B
+ziDK7ZelBH85IEP6COWxAoIBAQDpHIZ/aFl49AV0BhCDv2+28OlR1s6p4QZmX5mb
+pQfON868Ya7iR+tPjzN71IJfga02QiaaXOUeh0FxCJMqdypSLW6XOIlppHLO8jmV
+6RztF/iA1h1+fo3DMuuL2Nw3ivo4NhBvSoyfAfSI+Nn5eJl2Zqhason5aWSZsxrN
+9A4Kcig8RS3aE3zQKCsT/ZBeM7AT+qqtGNceRh9pLgYkSnaugDX4JwD+f5VhUQOd
+ivB9E4xHZJJN61iefok1SkMekQ+GF8WQRCr8dKbQAgxh5Eu84J7iax4EvFsoHuIs
+9Wez0Yiy14ArW2+tkA+2GE0PBRvOPfjtVZ3n3lNOCjbLozWfAoIBAQDZvtXst+CS
+lQJjkDenb51ujAum9JaxbKoU2kOEEEeN8AYgvmIqpSsgaMmzYNtW1yVT+O2z0Ix7
+I6lG2cNz5XuWWJkBroAwPeHBZjOwyR9AdglYenIui6dftTdMDVnYbt/Fu905yh3t
+fGtT8IRGond3c+WZZCgbr6sO+nq4PpG+i+nuyqOo0JJCLtgWyyK9jrfEhk2fNZyK
+B7uaKwOhMHetkfnp5jyszGYsU2YU++NGL0vcacXUbZyYV4BT7+s3m+H0G8wf4qSP
+FAkX+sloEl5HRWDB4SP0H9erKg8zoKDI7DVtv2DJLnLMB88XjOz3l24/HOVzyI+N
+X3SfSQP55De5AoIBACpwGgA55AgEDLYZoIoLoO/iHefbPlZo8/xRLSrLuYcOW+Gp
+uufRBgK+5DWH85AlkH4PPu3dOYz8PKqyT/BsL1U0liyLi2CjIo+QQ3GKNczoD0KN
+OGNd8Lr3mzAjc7vc3j67gPRx0vXjqjwBadVj4jRO7hlM5Zd1W24r0BZsdt3p+G84
+fOd1osRWe7kw8UZlDIommUnX+tm1FGTWjyGuOLr99lVN7H1ohq5nzEuzDqMGmwQo
+SAZNcR2xlZMRCPUYnYXg8AOalWTOa8v0g4KSyEMDdYlszNM54zKDpNNgfdebrtI4
+L0o1ZDhpwKJ6/BRe7rf2SkoSyyN6MxpC+8TI2qsCggEAbN/X1VoHpyNso13cBhNw
+E3Ng7CUGKEbeMDkGY0VEkfr/BWZMbWhSzQy4NcHrSlufJYKlUDCp3XRyUqPV7+BB
+0GYSc13OaNC4TdyNYgreXnvmpl/rMczQbrGMqbFPSEIAD72kmx2toy5/9+OeMDdS
+Jt9DYVRMHbPTg1TJAdD/TNhmquiVtnY7e24yzArcHw36YwCIVWAYGohNTIPPd8xl
+Ottvq31cv0YgnG9C7qEX/eLuOpKEwXfhQecWmmGvKgn+i/FOOm83uvbYqS3TgP8W
+NurAu5CYSpuVWddY7IaXfn9lI6/6c/2Olugcq3jij9Ye4N3Q+PjClnyxMmfu3gc3
+uQKCAQAmpjnO3OukXxgEtDusQKh/IxsvKQMfSQNh68cQ6iroGDAguYBusSTYU1gA
+IKvR6Uqqv52yPe6u5pYC0fA8L+2S3nuFA4f4a1JHdpf5X5HwBtTERG4Qxh7p1gss
+3AZpLfYa442d8UuCCYoimBXqXXF0TLsfoRjcgrKd9yNO6Pa79jzUR+ixQmkyE7XA
+XGHx7Qsl6E0E1DgK4MHPOALg/tJiLNJQgIKDtiBn4GTR8tSHRDY64rEuOClq14y1
+cpXNj7lcV1xz1vLNRcksS0/QA7Hzol+Dt8xVOBK1smhCREMetUMXHwBYLnNemxNX
+/WF38bnN3/Dej6Ns6FRE8gNSRmeT
+-----END PRIVATE KEY-----
diff --git a/pkg/tls/test/test.pem b/pkg/tls/test/test.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFPzCCAyegAwIBAgIULV6zejFwt/Tri8WKZFBxj15uvaIwDQYJKoZIhvcNAQEL
+BQAwSDELMAkGA1UEBhMCU1AxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
+DFBnc3RyZWFtIEx0ZDENMAsGA1UECwwEWGF0YTAeFw0yNDA4MDUxNTE3NDBaFw0y
+NTA4MDUxNTE3NDBaMEgxCzAJBgNVBAYTAlNQMRMwEQYDVQQIDApTb21lLVN0YXRl
+MRUwEwYDVQQKDAxQZ3N0cmVhbSBMdGQxDTALBgNVBAsMBFhhdGEwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQDGRvP6G6cryflpBpHTv4WxMUjdZ1kdtOvw
+4aUmM3GciNSY9EeAH9IA/xBVTPuCkw69tJzqH5nwVjmB1fisIirVkEPqE9PsVXE0
++iAuSOSvfgFxEbk7vzW545Mbgv9buyuddUa1CtJcVK2tvwfJhk3PZ7toONeRlZNo
+VKyY1hF9PYVR+8QUpp82DfiH3qbH7cYJ0eZtmM6jkp7KYQQX8sjrC/tyaOVL+MmN
+tm5yQg8cf0zxt+xHBjG+EP2glpOZl5uCKOZgX3Je0jccvOuyaQTtggj+nxWlkVBp
+hfzvmAQ+c9HEm9cGazAUYHs4IKWtoGnGFbbFq0GMwMTLQn9zMDPPc/IvlvTBN3DI
+YE+2+k9FwkOYJKpi8QwrIPaHDVdFtMG+RBD5beP03qjJi26S5CGuq50dguoIPsBU
+kFZPHP2gbZvQYyhS1llMA1Dz86dUXSFQH7qGwyt+3Vaq/tZuqEw5fgaA7jOT7IE0
+uGxVtmSVWQfneCBZhoak7SipmGu0G8IcxfIuUoVfuNfSjreoUZCf40RHXmu2Uv7s
+isAQLzx2VZFJPLX06XLikxVSrIF11fLsMJyNlurGn2G012jfu4HwPPMJ7WooI3oo
+/y6zvorQIr/RkxpKTJV8rgF/3efuI9BB3FeuDWC+tRrzHGyeRtEnkK17gZYDE2Gj
+azu5ohLo5wIDAQABoyEwHzAdBgNVHQ4EFgQUcj2UaSuSsgkex5hfS0eDAkPdbJ0w
+DQYJKoZIhvcNAQELBQADggIBAJK6fMa4L7iIQSlPzG3pHTSSLQd9Unev2naX9/S1
+Yo55Tj9VCBhViGa7CbDtaW7ZYr/fXydZVcthXYZzZ7QEVyYaguWlzXLjy/qF8kgk
+cDwinFa8hiJnP+BJUGnzq3LYQJ2labI4YUscc6p4inh9y8JZ3n33VqX2YjqCdHMA
+j8nw5xpThdQ/a8z3Z8ugFCLO09Hts1eKFhs5PwaQvjkoX+dSE2FeX51OMlLOPDsu
+C6ScDU7FG0J5JE36nRqp2XwSdGAfc5pHKmsuomxnoE/d/hL7O6zouo/jvQyCNFtn
+5/pzhkhhOjUTP2gIW5ueNn8oQF9F32GWRNJGQVTBiK17dWvHxiSvIzgKqUyrD8lI
+VefVEQgRbfHD3nSk6G30gAeWzt8T10lI8MtQWTtoFJGFBaSVr/lSyHo4QS4SyTmK
+uvnFGJVivRtaAP4d+u/6/1Mvy5sNsSiWRRKfKTB/FEerbe7blhnqJhrBp98nKBv/
+IJtmewD7lVGGDY8sWnxnpNyqLVhvRilO9d+4oQWqKgN8m1PXAI2jDYA0RZ+Qs/ko
+5FB88mRi8hNOhmADXguKlnCid/X0StK6wpphvFIaNnGLFzjeZXc65BoV1c2+Boxe
+cNwpkrW5tKaf/Ox1ntHnnQBpUhM4AxGoczfIj0dEnYio54gagsAMK/Pjq2KiX7Bi
+RUm4
+-----END CERTIFICATE-----
diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go
@@ -6,34 +6,36 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io"
 	"os"
 )
 
 type Config struct {
 	// Enabled determines if TLS should be used. Defaults to false.
 	Enabled bool
-	// File path to the CA PEM certificate to be used for TLS connection. If TLS is
-	// enabled and no CA cert file is provided, the system certificate pool is
-	// used as default.
+	// File path to the CA PEM certificate or PEM certificate to be used for TLS
+	// connection. If TLS is enabled and no CA cert file is provided, the system
+	// certificate pool is used as default.
 	CaCertFile string
-	// File path to the client PEM certificate
+	CaCertPEM  string
+	// File path to the client PEM certificate or client PEM certificate
 	ClientCertFile string
-	// File path to the client PEM key
+	ClientCertPEM  string
+	// File path to the client PEM key or client PEM key content
 	ClientKeyFile string
+	ClientKeyPEM  string
 }
 
 func NewConfig(cfg *Config) (*tls.Config, error) {
 	if !cfg.Enabled {
 		return nil, nil
 	}
 
-	certPool, err := getCertPool(cfg.CaCertFile)
+	certPool, err := getCertPool(cfg)
 	if err != nil {
 		return nil, err
 	}
 
-	certificates, err := getCertificates(cfg.ClientCertFile, cfg.ClientKeyFile)
+	certificates, err := getCertificates(cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -46,23 +48,32 @@ func NewConfig(cfg *Config) (*tls.Config, error) {
 	}, nil
 }
 
-func getCertPool(caCertFile string) (*x509.CertPool, error) {
-	if caCertFile != "" {
-		pemCertBytes, err := readFile(caCertFile)
-		if err != nil {
-			return nil, fmt.Errorf("reading CA certificate file: %w", err)
-		}
-		certPool := x509.NewCertPool()
-		certPool.AppendCertsFromPEM(pemCertBytes)
-		return certPool, nil
+func getCertPool(cfg *Config) (*x509.CertPool, error) {
+	pemCertBytes, err := readPEMBytes(cfg.CaCertFile, cfg.CaCertPEM)
+	if err != nil {
+		return nil, fmt.Errorf("reading CA certificate file: %w", err)
+	}
+
+	if len(pemCertBytes) == 0 {
+		return x509.SystemCertPool()
 	}
 
-	return x509.SystemCertPool()
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(pemCertBytes)
+	return certPool, nil
 }
 
-func getCertificates(clientCertFile, clientKeyFile string) ([]tls.Certificate, error) {
-	if clientCertFile != "" && clientKeyFile != "" {
-		cert, err := tls.LoadX509KeyPair(clientCertFile, clientKeyFile)
+func getCertificates(cfg *Config) ([]tls.Certificate, error) {
+	if cfg.IsClientCertProvided() {
+		pemCertBytes, err := readPEMBytes(cfg.ClientCertFile, cfg.ClientCertPEM)
+		if err != nil {
+			return nil, err
+		}
+		pemKeyBytes, err := readPEMBytes(cfg.ClientKeyFile, cfg.ClientKeyPEM)
+		if err != nil {
+			return nil, err
+		}
+		cert, err := tls.X509KeyPair(pemCertBytes, pemKeyBytes)
 		if err != nil {
 			return nil, err
 		}
@@ -72,12 +83,16 @@ func getCertificates(clientCertFile, clientKeyFile string) ([]tls.Certificate, e
 	return []tls.Certificate{}, nil
 }
 
-func readFile(path string) ([]byte, error) {
-	file, err := os.Open(path)
-	if err != nil {
-		return nil, err
+// readPEMBytes will parse the certificate on input and return the pem byte
+// content. It accepts a pem certificate or the file path to a pem certificate.
+func readPEMBytes(certFile, certPEM string) ([]byte, error) {
+	if certFile != "" {
+		return os.ReadFile(certFile)
 	}
-	defer file.Close()
 
-	return io.ReadAll(file)
+	return []byte(certPEM), nil
+}
+
+func (c *Config) IsClientCertProvided() bool {
+	return (c.ClientCertFile != "" || c.ClientCertPEM != "") && (c.ClientKeyFile != "" || c.ClientKeyPEM != "")
 }