mirror of https://github.com/docker/docs.git
97 lines
2.8 KiB
Go
97 lines
2.8 KiB
Go
package server
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"log"
|
|
"net"
|
|
"net/http"
|
|
|
|
"github.com/endophage/go-tuf/signed"
|
|
"github.com/gorilla/mux"
|
|
"golang.org/x/net/context"
|
|
|
|
"github.com/docker/vetinari/config"
|
|
"github.com/docker/vetinari/server/handlers"
|
|
"github.com/docker/vetinari/utils"
|
|
)
|
|
|
|
// Run sets up and starts a TLS server that can be cancelled using the
|
|
// given configuration. The context it is passed is the context it should
|
|
// use directly for the TLS server, and generate children off for requests
|
|
func Run(ctx context.Context, conf *config.Configuration) error {
|
|
|
|
var trust signed.TrustService
|
|
if conf.TrustService.Type == "remote" {
|
|
log.Println("[Vetinari Server] : Using remote signing service")
|
|
trust = newRufusSigner(conf.TrustService.Hostname, conf.TrustService.Port)
|
|
} else {
|
|
log.Println("[Vetinari Server] : Using local signing service")
|
|
trust = signed.NewEd25519()
|
|
}
|
|
|
|
keypair, err := tls.LoadX509KeyPair(conf.Server.TLSCertFile, conf.Server.TLSKeyFile)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
tlsConfig := &tls.Config{
|
|
MinVersion: tls.VersionTLS12,
|
|
PreferServerCipherSuites: true,
|
|
CipherSuites: []uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
|
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
|
},
|
|
Certificates: []tls.Certificate{keypair},
|
|
Rand: rand.Reader,
|
|
}
|
|
|
|
tcpAddr, err := net.ResolveTCPAddr("tcp", conf.Server.Addr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
lsnr, err := net.ListenTCP("tcp", tcpAddr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
tlsLsnr := tls.NewListener(lsnr, tlsConfig)
|
|
|
|
// This is a basic way to shutdown the running listeners.
|
|
// A more complete implementation would ensure each individual connection
|
|
// gets cleaned up.
|
|
go func() {
|
|
doneChan := ctx.Done()
|
|
<-doneChan
|
|
// TODO: log that we received close signal
|
|
lsnr.Close()
|
|
tlsLsnr.Close()
|
|
}()
|
|
|
|
|
|
hand := utils.RootHandlerFactory(&utils.InsecureAuthorizer{}, utils.NewContext, trust)
|
|
|
|
r := mux.NewRouter()
|
|
// TODO (endophage): use correct regexes for image and tag names
|
|
r.Methods("PUT").Path("/{imageName}/init").Handler(hand(handlers.GenKeysHandler, utils.SSCreate))
|
|
r.Methods("GET").Path("/{imageName}/{tufFile}").Handler(hand(handlers.GetHandler, utils.SSNoAuth))
|
|
r.Methods("DELETE").Path("/{imageName}:{tag}").Handler(hand(handlers.RemoveHandler, utils.SSDelete))
|
|
r.Methods("POST").Path("/{imageName}:{tag}").Handler(hand(handlers.AddHandler, utils.SSUpdate))
|
|
|
|
server := http.Server{
|
|
Addr: conf.Server.Addr,
|
|
Handler: r,
|
|
}
|
|
|
|
log.Println("[Vetinari Server] : Listening on", conf.Server.Addr)
|
|
|
|
err = server.Serve(tlsLsnr)
|
|
|
|
return err
|
|
}
|