Main functionality of File Watcher (Directory) CRL provider

2023-09-28 22:23:41 +00:00 · 2023-09-28 22:23:41 +00:00 · 1feaae3b5c
parent c88d12da96
commit 1feaae3b5c
1 changed files with 144 additions and 2 deletions
--- a/security/advancedtls/crl_provider.go
+++ b/security/advancedtls/crl_provider.go
@ -20,8 +20,13 @@ package advancedtls
 import (
 	"crypto/x509"
 	"fmt"
 	"os"
 	"time"
 )
 const defaultCRLRefreshDuration = 1 * time.Hour
 type CRLProvider interface {
 	// Callers are expected to use the returned value as read-only.
 	CRL(cert *x509.Certificate) (*CRL, error)
@ -41,10 +46,147 @@ func MakeStaticCRLProvider() *StaticCRLProvider {
 }
 func (p *StaticCRLProvider) AddCRL(crl *CRL) {
-	p.crls[crl.CertList.Issuer.ToRDNSequence().String()] = crl
+	key := crl.CertList.Issuer.ToRDNSequence().String()
 	p.crls[key] = crl
 }
 func (p *StaticCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) {
 	// TODO handle no CRL found
-	return p.crls[cert.Issuer.ToRDNSequence().String()], nil
+	key := cert.Issuer.ToRDNSequence().String()
 	return p.crls[key], nil
 }
 type Options struct {
 	CRLDirectory    string
 	RefreshDuration time.Duration
 }
 // NewFileWatcherCRLProvider creates a new FileWatcherCRLProvider.
 type FileWatcherCRLProvider struct {
 	crls map[string]*CRL
 	opts Options
 	done chan bool
 }
 func NewFileWatcherCRLProvider(o Options) (*FileWatcherCRLProvider, error) {
 	if err := o.validate(); err != nil {
 		return nil, err
 	}
 	return &FileWatcherCRLProvider{
 		crls: make(map[string]*CRL),
 		opts: o,
 		done: make(chan bool),
 	}, nil
 }
 func (o Options) validate() error {
 	// Checks relates to CRLDirectory.
 	if o.CRLDirectory == "" {
 		return fmt.Errorf("advancedtls: CRLDirectory needs to be specified")
 	}
 	fileInfo, err := os.Stat(o.CRLDirectory)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return fmt.Errorf("advancedtls: CRLDirectory %v does not exist", o.CRLDirectory)
 		} else {
 			return err
 		}
 	}
 	if !fileInfo.IsDir() {
 		return fmt.Errorf("advancedtls: CRLDirectory %v is not a directory", o.CRLDirectory)
 	}
 	_, err = os.Open(o.CRLDirectory)
 	if err != nil {
 		if os.IsPermission(err) {
 			return fmt.Errorf("advancedtls: CRLDirectory %v is not readable:", o.CRLDirectory)
 		} else {
 			return err
 		}
 	}
 	// Checks related to RefreshDuration.
 	if o.RefreshDuration <= 0 || o.RefreshDuration < time.Second {
 		grpclogLogger.Warningf("RefreshDuration must larger then 1 second: provided value %v, default value will be used %v", o.RefreshDuration, defaultCRLRefreshDuration)
 	}
 	return nil
 }
 // Start starts watching the directory for CRL files and updates the provider accordingly.
 func (p *FileWatcherCRLProvider) Start() {
 	ticker := time.NewTicker(p.opts.RefreshDuration)
 	defer ticker.Stop()
 	// Initial CRL load
 	p.scanCRLDirectory()
 	for {
 		select {
 		case <-ticker.C:
 			p.scanCRLDirectory()
 		case <-p.done:
 			return
 		}
 	}
 }
 // Stop stops the CRL provider and releases resources.
 func (p *FileWatcherCRLProvider) Stop() {
 	close(p.done)
 }
 func (p *FileWatcherCRLProvider) scanCRLDirectory() {
 	dir, err := os.Open(p.opts.CRLDirectory)
 	if err != nil {
 		grpclogLogger.Errorf("Can't open CRLDirectory %v", p.opts.CRLDirectory, err)
 	}
 	defer dir.Close()
 	files, err := dir.ReadDir(0)
 	if err != nil {
 		grpclogLogger.Errorf("Can't access files under CRLDirectory %v", p.opts.CRLDirectory, err)
 	}
 	successCounter := 0
 	failCounter := 0
 	for _, file := range files {
 		filePath := fmt.Sprintf("%s/%s", p.opts.CRLDirectory, file.Name())
 		err := p.addCRL(filePath)
 		if err != nil {
 			failCounter++
 			grpclogLogger.Warningf("Can't add CRL from file %v under CRLDirectory %v", filePath, p.opts.CRLDirectory, err)
 			continue
 		}
 		successCounter++
 	}
 	grpclogLogger.Infof("Scan of CRLDirectory %v completed, tried %v files, added %v CRLs, %v files failed", len(files), successCounter, failCounter)
 }
 func (p *FileWatcherCRLProvider) addCRL(filePath string) error {
 	crlBytes, err := os.ReadFile(filePath)
 	if err != nil {
 		return err
 	}
 	crl, err := parseRevocationList(crlBytes)
 	if err != nil {
 		return fmt.Errorf("addCRL: can't parse CRL from file %v: %v", filePath, err)
 	}
 	var certList *CRL
 	if certList, err = parseCRLExtensions(crl); err != nil {
 		return fmt.Errorf("addCRL: unsupported crl %v: %v", filePath, err)
 	}
 	rawCRLIssuer, err := extractCRLIssuer(crlBytes)
 	if err != nil {
 		return fmt.Errorf("addCRL: can't extract Issuer from CRL from file %v: %v", filePath, err)
 	}
 	certList.RawIssuer = rawCRLIssuer
 	key := certList.CertList.Issuer.ToRDNSequence().String()
 	p.crls[key] = certList
 	grpclogLogger.Infof("In-memory CRL storage of FileWatcherCRLProvider for key %v updated", key)
 	return nil
 }
 // CRL retrieves the CRL associated with the given certificate's issuer DN.
 func (p *FileWatcherCRLProvider) CRL(cert *x509.Certificate) (*CRL, error) {
 	// TODO handle no CRL found
 	key := cert.Issuer.ToRDNSequence().String()
 	return p.crls[key], nil
 }