Add support for client certificates

2016-01-11 21:04:57 +01:00 · 2016-01-11 21:04:57 +01:00 · 937560e859
commit 937560e859
parent d9b63dd0ef
20 changed files with 376 additions and 39 deletions
--- a/storage/directory.go
+++ b/storage/directory.go
@ -33,6 +33,22 @@ func (d directory) Index(userID string) string {
 	return filepath.Join(d.Logs(), userID+".idx")
 }

+func (d directory) Users() string {
+	return filepath.Join(d.Root(), "users")
+}
+
+func (d directory) User(userID string) string {
+	return filepath.Join(d.Users(), userID)
+}
+
+func (d directory) Certificate(userID string) string {
+	return filepath.Join(d.User(userID), "cert.pem")
+}
+
+func (d directory) Key(userID string) string {
+	return filepath.Join(d.User(userID), "key.pem")
+}
+
 func (d directory) Config() string {
 	return filepath.Join(d.Root(), "config.toml")
 }
--- a/storage/user.go
+++ b/storage/user.go
@ -2,10 +2,12 @@ package storage

 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"log"
 	"strconv"
 	"strings"
+	"sync"
 	"time"

 	"github.com/khlieng/dispatch/Godeps/_workspace/src/github.com/blevesearch/bleve"
@ -39,10 +41,12 @@ type Message struct {
 }

 type User struct {
-	UUID string
+	UUID        string
+	Certificate *tls.Certificate `json:"-"`

 	messageLog   *bolt.DB
 	messageIndex bleve.Index
+	lock         sync.Mutex
 }

 func NewUser(uuid string) *User {
@ -73,6 +77,7 @@ func LoadUsers() []*User {
 		b.ForEach(func(k, v []byte) error {
 			user := User{UUID: string(k)}
 			user.openMessageLog()
+			user.loadCertificate()

 			users = append(users, &user)

--- a/storage/user_cert.go
+++ b/storage/user_cert.go
@ -0,0 +1,60 @@
+package storage
+
+import (
+	"crypto/tls"
+	"errors"
+	"io/ioutil"
+	"os"
+)
+
+var (
+	ErrInvalidCert      = errors.New("Invalid certificate")
+	ErrCouldNotSaveCert = errors.New("Could not save certificate")
+)
+
+func (u *User) SetCertificate(certPEM, keyPEM []byte) error {
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return ErrInvalidCert
+	}
+	u.lock.Lock()
+	u.Certificate = &cert
+	u.lock.Unlock()
+
+	err = os.MkdirAll(Path.User(u.UUID), 0700)
+	if err != nil {
+		return ErrCouldNotSaveCert
+	}
+
+	err = ioutil.WriteFile(Path.Certificate(u.UUID), certPEM, 0600)
+	if err != nil {
+		return ErrCouldNotSaveCert
+	}
+
+	err = ioutil.WriteFile(Path.Key(u.UUID), keyPEM, 0600)
+	if err != nil {
+		return ErrCouldNotSaveCert
+	}
+
+	return nil
+}
+
+func (u *User) loadCertificate() error {
+	certPEM, err := ioutil.ReadFile(Path.Certificate(u.UUID))
+	if err != nil {
+		return err
+	}
+
+	keyPEM, err := ioutil.ReadFile(Path.Key(u.UUID))
+	if err != nil {
+		return err
+	}
+
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return err
+	}
+
+	u.Certificate = &cert
+	return nil
+}