Updated PR
kayrus committed Jul 21, 2016
1 parent 23c6d2a commit e016f6d
Showing 3 changed files with 113 additions and 81 deletions.
157 changes: 93 additions & 64 deletions cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go


21 changes: 15 additions & 6 deletions embed/etcd.go
Expand Up @@ -21,6 +21,7 @@ import (
"net/http"
"path"

"github.com/cloudflare/cfssl/revoke"
"github.com/coreos/etcd/etcdserver"
"github.com/coreos/etcd/etcdserver/api/v2http"
"github.com/coreos/etcd/pkg/cors"
Expand Down Expand Up @@ -294,14 +295,17 @@ func (e *Etcd) serve() (err error) {
plog.Infof("cors = %s", e.cfg.CorsInfo)
}

// Start the peer server in a goroutine
var ph, clientHandler http.Handler
// Define the peer server handler
var ph http.Handler
if e.cfg.PeerTLSInfo.CRLCheck {
// Enable CRL checker handler for the peer server
peerRH := revoke.New(e.cfg.PeerTLSInfo.CRLHardFail)
if err = peerRH.SetLocalCRL(e.cfg.PeerTLSInfo.CRLFile); err != nil {
return err
}
ph = tlsutil.NewRevokeHandler(
v2http.NewPeerHandler(e.Server),
e.cfg.PeerTLSInfo.CRLFile,
e.cfg.PeerTLSInfo.CRLHardFail)
peerRH)
} else {
ph = v2http.NewPeerHandler(e.Server)
}
Expand All @@ -312,12 +316,17 @@ func (e *Etcd) serve() (err error) {
}(l)
}

// Define the client server handler
var clientHandler http.Handler
if e.cfg.ClientTLSInfo.CRLCheck {
// Enable CRL checker handler for the client server
clientRH := revoke.New(e.cfg.ClientTLSInfo.CRLHardFail)
if err = clientRH.SetLocalCRL(e.cfg.ClientTLSInfo.CRLFile); err != nil {
return err
}
clientHandler = tlsutil.NewRevokeHandler(
v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()),
e.cfg.ClientTLSInfo.CRLFile,
e.cfg.ClientTLSInfo.CRLHardFail)
clientRH)
} else {
clientHandler = v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout())
}
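Review bot: The CRL is read exactly once, by the `SetLocalCRL` call inside `serve()`, and the resulting `*revoke.Revoke` is captured by the handler for the life of the process, so unless the vendored revoke package (whose changes are not rendered on this page) refreshes it, a CRL published after startup, or one whose validity window lapses, is never picked up; at minimum the call deserves a comment such as `// CRL is loaded once at startup; a new CRL takes effect only after a restart.`, and a reload path would be better. The peer and client branches are also the same code apart from the TLSInfo and the inner handler, so a small helper would remove the duplication and keep the two listeners from drifting; the sketch below assumes the TLSInfo type is the one etcd uses elsewhere for these fields. `serve()` starts and ends outside the hunks.
```go
// newCRLHandler wraps h with a revocation check driven by ti's CRL settings,
// or returns h unchanged when CRL checking is disabled for that listener.
func newCRLHandler(h http.Handler, ti transport.TLSInfo) (http.Handler, error) {
	if !ti.CRLCheck {
		return h, nil
	}
	rc := revoke.New(ti.CRLHardFail)
	// CRL is loaded once at startup; a new CRL takes effect only after a restart.
	if err := rc.SetLocalCRL(ti.CRLFile); err != nil {
		return nil, err
	}
	return tlsutil.NewRevokeHandler(h, rc), nil
}
// … in serve(): ph, err = newCRLHandler(v2http.NewPeerHandler(e.Server), e.cfg.PeerTLSInfo) …
```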
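--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -74,18 +74,13 @@ func NewCert(certfile, keyfile string, parseFunc func([]byte, []byte) (tls.Certi
 return &tlsCert, nil
 }
 
-func isReqCertValid(req *http.Request, CRLpath string, revokeChecker *revoke.Revoke) bool {
+func isReqCertValid(req *http.Request, rc *revoke.Revoke) bool {
 if req.TLS == nil {
 return true
 }
 for _, cert := range req.TLS.PeerCertificates {
-var revoked, ok bool
-if CRLpath != "" {
-revoked, ok = revokeChecker.VerifyCertificateByCRLPath(cert, CRLpath)
-} else {
-revoked, ok = revokeChecker.VerifyCertificate(cert)
-}
-if !ok && revokeChecker.HardFail {
+revoked, ok := rc.VerifyCertificate(cert)
+if !ok && rc.HardFail() {
 return false
 }
 if revoked {
@@ -95,10 +90,9 @@ func isReqCertValid(req *http.Request, CRLpath string, revokeChecker *revoke.Rev
 return true
 }
 
-func NewRevokeHandler(handler http.Handler, CRLpath string, hardfail bool) http.Handler {
-revokeChecker := revoke.New(hardfail)
+func NewRevokeHandler(handler http.Handler, rc *revoke.Revoke) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-if isReqCertValid(req, CRLpath, revokeChecker) {
+if isReqCertValid(req, rc) {
 handler.ServeHTTP(w, req)
 return
 }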
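Review bot: The soft-fail path in `isReqCertValid` is silent: when `VerifyCertificate` reports `!ok` and `rc.HardFail()` is false, the loop falls through to the `revoked` test and, assuming an indeterminate result leaves `revoked` false, the request is served with no record that the revocation check was skipped, so a deployment running without hard-fail cannot tell from its logs whether CRL checking is working at all; a log line at that point, `// revocation status unknown and hard-fail disabled: request is allowed through`, would make that mode auditable. `NewRevokeHandler` is exported and still has no doc comment; something like `// NewRevokeHandler wraps handler so that requests whose TLS peer certificates are revoked according to rc are rejected; requests without TLS are passed through unchecked.` states the contract, including the `req.TLS == nil` bypass, which callers placing it on a plain-HTTP listener should know about. The rejection branch of the handler, and the tail of the certificate loop, lie outside the hunks.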
