Utilize lxdhelper library for certain functions

yyyar · Jun 6, 2017 · ccfb356 · ccfb356
1 parent 828807a
commit ccfb356
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 98 deletions.
diff --git a/Makefile b/Makefile
@@ -68,7 +68,8 @@ deps: clean-deps
 	github.com/spf13/cobra \
 	github.com/laher/goxc \
 	github.com/gin-contrib/cors \
-	github.com/lxc/lxd
+	github.com/lxc/lxd \
+	github.com/jtopjian/lxdhelpers
 
 clean-dist:
 	rm -rf ./dist/${VERSION}

diff --git a/src/discovery/lxd.go b/src/discovery/lxd.go
@@ -6,11 +6,7 @@
 package discovery
 
 import (
-	"crypto/x509"
-	"encoding/pem"
 	"fmt"
-	"net/http"
-	"os"
 	"strings"
 	"time"
 
@@ -19,6 +15,8 @@ import (
 	"../logging"
 	"../utils"
 
+	"github.com/jtopjian/lxdhelpers"
+
 	"github.com/lxc/lxd"
 	"github.com/lxc/lxd/shared"
 )
@@ -156,7 +154,7 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) {
 	if strings.HasPrefix(cfg.LXDServerAddress, "https:") {
 
 		/* Validate or generate certificates on the client side (gobetween) */
-		if err := lxdValidateClientCertificates(cfg, lxdConfig); err != nil {
+		if err := lxdhelpers.ValidateClientCertificates(lxdConfig, cfg.LXDClientGenerateCerts); err != nil {
 			return nil, err
 		}
 
@@ -184,7 +182,7 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) {
 			if _, err := client.GetServerConfig(); err != nil {
 				if cfg.LXDClientAcceptServerCert {
 					var err error
-					client, err = lxdGetServerCertificate(client, cfg.LXDServerRemoteName)
+					client, err = lxdhelpers.GetRemoteCertificate(client, cfg.LXDServerRemoteName)
 					if err != nil {
 						return nil, fmt.Errorf("Could not add the LXD server: ", err)
 					}
@@ -203,13 +201,14 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) {
 			 *
 			 * Authentication must happen even if PKI is in use.
 			 */
-			if !client.AmTrusted() {
-				log.Info("Attempting to authenticate")
-				if err := client.AddMyCertToServer(cfg.LXDServerRemotePassword); err != nil {
-					return nil, err
-				}
-				log.Info("Authentication successful")
+			log.Info("Attempting to authenticate")
+			err = lxdhelpers.ValidateRemoteConnection(client, cfg.LXDServerRemoteName, cfg.LXDServerRemotePassword)
+			if err != nil {
+				log.Info("Authentication unsuccessful")
+				return nil, err
 			}
+
+			log.Info("Authentication successful")
 		}
 	}
 
@@ -245,91 +244,6 @@ func lxdBuildConfig(cfg config.DiscoveryConfig) (lxd.Config, error) {
 	return config, nil
 }
 
-func lxdValidateClientCertificates(cfg config.DiscoveryConfig, lxdConfig lxd.Config) error {
-	log := logging.For("lxdValidateClientCertificates")
-	certf := lxdConfig.ConfigPath("client.crt")
-	keyf := lxdConfig.ConfigPath("client.key")
-
-	if !shared.PathExists(certf) || !shared.PathExists(keyf) {
-		if cfg.LXDClientGenerateCerts {
-			log.Info("Attempting to generate client certificates. This could take a minute.")
-			if err := shared.FindOrGenCert(certf, keyf, true); err != nil {
-				return err
-			}
-		} else {
-			err := fmt.Errorf("Certificate or key not found:\n\t%s\n\t%s\n"+
-				"Either set lxd_generate_client_certs to true or generate the "+
-				"certificates out of band of gobetween and try again", certf, keyf)
-			return err
-		}
-	}
-
-	return nil
-}
-
-func lxdGetServerCertificate(client *lxd.Client, remote string) (*lxd.Client, error) {
-	var certificate *x509.Certificate
-	var err error
-
-	log := logging.For("lxdGetRemoteCertificate")
-	addr := client.Config.Remotes[remote]
-
-	log.Info("Attempting to retrieve remote server certificate")
-	tlsConfig, err := shared.GetTLSConfig("", "", "", nil)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsConfig.InsecureSkipVerify = true
-	tr := &http.Transport{
-		TLSClientConfig: tlsConfig,
-		Dial:            shared.RFC3493Dialer,
-		Proxy:           shared.ProxyFromEnvironment,
-	}
-
-	/* Connect to the remote */
-	httpClient := &http.Client{Transport: tr}
-	resp, err := httpClient.Get(addr.Addr)
-	if err != nil {
-		return nil, err
-	}
-
-	/* Retrieve the certificate */
-	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
-		return client, fmt.Errorf("Unable to read remote TLS certificate")
-	}
-
-	certificate = resp.TLS.PeerCertificates[0]
-
-	/* Save the server certificate in the LXDConfigDirectory */
-	dnam := client.Config.ConfigPath("servercerts")
-	if err := os.MkdirAll(dnam, 0750); err != nil {
-		return client, fmt.Errorf("Could not create server cert dir")
-	}
-
-	certf := fmt.Sprintf("%s/%s.crt", dnam, client.Name)
-	certOut, err := os.Create(certf)
-	if err != nil {
-		return client, err
-	}
-
-	pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certificate.Raw})
-	certOut.Close()
-
-	// Setup a new connection, this time with the remote certificate
-	client, err = lxd.NewClient(&client.Config, remote)
-	if err != nil {
-		return client, err
-	}
-
-	// Validate the client before returning
-	if _, err := client.GetServerConfig(); err != nil {
-		return client, err
-	}
-
-	return client, nil
-}
-
 /**
  * Get container IP address depending on network interface and address type
  */