diff --git a/Makefile b/Makefile index 1e6e284f..3d1fff4c 100644 --- a/Makefile +++ b/Makefile @@ -68,7 +68,8 @@ deps: clean-deps github.com/spf13/cobra \ github.com/laher/goxc \ github.com/gin-contrib/cors \ - github.com/lxc/lxd + github.com/lxc/lxd \ + github.com/jtopjian/lxdhelpers clean-dist: rm -rf ./dist/${VERSION} diff --git a/src/discovery/lxd.go b/src/discovery/lxd.go index aa8d4eaa..2338a1d2 100644 --- a/src/discovery/lxd.go +++ b/src/discovery/lxd.go @@ -6,11 +6,7 @@ package discovery import ( - "crypto/x509" - "encoding/pem" "fmt" - "net/http" - "os" "strings" "time" @@ -19,6 +15,8 @@ import ( "../logging" "../utils" + "github.com/jtopjian/lxdhelpers" + "github.com/lxc/lxd" "github.com/lxc/lxd/shared" ) @@ -156,7 +154,7 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) { if strings.HasPrefix(cfg.LXDServerAddress, "https:") { /* Validate or generate certificates on the client side (gobetween) */ - if err := lxdValidateClientCertificates(cfg, lxdConfig); err != nil { + if err := lxdhelpers.ValidateClientCertificates(lxdConfig, cfg.LXDClientGenerateCerts); err != nil { return nil, err } @@ -184,7 +182,7 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) { if _, err := client.GetServerConfig(); err != nil { if cfg.LXDClientAcceptServerCert { var err error - client, err = lxdGetServerCertificate(client, cfg.LXDServerRemoteName) + client, err = lxdhelpers.GetRemoteCertificate(client, cfg.LXDServerRemoteName) if err != nil { return nil, fmt.Errorf("Could not add the LXD server: ", err) } @@ -203,13 +201,14 @@ func lxdBuildClient(cfg config.DiscoveryConfig) (*lxd.Client, error) { * * Authentication must happen even if PKI is in use. */ - if !client.AmTrusted() { - log.Info("Attempting to authenticate") - if err := client.AddMyCertToServer(cfg.LXDServerRemotePassword); err != nil { - return nil, err - } - log.Info("Authentication successful") + log.Info("Attempting to authenticate") + err = lxdhelpers.ValidateRemoteConnection(client, cfg.LXDServerRemoteName, cfg.LXDServerRemotePassword) + if err != nil { + log.Info("Authentication unsuccessful") + return nil, err } + + log.Info("Authentication successful") } } @@ -245,91 +244,6 @@ func lxdBuildConfig(cfg config.DiscoveryConfig) (lxd.Config, error) { return config, nil } -func lxdValidateClientCertificates(cfg config.DiscoveryConfig, lxdConfig lxd.Config) error { - log := logging.For("lxdValidateClientCertificates") - certf := lxdConfig.ConfigPath("client.crt") - keyf := lxdConfig.ConfigPath("client.key") - - if !shared.PathExists(certf) || !shared.PathExists(keyf) { - if cfg.LXDClientGenerateCerts { - log.Info("Attempting to generate client certificates. This could take a minute.") - if err := shared.FindOrGenCert(certf, keyf, true); err != nil { - return err - } - } else { - err := fmt.Errorf("Certificate or key not found:\n\t%s\n\t%s\n"+ - "Either set lxd_generate_client_certs to true or generate the "+ - "certificates out of band of gobetween and try again", certf, keyf) - return err - } - } - - return nil -} - -func lxdGetServerCertificate(client *lxd.Client, remote string) (*lxd.Client, error) { - var certificate *x509.Certificate - var err error - - log := logging.For("lxdGetRemoteCertificate") - addr := client.Config.Remotes[remote] - - log.Info("Attempting to retrieve remote server certificate") - tlsConfig, err := shared.GetTLSConfig("", "", "", nil) - if err != nil { - return nil, err - } - - tlsConfig.InsecureSkipVerify = true - tr := &http.Transport{ - TLSClientConfig: tlsConfig, - Dial: shared.RFC3493Dialer, - Proxy: shared.ProxyFromEnvironment, - } - - /* Connect to the remote */ - httpClient := &http.Client{Transport: tr} - resp, err := httpClient.Get(addr.Addr) - if err != nil { - return nil, err - } - - /* Retrieve the certificate */ - if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 { - return client, fmt.Errorf("Unable to read remote TLS certificate") - } - - certificate = resp.TLS.PeerCertificates[0] - - /* Save the server certificate in the LXDConfigDirectory */ - dnam := client.Config.ConfigPath("servercerts") - if err := os.MkdirAll(dnam, 0750); err != nil { - return client, fmt.Errorf("Could not create server cert dir") - } - - certf := fmt.Sprintf("%s/%s.crt", dnam, client.Name) - certOut, err := os.Create(certf) - if err != nil { - return client, err - } - - pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: certificate.Raw}) - certOut.Close() - - // Setup a new connection, this time with the remote certificate - client, err = lxd.NewClient(&client.Config, remote) - if err != nil { - return client, err - } - - // Validate the client before returning - if _, err := client.GetServerConfig(); err != nil { - return client, err - } - - return client, nil -} - /** * Get container IP address depending on network interface and address type */