Bumps the go-deps group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.45.10` | `1.45.16` | | [github.com/gophercloud/gophercloud](https://github.com/gophercloud/gophercloud) | `1.6.0` | `1.7.0` | | [github.com/openshift-online/ocm-sdk-go](https://github.com/openshift-online/ocm-sdk-go) | `0.1.364` | `0.1.371` | | [github.com/osbuild/images](https://github.com/osbuild/images) | `0.5.1-0.20230915095808-dd48a38be218` | `0.7.0` | | [github.com/vmware/govmomi](https://github.com/vmware/govmomi) | `0.30.7` | `0.31.0` | | [google.golang.org/api](https://github.com/googleapis/google-api-go-client) | `0.142.0` | `0.143.0` | Updates `github.com/aws/aws-sdk-go` from 1.45.10 to 1.45.16 - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.45.10...v1.45.16) Updates `github.com/gophercloud/gophercloud` from 1.6.0 to 1.7.0 - [Release notes](https://github.com/gophercloud/gophercloud/releases) - [Changelog](https://github.com/gophercloud/gophercloud/blob/v1.7.0/CHANGELOG.md) - [Commits](https://github.com/gophercloud/gophercloud/compare/v1.6.0...v1.7.0) Updates `github.com/openshift-online/ocm-sdk-go` from 0.1.364 to 0.1.371 - [Release notes](https://github.com/openshift-online/ocm-sdk-go/releases) - [Changelog](https://github.com/openshift-online/ocm-sdk-go/blob/main/CHANGES.md) - [Commits](https://github.com/openshift-online/ocm-sdk-go/compare/v0.1.364...v0.1.371) Updates `github.com/osbuild/images` from 0.5.1-0.20230915095808-dd48a38be218 to 0.7.0 - [Release notes](https://github.com/osbuild/images/releases) - [Commits](https://github.com/osbuild/images/commits/v0.7.0) Updates `github.com/vmware/govmomi` from 0.30.7 to 0.31.0 - [Release notes](https://github.com/vmware/govmomi/releases) - [Changelog](https://github.com/vmware/govmomi/blob/main/CHANGELOG.md) - [Commits](https://github.com/vmware/govmomi/compare/v0.30.7...v0.31.0) 
Updates `google.golang.org/api` from 0.142.0 to 0.143.0 - [Release notes](https://github.com/googleapis/google-api-go-client/releases) - [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md) - [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.142.0...v0.143.0) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/gophercloud/gophercloud dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/openshift-online/ocm-sdk-go dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-deps - dependency-name: github.com/osbuild/images dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: github.com/vmware/govmomi dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps - dependency-name: google.golang.org/api dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-deps ... Signed-off-by: dependabot[bot] <support@github.com>
// Copyright 2023 Google LLC.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package internal
import (
"encoding/json"
"log"
"sync"
"time"
"cloud.google.com/go/compute/metadata"
)
// configEndpointSuffix is the path, relative to the metadata server (MDS)
// root, that serves this instance's auto-mTLS configuration document.
const configEndpointSuffix = "instance/platform-security/auto-mtls-configuration"

// configExpiry is how long a fetched (or default) mTLS config is reused before
// the MDS is queried again. It is a var rather than a const, presumably so it
// can be overridden (e.g. shortened in tests).
var configExpiry = 60 * time.Minute
// GetS2AAddress returns the address at which the S2A service can be reached
// over a plaintext connection, as advertised by the metadata server (MDS).
//
// It returns "" when the configuration cannot be obtained or is not Valid.
// Note that defaultMTLSConfig (substituted after any MDS failure) carries
// empty addresses, so "" is also what a caller sees while MDS is unavailable;
// an empty result therefore means "do not use S2A", not an error.
//
// NOTE(review): the returned address is used for an unencrypted connection,
// so it is only safe for a local/trusted S2A endpoint; this relies on the MDS
// being a trusted source — confirm with the transport code that consumes it.
func GetS2AAddress() string {
	cfg, err := getMetadataMTLSAutoConfig().Config()
	if err == nil && cfg.Valid() {
		return cfg.S2A.PlaintextAddress
	}
	return ""
}
// mtlsConfigSource produces the current mTLS configuration.
// In this file it is implemented by metadataMTLSAutoConfig (queries the MDS)
// and by reuseMTLSConfigSource (caches another source's result until expiry).
type mtlsConfigSource interface {
	// Config returns a config or an error. The MDS-backed implementation never
	// returns an error (it falls back to defaultMTLSConfig instead).
	Config() (*mtlsConfig, error)
}
// mdsMTLSAutoConfigSource is an instance of reuseMTLSConfigSource, with metadataMTLSAutoConfig as its config source.
// It is created lazily by getMetadataMTLSAutoConfig and shared process-wide,
// so all callers share one cache (and one refresh) of the MDS configuration.
var (
	mdsMTLSAutoConfigSource mtlsConfigSource
	// once guards the one-time initialisation of mdsMTLSAutoConfigSource.
	once sync.Once
)
// getMetadataMTLSAutoConfig returns the process-wide mtlsConfigSource, which is
// backed by the MDS and refreshes its cached config once it expires. The source
// is built on first use, exactly once, via the package-level `once`.
func getMetadataMTLSAutoConfig() mtlsConfigSource {
	once.Do(initMDSMTLSAutoConfigSource)
	return mdsMTLSAutoConfigSource
}

// initMDSMTLSAutoConfigSource wires a caching reuseMTLSConfigSource around a
// metadataMTLSAutoConfig; it must only run through `once`.
func initMDSMTLSAutoConfigSource() {
	mdsMTLSAutoConfigSource = &reuseMTLSConfigSource{
		src: &metadataMTLSAutoConfig{},
	}
}
// reuseMTLSConfigSource caches a valid version of mtlsConfig, and uses `src` to refresh upon config expiry.
// It implements the mtlsConfigSource interface, so calling Config() on it returns an mtlsConfig.
// Because the cached value is only replaced when it is no longer Valid, a
// default config (returned by the MDS source after a failure) is also cached
// for its full expiry period.
type reuseMTLSConfigSource struct {
	src mtlsConfigSource // src.Config() is called when config is expired
	mu  sync.Mutex       // mutex guards config; also serialises refreshes so only one src.Config() runs at a time
	config *mtlsConfig   // cached config; nil until the first successful refresh
}
// Config returns the cached config while it is still Valid (non-nil, has an
// S2A block, not expired); otherwise it refreshes from src and caches the
// result. The whole operation runs under mu, so concurrent callers wait for a
// single refresh rather than each querying src. On a refresh error the stale
// cache is left untouched and the error is returned, so the next call retries.
func (cs *reuseMTLSConfigSource) Config() (*mtlsConfig, error) {
	cs.mu.Lock()
	defer cs.mu.Unlock()

	if !cs.config.Valid() {
		fresh, err := cs.src.Config()
		if err != nil {
			return nil, err
		}
		cs.config = fresh
	}
	return cs.config, nil
}
// metadataMTLSAutoConfig is an implementation of the interface mtlsConfigSource
// It has the logic to query MDS and return an mtlsConfig
// It is stateless; each Config() call performs a fresh MDS query, so it is
// normally wrapped in a reuseMTLSConfigSource (see getMetadataMTLSAutoConfig).
type metadataMTLSAutoConfig struct{}
// httpGetMetadataMTLSConfig fetches the raw auto-mTLS configuration document
// from the metadata server at configEndpointSuffix and returns it as a string.
// It is a package-level func var rather than a plain function, presumably so
// the MDS round-trip can be replaced (e.g. by tests) — verify against the
// package's test files.
var httpGetMetadataMTLSConfig = func() (string, error) {
	return metadata.Get(configEndpointSuffix)
}
// Config queries the MDS for the auto-mTLS document, decodes it into an
// mtlsConfig and stamps it with a fresh Expiry.
//
// It never returns an error: a transport failure, undecodable JSON, or a
// payload without an "s2a" object is logged and replaced by defaultMTLSConfig
// (empty addresses, i.e. S2A disabled) for one configExpiry period. The
// document is decoded into the typed mtlsConfig, so unknown fields are
// ignored; the Expiry is always assigned here after decoding rather than
// taken from the payload.
func (cs *metadataMTLSAutoConfig) Config() (*mtlsConfig, error) {
	// fallback logs why the MDS result was unusable and substitutes the default config.
	fallback := func(format string, args ...interface{}) (*mtlsConfig, error) {
		log.Printf(format, args...)
		return defaultMTLSConfig(), nil
	}

	body, err := httpGetMetadataMTLSConfig()
	if err != nil {
		return fallback("querying MTLS config from MDS endpoint failed: %v", err)
	}

	var cfg mtlsConfig
	if err := json.Unmarshal([]byte(body), &cfg); err != nil {
		return fallback("unmarshalling MTLS config from MDS endpoint failed: %v", err)
	}
	if cfg.S2A == nil {
		return fallback("returned MTLS config from MDS endpoint is invalid: %v", cfg)
	}

	// Expiry is local bookkeeping: it is always computed here, never read from the payload.
	cfg.Expiry = time.Now().Add(configExpiry)
	return &cfg, nil
}
// defaultMTLSConfig returns the config used when the MDS cannot supply one:
// an S2A block with empty plaintext and mTLS addresses (so GetS2AAddress
// yields "" and S2A is effectively disabled) that expires configExpiry from
// now. It is Valid, so it is cached like a real config and the MDS is not
// re-queried until it expires.
func defaultMTLSConfig() *mtlsConfig {
	cfg := &mtlsConfig{S2A: new(s2aAddresses)} // zero-value addresses are ""
	cfg.Expiry = time.Now().Add(configExpiry)
	return cfg
}
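// s2aAddresses contains the plaintext and/or MTLS S2A addresses, as decoded
// from the "s2a" object of the MDS auto-mTLS document.
type s2aAddresses struct {
	// PlaintextAddress is the plaintext address to reach S2A ("" if none).
	PlaintextAddress string `json:"plaintext_address"`
	// MTLSAddress is the MTLS address to reach S2A ("" if none).
	MTLSAddress string `json:"mtls_address"`
}

// mtlsConfig contains the configuration for establishing MTLS connections with Google APIs.
type mtlsConfig struct {
	// S2A holds the addresses decoded from the payload's "s2a" object; nil when
	// the payload had none, which makes the config invalid.
	S2A *s2aAddresses `json:"s2a"`
	// Expiry is local cache bookkeeping assigned by the config source after
	// decoding. It is excluded from JSON (`json:"-"`) so that a payload cannot
	// supply it: without the tag encoding/json would match an "expiry"/"Expiry"
	// key case-insensitively, and only the source's post-decode assignment
	// would prevent it from influencing the cache lifetime.
	Expiry time.Time `json:"-"`
}

// Valid reports whether c can be used: it is non-nil, carries an S2A block and
// has not expired. Empty addresses are still valid — defaultMTLSConfig relies
// on that so a failed MDS lookup is cached rather than retried on every call.
func (c *mtlsConfig) Valid() bool {
	if c == nil || c.S2A == nil {
		return false
	}
	return !c.expired()
}

// expired reports whether Expiry is strictly in the past.
func (c *mtlsConfig) expired() bool {
	return time.Now().After(c.Expiry)
}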