// optionally sets up TLS for the server - if no TLS configuration is
// specified, TLS is not enabled.
func serverTLS(configuration *viper.Viper) (*tls.Config, error) {
tlsCertFile := configuration.GetString("server.tls_cert_file")
tlsKeyFile := configuration.GetString("server.tls_key_file")
if tlsCertFile == "" && tlsKeyFile == "" {
return nil, nil
} else if tlsCertFile == "" || tlsKeyFile == "" {
return nil, fmt.Errorf("Partial TLS configuration found. Either include both a cert and key file in the configuration, or include neither to disable TLS.")
}
tlsConfig, err := utils.ConfigureServerTLS(&utils.ServerTLSOpts{
ServerCertFile: tlsCertFile,
ServerKeyFile: tlsKeyFile,
})
if err != nil {
return nil, fmt.Errorf("Unable to set up TLS: %s", err.Error())
}
return tlsConfig, nil
}
// parses and sets up the TLS for the signer http + grpc server
func signerTLS(configuration *viper.Viper, printUsage bool) (*tls.Config, error) {
certFile := configuration.GetString("server.cert_file")
keyFile := configuration.GetString("server.key_file")
if certFile == "" || keyFile == "" {
if printUsage {
usage()
}
return nil, fmt.Errorf("Certificate and key are mandatory")
}
clientCAFile := configuration.GetString("server.client_ca_file")
tlsConfig, err := utils.ConfigureServerTLS(&utils.ServerTLSOpts{
ServerCertFile: certFile,
ServerKeyFile: keyFile,
RequireClientAuth: clientCAFile != "",
ClientCAFile: clientCAFile,
})
if err != nil {
return nil, fmt.Errorf("Unable to set up TLS: %s", err.Error())
}
return tlsConfig, nil
}
// get the address for the HTTP server, and parses the optional TLS
// configuration for the server - if no TLS configuration is specified,
// TLS is not enabled.
func getAddrAndTLSConfig(configuration *viper.Viper) (string, *tls.Config, error) {
httpAddr := configuration.GetString("server.http_addr")
if httpAddr == "" {
return "", nil, fmt.Errorf("http listen address required for server")
}
tlsOpts, err := utils.ParseServerTLS(configuration, false)
if err != nil {
return "", nil, fmt.Errorf(err.Error())
}
// do not support this yet since the client doesn't have client cert support
if tlsOpts != nil {
tlsOpts.ClientCAFile = ""
tlsConfig, err := utils.ConfigureServerTLS(tlsOpts)
if err != nil {
return "", nil, fmt.Errorf(
"unable to set up TLS for server: %s", err.Error())
}
return httpAddr, tlsConfig, nil
}
return httpAddr, nil, nil
}
func getAddrAndTLSConfig(configuration *viper.Viper) (string, string, *tls.Config, error) {
tlsOpts, err := utils.ParseServerTLS(configuration, true)
if err != nil {
return "", "", nil, fmt.Errorf("unable to set up TLS: %s", err.Error())
}
tlsConfig, err := utils.ConfigureServerTLS(tlsOpts)
if err != nil {
return "", "", nil, fmt.Errorf("unable to set up TLS: %s", err.Error())
}
grpcAddr := configuration.GetString("server.grpc_addr")
if grpcAddr == "" {
return "", "", nil, fmt.Errorf("grpc listen address required for server")
}
httpAddr := configuration.GetString("server.http_addr")
if httpAddr == "" {
return "", "", nil, fmt.Errorf("http listen address required for server")
}
return httpAddr, grpcAddr, tlsConfig, nil
}
