// checkForIsCa ensures that caretakerd's own certificate is a CA, which is a
// precondition for generating a per-service certificate from it. It returns
// nil when sec.IsCA() holds and otherwise an error that names the service and
// lists the alternatives (trusted access, a generated caretakerd certificate,
// or a CA-enabled certificate for caretakerd).
func checkForIsCa(name string, sec *keyStore.KeyStore) error {
	if sec.IsCA() {
		return nil
	}
	// Without CA capability nothing can be signed for the service, so the
	// generate* access types cannot work; explain the ways out of it.
	return errors.New("It is not possible to generate a new certificate for service '%v' with a caretakerd certificate that is not a CA. "+
		"Use trusted access for service '%v', configure caretakerd to generate its own certificate or provide a CA enabled certificate for caretakerd.", name, name)
}
// newGenerateToEnvironmentInstance builds an Access of type GenerateToEnvironment
// for the named service. A fresh certificate (plus its PEM encoding) is
// generated via ks.GeneratePem and kept on the returned Access in memory; no
// file is written. It fails when the key store certificate is not a CA or when
// generation fails, in which case the generation error is chained as the cause.
func newGenerateToEnvironmentInstance(conf Config, name string, ks *keyStore.KeyStore) (*Access, error) {
	// Generation needs a CA; bail out early with the descriptive message.
	if caErr := checkForIsCa(name, ks); caErr != nil {
		return nil, caErr
	}
	generatedPem, generatedCert, genErr := ks.GeneratePem(name)
	if genErr != nil {
		return nil, errors.New("Could not generate pem for '%v'.", name).CausedBy(genErr)
	}
	access := &Access{
		t:          GenerateToEnvironment,
		permission: conf.Permission,
		name:       name,
		pem:        generatedPem,
		cert:       generatedCert,
	}
	return access, nil
}
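// newTrustedInstance builds an Access of type Trusted for the named service.
// Trusted access requires the caretakerd CA to be configured (ks.CA() must be
// non-empty); nothing is generated here. When conf.PemFile is set, the
// certificate in that file is loaded and attached to the Access, otherwise
// cert stays nil.
//
// NOTE(review): the certificate from pemFile is only parsed here, not verified
// against the CA — confirm where that check is enforced (presumably when the
// service connects) before relying on it.
func newTrustedInstance(conf Config, name string, ks *keyStore.KeyStore) (*Access, error) {
	if len(ks.CA()) == 0 {
		// Message corrected: it previously read "If there is valid caFile
		// configured", the opposite of the condition being reported.
		return nil, errors.New("If there is no valid caFile configured, %v access could not work.", Trusted)
	}
	var cert *x509.Certificate
	if !conf.PemFile.IsTrimmedEmpty() {
		var err error
		cert, err = keyStore.LoadCertificateFromFile(conf.PemFile.String())
		if err != nil {
			// Chain the underlying error like the generate* constructors do so the
			// real cause (missing file, malformed PEM, ...) is not lost.
			return nil, errors.New("Could not load certificate from pemFile %v of service %v.", conf.PemFile, name).CausedBy(err)
		}
	}
	return &Access{
		t:          Trusted,
		permission: conf.Permission,
		name:       name,
		cert:       cert,
	}, nil
}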
// NewAccess creates a new instance of Access using the given configuration. func NewAccess(conf Config, name string, ks *keyStore.KeyStore) (*Access, error) { err := conf.Validate() if err != nil { return nil, err } if !ks.IsEnabled() { return newNoneInstance(name) } switch conf.Type { case None: return newNoneInstance(name) case Trusted: return newTrustedInstance(conf, name, ks) case GenerateToEnvironment: return newGenerateToEnvironmentInstance(conf, name, ks) case GenerateToFile: return newGenerateToFileInstance(conf, name, ks) } return nil, errors.New("Unknown access type %v.", conf.Type) }
// newGenerateToFileInstance builds an Access of type GenerateToFile for the
// named service. A certificate is generated via ks.GeneratePem, its PEM is
// handed to generateFileForPem, and the resulting file name is recorded as
// temporaryFilename on the Access. It fails when the key store certificate is
// not a CA, when generation fails, or when the file cannot be produced; the
// underlying error is chained as the cause in the latter two cases.
func newGenerateToFileInstance(conf Config, name string, ks *keyStore.KeyStore) (*Access, error) {
	if caErr := checkForIsCa(name, ks); caErr != nil {
		return nil, caErr
	}
	generatedPem, generatedCert, genErr := ks.GeneratePem(name)
	if genErr != nil {
		return nil, errors.New("Could not generate pem for '%v'.", name).CausedBy(genErr)
	}
	pemFile, fileErr := generateFileForPem(conf, generatedPem)
	if fileErr != nil {
		return nil, errors.New("Could not generate pem file for '%v'.", name).CausedBy(fileErr)
	}
	access := &Access{
		t:                 GenerateToFile,
		permission:        conf.Permission,
		name:              name,
		pem:               generatedPem,
		cert:              generatedCert,
		temporaryFilename: &pemFile,
	}
	return access, nil
}