// TODO: make this testable?
func VerifyOUs(validOUs []string) martini.Handler {
return func(res nethttp.ResponseWriter, req *nethttp.Request, c martini.Context) {
log.Debug("Verifying client OU")
if err := Verify(req, validOUs); err != nil {
nethttp.Error(res, err.Error(), nethttp.StatusUnauthorized)
}
}
}
// initOrchestratorDB attempts to create/upgrade the orchestrator backend database. It is created once in the
// application's lifetime.
func initOrchestratorDB(db *sql.DB) error {
log.Debug("Initializing orchestrator")
baseDeployments, patchDeployments, _ := readInternalDeployments()
deployIfNotAlreadyDeployed(db, generateSQLBase, baseDeployments, "base", true)
deployIfNotAlreadyDeployed(db, generateSQLPatches, patchDeployments, "patch", false)
return nil
}
// Verify that the OU of the presented client certificate matches the list
// of Valid OUs
func Verify(r *nethttp.Request, validOUs []string) error {
if strings.Contains(r.URL.String(), config.Config.StatusEndpoint) && !config.Config.StatusOUVerify {
return nil
}
if r.TLS == nil {
return errors.New("No TLS")
}
for _, chain := range r.TLS.VerifiedChains {
s := chain[0].Subject.OrganizationalUnit
log.Debug("All OUs:", strings.Join(s, " "))
for _, ou := range s {
log.Debug("Client presented OU:", ou)
if HasString(ou, validOUs) {
log.Debug("Found valid OU:", ou)
return nil
}
}
}
log.Error("No valid OUs found")
return errors.New("Invalid OU")
}
