// VerifyOUs builds a martini handler that enforces client-certificate OU
// membership: every request is handed to Verify together with validOUs, and a
// failure is answered with 401 Unauthorized carrying the error text.
//
// NOTE(review): the handler only writes the response; it relies on martini to
// stop the handler chain once a response has been written — confirm.
//
// TODO: make this testable?
func VerifyOUs(validOUs []string) martini.Handler {
	rejectUnauthorized := func(res nethttp.ResponseWriter, err error) {
		nethttp.Error(res, err.Error(), nethttp.StatusUnauthorized)
	}
	return func(res nethttp.ResponseWriter, req *nethttp.Request, c martini.Context) {
		log.Debug("Verifying client OU")
		err := Verify(req, validOUs)
		if err == nil {
			return
		}
		rejectUnauthorized(res, err)
	}
}
// initOrchestratorDB creates or upgrades the orchestrator backend schema by
// applying the internal base deployments and then the patch deployments. It is
// intended to run once per application lifetime.
//
// It always returns nil: the third result of readInternalDeployments is
// discarded, and any results of deployIfNotAlreadyDeployed are not inspected,
// so a failed or partial deployment is not surfaced to the caller.
// NOTE(review): worth propagating those results if they carry errors.
func initOrchestratorDB(db *sql.DB) error {
	log.Debug("Initializing orchestrator")

	baseDeps, patchDeps, _ := readInternalDeployments() // third result is not used here

	// Base deployments run before patch deployments.
	deployIfNotAlreadyDeployed(db, generateSQLBase, baseDeps, "base", true)
	deployIfNotAlreadyDeployed(db, generateSQLPatches, patchDeps, "patch", false)

	return nil
}
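// Verify checks that the client certificate presented on r carries at least
// one OrganizationalUnit listed in validOUs.
//
// Requests whose path contains config.Config.StatusEndpoint are exempt when
// config.Config.StatusOUVerify is false. The exemption is matched against
// r.URL.Path only and is skipped for an empty StatusEndpoint, so neither a
// client-supplied query string nor a blank configuration value can disable
// the OU check.
//
// Returns nil when an accepted OU is found or the request is exempt; otherwise
// an error: "No TLS" when the request was not made over TLS, "Invalid OU" when
// no verified chain carries an accepted OU.
func Verify(r *nethttp.Request, validOUs []string) error {
	// Status-endpoint exemption. Previously this matched strings.Contains on
	// r.URL.String(), which also contains the query component (controlled by
	// the client), and strings.Contains(x, "") is always true, so an empty
	// StatusEndpoint exempted every request. Restrict to the path and require
	// a non-empty endpoint.
	statusEndpoint := config.Config.StatusEndpoint
	if !config.Config.StatusOUVerify && statusEndpoint != "" && strings.Contains(r.URL.Path, statusEndpoint) {
		return nil
	}

	if r.TLS == nil {
		return errors.New("No TLS")
	}

	// Only VerifiedChains are consulted, so the OU is read from a certificate
	// that passed the server's client-certificate verification, not merely
	// from whatever the peer sent.
	for _, chain := range r.TLS.VerifiedChains {
		if len(chain) == 0 {
			// crypto/tls does not produce empty verified chains; guard rather
			// than index blindly.
			continue
		}
		ous := chain[0].Subject.OrganizationalUnit
		log.Debug("All OUs:", strings.Join(ous, " "))
		for _, ou := range ous {
			log.Debug("Client presented OU:", ou)
			if HasString(ou, validOUs) {
				log.Debug("Found valid OU:", ou)
				return nil
			}
		}
	}

	log.Error("No valid OUs found")
	return errors.New("Invalid OU")
}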