agent: split SSL/TLS entries by service
Each service has different styles of configuring
the SSL/TLS server key-certificate pair for the domain.
Split them into separate files for easier handling.

Signed-off-by: Alexandru Ciobotaru <alcioa@amazon.com>
alcioa committed Aug 25, 2022
1 parent d9489c1 commit 6dd8791
Showing 2 changed files with 113 additions and 0 deletions.
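--- a/src/vtok_agent/src/agent/httpd.rs
+++ b/src/vtok_agent/src/agent/httpd.rs
@@ -0,0 +1,68 @@
+// Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::mngtok::Error;
+use nix::unistd;
+use std::fs::OpenOptions;
+use std::io::{BufRead, BufReader, Write};
+use std::os::unix::fs::OpenOptionsExt;
+use std::os::unix::io::AsRawFd;
+
+pub struct HttpdService {}
+
+impl HttpdService {
+pub fn write_tls_entries(
+path: &str,
+uid: Option<nix::unistd::Uid>,
+gid: Option<nix::unistd::Gid>,
+key_uri: &str,
+cert_path: Option<String>,
+) -> Result<(), Error> {
+let mut to_write = String::new();
+OpenOptions::new()
+.read(true)
+.open(path)
+.map_err(Error::TargetIoError)
+.and_then(|file| {
+let reader = BufReader::new(&file);
+for line in reader.lines() {
+if let Ok(l) = line {
+let nl = {
+if l.starts_with("SSLCertificateKeyFile") {
+format!("SSLCertificateKeyFile \"{}\"", key_uri)
+} else if l.starts_with("SSLCertificateFile") {
+match cert_path {
+Some(ref cp) => format!("SSLCertificateFile \"{}\"", cp),
+None => l,
+}
+} else {
+l
+}
+};
+to_write.push_str(&nl);
+to_write.push_str("\n");
+}
+}
+Ok(())
+})?;
+
+OpenOptions::new()
+.write(true)
+.truncate(true)
+.mode(0o440)
+.open(path)
+.map_err(Error::TargetIoError)
+.and_then(|mut file| {
+unistd::fchown(file.as_raw_fd(), uid, gid).map_err(Error::NixError)?;
+nix::sys::stat::fchmod(
+file.as_raw_fd(),
+// Safe becase 0o440 is valid.
+unsafe { nix::sys::stat::Mode::from_bits_unchecked(0o440) },
+)
+.map_err(Error::NixError)?;
+write!(file, "{}", to_write).map_err(Error::TargetIoError)?;
+Ok(())
+})?;
+Ok(())
+}
+}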
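Review bot: A line that fails to read is silently dropped by `if let Ok(l) = line` in the read pass, and the second pass then truncates and rewrites the config without it, so a transient I/O error loses configuration; propagate it instead with `let l = line.map_err(Error::TargetIoError)?;`. The `starts_with` tests also only match directives at column 0, so an `SSLCertificateKeyFile` indented inside a `<VirtualHost>` block would be left untouched, and when a line does match the replacement drops its leading whitespace — matching on `l.trim_start()` and re-emitting the original indentation would cover both. Truncating the file in place before writing means any failure inside the second closure leaves an empty config at `path`; writing to a temporary file in the same directory and renaming it over `path` makes the update atomic. In both this file and nginx.rs the `unsafe { Mode::from_bits_unchecked(0o440) }` can be replaced by the safe `nix::sys::stat::Mode::S_IRUSR | nix::sys::stat::Mode::S_IRGRP`, which also removes the need for the "Safe becase" comment and its typo.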
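--- a/src/vtok_agent/src/agent/nginx.rs
+++ b/src/vtok_agent/src/agent/nginx.rs
@@ -0,0 +1,45 @@
+// Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::mngtok::Error;
+use nix::unistd;
+use std::fs::OpenOptions;
+use std::io::Write;
+use std::os::unix::fs::OpenOptionsExt;
+use std::os::unix::io::AsRawFd;
+
+pub struct NginxService {}
+
+impl NginxService {
+pub fn write_tls_entries(
+path: &str,
+uid: Option<nix::unistd::Uid>,
+gid: Option<nix::unistd::Gid>,
+key_uri: &str,
+cert_path: Option<String>,
+) -> Result<(), Error> {
+OpenOptions::new()
+.write(true)
+.create(true)
+.truncate(true)
+.mode(0o440)
+.open(path)
+.map_err(Error::TargetIoError)
+.and_then(|mut file| {
+unistd::fchown(file.as_raw_fd(), uid, gid).map_err(Error::NixError)?;
+nix::sys::stat::fchmod(
+file.as_raw_fd(),
+// Safe becase 0o440 is valid.
+unsafe { nix::sys::stat::Mode::from_bits_unchecked(0o440) },
+)
+.map_err(Error::NixError)?;
+write!(file, "ssl_certificate_key \"engine:pkcs11:{}\";\n", key_uri)
+.map_err(Error::TargetIoError)?;
+if let Some(cp) = cert_path {
+write!(file, "ssl_certificate \"{}\";\n", cp).map_err(Error::TargetIoError)?;
+}
+Ok(())
+})?;
+Ok(())
+}
+}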
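Review bot: The snippet at `path` is created or truncated by `.open(path)` before `fchown`/`fchmod` run, so if either call fails the error is propagated but an empty file is left behind, and a consumer reloading it would see no `ssl_certificate_key` directive at all; writing to a temporary file in the same directory and renaming it over `path` only after ownership, mode and content are in place closes that window. The `.mode(0o440)` on the builder applies only when the file is created and is reduced by the umask, which is why the explicit `fchmod` is not redundant; a comment such as `// .mode() only applies on creation and is masked by umask; fchmod enforces 0o440 for an existing file too.` would spare the next reader from removing one of them. `key_uri` and `cp` are interpolated into quoted nginx values without escaping, so a value containing `"` or `;` would produce a malformed directive — presumably both are operator-supplied, but that is worth confirming at the caller. Minor: `write!(file, "...\n", ...)` on these two lines is what `writeln!` is for.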
