From 6dd87918ced7345c11f23304cccfe991f1bd424d Mon Sep 17 00:00:00 2001
From: Alexandru Ciobotaru
Date: Fri, 15 Apr 2022 13:02:58 +0300
Subject: [PATCH] agent: split SSL/TLS entries by service
Each service has different styles of configuring the SSL/TLS server key-certificate pair for the domain. Split in separate files for easier handling.
Signed-off-by: Alexandru Ciobotaru
---
 src/vtok_agent/src/agent/httpd.rs | 68 +++++++++++++++++++++++++++++++
 src/vtok_agent/src/agent/nginx.rs | 45 ++++++++++++++++++++
 2 files changed, 113 insertions(+)
 create mode 100644 src/vtok_agent/src/agent/httpd.rs
 create mode 100644 src/vtok_agent/src/agent/nginx.rs
diff --git a/src/vtok_agent/src/agent/httpd.rs b/src/vtok_agent/src/agent/httpd.rs
new file mode 100644
index 0000000..c164e37
--- /dev/null
+++ b/src/vtok_agent/src/agent/httpd.rs
@@ -0,0 +1,68 @@
+// Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::mngtok::Error;
+use nix::unistd;
+use std::fs::OpenOptions;
+use std::io::{BufRead, BufReader, Write};
+use std::os::unix::fs::OpenOptionsExt;
+use std::os::unix::io::AsRawFd;
+
+pub struct HttpdService {}
+
+impl HttpdService {
+ pub fn write_tls_entries(
+ path: &str,
+ uid: Option,
+ gid: Option,
+ key_uri: &str,
+ cert_path: Option,
+ ) -> Result<(), Error> {
+ let mut to_write = String::new();
+ OpenOptions::new()
+ .read(true)
+ .open(path)
+ .map_err(Error::TargetIoError)
+ .and_then(|file| {
+ let reader = BufReader::new(&file);
+ for line in reader.lines() {
+ if let Ok(l) = line {
+ let nl = {
+ if l.starts_with("SSLCertificateKeyFile") {
+ format!("SSLCertificateKeyFile \"{}\"", key_uri)
+ } else if l.starts_with("SSLCertificateFile") {
+ match cert_path {
+ Some(ref cp) => format!("SSLCertificateFile \"{}\"", cp),
+ None => l,
+ }
+ } else {
+ l
+ }
+ };
+ to_write.push_str(&nl);
+ to_write.push_str("\n");
+ }
+ }
+ Ok(())
+ })?;
+
+ OpenOptions::new()
+ .write(true)
+ .truncate(true)
+ .mode(0o440)
+ .open(path)
+ .map_err(Error::TargetIoError)
+ .and_then(|mut file| {
+ unistd::fchown(file.as_raw_fd(), uid, gid).map_err(Error::NixError)?;
+ nix::sys::stat::fchmod(
+ file.as_raw_fd(),
+ // Safe becase 0o440 is valid.
+ unsafe { nix::sys::stat::Mode::from_bits_unchecked(0o440) },
+ )
+ .map_err(Error::NixError)?;
+ write!(file, "{}", to_write).map_err(Error::TargetIoError)?;
+ Ok(())
+ })?;
+ Ok(())
+ }
+}
diff --git a/src/vtok_agent/src/agent/nginx.rs b/src/vtok_agent/src/agent/nginx.rs
new file mode 100644
index 0000000..660cef1
--- /dev/null
+++ b/src/vtok_agent/src/agent/nginx.rs
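Review bot: A line that fails to decode is silently dropped from the rewritten config: `if let Ok(l) = line` skips it, and the second `OpenOptions` block then truncates `path` and writes `to_write` without it, so one non-UTF-8 byte in an existing directive loses that directive permanently; propagate instead with `let l = line.map_err(Error::TargetIoError)?;`. The read-then-`truncate(true)` sequence is also not crash-safe — writing to a temporary file next to `path` and renaming it over keeps the previous config if the agent dies between the truncate and the `write!`. `key_uri` and `cert_path` are interpolated inside double quotes verbatim, so a value containing `"` would change the directive's meaning; their origin is not visible here, so validating them where they are parsed is the place to bound this. The `unsafe { Mode::from_bits_unchecked(0o440) }` (duplicated in nginx.rs) can be `nix::sys::stat::Mode::S_IRUSR | nix::sys::stat::Mode::S_IRGRP`, which drops the unsafe block and its "Safe becase" comment.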
@@ -0,0 +1,45 @@
+// Copyright 2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+use super::mngtok::Error;
+use nix::unistd;
+use std::fs::OpenOptions;
+use std::io::Write;
+use std::os::unix::fs::OpenOptionsExt;
+use std::os::unix::io::AsRawFd;
+
+pub struct NginxService {}
+
+impl NginxService {
+ pub fn write_tls_entries(
+ path: &str,
+ uid: Option,
+ gid: Option,
+ key_uri: &str,
+ cert_path: Option,
+ ) -> Result<(), Error> {
+ OpenOptions::new()
+ .write(true)
+ .create(true)
+ .truncate(true)
+ .mode(0o440)
+ .open(path)
+ .map_err(Error::TargetIoError)
+ .and_then(|mut file| {
+ unistd::fchown(file.as_raw_fd(), uid, gid).map_err(Error::NixError)?;
+ nix::sys::stat::fchmod(
+ file.as_raw_fd(),
+ // Safe becase 0o440 is valid.
+ unsafe { nix::sys::stat::Mode::from_bits_unchecked(0o440) },
+ )
+ .map_err(Error::NixError)?;
+ write!(file, "ssl_certificate_key \"engine:pkcs11:{}\";\n", key_uri)
+ .map_err(Error::TargetIoError)?;
+ if let Some(cp) = cert_path {
+ write!(file, "ssl_certificate \"{}\";\n", cp).map_err(Error::TargetIoError)?;
+ }
+ Ok(())
+ })?;
+ Ok(())
+ }
+}
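Review bot: `create(true)` together with `truncate(true)` follows a symlink at `path`, so the truncate, `fchown` and `fchmod` would land on whatever the link resolves to; if the snippet's directory is not guaranteed root-owned (not visible here), `custom_flags(nix::fcntl::OFlag::O_NOFOLLOW.bits())` on the `OpenOptions` limits the write to the file itself. The key directive hardcodes the `engine:pkcs11:` prefix whereas httpd.rs writes `key_uri` verbatim, so the two `write_tls_entries` expect differently shaped `key_uri` values; a doc comment on each such as `/// `key_uri`: PKCS#11 object URI, written here with the `engine:pkcs11:` prefix prepended` would keep callers from passing the wrong form. The `write!(file, "...;\n", ...)` calls read better as `writeln!(file, "ssl_certificate_key \"engine:pkcs11:{}\";", key_uri)`. The `fchown`/`fchmod` pair and the 0o440 literal are duplicated byte-for-byte with httpd.rs; a shared helper in the agent module would keep the permission policy in one place.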