Fixes bug in config.go validations, changes JWT files structure, upda…
…tes README.md.

Signed-off-by: JU4N98 <[email protected]>
JU4N98 committed Nov 7, 2023
1 parent cde8290 commit f8172ef
Showing 5 changed files with 11 additions and 64 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -28,7 +28,7 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
|`svid_key_file_name` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` |
|`svid_bundle_file_name` | File name to be used to store the X.509 SVID Bundle in PEM format. | `"svid_bundle.pem"` |
|`audience` | JWT SVID audience. | `"example.org"`|
|`jwt_file_name` | File name to be used to store JWT SVID certificate in JSON format. | `"jwt.json"` |
|`jwt_file_name` | File name to be used to store JWT SVID in JSON format. | `"jwt.json"` |
|`jwk_file_name` | File name to be used to store JWT SVID Bundle in JSON format. | `"jwk.json"` |

### Configuration example
13 changes: 2 additions & 11 deletions pkg/sidecar/config.go
Expand Up @@ -32,7 +32,7 @@ type Config struct {
RenewSignalDeprecated string `hcl:"renewSignal"`

// JWT configuration
JWTAudience string `hcl:"audience"`
JWTAudience string `hcl:"jwt_audience"`
JWTFilename string `hcl:"jwt_file_name"`
JWKFilename string `hcl:"jwk_file_name"`

Expand Down Expand Up @@ -120,16 +120,7 @@ func ValidateConfig(c *Config) error {
c.RenewSignal = c.RenewSignalDeprecated
}

switch {
case c.SvidFileName == "":
return errors.New("svid_file_name is required")
case c.SvidKeyFileName == "":
return errors.New("svid_key_file_name is required")
case c.SvidBundleFileName == "":
return errors.New("svid_bundle_file_name is required")
default:
return nil
}
return nil
}

func getWarning(s1 string, s2 string) string {
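Review bot: The second hunk of ValidateConfig appears to delete the `svid_file_name` / `svid_key_file_name` / `svid_bundle_file_name` required checks and return nil unconditionally (the removed TestValidateConfig cases for those exact messages point the same way; the page lost the +/- markers, so the side is inferred from print order), which means a config with an empty X.509 file name now passes validation and the later path.Join with CertDir silently targets the directory itself or a mis-named file. If the goal is to let a JWT-only deployment omit the X.509 settings, keep the check conditional rather than dropping it: require all three names when any of them is set, e.g. `if anySet && (c.SvidFileName == "" || c.SvidKeyFileName == "" || c.SvidBundleFileName == "") { return errors.New("svid_file_name, svid_key_file_name and svid_bundle_file_name must all be set") }`, and restore the corresponding test cases. In the first hunk the `hcl:"audience"` / `hcl:"jwt_audience"` tag change is not reflected in README.md, whose unchanged row still documents the key as `audience`; whichever spelling is the new one, the tag and the README row must agree or the audience will be silently ignored. ValidateConfig begins outside the hunk.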
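--- a/pkg/sidecar/config_test.go
+++ b/pkg/sidecar/config_test.go
@@ -50,34 +50,6 @@ func TestValidateConfig(t *testing.T) {
 SvidBundleFileName: "bundle.pem",
 },
 },
-{
-name: "no SVID file",
-config: &Config{
-AgentAddress: "path",
-SvidKeyFileName: "key.pem",
-SvidBundleFileName: "bundle.pem",
-},
-expectError: "svid_file_name is required",
-},
-{
-name: "no key file",
-config: &Config{
-AgentAddress: "path",
-SvidFileName: "cert.pem",
-SvidBundleFileName: "bundle.pem",
-},
-expectError: "svid_key_file_name is required",
-},
-{
-name: "no bundle file",
-config: &Config{
-AgentAddress: "path",
-SvidFileName: "cert.pem",
-SvidKeyFileName: "key.pem",
-},
-expectError: "svid_bundle_file_name is required",
-},
-
 // Duplicated field error:
 {
 name: "Both agent_address & agentAddress in use",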
31 changes: 8 additions & 23 deletions pkg/sidecar/sidecar.go
Expand Up @@ -189,22 +189,6 @@ func (s *Sidecar) dumpBundles(svidResponse *workloadapi.X509Context) error {
return nil
}

func (s *Sidecar) readJSON(fileName string) map[string]interface{} {
jsonPath := path.Join(s.config.CertDir, fileName)
file, err := os.ReadFile(jsonPath)
if err != nil {
s.config.Log.Warnf("Unable to read json file: %v", err)
}

certs := make(map[string]interface{})
err = json.Unmarshal(file, &certs)
if err != nil {
s.config.Log.Warnf("Unable to parse json: %v", err)
}

return certs
}

func (s *Sidecar) writeJSON(fileName string, certs map[string]interface{}) {
file, err := json.Marshal(certs)
if err != nil {
Expand All @@ -221,7 +205,7 @@ func (s *Sidecar) writeJSON(fileName string, certs map[string]interface{}) {
func (s *Sidecar) updateJWTBundle(jwkSet *jwtbundle.Set) {
s.config.Log.Info("Updating JWK bundles")

bundles := make(map[string]string)
bundles := make(map[string]interface{})
for _, bundle := range jwkSet.Bundles() {
bytes, err := bundle.Marshal()
if err != nil {
Expand All @@ -231,9 +215,7 @@ func (s *Sidecar) updateJWTBundle(jwkSet *jwtbundle.Set) {
bundles[bundle.TrustDomain().Name()] = base64.StdEncoding.EncodeToString(bytes)
}

certs := s.readJSON(s.config.JWKFilename)
certs["bundles"] = bundles
s.writeJSON(s.config.JWKFilename, certs)
s.writeJSON(s.config.JWKFilename, bundles)
}

func (s *Sidecar) fetchJWTSVID(options ...workloadapi.ClientOption) (*jwtsvid.SVID, error) {
Expand Down Expand Up @@ -274,9 +256,12 @@ func (s *Sidecar) updateJWTSVID(ctx context.Context, options ...workloadapi.Clie
continue
}

certs := s.readJSON(s.config.JWTFilename)
certs["svid"] = jwtSVID.Marshal()
s.writeJSON(s.config.JWTFilename, certs)
filePath := path.Join(s.config.CertDir, s.config.JWTFilename)
err = os.WriteFile(filePath, []byte(jwtSVID.Marshal()), os.ModePerm)
if err != nil {
s.config.Log.Warnf("Unable to write JWT SVID to a file: %v", err)
continue
}

s.config.Log.Infof("JWT SVID updated")
time.Sleep(time.Until(jwtSVID.Expiry)/2 + 1*time.Second)
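Review bot: The new os.WriteFile call in the updateJWTSVID hunk creates the JWT SVID file with `os.ModePerm` (0777); a JWT SVID is a bearer credential, so the file should be created owner-only rather than relying on the process umask to narrow it, e.g. `err = os.WriteFile(filePath, []byte(jwtSVID.Marshal()), 0600)`, and the same review applies to writeJSON if it uses the same mode (its body is outside the hunk). The `continue` added after a failed write jumps straight to the next fetch and skips the expiry-based time.Sleep at the end of the loop, so a persistently failing write (unwritable CertDir, full disk) will tight-loop against the Workload API unless the fetch-error branch above it, which starts outside the hunk, already backs off; a short fixed delay before that `continue` would be enough. The file now holds the bare output of jwtSVID.Marshal() instead of the earlier JSON document, while the README row touched in this commit still describes `jwt_file_name` as "JSON format"; the README wording should follow the new file content. The page lost the +/- markers, so which of the paired lines is new is inferred from print order; updateJWTSVID begins and ends outside the hunk.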
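--- a/pkg/sidecar/util_windows.go
+++ b/pkg/sidecar/util_windows.go
@@ -47,7 +47,6 @@ func (s *Sidecar) RunDaemon(ctx context.Context) error {
 go func() {
 defer wg.Done()
 s.updateJWTSVID(ctx, workloadapi.WithNamedPipeName(s.config.AgentAddress))
-errch <- nil
 }()
 }
 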
