diff --git a/app/apinto/config.yml b/app/apinto/config.yml
index d1b4c1cd..5bf5485e 100644
--- a/app/apinto/config.yml
+++ b/app/apinto/config.yml
@@ -1,3 +1,4 @@
+version: 2
 listen:
 - 8099
 ssl:
@@ -18,30 +19,26 @@ certificate: # 证书默认目录
dir: /etc/apinto/cert ## 下面为新配置 -cluster: - listen: - peer: - urls: - - "http://0.0.0.0:9401" - cert: apinto.crt - key: apinto.key - client: - urls: - - "http://0.0.0.0:9400" - cert: apinto-node1.crt - key: apinto.key +peer: + listens: + - "http://0.0.0.0:9401" + cert: apinto.crt + key: apinto.key advertise: - peers: - - "http://10.1.0.1:9401" - clients: - - "http://10.1.0.1:9400" -server: - listen: - urls: + - "http://10.1.0.1:9401" +client: + listens: + - "http://0.0.0.0:9400" + cert: apinto-node1.crt + key: apinto.key + advertise: + - "http://10.1.0.1:9400" +gateway: + listens: - "http://10.0.0.1:8099" - "http://0.0.0.0:8099" - "http://:8099" cert: apinto.demo.crt key: apinto.demo.key - advertise: - - "http://" \ No newline at end of file + advertise: + - "http://" \ No newline at end of file
diff --git a/certs/cert.go b/certs/cert.go
index 30762227..cf8faabd 100644
--- a/certs/cert.go
+++ b/certs/cert.go
@@ -2,7 +2,6 @@ package certs
 
 import (
 "crypto/tls"
- "crypto/x509"
 "errors"
 "github.com/eolinker/eosc/config"
 "sync"
@@ -11,21 +10,16 @@ import (
 var errorCertificateNotExit = errors.New("not exist cert")
 
 type ICert interface {
- SaveCert(workerId string, cert *tls.Certificate, certificate *x509.Certificate)
+ SaveCert(workerId string, cert *tls.Certificate)
 DelCert(workerId string)
 }
 
 var (
- workerMaps = make(map[string]*info)
+ workerMaps = make(map[string]*tls.Certificate)
 lock = sync.RWMutex{}
 currentCert *config.Cert = nil
 )
 
-type info struct {
- cert *tls.Certificate
- certificate *x509.Certificate
-}
-
 func DelCert(workerId string) {
 lock.Lock()
 defer lock.Unlock()
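Review bot: `gateway.advertise` is left as `"http://"`, an address with no host or port, which is presumably a placeholder rather than a usable advertised URL; if this sample is meant to be runnable, either fill in the externally reachable gateway address (as the `peer`/`client` advertise entries do) or drop the key. The new `peer` and `client` blocks also set `cert`/`key` while their `listens` use the `http://` scheme; if the certificate is meant to be applied to those listeners the scheme is presumably `https://`, so it is worth confirming what the loader does with `cert`/`key` on an `http://` listen before this config is copied as a template.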
@@ -34,22 +28,19 @@ func DelCert(workerId string) {
 rebuild()
 }
 
-func SaveCert(workerId string, cert *tls.Certificate, certificate *x509.Certificate) {
+func SaveCert(workerId string, cert *tls.Certificate) {
 lock.Lock()
 defer lock.Unlock()
- workerMaps[workerId] = &info{
- cert: cert,
- certificate: certificate,
- }
+ workerMaps[workerId] = cert
 rebuild()
 }
 
 func rebuild() {
 certsMap := make(map[string]*tls.Certificate)
 for _, i := range workerMaps {
- certsMap[i.certificate.Subject.CommonName] = i.cert
- for _, dnsName := range i.certificate.DNSNames {
- certsMap[dnsName] = i.cert
+ certsMap[i.Leaf.Subject.CommonName] = i
+ for _, dnsName := range i.Leaf.DNSNames {
+ certsMap[dnsName] = i
 }
 }
 currentCert = config.NewCert(certsMap)
diff --git a/drivers/certs/controller.go b/drivers/certs/controller.go
index a466e41b..80d2e896 100644
--- a/drivers/certs/controller.go
+++ b/drivers/certs/controller.go
@@ -53,7 +53,7 @@ func (c *Controller) Check(cfg interface{}) (profession, name, driver, desc stri
 return
 }
 
- _, _, err = parseCert(conf.Key, conf.Pem)
+ _, err = parseCert(conf.Key, conf.Pem)
 if err != nil {
 return "", "", "", "", err
 }
diff --git a/drivers/certs/worker.go b/drivers/certs/worker.go
index 8d5f11f2..376bd0d4 100644
--- a/drivers/certs/worker.go
+++ b/drivers/certs/worker.go
@@ -2,9 +2,6 @@ package certs
 
 import (
 "crypto/tls"
- "crypto/x509"
- "encoding/pem"
- "errors"
 "github.com/eolinker/apinto/certs"
 "github.com/eolinker/apinto/drivers"
 "github.com/eolinker/apinto/utils"
@@ -37,13 +34,13 @@ func (w *Worker) Reset(conf interface{}, _ map[eosc.RequireId]eosc.IWorker) erro
 config := conf.(*Config)
- cert, certificate, err := parseCert(config.Key, config.Pem)
+ cert, err := parseCert(config.Key, config.Pem)
 if err != nil {
 return err
 }
 w.config = config
- certs.SaveCert(w.Id(), cert, certificate)
+ certs.SaveCert(w.Id(), cert)
 return nil
 }
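Review bot: `rebuild()` now dereferences `i.Leaf` (`i.Leaf.Subject.CommonName`, `i.Leaf.DNSNames`), but the certificates it receives through `SaveCert` are built by `tls.X509KeyPair` in the rewritten `parseCert` (drivers/certs/worker.go hunk further down), and that function only started populating `Leaf` in Go 1.23; on older toolchains every stored certificate has a nil `Leaf` and the first `SaveCert` panics in `rebuild()`, taking the gateway down on a single configured cert. The old code parsed the leaf explicitly with `x509.ParseCertificate`, so this is a regression unless go.mod pins 1.23+, which this diff does not show. I would restore that in `parseCert` — when `certificate.Leaf == nil`, set `certificate.Leaf, err = x509.ParseCertificate(certificate.Certificate[0])` and return the error, re-importing crypto/x509 there — and additionally make `rebuild()` tolerant so a bad entry cannot crash the process: `if i.Leaf == nil { continue }` as the first statement of the loop. `rebuild()` continues past the end of this hunk.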
@@ -56,56 +53,19 @@ func (w *Worker) CheckSkill(string) bool {
 return false
 }
 
-func parseCert(privateKey, pemValue string) (*tls.Certificate, *x509.Certificate, error) {
- var err error
- privateKey, err = utils.B64Decode(privateKey)
- if err != nil {
- return nil, nil, err
- }
- pemValue, err = utils.B64Decode(pemValue)
- if err != nil {
- return nil, nil, err
- }
+func parseCert(privateKey, pemValue string) (*tls.Certificate, error) {
 
- var cert tls.Certificate
- //获取下一个pem格式证书数据 -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
- certDERBlock, restPEMBlock := pem.Decode([]byte(pemValue))
- if certDERBlock == nil {
- return nil, nil, errors.New("证书解析失败")
- }
- //附加数字证书到返回
- cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
- //继续解析Certificate Chan,这里要明白证书链的概念
- certDERBlockChain, _ := pem.Decode(restPEMBlock)
- if certDERBlockChain != nil {
- //追加证书链证书到返回
- cert.Certificate = append(cert.Certificate, certDERBlockChain.Bytes)
- }
-
- //解码pem格式的私钥------BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
- keyDERBlock, _ := pem.Decode([]byte(privateKey))
- if keyDERBlock == nil {
- return nil, nil, errors.New("证书解析失败")
- }
- var key interface{}
- var errParsePK error
- if keyDERBlock.Type == "RSA PRIVATE KEY" {
- //RSA PKCS1
- key, errParsePK = x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)
- } else if keyDERBlock.Type == "PRIVATE KEY" {
- //pkcs8格式的私钥解析
- key, errParsePK = x509.ParsePKCS8PrivateKey(keyDERBlock.Bytes)
- }
-
- if errParsePK != nil {
- return nil, nil, errors.New("证书解析失败")
- } else {
- cert.PrivateKey = key
- }
- //第一个叶子证书就是我们https中使用的证书
- x509Cert, err := x509.ParseCertificate(certDERBlock.Bytes)
+ keydata, err := utils.B64Decode(privateKey)
 if err != nil {
- return nil, nil, err
+ return nil, err
 }
- return &cert, x509Cert, nil
+ pem, err := utils.B64Decode(pemValue)
+ if err != nil {
+ return nil, err
+ }
+ certificate, err := tls.X509KeyPair(pem, keydata)
+ if err != nil {
+ return nil, err
+ }
+ return &certificate, nil
 }
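Review bot: The local `pem` holds the decoded certificate bytes but reads as the `encoding/pem` package name (this file imported it until this commit), which is confusing next to the sibling `keydata`; `certData, err := utils.B64Decode(pemValue)` and `certificate, err := tls.X509KeyPair(certData, keydata)` keep the pair symmetric. The rewritten function also has no doc comment although it is now shared by `Worker.Reset` and `Controller.Check`; a one-liner such as `// parseCert base64-decodes the PEM private key and certificate chain and returns the matching key pair, or the decode/parse error.` would state the contract, including that `tls.X509KeyPair` rejects a key that does not match the leaf, which the old hand-rolled parser did not check.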
diff --git a/drivers/plugins/response-rewrite/driver.go b/drivers/plugins/response-rewrite/driver.go
index 62a39e14..e81b396c 100644
--- a/drivers/plugins/response-rewrite/driver.go
+++ b/drivers/plugins/response-rewrite/driver.go
@@ -38,7 +38,7 @@ func Create(id, name string, conf *Config, workers map[eosc.RequireId]eosc.IWork
 
 //若body非空且需要base64转码
 if conf.Body != "" && conf.BodyBase64 {
- conf.Body, err = utils.B64Decode(conf.Body)
+ conf.Body, err = utils.B64DecodeString(conf.Body)
 if err != nil {
 return nil, err
 }
diff --git a/drivers/plugins/response-rewrite/response-rewrite.go b/drivers/plugins/response-rewrite/response-rewrite.go
index 60476b7f..9d30e288 100644
--- a/drivers/plugins/response-rewrite/response-rewrite.go
+++ b/drivers/plugins/response-rewrite/response-rewrite.go
@@ -37,7 +37,7 @@ func (r *ResponseRewrite) Reset(v interface{}, workers map[eosc.RequireId]eosc.I
 
 //若body非空且需要base64转码
 if conf.Body != "" && conf.BodyBase64 {
- conf.Body, err = utils.B64Decode(conf.Body)
+ conf.Body, err = utils.B64DecodeString(conf.Body)
 if err != nil {
 return err
 }
diff --git a/utils/encode.go b/utils/encode.go
index 54f97134..68019926 100644
--- a/utils/encode.go
+++ b/utils/encode.go
@@ -6,8 +6,15 @@ import (
 "strings"
 )
 
-//B64Decode base64解密
-func B64Decode(input string) (string, error) {
+// B64Decode base64解密
+func B64DecodeString(input string) (string, error) {
+ data, err := B64Decode(input)
+ if err != nil {
+ return "", err
+ }
+ return string(data), err
+}
+func B64Decode(input string) ([]byte, error) {
 remainder := len(input) % 4
 // base64编码需要为4的倍数,如果不是4的倍数,则填充"="号
 if remainder > 0 {
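Review bot: In the utils/encode.go hunk the doc comment `// B64Decode base64解密` now sits on `B64DecodeString`, while `B64Decode` itself has no comment and no blank line separating it from the function above, so godoc attaches the description to the wrong function. Change it to `// B64DecodeString decodes base64 input (padding added and URL-safe characters mapped as in B64Decode) and returns it as a string.` and add `// B64Decode decodes base64 input and returns the raw bytes.` above `func B64Decode`, with a blank line between the two declarations. In `B64DecodeString`, `return string(data), err` is only reached when `err` is nil, so `return string(data), nil` states the intent directly. `B64Decode` continues past the end of this hunk.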
@@ -17,17 +24,17 @@ func B64Decode(input string) (string, error) {
 // 将原字符串中的"_","-"分别用"/"和"+"替换
 input = strings.Replace(strings.Replace(input, "_", "/", -1), "-", "+", -1)
 result, err := base64.StdEncoding.DecodeString(input)
- return string(result), err
+ return result, err
 }
 
-//B64Encode base64加密
+// B64Encode base64加密
 func B64Encode(input string) string {
 result := base64.StdEncoding.EncodeToString([]byte(input))
 result = strings.Replace(strings.Replace(strings.Replace(result, "=", "", -1), "/", "_", -1), "+", "-", -1)
 return result
 }
 
-//QueryUrlEncode 对query进行url encode
+// QueryUrlEncode 对query进行url encode
 func QueryUrlEncode(rawQuery string) string {
 queryList := strings.Split(rawQuery, "&")
 for i, query := range queryList {