security/pkg/nodeagent/util/util.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package util

 import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"os"
 	"path"
 	"time"
 )

 import (
 	"go.opencensus.io/stats/view"
 	"istio.io/pkg/env"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/pkg/file"
 )

 var k8sInCluster = env.RegisterStringVar("KUBERNETES_SERVICE_HOST", "",
 	"Kubernetes service host, set automatically when running in-cluster")

 // ParseCertAndGetExpiryTimestamp parses the first certificate in certByte and returns cert expire
 // time, or return error if fails to parse certificate.
 func ParseCertAndGetExpiryTimestamp(certByte []byte) (time.Time, error) {
 	block, _ := pem.Decode(certByte)
 	if block == nil {
 		return time.Time{}, fmt.Errorf("failed to decode certificate")
 	}
 	cert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
 		return time.Time{}, fmt.Errorf("failed to parse certificate: %v", err)
 	}
 	return cert.NotAfter, nil
 }

 // GetMetricsCounterValueWithTags returns counter value in float64. For test purpose only.
 func GetMetricsCounterValueWithTags(metricName string, tags map[string]string) (float64, error) {
 	rows, err := view.RetrieveData(metricName)
 	if err != nil {
 		return float64(0), err
 	}
 	if len(rows) == 0 {
 		return 0, nil
 	}
 	for _, row := range rows {
 		need := len(tags)
 		for _, t := range row.Tags {
 			if tags[t.Key.Name()] == t.Value {
 				need--
 			}
 		}
 		if need == 0 {
 			return rows[0].Data.(*view.SumData).Value, nil
 		}
 	}
 	return float64(0), fmt.Errorf("no metrics matched tags %s: %d", metricName, len(rows))
 }

 // Output the key and certificate to the given directory.
 // If directory string is empty, return nil.
 func OutputKeyCertToDir(dir string, privateKey, certChain, rootCert []byte) error {
 	var err error
 	if len(dir) == 0 {
 		return nil
 	}

 	certFileMode := os.FileMode(0o600)
 	if k8sInCluster.Get() != "" {
 		// If this is running on k8s, give more permission to the file certs.
 		// This is typically used to share the certs with non-proxy containers in the pod which does not run as root or 1337.
 		// For example, prometheus server could use proxy provisioned certs to scrape application metrics through mTLS.
 		certFileMode = os.FileMode(0o644)
 	}
 	// Depending on the SDS resource to output, some fields may be nil
 	if privateKey == nil && certChain == nil && rootCert == nil {
 		return fmt.Errorf("the input private key, cert chain, and root cert are nil")
 	}

 	writeIfNotEqual := func(fileName string, newData []byte) error {
 		if newData == nil {
 			return nil
 		}
 		oldData, _ := os.ReadFile(path.Join(dir, fileName))
 		if !bytes.Equal(oldData, newData) {
 			if err := file.AtomicWrite(path.Join(dir, fileName), newData, certFileMode); err != nil {
 				return fmt.Errorf("failed to write data to file %v: %v", fileName, err)
 			}
 		}
 		return nil
 	}

 	if err = writeIfNotEqual("key.pem", privateKey); err != nil {
 		return err
 	}
 	if err = writeIfNotEqual("cert-chain.pem", certChain); err != nil {
 		return err
 	}
 	if err = writeIfNotEqual("root-cert.pem", rootCert); err != nil {
 		return err
 	}
 	return nil
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package util

	import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
	"path"
	"time"
	)

	import (
	"go.opencensus.io/stats/view"
	"istio.io/pkg/env"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/pkg/file"
	)

	var k8sInCluster = env.RegisterStringVar("KUBERNETES_SERVICE_HOST", "",
	"Kubernetes service host, set automatically when running in-cluster")

	// ParseCertAndGetExpiryTimestamp parses the first certificate in certByte and returns cert expire
	// time, or return error if fails to parse certificate.
	func ParseCertAndGetExpiryTimestamp(certByte []byte) (time.Time, error) {
	block, _ := pem.Decode(certByte)
	if block == nil {
	return time.Time{}, fmt.Errorf("failed to decode certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
	return time.Time{}, fmt.Errorf("failed to parse certificate: %v", err)
	}
	return cert.NotAfter, nil
	}

	// GetMetricsCounterValueWithTags returns counter value in float64. For test purpose only.
	func GetMetricsCounterValueWithTags(metricName string, tags map[string]string) (float64, error) {
	rows, err := view.RetrieveData(metricName)
	if err != nil {
	return float64(0), err
	}
	if len(rows) == 0 {
	return 0, nil
	}
	for _, row := range rows {
	need := len(tags)
	for _, t := range row.Tags {
	if tags[t.Key.Name()] == t.Value {
	need--
	}
	}
	if need == 0 {
	return rows[0].Data.(*view.SumData).Value, nil
	}
	}
	return float64(0), fmt.Errorf("no metrics matched tags %s: %d", metricName, len(rows))
	}

	// Output the key and certificate to the given directory.
	// If directory string is empty, return nil.
	func OutputKeyCertToDir(dir string, privateKey, certChain, rootCert []byte) error {
	var err error
	if len(dir) == 0 {
	return nil
	}

	certFileMode := os.FileMode(0o600)
	if k8sInCluster.Get() != "" {
	// If this is running on k8s, give more permission to the file certs.
	// This is typically used to share the certs with non-proxy containers in the pod which does not run as root or 1337.
	// For example, prometheus server could use proxy provisioned certs to scrape application metrics through mTLS.
	certFileMode = os.FileMode(0o644)
	}
	// Depending on the SDS resource to output, some fields may be nil
	if privateKey == nil && certChain == nil && rootCert == nil {
	return fmt.Errorf("the input private key, cert chain, and root cert are nil")
	}

	writeIfNotEqual := func(fileName string, newData []byte) error {
	if newData == nil {
	return nil
	}
	oldData, _ := os.ReadFile(path.Join(dir, fileName))
	if !bytes.Equal(oldData, newData) {
	if err := file.AtomicWrite(path.Join(dir, fileName), newData, certFileMode); err != nil {
	return fmt.Errorf("failed to write data to file %v: %v", fileName, err)
	}
	}
	return nil
	}

	if err = writeIfNotEqual("key.pem", privateKey); err != nil {
	return err
	}
	if err = writeIfNotEqual("cert-chain.pem", certChain); err != nil {
	return err
	}
	if err = writeIfNotEqual("root-cert.pem", rootCert); err != nil {
	return err
	}
	return nil
	}