Merge pull request #10 from meltwater/tls

Added support for using TLS when starting daemon
meltwater · Mar 2, 2016 · 561bd83 · 561bd83
2 parents aa83413 + 7ef1b54
commit 561bd83
Show file tree

Hide file tree

Showing 6 changed files with 169 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -331,6 +331,13 @@ The daemon has an HTTP health check endpoint at `/v1/status` that will respond w
 `HTTP 200 OK` if all is well. This could be used to point a load balancers health check
 mechanism at.
 
+### TLS Support
+
+In order to enable end to end encryption, you can supply the ssl certificate with the following options:
+```
+secretary daemon --tls-key-file <path to key file> --tls-cert-file <path to cert file>
+```
+
 ### Systemd
 Create a [Systemd unit](http://www.freedesktop.org/software/systemd/man/systemd.unit.html) file
 in **/etc/systemd/system/secretary.service** with contents like below.

diff --git a/daemon.go b/daemon.go
@@ -165,17 +165,24 @@ func statusEndpointHandler() func(http.ResponseWriter, *http.Request) {
 		message := DaemonStatusResponse{Status: "OK"}
 		encoded, err := json.Marshal(message)
 		if err != nil {
-			errorResponse(w, r, fmt.Errorf("Failed to serialize json response", err), http.StatusInternalServerError)
+			errorResponse(w, r, fmt.Errorf("Failed to serialize json response (%s)", err), http.StatusInternalServerError)
 			return
 		}
 
 		w.Write(encoded)
 	}
 }
 
-func daemonCommand(listenAddress string, marathonURL string, masterKey *[32]byte, strategy DecryptionStrategy) {
+func daemonCommand(listenAddress string, marathonURL string, masterKey *[32]byte, tlsCertFile string, tlsKeyFile string, strategy DecryptionStrategy) {
 	http.HandleFunc("/v1/decrypt", decryptEndpointHandler(marathonURL, masterKey, strategy))
 	http.HandleFunc("/v1/status", statusEndpointHandler())
-	log.Printf("Daemon listening on %s", listenAddress)
-	log.Fatal(http.ListenAndServe(listenAddress, nil))
+
+	if tlsCertFile != "" && tlsKeyFile != "" {
+		log.Printf("Daemon listening on TLS %s", listenAddress)
+		log.Fatal(http.ListenAndServeTLS(listenAddress, tlsCertFile, tlsKeyFile, nil))
+	} else {
+		log.Printf("Daemon listening on %s", listenAddress)
+		log.Fatal(http.ListenAndServe(listenAddress, nil))
+	}
+
 }
diff --git a/daemon_test.go b/daemon_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net/http"
@@ -34,3 +35,40 @@ func TestDaemonStatus(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, "OK", parsedResponse.Status)
 }
+
+func TestTLSDaemonStatus(t *testing.T) {
+	// Start secretary daemon
+	handler := statusEndpointHandler()
+
+	daemon := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.URL.Path {
+		case "/v1/status":
+			handler(w, r)
+		default:
+			http.Error(w, fmt.Sprintf("Bad URL %s", r.URL.Path), http.StatusNotFound)
+		}
+	}))
+
+	cert, err := tls.LoadX509KeyPair("./resources/test/keys/tlscertfile.pem", "./resources/test/keys/tlskeyfile.pem")
+	daemon.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
+
+	daemon.StartTLS()
+	defer daemon.Close()
+
+	tr := &http.Transport{
+		TLSClientConfig:    &tls.Config{InsecureSkipVerify: true},
+		DisableCompression: true,
+	}
+	client := &http.Client{Transport: tr}
+	response, err := client.Get(daemon.URL + "/v1/status")
+	assert.Nil(t, err)
+
+	var parsedResponse DaemonStatusResponse
+
+	respBody, err := httpReadBody(response)
+
+	err = json.Unmarshal(respBody, &parsedResponse)
+	assert.Nil(t, err)
+	assert.Equal(t, "OK", parsedResponse.Status)
+}
diff --git a/main.go b/main.go
@@ -124,7 +124,7 @@ func main() {
 
 	// Daemon command
 	{
-		var marathonURL, configKeyFile, masterKeyFile, daemonIP string
+		var marathonURL, configKeyFile, masterKeyFile, tlsCertFile, tlsKeyFile, daemonIP string
 		var daemonPort int
 
 		cmdDaemon := &cobra.Command{
@@ -143,14 +143,16 @@ func main() {
 				}
 
 				listenAddress := fmt.Sprintf("%s:%d", daemonIP, daemonPort)
-				daemonCommand(listenAddress, marathonURL, masterKey, composite)
+				daemonCommand(listenAddress, marathonURL, masterKey, tlsCertFile, tlsKeyFile, composite)
 			},
 		}
 
 		cmdDaemon.Flags().StringVarP(&marathonURL, "marathon-url", "",
 			defaults(os.Getenv("MARATHON_URL"), "http://localhost:8080"), "URL of Marathon")
 		cmdDaemon.Flags().StringVarP(&configKeyFile, "config-key", "", "", "Config public key file")
 		cmdDaemon.Flags().StringVarP(&masterKeyFile, "master-key", "", "", "Master private key file")
+		cmdDaemon.Flags().StringVarP(&tlsCertFile, "tls-cert-file", "", "", "TLS cert file")
+		cmdDaemon.Flags().StringVarP(&tlsKeyFile, "tls-key-file", "", "", "TLS key file")
 
 		cmdDaemon.Flags().StringVarP(&daemonIP, "ip", "i", "0.0.0.0", "Interface to bind to")
 		cmdDaemon.Flags().IntVarP(&daemonPort, "port", "p", 5070, "Port to listen on")

diff --git a/resources/test/keys/tlscertfile.pem b/resources/test/keys/tlscertfile.pem
@@ -0,0 +1,81 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost
+        Validity
+            Not Before: Mar  2 10:02:10 2016 GMT
+            Not After : Feb  7 10:02:10 2116 GMT
+        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:b3:a9:90:47:8f:96:88:85:68:53:d8:d4:31:ef:
+                    b7:c0:a9:5a:84:39:b0:dd:05:88:b3:76:ec:d3:94:
+                    12:b7:b8:7d:52:0c:8f:0e:ab:67:00:ff:92:d6:e3:
+                    89:cd:3d:2d:e6:f1:45:60:36:b5:80:07:45:6e:12:
+                    f1:c2:ab:76:ac:1a:b6:2a:d4:1b:55:f6:b0:ad:f5:
+                    5a:4a:f0:0c:9e:ca:11:d3:f8:d6:03:96:80:8c:9b:
+                    c9:4d:2c:f4:4f:90:06:9a:16:40:60:a1:d2:d6:e0:
+                    df:13:e9:4b:e9:2c:00:20:ed:5a:ce:50:15:c6:f3:
+                    17:e3:bf:30:38:b6:54:e8:71:4b:a7:a1:b0:e8:45:
+                    ea:1d:3f:66:3a:2c:c7:ca:92:08:fd:58:a3:93:76:
+                    b6:0e:95:c8:89:b9:c8:da:11:23:04:ba:0b:6b:7a:
+                    d2:99:95:35:4d:fe:f7:8a:b9:16:54:44:b8:af:31:
+                    38:6e:e7:95:00:01:8b:45:a7:d1:b2:94:6a:f9:83:
+                    d4:62:98:fa:da:d0:9c:52:e3:17:ba:63:fa:54:e6:
+                    c0:23:5f:1a:88:f4:ad:13:b5:a8:37:10:07:64:48:
+                    13:fe:e1:cd:74:d9:2e:74:5d:80:c1:c6:6b:11:1e:
+                    cd:4b:c0:d5:49:51:ee:89:db:84:ed:b1:c2:9c:a3:
+                    94:61
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                24:EC:BE:C0:23:AC:87:83:BC:23:DD:A7:DE:8A:39:A0:46:3D:95:41
+            X509v3 Authority Key Identifier: 
+                keyid:3B:43:1E:82:89:DD:F7:87:3F:E5:E9:A1:03:B0:4E:D3:D3:6F:EE:9F
+
+    Signature Algorithm: sha256WithRSAEncryption
+         5f:d4:75:19:8a:1a:69:c5:f6:61:9f:fe:c3:67:b7:95:33:8f:
+         16:19:72:01:df:bf:a6:30:5b:17:ca:59:1e:39:8e:15:2e:7f:
+         db:25:f2:a3:9a:2e:6e:f3:ad:d5:97:dd:78:5c:2c:97:60:79:
+         f2:c9:3f:27:e8:3e:6f:0e:a4:c8:bb:2e:5c:07:f4:79:d2:0a:
+         07:fa:f6:76:eb:92:7a:5b:2b:c4:55:9d:a6:46:43:de:cb:ff:
+         e5:1f:5b:ba:54:b1:ec:82:a1:c3:c0:c1:a5:75:19:38:d1:e6:
+         ca:0b:aa:36:66:a1:3a:3a:fd:42:7f:1d:38:74:fa:93:63:fe:
+         be:44:b5:7d:f6:23:d3:bd:b2:dd:eb:6b:9e:69:df:da:79:dd:
+         60:21:ef:d6:42:b8:26:b1:3f:9b:19:75:1f:9f:12:61:5c:aa:
+         1b:ed:4e:7d:a9:69:27:80:d3:a7:71:14:2d:bc:9e:16:fb:eb:
+         cb:cb:1b:38:29:fd:66:5d:cd:00:0e:72:64:a2:89:59:6c:8d:
+         43:b0:02:97:45:b3:0a:2f:81:1b:e3:55:59:02:66:3b:93:5f:
+         08:d5:8d:eb:10:8a:98:bd:87:d7:62:a3:f9:df:bf:4e:c1:49:
+         8f:2b:0b:f2:3e:35:d0:be:b7:70:b5:62:77:de:0d:2f:d9:a7:
+         70:c6:62:88
+-----BEGIN CERTIFICATE-----
+MIIDqjCCApKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJBVTET
+MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTYwMzAyMTAwMjEwWhgPMjEx
+NjAyMDcxMDAyMTBaMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRl
+MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCWxv
+Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALOpkEePloiF
+aFPY1DHvt8CpWoQ5sN0FiLN27NOUEre4fVIMjw6rZwD/ktbjic09LebxRWA2tYAH
+RW4S8cKrdqwatirUG1X2sK31WkrwDJ7KEdP41gOWgIybyU0s9E+QBpoWQGCh0tbg
+3xPpS+ksACDtWs5QFcbzF+O/MDi2VOhxS6ehsOhF6h0/Zjosx8qSCP1Yo5N2tg6V
+yIm5yNoRIwS6C2t60pmVNU3+94q5FlREuK8xOG7nlQABi0Wn0bKUavmD1GKY+trQ
+nFLjF7pj+lTmwCNfGoj0rRO1qDcQB2RIE/7hzXTZLnRdgMHGaxEezUvA1UlR7onb
+hO2xwpyjlGECAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3Bl
+blNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFCTsvsAjrIeDvCPd
+p96KOaBGPZVBMB8GA1UdIwQYMBaAFDtDHoKJ3feHP+XpoQOwTtPTb+6fMA0GCSqG
+SIb3DQEBCwUAA4IBAQBf1HUZihppxfZhn/7DZ7eVM48WGXIB37+mMFsXylkeOY4V
+Ln/bJfKjmi5u863Vl914XCyXYHnyyT8n6D5vDqTIuy5cB/R50goH+vZ265J6WyvE
+VZ2mRkPey//lH1u6VLHsgqHDwMGldRk40ebKC6o2ZqE6Ov1Cfx04dPqTY/6+RLV9
+9iPTvbLd62uead/aed1gIe/WQrgmsT+bGXUfnxJhXKob7U59qWkngNOncRQtvJ4W
+++vLyxs4Kf1mXc0ADnJkoolZbI1DsAKXRbMKL4Eb41VZAmY7k18I1Y3rEIqYvYfX
+YqP5379OwUmPKwvyPjXQvrdwtWJ33g0v2adwxmKI
+-----END CERTIFICATE-----
diff --git a/resources/test/keys/tlskeyfile.pem b/resources/test/keys/tlskeyfile.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzqZBHj5aIhWhT
+2NQx77fAqVqEObDdBYizduzTlBK3uH1SDI8Oq2cA/5LW44nNPS3m8UVgNrWAB0Vu
+EvHCq3asGrYq1BtV9rCt9VpK8AyeyhHT+NYDloCMm8lNLPRPkAaaFkBgodLW4N8T
+6UvpLAAg7VrOUBXG8xfjvzA4tlTocUunobDoReodP2Y6LMfKkgj9WKOTdrYOlciJ
+ucjaESMEugtretKZlTVN/veKuRZURLivMThu55UAAYtFp9GylGr5g9RimPra0JxS
+4xe6Y/pU5sAjXxqI9K0Ttag3EAdkSBP+4c102S50XYDBxmsRHs1LwNVJUe6J24Tt
+scKco5RhAgMBAAECggEANW9lPiNyvkAPe4Ct+/w0RtUX2uPdup7+vYHNhlAwEPyK
+KXEay14nUKCy577dKXHcySdRXwBmkyGWgNqZlTCyJxX6wFo9lx+8BMFIjak/16p6
+CvWjkYWdzjQ3dwC72T4Y+JNNqm/26XoQXzewIDW6BBEURPCEyZtbq50dloCEWG16
+T03vhr3EY21mN+hSTjWHWYhE/eB29VVlw6WOBFZzUUo72vmpjiyPX+1ybE+jN6sj
+ZltZyKaG8cziiiY+9T7wacd56Nl149CG8/mYS5caegT4xnGFW/i//3L161CiZanr
+/8NnoiqS43CLZ76IbuQUaKs/bcTOYBnK9OPYqaUcwQKBgQDeVRYR2v84XLFTRZup
+b6TTErLVCFcT9e5jYZ719Kv05eqqig2kvywtRqW4ygsd7uHcnx1OPQ+raPco44bk
+UOx9rBwuAOfA1Nj16Zv03Ll7ao8ECNHRWrRqqcmB2XyUcVf0rYZ/uvDcYD3zWFTe
+NrHiK4EJe0Hx70ClgyGcSRmTzQKBgQDO3lYNNSH797FNkQiNfBP147fYcbr3Y3VK
+CQNsljhEjlH2vslRQ3OElNAZe5He35pLrb/2ik6lPQ0qBtBFwD7WIBG1MSinYhS3
+vbGDxrdkXux5tTxHy5BSfJX5u+ToR9RPT+S90Fz8UOm4RrFgjEzUQ4EYVYuml974
+OtM3OQnW5QKBgFHiUnuHBaJzeRerNlZj+PeIFnchWDjQxdiyVoJNd5t9pjzjFX1M
+r2+JanWxbAC9P1ArBfcPxBqkUQstKTwjlcX/Qm2rBa/edH21aSv4sxOCPmQE/4m0
+d2glWkLJn/ln+TXzRur6JcV0aLycFr20tTUQQrkEPVhmfo+2yQUvYw0tAoGAXFze
+1OTNOJ/d1QEVbX5htx6mPgiBbuVEP/sIQVpM4yccJ2wFnLfeAusigs4uUfFKBdIc
+7GnSNWqtzv7dzNbJ93a4EUtSmHFtSKB0ep6l0TWkpa6qrG+SD5I6sBcZXDB99a95
+NNqsOaeywqkllzLtNrSxFflT8dzLG8+/8F8SKpUCgYEAjQC1ICC1LePJmLL4WJjq
+aBCIRr6Ml0yBZYi6kBRPXnymLc2HcFcLX3kJA/9zm6n3H2uLZNg8dlWZYbSKEBil
+gUW9k6UvEPNgcNNLBdb4ogKRlFe7mL/MVcNy7UxLDe2Z96A1Uvq/62aPZPvq0kw6
+wO2IQOB/r5hQ8FnwUDBC4/w=
+-----END PRIVATE KEY-----