shadow0wolf
diff --git a/‎config.go‎
Lines changed: 8 additions & 3 deletions b/‎config.go‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎config_test.go‎
Lines changed: 6 additions & 5 deletions b/‎config_test.go‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎extension.go‎
Lines changed: 121 additions & 120 deletions b/‎extension.go‎
Lines changed: 121 additions & 120 deletions
@@ -1,13 +1,18 @@
 package infa_auth
 
+import "net/http"
+
 // Config has the configuration for the INFA AUTH Authenticator extension.
 type Config struct {
 	TimeOut            int    `mapstructure:"time_out"`
 	ClientSideSsl      bool   `mapstructure:"client_side_ssl"`
 	ValidationURL      string `mapstructure:"validation_url"`
 	Headerkey          string `mapstructure:"header_key"`
-	ClientCertPath     string `mapstructure:"client_cert_path"`
-	CACertPath         string `mapstructure:"ca_cert_path"`
+	ClientJksPath      string `mapstructure:"client_jks_path"`
+	ClientJksPassword  string `mapstructure:"client_jks_password"`
+	CAJksPath          string `mapstructure:"ca_jks_path"`
+	CAJksPassword      string `mapstructure:"ca_jks_password"`
 	InsecureSkipVerify bool   `mapstructure:"insecure_skip_verify"`
-	ClientKeyPath      string `mapstructure:"client_key_path"`
 }
+
+var sessionServiceClient *http.Client
@@ -26,14 +26,15 @@ func TestLoadConfig(t *testing.T) {
 	var tt = Aaa{
 		id: component.NewID(metadata.Type),
 		expected: &Config{
-			TimeOut:            2,
+			TimeOut:            1,
 			ClientSideSsl:      true,
 			ValidationURL:      "https://pod.ics.dev:444/session-service/api/v1/session/Agent",
 			Headerkey:          "IDS-AGENT-SESSION-ID",
-			ClientCertPath:     "/mnt/a/c1Client.crt",
-			CACertPath:         "/mnt/a/ca_cert_path.crt",
-			InsecureSkipVerify: true,
-			ClientKeyPath:      "/mnt/a/client_key_path.pem",
+			ClientJksPath:      "/mnt/a/c1Client.crt",
+			ClientJksPassword:  "changeit1",
+			CAJksPath:          "/mnt/a/ca_cert_path.crt",
+			CAJksPassword:      "changeit2",
+			InsecureSkipVerify: false,
 		},
 	}
 
 
@@ -3,35 +3,28 @@ package infa_auth
 import (
 	"context"
 	"crypto/tls"
-	"errors"
-	"io/ioutil"
-	"net/http"
-
 	"crypto/x509"
+	"errors"
 	"github.com/gofiber/fiber/v2/log"
+	"github.com/lwithers/minijks/jks"
 	"go.opentelemetry.io/collector/client"
 	"go.opentelemetry.io/collector/component"
 	"go.opentelemetry.io/collector/extension/auth"
 	"go.uber.org/zap"
+	"net/http"
 	"os"
+	"strings"
 	"time"
 )
 
 type infaAuthExtension struct {
-	cfg    *Config
-	logger *zap.Logger
+	cfg                  *Config
+	logger               *zap.Logger
+	sessionServiceClient *http.Client
 }
 
 func newExtension(ctx context.Context, cfg *Config, logger *zap.Logger) (auth.Server, error) {
-	/*
-		if cfg.ValidationURL == "" {
-			return nil, errors.New("validation url is empty")
-		}
 
-		if cfg.Headerkey == "" {
-			return nil, errors.New("header key is empty")
-		}
-	*/
 	oe := &infaAuthExtension{
 		cfg:    cfg,
 		logger: logger,
@@ -45,71 +38,76 @@ func (e *infaAuthExtension) start(context.Context, component.Host) error {
 	log.Debug("begin executing extension.start")
 
 	//validation url and header key must NOT be empty
-	if e.cfg.ValidationURL == "" {
+	if strings.TrimSpace(e.cfg.ValidationURL) == "" {
 		return errors.New("ValidationURL is empty")
 	}
 
-	if e.cfg.Headerkey == "" {
+	if strings.TrimSpace(e.cfg.Headerkey) == "" {
 		return errors.New("Headerkey is empty")
 	}
 
-	/*
-		if e.cfg.CACertPath == "" {
-			log.Debug("CACertPath is empty")
-			return errors.New("CACertPath is empty")
-		}
+	sessionServiceClient, err := getClient(e.cfg)
+	e.sessionServiceClient = sessionServiceClient
+	if err != nil {
+		log.Debug("error while creating client in extension.start")
+		return err
+	}
 
-		log.Debugf("CACertPath is : %s ", e.cfg.CACertPath)
-		_, error := os.Stat(e.cfg.CACertPath)
-		if error != nil {
-			log.Debugf("error reading CACertPath")
-			return errors.New("error reading CACertPath")
-		}
-	*/
+	log.Debugf("finished executing extension.start , sessionServiceClient : %A", sessionServiceClient)
+	return nil
+}
 
-	//validate client cert
-	log.Debugf("ClientSideSsl is : %s ", e.cfg.ClientSideSsl)
-	if e.cfg.ClientSideSsl {
-		log.Debugf("ClientCertPath is : %s ", e.cfg.ClientCertPath)
-		if e.cfg.ClientCertPath == "" {
-			log.Debug("ClientCertPath is empty")
-			return errors.New("ClientCertPath is empty")
-
-		} else {
-			_, error := os.Stat(e.cfg.ClientCertPath)
-			if error != nil {
-				log.Debugf("error reading ClientCert")
-				return errors.New("error reading ClientCert")
-			}
-		}
+func getJksKeystore(filename string, password string) (*jks.Keystore, error) {
 
-		log.Debugf("ClientKeyPath is : %s ", e.cfg.ClientKeyPath)
-		if e.cfg.ClientKeyPath == "" {
-			log.Debug("ClientKeyPath is empty")
-			return errors.New("ClientKeyPath is empty")
+	jksContent, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	log.Debug("read keystorefile : " + filename)
 
-		} else {
-			_, error := os.Stat(e.cfg.ClientKeyPath)
-			if error != nil {
-				log.Debugf("error reading ClientKeyPath")
-				return errors.New("error reading ClientKeyPath")
-			}
+	var opts *jks.Options
+	if strings.TrimSpace(password) == "" {
+		log.Debug("password is empty , will use nil options")
+	} else {
+		opts = &jks.Options{
+			Password: password,
 		}
+	}
 
+	keyStore, err := jks.Parse(jksContent, opts)
+	if err != nil {
+		return nil, err
 	}
+	log.Debug("success read keystorefile : " + filename)
+	return keyStore, nil
+}
 
-	log.Debug("finished executing extension.start")
-	return nil
+func getClientCert(ks jks.Keystore) (*tls.Certificate, error) {
+	cert, err := tls.X509KeyPair(ks.Keypairs[0].CertChain[0].Cert.Raw, ks.Keypairs[0].RawKey)
+	if err != nil {
+		log.Debugf("getClientCert ERR %A", err)
+	}
+	return &cert, nil
+}
+
+func getCACertPool(ks jks.Keystore) (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+	for i := 0; i < len(ks.Certs); i++ {
+		log.Debugf("adding CA cert to pool : " + string(ks.Certs[i].Alias))
+		pool.AddCert(ks.Certs[i].Cert)
+	}
+	return pool, nil
 }
 
 // authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data.
 // this associated to the Authenticate() method
 func (e *infaAuthExtension) authenticate(ctx context.Context, headers map[string][]string) (context.Context, error) {
 	log.Debug("executing extensions.authenticate() ")
-	log.Debugf("headers :: %A", headers)
-	log.Debugf("ctx :: %A", ctx)
-	log.Debugf("e.cfg :: %A", *e.cfg)
-
+	/*
+		log.Debugf("headers :: %A", headers)
+		log.Debugf("ctx :: %A", ctx)
+		log.Debugf("e.cfg :: %A", *e.cfg)
+	*/
 	var h []string
 
 	h = headers["Ids-Agent-Session-Id"]
@@ -134,81 +132,89 @@ func (e *infaAuthExtension) authenticate(ctx context.Context, headers map[string
 	}
 
 	cl := client.FromContext(ctx)
-	status, err := validateToken(e.cfg, token)
-	if err != nil || status == false {
+	status, err := validateToken(e, token)
+	if err != nil || !status {
 		return ctx, err
 	}
 
 	//success
 	return client.NewContext(ctx, cl), nil
 }
 
-// this method creates a HTTP client and makes HTTP/S request to session service, if http status is 200 , it returns
-// true with nil error , otherwise non-nil error is returned
-func validateToken(cfg *Config, sessionToken string) (bool, error) {
-	// Create an HTTP client
-	log.Debug("calling extension.validateToken() ")
-
+func getClient(cfg *Config) (*http.Client, error) {
+	var pool *x509.CertPool
+	var clientCert *tls.Certificate
+	client := &http.Client{
+		Timeout: func() time.Duration {
+			if cfg.TimeOut > 0 {
+				return time.Duration(cfg.TimeOut) * time.Second
+			}
+			return 2 * time.Second
+		}(),
+	}
 	tr := &http.Transport{}
+	client.Transport = tr
 
-	//read ca-cert file
-	pool := x509.NewCertPool()
-	if cfg.CACertPath != "" {
-		cert, err := ioutil.ReadFile(cfg.CACertPath)
-		if err != nil {
-			log.Debugf("Error reading CA certificate: %A", err)
-			return false, err
-		} else {
-			pool.AppendCertsFromPEM(cert)
-			tr = &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify, RootCAs: pool},
-			}
-		}
+	//create client with no TLS
+	if cfg.InsecureSkipVerify {
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		log.Info("returning client block1 ")
+		return client, nil
 	} else {
-		tr = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: cfg.InsecureSkipVerify},
-		}
-	}
+		//create client with TLS , CACert is mandatory clientCert is optional
+		caKs, err := getJksKeystore(cfg.CAJksPath, cfg.CAJksPassword)
 
-	// Load client certificate and private key
-	if cfg.ClientSideSsl {
-		cert, err := tls.LoadX509KeyPair(cfg.ClientCertPath, cfg.ClientKeyPath)
 		if err != nil {
-			log.Debugf("Error loading client certificate:", err)
-			return false, err
+			log.Info("error while reading CA jksKeystore : " + cfg.CAJksPath)
+			return nil, err
 		}
-		config := &tls.Config{
-			Certificates:       []tls.Certificate{cert},
-			RootCAs:            pool,
-			InsecureSkipVerify: cfg.InsecureSkipVerify,
+
+		pool, err = getCACertPool(*caKs)
+		if err != nil {
+			log.Info("error while generating CACertPool : " + cfg.CAJksPath)
+			return nil, err
 		}
-		tr = &http.Transport{
-			TLSClientConfig: config,
+
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: false, RootCAs: pool}
+
+		if cfg.ClientSideSsl {
+			clientKs, err := getJksKeystore(cfg.ClientJksPath, cfg.ClientJksPassword)
+			if err != nil {
+				log.Info("error while reading Client jksKeystore : " + cfg.ClientJksPath)
+				return nil, err
+			}
+
+			clientCert, err = getClientCert(*clientKs)
+			if err != nil {
+				log.Info("error while creating Client cert : " + cfg.ClientJksPath)
+				return nil, err
+			}
+
+			tr.TLSClientConfig.Certificates = []tls.Certificate{*clientCert}
 		}
-	}
 
-	client := &http.Client{}
-	if cfg.TimeOut > 0 {
-		client = &http.Client{
-			Timeout:   time.Duration(cfg.TimeOut) * time.Second,
-			Transport: tr}
-	} else {
-		client = &http.Client{
-			Timeout:   2 * time.Second,
-			Transport: tr}
+		log.Info("returning client block2 ")
+		client.Transport = tr
+		return client, nil
 	}
+}
 
-	req, err := http.NewRequest("GET", cfg.ValidationURL, nil)
+// this method creates a HTTP client and makes HTTP/S request to session service, if http status is 200 , it returns
+// true with nil error , otherwise non-nil error is returned
+func validateToken(e *infaAuthExtension, sessionToken string) (bool, error) {
+	// Create an HTTP client
+	log.Debug("calling extension.validateToken() ")
+	req, err := http.NewRequest("GET", e.cfg.ValidationURL, nil)
 	if err != nil {
 		log.Debugf("Error creating request:", err)
 		return false, err
 	}
 
-	req.Header.Add(cfg.Headerkey, sessionToken)
+	req.Header.Add(e.cfg.Headerkey, sessionToken)
 
 	// Make the request
 	log.Debugf("invoking http request : %A", req)
-	resp, err := client.Do(req)
+	resp, err := e.sessionServiceClient.Do(req)
 	log.Debugf("got response %A", resp)
 
 	if err != nil {
@@ -218,20 +224,15 @@ func validateToken(cfg *Config, sessionToken string) (bool, error) {
 
 	if resp.StatusCode != 200 {
 		log.Debug("http status is not 200 in response")
-		return false, errors.New("http status is not 200 in response")
+		body := make([]byte, 1024)
+		_, err := resp.Body.Read(body)
+		if err != nil {
+			log.Debugf("Error reading response body:", err)
+			return false, err
+		}
+		return false, errors.New("http status is not 200 in response response body is " + string(body))
 	}
 
 	defer resp.Body.Close()
-
-	// Read the response body
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		log.Debugf("Error reading response body:", err)
-		return false, err
-	}
-
-	// Print the response
-	log.Debugf("response body is %A", string(body))
 	return true, nil
-
 }