chore: optimize hijack ca format (#3418)

* chore: optimize hijack ca format Signed-off-by: Jim Ma <[email protected]> * chore: fix cert leaf Signed-off-by: Jim Ma <[email protected]> * fix: unit test Signed-off-by: Jim Ma <[email protected]> --------- Signed-off-by: Jim Ma <[email protected]>
dragonflyoss · Aug 6, 2024 · 9698903 · 9698903
1 parent 89e06a8
commit 9698903
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 14 deletions.
diff --git a/client/config/peerhost.go b/client/config/peerhost.go
@@ -920,8 +920,8 @@ func (r *Regexp) MarshalYAML() (any, error) {
 
 // HijackConfig represents how dfdaemon hijacks http requests.
 type HijackConfig struct {
-	Cert  string             `yaml:"cert" mapstructure:"cert"`
-	Key   string             `yaml:"key" mapstructure:"key"`
+	Cert  types.PEMContent   `yaml:"cert" mapstructure:"cert"`
+	Key   types.PEMContent   `yaml:"key" mapstructure:"key"`
 	Hosts []*HijackHost      `yaml:"hosts" mapstructure:"hosts"`
 	SNI   []*TCPListenOption `yaml:"sni" mapstructure:"sni"`
 }

diff --git a/client/config/peerhost_test.go b/client/config/peerhost_test.go
@@ -470,8 +470,8 @@ func TestPeerHostOption_Load(t *testing.T) {
 				},
 			},
 			HijackHTTPS: &HijackConfig{
-				Cert: "./testdata/certs/sca.crt",
-				Key:  "./testdata/certs/sca.key",
+				Cert: types.PEMContent(_cert),
+				Key:  types.PEMContent(_key),
 				Hosts: []*HijackHost{
 					{
 						Regx:     hijackExp,

diff --git a/client/config/testdata/certs/sca.crt b/client/config/testdata/certs/sca.crt
@@ -17,4 +17,4 @@ A5l000dtHekhk+DO2tjQgEKg5+EYMYoki5mEkSbyHkMMY8D6w5A130fpw10ZeN1z
 B/v/1PiVkZfu1kbnTZICQDsb4xI/2Sw2x0qKXp1oYzIDt8fZATNJgWhzv47xLLXF
 XQM7Yj0HQ3txAi6qOMDw1sYf/TEc1k4VC9J//QJb5/kNnWcAheLPCm3D1+CnAxcD
 vL928p4GmUIGbzxm3/WbWfLosSwxq5y4P5bbEd3niM4=
------END CERTIFICATE-----
+-----END CERTIFICATE-----
diff --git a/client/config/testdata/certs/sca.key b/client/config/testdata/certs/sca.key
@@ -24,4 +24,4 @@ fbR5XmFsuzmdL0zRIt6+mtDjfqHHYA2avzwvRaBWVprzS8/ISTqJSEs/NWSYuAsP
 tjPw2QKBgQCB+sS2lio/sTAQzsYTe/GNmxsL1lKO+yRsTPRRjzcm3ZdOsPgkFDx/
 ZCL9Lsp7TqOLOghLGdYj9a45GrXwmEeJo5P9c1y+G9PSzFDMBUyseWmDvrcvYwWo
 JMfrfs6pHtZ828AbnT2kfnFv6zok2ns6vE2gme/a9Z/RCjVXyJwF5w==
------END RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
diff --git a/client/daemon/proxy/proxy_manager.go b/client/daemon/proxy/proxy_manager.go
@@ -98,20 +98,20 @@ func NewProxyManager(peerHost *schedulerv1.PeerHost, peerTaskManager peer.TaskMa
 			if r.Direct {
 				method = "directly"
 			}
-			scheme := ""
+			prompt := ""
 			if r.UseHTTPS {
-				scheme = "and force https"
+				prompt = " and force https"
 			}
-			logger.Infof("[%d] proxy %s %s %s", i+1, r.Regx, method, scheme)
+			logger.Infof("[%d] proxy %s %s%s", i+1, r.Regx, method, prompt)
 		}
 	}
 
 	if hijackHTTPS != nil {
 		options = append(options, WithHTTPSHosts(hijackHTTPS.Hosts...))
 		if hijackHTTPS.Cert != "" && hijackHTTPS.Key != "" {
-			cert, err := certFromFile(hijackHTTPS.Cert, hijackHTTPS.Key)
+			cert, err := certFromFile(string(hijackHTTPS.Cert), string(hijackHTTPS.Key))
 			if err != nil {
-				return nil, fmt.Errorf("cert from file: %w", err)
+				return nil, fmt.Errorf("load cert error: %w", err)
 			}
 			if cert.Leaf != nil && cert.Leaf.IsCA {
 				logger.Debugf("hijack https request with CA <%s>", cert.Leaf.Subject.CommonName)
@@ -174,13 +174,14 @@ func (pm *proxyManager) Watch(opt *config.ProxyOption) {
 	}
 }
 
-func certFromFile(certFile string, keyFile string) (*tls.Certificate, error) {
+func certFromFile(certPEM string, keyPEM string) (*tls.Certificate, error) {
 	// cert.Certificate is a chain of one or more certificates, leaf first.
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
 	if err != nil {
 		return nil, fmt.Errorf("load cert: %w", err)
 	}
-	logger.Infof("use self-signed certificate (%s, %s) for https hijacking", certFile, keyFile)
+
+	logger.Infof("use self-signed certificate for https hijacking")
 
 	// leaf is CA cert or server cert
 	leaf, err := x509.ParseCertificate(cert.Certificate[0])