Sign upLogin

nuts-foundation/nuts-auth

View on GitHub
Star
pkg/services/x509/crl.go

Summary

Maintainability
A
0 mins
Test Coverage
/*
 * Nuts auth
 * Copyright (C) 2020. Nuts community
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

package x509

import (
    "crypto/x509"
    "crypto/x509/pkix"
    "fmt"
    "io/ioutil"
    "net/http"
    "time"
)

type CrlGetter interface {
    GetCrl(url string) (*pkix.CertificateList, error)
}

// Compiler check if HttpCrlService implements the CrlGetter
var _ CrlGetter = (*HttpCrlService)(nil)

type HttpCrlService struct {
}

// GetCrl accepts a url and will try to make a http request to that endpoint. The results will be parsed into a CertificateList.
// Note: The call is blocking. It is advisable to use this service behind a caching mechanism or use cachedHttpCrlService
func (h HttpCrlService) GetCrl(url string) (*pkix.CertificateList, error) {
    // TODO: this is a rather naive implementation of a http crl getter. It will not scale under high load and will
    // block requests when the crl endpoint is down.
    // https://github.com/nuts-foundation/nuts-auth/issues/136
    resp, err := http.Get(url)
    if err != nil {
        return nil, err
    } else if resp.StatusCode >= 300 {
        return nil, fmt.Errorf("failed to retrieve CRL: '%s' statuscode: %s", url, resp.Status)
    }

    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        return nil, fmt.Errorf("could not read the crl response body: %w", err)
    }
    resp.Body.Close()

    return x509.ParseCRL(body)
}

var _ CrlGetter = (*memoryCrlService)(nil)

type memoryCrlService struct {
    crls map[string]*pkix.CertificateList
}

func NewMemoryCrlService() memoryCrlService {
    return memoryCrlService{
        crls: make(map[string]*pkix.CertificateList),
    }
}

func (m memoryCrlService) GetCrl(url string) (*pkix.CertificateList, error) {
    crl, ok := m.crls[url]
    if !ok {
        return nil, fmt.Errorf("unknown crl '%s'", url)
    }
    return crl, nil
}

var _ CrlGetter = (*cachedHttpCrlService)(nil)

type cachedHttpCrlService struct {
    httpCrlService   HttpCrlService
    memoryCrlService memoryCrlService
}

func NewCachedHttpCrlService() *cachedHttpCrlService {
    return &cachedHttpCrlService{
        httpCrlService:   HttpCrlService{},
        memoryCrlService: NewMemoryCrlService(),
    }
}

func (c *cachedHttpCrlService) GetCrl(url string) (crl *pkix.CertificateList, err error) {
    expiredOrErr := true

    crl, err = c.memoryCrlService.GetCrl(url)
    if err == nil {
        expiredOrErr = crl.HasExpired(time.Now())
    }

    if expiredOrErr {
        crl, err = c.httpCrlService.GetCrl(url)
        if err == nil {
            c.memoryCrlService.crls[url] = crl
        }
    }
    return
}