X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;f=service-exposure%2Frapps-jwt.go;h=d0e1d3d6b37744e49b366f99ceb8b9e1f83b6702;hb=ab476772c1e9c5affc54dd965bec715e13959a8c;hp=d220458b816ae14f23836bb153c37465ef368646;hpb=b8ae6c467edee10ef39f1b43097fd1ec426e86b7;p=nonrtric.git
diff --git a/service-exposure/rapps-jwt.go b/service-exposure/rapps-jwt.go
index d220458b..d0e1d3d6 100644
--- a/service-exposure/rapps-jwt.go
+++ b/service-exposure/rapps-jwt.go
@@ -1,25 +1,26 @@ // -
-// ========================LICENSE_START=================================
-// O-RAN-SC
-// %%
-// Copyright (C) 2022: Nordix Foundation
-// %%
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
 //
-// http://www.apache.org/licenses/LICENSE-2.0
+// ========================LICENSE_START=================================
+// O-RAN-SC
+// %%
+// Copyright (C) 2022-2023: Nordix Foundation
+// %%
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
 //
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-// ========================LICENSE_END===================================
+// http://www.apache.org/licenses/LICENSE-2.0
 //
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ========================LICENSE_END===================================
 package main
 import (
+ "context"
 "crypto/tls"
 "crypto/x509"
 "encoding/json"
@@ -29,11 +30,10 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 kubernetes "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/rest"
+ "net"
 "net/http"
 "net/url"
 "rapps/utils/generatejwt"
- "context"
- "net"
 "time"
 )
@@ -55,6 +55,9 @@ var realmName string
 var clientId string
 var namespace string
 var authenticator string
+var tlsCrt string
+var tlsKey string
+var caCrt string
 var healthy bool = true
 var jwt Jwttoken
@@ -70,7 +73,10 @@ func getToken(res http.ResponseWriter, req *http.Request) {
 clientId = req.Header.Get("client")
 realmName = req.Header.Get("realm")
 namespace = req.Header.Get("ns")
- keycloakUrl := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName + "/protocol/openid-connect/token"
+ tlsCrt = req.Header.Get("tlsCrt")
+ tlsKey = req.Header.Get("tlsKey")
+ caCrt = req.Header.Get("caCrt")
+ keycloakUrl := "http://" + keycloakHost + ":" + keycloakPort + "/realms/" + realmName + "/protocol/openid-connect/token"
 fmt.Printf("Making token request to %s\n", keycloakUrl)
 res.Header().Set("Content-type", "application/json")
 res.Header().Set("Authorization", "")
@@ -78,7 +84,9 @@ func getToken(res http.ResponseWriter, req *http.Request) {
 if authenticator == "client-jwt" {
 resp, err = getJwtToken(keycloakUrl, clientId)
 } else if authenticator == "client-x509" {
- resp, err = getx509Token(keycloakUrl, clientId)
+ keycloakPort = "443"
+ keycloakUrl := "https://" + keycloakAlias + ":" + keycloakPort + "/realms/" + realmName + "/protocol/openid-connect/token"
+ resp, err = getx509Token(keycloakUrl, clientId, tlsCrt, tlsKey, caCrt)
 } else {
 resp, err = getSecretToken(keycloakUrl, clientId)
 }
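Review bot: The three `req.Header.Get("tlsCrt")` / `"tlsKey"` / `"caCrt"` values are file paths that getClient (a later hunk) hands straight to `ioutil.ReadFile(caCrt)` and `tls.LoadX509KeyPair(tlsCrt, tlsKey)`, so whoever can reach this endpoint chooses which files on the service's filesystem are opened as CA, certificate and private key; the other Keycloak settings come from flags, and these should too, or at least be confined to a fixed certificate directory, e.g. `caCrt = filepath.Join(certDir, filepath.Base(req.Header.Get("caCrt")))` with `certDir` a new flag (path/filepath is stdlib). They are also written to the package-level variables declared in the preceding hunk, so two concurrent requests can overwrite each other's paths before getClient reads them; keeping them in locals (getx509Token already takes them as parameters) avoids that. getToken starts before this hunk.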
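Review bot: `keycloakPort = "443"` assigns the package-level variable bound to the `-keycloakPort` flag from inside a request handler, so once one client-x509 request has been served every later request, including the client-jwt and secret branches that build `"http://" + keycloakHost + ":" + keycloakPort` at the top of getToken, is sent to port 443 over plain http. The port belongs in the local URL only: `keycloakUrl := "https://" + keycloakAlias + ":443/realms/" + realmName + "/protocol/openid-connect/token"`, with the assignment dropped. The `:=` here also shadows the outer keycloakUrl instead of replacing it, which is harmless inside this branch but worth a plain `=` so the intent is clear. getToken starts and ends outside this hunk.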
@@ -119,12 +127,12 @@ func getJwtToken(keycloakUrl, clientId string) (*http.Response, error) {
 }
 func getClientAssertion() string {
- realm := "http://" + keycloakHost + ":" + keycloakPort + "/auth/realms/" + realmName
- clientAssertion := generatejwt.CreateJWT("/certs/client.key", "", clientId, realm)
+ aud := "https://keycloak:8443/realms/" + realmName
+ clientAssertion := generatejwt.CreateJWT(tlsKey, "", clientId, aud)
 return clientAssertion
 }
-func getx509Token(keycloakUrl, clientId string) (*http.Response, error) {
+func getx509Token(keycloakUrl, clientId, tlsCrt, tlsKey, caCrt string) (*http.Response, error) {
 var resp = &http.Response{}
 var err error
@@ -135,11 +143,11 @@ func getx509Token(keycloakUrl, clientId string) (*http.Response, error) {
 }
 func getClient() *http.Client {
- caCert, _ := ioutil.ReadFile("/certs/rootCA.crt")
+ caCert, _ := ioutil.ReadFile(caCrt)
 caCertPool := x509.NewCertPool()
 caCertPool.AppendCertsFromPEM(caCert)
- cert, _ := tls.LoadX509KeyPair("/certs/client.crt", "/certs/client.key")
+ cert, _ := tls.LoadX509KeyPair(tlsCrt, tlsKey)
 dialer := &net.Dialer{
 Timeout: 30 * time.Second,
@@ -214,7 +222,7 @@ func health(res http.ResponseWriter, req *http.Request) {
 func main() {
 flag.StringVar(&keycloakHost, "keycloakHost", "istio-ingressgateway.istio-system", "Keycloak Host")
 flag.StringVar(&keycloakPort, "keycloakPort", "80", "Keycloak Port")
- flag.StringVar(&keycloakAlias, "keycloakAlias", "keycloak.oran.org", "Keycloak URL Alias")
+ flag.StringVar(&keycloakAlias, "keycloakAlias", "keycloak.est.tech", "Keycloak URL Alias")
 flag.Parse()
 healthHandler := http.HandlerFunc(health)
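Review bot: The tlsCrt, tlsKey and caCrt parameters added to getx509Token only shadow the package-level variables of the same name; getClient() in the next hunk takes no arguments and reads those globals directly, so unless getx509Token's body (between the two hunks, not shown) forwards the parameters somewhere else they are unused and the values still travel through shared state. Plumbing them through, `func getClient(tlsCrt, tlsKey, caCrt string) *http.Client`, keeps the x509 path independent of whatever the last request wrote to the globals. Separately, `aud` is pinned to the literal `https://keycloak:8443/realms/` while the token request built in getToken goes to `"https://" + keycloakAlias + ":443"`; if the assertion's audience has to match the realm URL the server identifies itself by, derive both from the same configured value rather than a literal. getx509Token's body continues after this hunk.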
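Review bot: Both `ioutil.ReadFile(caCrt)` and `tls.LoadX509KeyPair(tlsCrt, tlsKey)` discard their error, and the bool returned by `AppendCertsFromPEM` is ignored; now that the paths come from request headers instead of fixed `/certs/...` files, a missing or unreadable file leaves an empty root pool and a zero `tls.Certificate`, and the failure only surfaces later as an opaque TLS handshake error. getClient should report the error instead, which means changing its signature to `(*http.Client, error)` and updating its caller, which lies outside this hunk; the rest of getClient's body also continues beyond the hunk.
```go
func getClient() (*http.Client, error) {
	caCert, err := ioutil.ReadFile(caCrt)
	if err != nil {
		return nil, fmt.Errorf("reading CA certificate %q: %w", caCrt, err)
	}
	caCertPool := x509.NewCertPool()
	if !caCertPool.AppendCertsFromPEM(caCert) {
		return nil, fmt.Errorf("no certificates parsed from %q", caCrt)
	}
	cert, err := tls.LoadX509KeyPair(tlsCrt, tlsKey)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair %q/%q: %w", tlsCrt, tlsKey, err)
	}
	// … unchanged: dialer and transport setup …
```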