first commit

.gitignore

@@ -0,0 +1,7 @@
+.idea
+cert
+.vscode
+bin
+.DS_store
+.history
+vendor

attrmgr/attrmgr.go

@@ -0,0 +1,231 @@
+/*
+Copyright 2022-present The ZTDBP Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package attrmgr
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"encoding/json"
+	"fmt"
+
+	"github.com/pkg/errors"
+)
+
+var (
+	// AttrOID is the ASN.1 object identifier for an attribute extension in an
+	// X509 certificate
+	AttrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}
+	// AttrOIDString is the string version of AttrOID
+	AttrOIDString = "1.2.3.4.5.6.7.8.1"
+)
+
+// Attribute is a name/value pair
+type Attribute interface {
+	// GetName returns the name of the attribute
+	GetName() string
+	// GetValue returns the value of the attribute
+	GetValue() interface{}
+}
+
+// AttributeRequest is a request for an attribute
+type AttributeRequest interface {
+	// GetName returns the name of an attribute
+	GetName() string
+	// IsRequired returns true if the attribute is required
+	IsRequired() bool
+}
+
+// New constructs an attribute manager
+func New() *Mgr { return &Mgr{} }
+
+// Mgr is the attribute manager and is the main object for this package
+type Mgr struct{}
+
+// ProcessAttributeRequestsForCert add attributes to an X509 certificate, given
+// attribute requests and attributes.
+func (mgr *Mgr) ProcessAttributeRequestsForCert(requests []AttributeRequest, attributes []Attribute, cert *x509.Certificate) error {
+	attrs, err := mgr.ProcessAttributeRequests(requests, attributes)
+	if err != nil {
+		return err
+	}
+	return mgr.AddAttributesToCert(attrs, cert)
+}
+
+// ProcessAttributeRequests takes an array of attribute requests and an identity's attributes
+// and returns an Attributes object containing the requested attributes.
+func (mgr *Mgr) ProcessAttributeRequests(requests []AttributeRequest, attributes []Attribute) (*Attributes, error) {
+	attrsMap := map[string]interface{}{}
+	attrs := &Attributes{Attrs: attrsMap}
+	missingRequiredAttrs := []string{}
+	// For each of the attribute requests
+	for _, req := range requests {
+		// Get the attribute
+		name := req.GetName()
+		attr := getAttrByName(name, attributes)
+		if attr == nil {
+			if req.IsRequired() {
+				// Didn't find attribute and it was required; return error below
+				missingRequiredAttrs = append(missingRequiredAttrs, name)
+			}
+			// Skip attribute requests which aren't required
+			continue
+		}
+		attrsMap[name] = attr.GetValue()
+	}
+	if len(missingRequiredAttrs) > 0 {
+		return nil, errors.Errorf("The following required attributes are missing: %+v",
+			missingRequiredAttrs)
+	}
+	return attrs, nil
+}
+
+// ToPkixExtension ...
+func (mgr *Mgr) ToPkixExtension(attrs *Attributes) (pkix.Extension, error) {
+	buf, err := json.Marshal(attrs)
+	if err != nil {
+		return pkix.Extension{}, errors.Wrap(err, "Failed to marshal attributes")
+	}
+	ext := pkix.Extension{
+		Id:       AttrOID,
+		Critical: false,
+		Value:    buf,
+	}
+	return ext, nil
+}
+
+// AddAttributesToCertRequest ...
+func (mgr *Mgr) AddAttributesToCertRequest(attrs *Attributes, cert *x509.CertificateRequest) error {
+	buf, err := json.Marshal(attrs)
+	if err != nil {
+		return errors.Wrap(err, "Failed to marshal attributes")
+	}
+	ext := pkix.Extension{
+		Id:       AttrOID,
+		Critical: false,
+		Value:    buf,
+	}
+	cert.Extensions = append(cert.Extensions, ext)
+	return nil
+}
+
+// AddAttributesToCert adds public attribute info to an X509 certificate.
+func (mgr *Mgr) AddAttributesToCert(attrs *Attributes, cert *x509.Certificate) error {
+	buf, err := json.Marshal(attrs)
+	if err != nil {
+		return errors.Wrap(err, "Failed to marshal attributes")
+	}
+	ext := pkix.Extension{
+		Id:       AttrOID,
+		Critical: false,
+		Value:    buf,
+	}
+	cert.Extensions = append(cert.Extensions, ext)
+	return nil
+}
+
+// GetAttributesFromCert gets the attributes from a certificate.
+func (mgr *Mgr) GetAttributesFromCert(cert *x509.Certificate) (*Attributes, error) {
+	// Get certificate attributes from the certificate if it exists
+	buf, err := getAttributesFromCert(cert)
+	if err != nil {
+		return nil, err
+	}
+	// Unmarshal into attributes object
+	attrs := &Attributes{}
+	if buf != nil {
+		err := json.Unmarshal(buf, attrs)
+		if err != nil {
+			return nil, errors.Wrap(err, "Failed to unmarshal attributes from certificate")
+		}
+	}
+	return attrs, nil
+}
+
+// Attributes contains attribute names and values
+type Attributes struct {
+	Attrs map[string]interface{} `json:"attrs"`
+}
+
+// Names returns the names of the attributes
+func (a *Attributes) Names() []string {
+	i := 0
+	names := make([]string, len(a.Attrs))
+	for name := range a.Attrs {
+		names[i] = name
+		i++
+	}
+	return names
+}
+
+// Contains returns true if the named attribute is found
+func (a *Attributes) Contains(name string) bool {
+	_, ok := a.Attrs[name]
+	return ok
+}
+
+// Value returns an attribute's value
+func (a *Attributes) Value(name string) (interface{}, bool, error) {
+	attr, ok := a.Attrs[name]
+	return attr, ok, nil
+}
+
+// True returns nil if the value of attribute 'name' is true;
+// otherwise, an appropriate error is returned.
+func (a *Attributes) True(name string) error {
+	val, ok, err := a.Value(name)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return fmt.Errorf("Attribute '%s' was not found", name)
+	}
+	if val != "true" {
+		return fmt.Errorf("Attribute '%s' is not true", name)
+	}
+	return nil
+}
+
+// Get the attribute info from a certificate extension, or return nil if not found
+func getAttributesFromCert(cert *x509.Certificate) ([]byte, error) {
+	for _, ext := range cert.Extensions {
+		if isAttrOID(ext.Id) {
+			return ext.Value, nil
+		}
+	}
+	return nil, nil
+}
+
+// Is the object ID equal to the attribute info object ID?
+func isAttrOID(oid asn1.ObjectIdentifier) bool {
+	if len(oid) != len(AttrOID) {
+		return false
+	}
+	for idx, val := range oid {
+		if val != AttrOID[idx] {
+			return false
+		}
+	}
+	return true
+}
+
+// Get an attribute from 'attrs' by its name, or nil if not found
+func getAttrByName(name string, attrs []Attribute) Attribute {
+	for _, attr := range attrs {
+		if attr.GetName() == name {
+			return attr
+		}
+	}
+	return nil
+}

go.mod

@@ -0,0 +1,24 @@
+module github.com/ztalab/zta-tools
+
+go 1.19
+
+require (
+	github.com/LyricTian/queue v1.3.0
+	github.com/go-redis/redis v6.15.9+incompatible
+	github.com/pkg/errors v0.9.1
+	github.com/sirupsen/logrus v1.9.0
+	github.com/ztdbp/ZACA v0.0.0-20230130085917-758df0add0c1
+	github.com/ztdbp/ZASentinel v0.0.0-20230117034106-d7354bb47cc5
+)
+
+require (
+	github.com/garyburd/redigo v1.6.3 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
+	go.uber.org/zap v1.24.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
+)

go.sum

@@ -0,0 +1,59 @@
+github.com/LyricTian/queue v1.3.0 h1:1xEFZlteW6iu5Qbrz7ZsiSKMKaxY1bQHsbx0jrB1pDA=
+github.com/LyricTian/queue v1.3.0/go.mod h1:pbkoplz/zRToCay3pRjz75P8fQAgvkRKJdEzVUQYhXY=
+github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
+github.com/garyburd/redigo v1.6.3 h1:HCeeRluvAgMusMomi1+6Y5dmFOdYV/JzoRrrbFlkGIc=
+github.com/garyburd/redigo v1.6.3/go.mod h1:rTb6epsqigu3kYKBnaF028A7Tf/Aw5s0cqA47doKKqw=
+github.com/go-redis/redis v6.15.9+incompatible h1:K0pv1D7EQUjfyoMql+r/jZqCLizCGKFlFgcHWWmHQjg=
+github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
+github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/gomega v1.19.0 h1:4ieX6qQjPP/BfC3mpsAtIGGlxTWPeA3Inl/7DtXw1tw=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/ztdbp/ZACA v0.0.0-20230130085917-758df0add0c1 h1:++PKKjmPGMivF1f6wTyZmu4YkBfVhxQW3I1uH9AKrzo=
+github.com/ztdbp/ZACA v0.0.0-20230130085917-758df0add0c1/go.mod h1:DM+b+eGl8VRwit889SUB6ylBgfsrI9r7EUn3axB0K5I=
+github.com/ztdbp/ZASentinel v0.0.0-20230117034106-d7354bb47cc5 h1:NMoBEvuJ2/edm+GAg0dJyPhdvEy3qEjX2+s4YssyXF4=
+github.com/ztdbp/ZASentinel v0.0.0-20230117034106-d7354bb47cc5/go.mod h1:HLhrcqY4QjHdVR/VN+3CYPOH6cnBFjq2lOj0SLc3/Hg=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
+go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
+go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
+go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
+go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
+golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
+golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=