v0.6.0

v0.6.0

.github/workflows/main.yml

@@ -0,0 +1,33 @@
+name: Go
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'lspd-*'
+  push:
+    branches:
+      - 'build-*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+    - name: Configure git for private modules
+      env:
+        TOKEN: ${{ secrets.GA_PERSONAL_ACCESS_TOKEN }}
+        GOPRIVATE: "github.com/nayutaco"
+      run: git config --global url."https://${TOKEN}:x-oauth-basic@github.com".insteadOf "https://github.com"
+    - name: Build
+      run: |
+        go mod tidy
+        go build -v ./...
+
+    - name: Test
+      run: go test -v ./...

.gitignore

@@ -0,0 +1,31 @@
+/NayutaHub2Lspd
+/cli
+lspd.env
+postgresql/init.sql
+config.sh
+cert/**/tls_ca.*
+cert/**/tls_lspd.*
+
+# Following section is based on https://github.com/github/gitignore/blob/main/Go.gitignore
+#
+# If you prefer the allow list template instead of the deny list, see community template:
+# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+#
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+vendor/
+
+# Go workspace file
+go.work

Makefile

@@ -0,0 +1,22 @@
+MAJOR=0
+MINOR=6
+BUILD=0
+COMMIT=$(shell git log -n1 --abbrev-commit --abbrev=12 --format=format:%h)
+
+all: build cli
+
+build:
+	go build -ldflags "-X main.version=v$(MAJOR).$(MINOR).$(BUILD)-$(COMMIT)" .
+	./NayutaHub2Lspd -version
+
+cli: cmd/cli/main.go cmd/cli/client.go
+	go build ./cmd/cli
+
+install:
+	go install -ldflags "-X main.version=v$(MAJOR).$(MINOR).$(BUILD)-$(COMMIT)" .
+
+clean:
+	go clean .
+
+test:
+	go test -v

cert/README.md

@@ -0,0 +1,62 @@
+# CERT
+
+## Abstruct
+
+Execute `cert/mk-tls.sh` to create `LSP_KEY` and `LSP_CERT`.
+
+```bash
+cd cert
+vi mk-tls.sh
+...(edit)...
+
+./mk-tls.sh NayutaHub03
+```
+
+### note
+
+Created cert is for `localhost`.  
+If used on a client, it will need to be overwritten with "localhost".
+
+```javascript
+const client = new LspClient(
+  address,
+  credentials,
+  {'grpc.ssl_target_name_override': 'localhost'}
+)
+```
+
+```go
+creds := credentials.NewTLS(&tls.Config{
+	ServerName: "localhost",
+	RootCAs:    x509.NewCertPool(),
+})
+option = grpc.WithTransportCredentials(creds)
+client, err = grpc.Dial(address, option)
+```
+
+## usage
+
+### mk-tls.sh
+
+* Create CA key and cert if not exist "tls_ca_key".
+* Create server key if not exist "DIRNAME/tls_lspd.key".
+* Create server CERT if not exist "DIRNAME/tls_lspd.cert".
+
+```bash
+./mk-tls.sh <DIRNAME>
+```
+
+### read-tls.sh
+
+```bash
+./read-tls.sh <DIRNAME>
+```
+
+### update-lsp-cert.sh
+
+Update only `<DIRNAME>/tls_lspd.cert` and output `LSP_CERT`.  
+`LSP_CERT` is used to update lspd.env.
+
+```bash
+./update-lsp-cert.sh <DIRNAME>
+```

cert/mk-tls.sh

@@ -0,0 +1,81 @@
+#!/bin/bash -e
+
+CA_DAYS=3650
+SERVER_DAYS=365
+SUBJECT="/C=JP/ST=Fukuoka/L=Fukuoka/O=Nayuta/OU=Nayuta/CN=localhost"
+
+CA_KEY_PEM="tls_ca.key"
+CA_CERT_PEM="tls_ca.cert"
+SERVER_KEY_PEM="tls_lspd.key"
+SERVER_REQ_PEM="tls_lspd.req"
+SERVER_CERT_PEM="tls_lspd.cert"
+SERVER_EXT_CNF="tls.conf"
+
+if [ $# -ne 1 ]; then
+    echo "usage: $0 DIRNAME"
+    exit 0
+fi
+
+DIRNAME=$1
+if [ ! -d ${DIRNAME} ]; then
+    mkdir ${DIRNAME}
+fi
+
+function generateCA() {
+    echo "-------------------------------"
+    echo " generateCA"
+    echo "-------------------------------"
+    rm -f ${CA_KEY_PEM} ${CA_CERT_PEM}
+
+    # 1. Generate CA's private key and self-signed certificate
+    openssl req -x509 -newkey rsa:4096 -sha256 -days ${CA_DAYS} -nodes -keyout ${CA_KEY_PEM} -out ${CA_CERT_PEM} -subj ${SUBJECT} 2> /dev/null
+
+    #echo "CA's self-signed certificate"
+    #openssl x509 -in ${CA_CERT_PEM} -noout -text
+}
+
+function generateServerKey() {
+    echo "-------------------------------"
+    echo " generateServerKey"
+    echo "-------------------------------"
+    rm -f "${DIRNAME}/${SERVER_KEY_PEM}" "${DIRNAME}/${SERVER_REQ_PEM}" "${DIRNAME}/${SERVER_CERT_PEM}"
+
+    # 2. Generate web server's private key and certificate signing request (CSR)
+    openssl req -newkey rsa:4096 -sha256 -nodes -keyout "${DIRNAME}/${SERVER_KEY_PEM}" -out "${DIRNAME}/${SERVER_REQ_PEM}" -subj ${SUBJECT} 2> /dev/null
+}
+
+function generateServer() {
+    echo "-------------------------------"
+    echo " generateServer"
+    echo "-------------------------------"
+    rm -f "${DIRNAME}/${SERVER_CERT_PEM}"
+
+    # 3. Use CA's private key to sign web server's CSR and get back the signed certificate
+    openssl x509 -req -in "${DIRNAME}/${SERVER_REQ_PEM}" -sha256 -days ${SERVER_DAYS} -CA ${CA_CERT_PEM} -CAkey ${CA_KEY_PEM} -CAcreateserial -out "${DIRNAME}/${SERVER_CERT_PEM}" -extfile ${SERVER_EXT_CNF} 2> /dev/null
+
+    #echo "Server's signed certificate"
+    #openssl x509 -in ${SERVER_CERT_PEM} -noout -text
+}
+
+if [ ! -f ${CA_KEY_PEM} ]; then
+	generateCA
+else
+    echo "CA: use existing CERT"
+fi
+
+if [ ! -f "${DIRNAME}/${SERVER_KEY_PEM}" ]; then
+	generateServerKey
+else
+    echo "Server: use existing Server Key"
+fi
+
+if [ ! -f "${DIRNAME}/${SERVER_CERT_PEM}" ]; then
+    generateServer
+else
+    echo "Server: use existing Server CERT"
+fi
+
+echo '--------------------------------'
+./read_tls.sh ${DIRNAME}
+echo '--------------------------------'
+echo 'DONE'

cert/read_tls.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+SVR_KEY="tls_lspd.key"
+SVR_CERT="tls_lspd.cert"
+CA_CERT="tls_ca.cert"
+
+if [ $# -ne 1 ]; then
+    echo "usage: $0 DIRNAME"
+    exit 0
+fi
+
+DIRNAME=$1
+
+echo for server
+echo
+echo USE_LSP_TLS=TRUE
+echo "LSP_KEY=\"`cat "${DIRNAME}/${SVR_KEY}" | perl -pe 's/\n/\\\\n/g'`\""
+echo "LSP_CERT=\"`cat "${DIRNAME}/${SVR_CERT}" | perl -pe 's/\n/\\\\n/g'`\""
+echo
+echo
+echo for client
+echo
+echo \'`cat ${CA_CERT} | perl -pe 's/\n/\\\\n/g'`\'
+echo
+echo

cert/tls.conf

@@ -0,0 +1 @@
+subjectAltName=DNS:localhost,IP:0.0.0.0

cert/update-lsp-cert.sh

@@ -0,0 +1,41 @@
+#!/bin/bash -e
+
+SERVER_DAYS=365
+
+CA_KEY_PEM="tls_ca.key"
+CA_CERT_PEM="tls_ca.cert"
+SERVER_REQ_PEM="tls_lspd.req"
+SERVER_CERT_PEM="tls_lspd.cert"
+SERVER_EXT_CNF="tls.conf"
+
+if [ $# -ne 1 ]; then
+    echo "usage: $0 DIRNAME"
+    exit 1
+fi
+
+DIRNAME=$1
+if [ ! -d ${DIRNAME} ]; then
+    echo "not exist directory: $DIRNAME"
+    exit 1
+fi
+if [ ! -f "${DIRNAME}/${SERVER_CERT_PEM}" ]; then
+    echo "not exist CERT file: ${DIRNAME}/${SERVER_CERT_PEM}"
+    exit 1
+fi
+
+function generateServer() {
+    mv ${DIRNAME}/${SERVER_CERT_PEM} ${DIRNAME}/${SERVER_CERT_PEM}.bak.`date +"%Y%m%d%H%M%S"`
+
+    # Use CA's private key to sign web server's CSR and get back the signed certificate
+    openssl x509 -req -in "${DIRNAME}/${SERVER_REQ_PEM}" -sha256 -days ${SERVER_DAYS} -CA ${CA_CERT_PEM} -CAkey ${CA_KEY_PEM} -CAcreateserial -out "${DIRNAME}/${SERVER_CERT_PEM}" -extfile ${SERVER_EXT_CNF} 2> /dev/null
+
+    # Output new expiry date
+    openssl x509 -noout -dates -in ${DIRNAME}/${SERVER_CERT_PEM}
+}
+
+generateServer
+
+echo '--------------------------------'
+echo "LSP_CERT=\"`cat "${DIRNAME}/${SERVER_CERT_PEM}" | perl -pe 's/\n/\\\\n/g'`\""
+echo '--------------------------------'
+echo 'Please update LSP_CERT in lspd.env file.'