chore: optimize hijack ca format (#3418)

jim3ma · web-flow · commit 9698903499e5 · 2024-08-06T14:46:52.000+08:00
* chore: optimize hijack ca format

Signed-off-by: Jim Ma &lt;majinjing3@gmail.com&gt;

* chore: fix cert leaf

Signed-off-by: Jim Ma &lt;majinjing3@gmail.com&gt;

* fix: unit test

Signed-off-by: Jim Ma &lt;majinjing3@gmail.com&gt;

---------

Signed-off-by: Jim Ma &lt;majinjing3@gmail.com&gt;
diff --git a/client/config/peerhost.go b/client/config/peerhost.go
@@ -920,8 +920,8 @@ func (r *Regexp) MarshalYAML() (any, error) {
 
 // HijackConfig represents how dfdaemon hijacks http requests.
 type HijackConfig struct {
-	Cert  string             `yaml:"cert" mapstructure:"cert"`
-	Key   string             `yaml:"key" mapstructure:"key"`
+	Cert  types.PEMContent   `yaml:"cert" mapstructure:"cert"`
+	Key   types.PEMContent   `yaml:"key" mapstructure:"key"`
 	Hosts []*HijackHost      `yaml:"hosts" mapstructure:"hosts"`
 	SNI   []*TCPListenOption `yaml:"sni" mapstructure:"sni"`
 }
diff --git a/client/config/peerhost_test.go b/client/config/peerhost_test.go
@@ -470,8 +470,8 @@ func TestPeerHostOption_Load(t *testing.T) {
 				},
 			},
 			HijackHTTPS: &HijackConfig{
-				Cert: "./testdata/certs/sca.crt",
-				Key:  "./testdata/certs/sca.key",
+				Cert: types.PEMContent(_cert),
+				Key:  types.PEMContent(_key),
 				Hosts: []*HijackHost{
 					{
 						Regx:     hijackExp,
diff --git a/client/config/testdata/certs/sca.crt b/client/config/testdata/certs/sca.crt
@@ -17,4 +17,4 @@ A5l000dtHekhk+DO2tjQgEKg5+EYMYoki5mEkSbyHkMMY8D6w5A130fpw10ZeN1z
 B/v/1PiVkZfu1kbnTZICQDsb4xI/2Sw2x0qKXp1oYzIDt8fZATNJgWhzv47xLLXF
 XQM7Yj0HQ3txAi6qOMDw1sYf/TEc1k4VC9J//QJb5/kNnWcAheLPCm3D1+CnAxcD
 vL928p4GmUIGbzxm3/WbWfLosSwxq5y4P5bbEd3niM4=
------END CERTIFICATE-----
+-----END CERTIFICATE-----
diff --git a/client/config/testdata/certs/sca.key b/client/config/testdata/certs/sca.key
@@ -24,4 +24,4 @@ fbR5XmFsuzmdL0zRIt6+mtDjfqHHYA2avzwvRaBWVprzS8/ISTqJSEs/NWSYuAsP
 tjPw2QKBgQCB+sS2lio/sTAQzsYTe/GNmxsL1lKO+yRsTPRRjzcm3ZdOsPgkFDx/
 ZCL9Lsp7TqOLOghLGdYj9a45GrXwmEeJo5P9c1y+G9PSzFDMBUyseWmDvrcvYwWo
 JMfrfs6pHtZ828AbnT2kfnFv6zok2ns6vE2gme/a9Z/RCjVXyJwF5w==
------END RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
diff --git a/client/daemon/proxy/proxy_manager.go b/client/daemon/proxy/proxy_manager.go
@@ -98,20 +98,20 @@ func NewProxyManager(peerHost *schedulerv1.PeerHost, peerTaskManager peer.TaskMa
 			if r.Direct {
 				method = "directly"
 			}
-			scheme := ""
+			prompt := ""
 			if r.UseHTTPS {
-				scheme = "and force https"
+				prompt = " and force https"
 			}
-			logger.Infof("[%d] proxy %s %s %s", i+1, r.Regx, method, scheme)
+			logger.Infof("[%d] proxy %s %s%s", i+1, r.Regx, method, prompt)
 		}
 	}
 
 	if hijackHTTPS != nil {
 		options = append(options, WithHTTPSHosts(hijackHTTPS.Hosts...))
 		if hijackHTTPS.Cert != "" && hijackHTTPS.Key != "" {
-			cert, err := certFromFile(hijackHTTPS.Cert, hijackHTTPS.Key)
+			cert, err := certFromFile(string(hijackHTTPS.Cert), string(hijackHTTPS.Key))
 			if err != nil {
-				return nil, fmt.Errorf("cert from file: %w", err)
+				return nil, fmt.Errorf("load cert error: %w", err)
 			}
 			if cert.Leaf != nil && cert.Leaf.IsCA {
 				logger.Debugf("hijack https request with CA <%s>", cert.Leaf.Subject.CommonName)
@@ -174,13 +174,14 @@ func (pm *proxyManager) Watch(opt *config.ProxyOption) {
 	}
 }
 
-func certFromFile(certFile string, keyFile string) (*tls.Certificate, error) {
+func certFromFile(certPEM string, keyPEM string) (*tls.Certificate, error) {
 	// cert.Certificate is a chain of one or more certificates, leaf first.
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
 	if err != nil {
 		return nil, fmt.Errorf("load cert: %w", err)
 	}
-	logger.Infof("use self-signed certificate (%s, %s) for https hijacking", certFile, keyFile)
+
+	logger.Infof("use self-signed certificate for https hijacking")
 
 	// leaf is CA cert or server cert
 	leaf, err := x509.ParseCertificate(cert.Certificate[0])

Original file line number	Diff line number	Diff line change
`@@ -98,20 +98,20 @@ func NewProxyManager(peerHost *schedulerv1.PeerHost, peerTaskManager peer.TaskMa`
`98`	`98`	`if r.Direct {`
`99`	`99`	`method = "directly"`
`100`	`100`	`}`
`101`		`- scheme := ""`
	`101`	`+ prompt := ""`
`102`	`102`	`if r.UseHTTPS {`
`103`		`- scheme = "and force https"`
	`103`	`+ prompt = " and force https"`
`104`	`104`	`}`
`105`		`- logger.Infof("[%d] proxy %s %s %s", i+1, r.Regx, method, scheme)`
	`105`	`+ logger.Infof("[%d] proxy %s %s%s", i+1, r.Regx, method, prompt)`
`106`	`106`	`}`
`107`	`107`	`}`
`108`	`108`
`109`	`109`	`if hijackHTTPS != nil {`
`110`	`110`	`options = append(options, WithHTTPSHosts(hijackHTTPS.Hosts...))`
`111`	`111`	`if hijackHTTPS.Cert != "" && hijackHTTPS.Key != "" {`
`112`		`- cert, err := certFromFile(hijackHTTPS.Cert, hijackHTTPS.Key)`
	`112`	`+ cert, err := certFromFile(string(hijackHTTPS.Cert), string(hijackHTTPS.Key))`
`113`	`113`	`if err != nil {`
`114`		`- return nil, fmt.Errorf("cert from file: %w", err)`
	`114`	`+ return nil, fmt.Errorf("load cert error: %w", err)`
`115`	`115`	`}`
`116`	`116`	`if cert.Leaf != nil && cert.Leaf.IsCA {`
`117`	`117`	`logger.Debugf("hijack https request with CA <%s>", cert.Leaf.Subject.CommonName)`
`@@ -174,13 +174,14 @@ func (pm proxyManager) Watch(opt config.ProxyOption) {`
`174`	`174`	`}`
`175`	`175`	`}`
`176`	`176`
`177`		`-func certFromFile(certFile string, keyFile string) (*tls.Certificate, error) {`
	`177`	`+func certFromFile(certPEM string, keyPEM string) (*tls.Certificate, error) {`
`178`	`178`	`// cert.Certificate is a chain of one or more certificates, leaf first.`
`179`		`- cert, err := tls.LoadX509KeyPair(certFile, keyFile)`
	`179`	`+ cert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))`
`180`	`180`	`if err != nil {`
`181`	`181`	`return nil, fmt.Errorf("load cert: %w", err)`
`182`	`182`	`}`
`183`		`- logger.Infof("use self-signed certificate (%s, %s) for https hijacking", certFile, keyFile)`
	`183`	`+`
	`184`	`+ logger.Infof("use self-signed certificate for https hijacking")`
`184`	`185`
`185`	`186`	`// leaf is CA cert or server cert`
`186`	`187`	`leaf, err := x509.ParseCertificate(cert.Certificate[0])`