From 44ddbd789297f6c2379dd494308ec4b87fbd4af5 Mon Sep 17 00:00:00 2001
From: simonzhangsz
Date: Wed, 10 Jan 2024 10:11:20 +0800
Subject: [PATCH] fix: https enhancement

---
 config/etc/default/restconf.yaml | 4 ++++
 restagent/config/config.go | 26 ++++++++++++++------------
 restagent/etc/restconf.yaml | 4 ++++
 restagent/restagent.go | 20 ++++++++++----------
 4 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/config/etc/default/restconf.yaml b/config/etc/default/restconf.yaml
index 85117d15..5d5d2bfe 100644
--- a/config/etc/default/restconf.yaml
+++ b/config/etc/default/restconf.yaml
@@ -10,6 +10,8 @@ logger:
 # rest agent listen ipv4/v6 and port, support multiple routines
 # ip: 0.0.0.0 or ::0, support IPv4/v6
+# clientAuthType: 0:NoClientCert (default), 1:RequestClientCert, 2:RequireAnyClientCert,
+# 3:VerifyClientCertIfGiven, 4:RequireAndVerifyClientCerts
 rest:
 - ipv4: 0.0.0.0
 ipv6:
@@ -18,6 +20,7 @@ rest:
 ipv6:
 port: 3443
 schema: https
+ clientAuthType: 0
 caFile: /usr/local/omc/etc/certs/omc-ca.crt
 certFile: /usr/local/omc/etc/certs/omc-server.crt
 keyFile: /usr/local/omc/etc/certs/omc-server.key
@@ -30,6 +33,7 @@ webServer:
 schema: http
 - addr: :443
 schema: https
+ clientAuthType: 0
 caFile: /usr/local/omc/etc/certs/omc-ca.crt
 certFile: /usr/local/omc/etc/certs/omc-server.crt
 keyFile: /usr/local/omc/etc/certs/omc-server.key
diff --git a/restagent/config/config.go b/restagent/config/config.go
index c4281b7b..e99724d8 100644
--- a/restagent/config/config.go
+++ b/restagent/config/config.go
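Review bot: The name given for value 4 in the new comment does not match the crypto/tls constant it stands for; tls.ClientAuthType has `RequireAndVerifyClientCert` (singular), so the second added line should read `# 3:VerifyClientCertIfGiven, 4:RequireAndVerifyClientCert`. The identical text is added to restagent/etc/restconf.yaml in this commit and needs the same correction. An operator deciding whether to turn on mutual TLS will look this name up in the Go documentation, so the exact spelling is worth getting right.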
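Review bot: The new `clientAuthType: 0` in the second hunk sits under a listener whose scheme key is spelled `schema: https`, while the struct in restagent/config/config.go decodes the field from `yaml:"scheme"`; if that struct is what loads this file, Scheme decodes as empty, main() takes its non-https branch, and the caFile/certFile/keyFile and the new client-auth setting for this entry are never applied. The webServer hunk below (`- addr: :443` followed by `schema: https`) has the same spelling, whereas restagent/etc/restconf.yaml uses `scheme: https`. Suggest `scheme: https` in both places here, and separately a load-time check that a listener carrying TLS file paths but no https scheme is rejected instead of being served in the clear.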
@@ -31,24 +31,26 @@ type YamlConfig struct {
 } `yaml:"logger"`
 Rest []struct {
- IPv4 string `yaml:"ipv4"`
- IPv6 string `yaml:"ipv6"`
- Port uint16 `yaml:"port"`
- Scheme string `yaml:"scheme"`
- CaFile string `yaml:"caFile"`
- CertFile string `yaml:"certFile"`
- KeyFile string `yaml:"keyFile"`
+ IPv4 string `yaml:"ipv4"`
+ IPv6 string `yaml:"ipv6"`
+ Port uint16 `yaml:"port"`
+ Scheme string `yaml:"scheme"`
+ ClientAuthType int `yaml:"clientAuthType"`
+ CaFile string `yaml:"caFile"`
+ CertFile string `yaml:"certFile"`
+ KeyFile string `yaml:"keyFile"`
 } `yaml:"rest"`
 WebServer struct {
 Enabled bool `yaml:"enabled"`
 RootDir string `yaml:"rootDir"`
 Listen []struct {
- Addr string `yaml:"addr"`
- Scheme string `yaml:"scheme"`
- CaFile string `yaml:"caFile"`
- CertFile string `yaml:"certFile"`
- KeyFile string `yaml:"keyFile"`
+ Addr string `yaml:"addr"`
+ Scheme string `yaml:"scheme"`
+ ClientAuthType int `yaml:"clientAuthType"`
+ CaFile string `yaml:"caFile"`
+ CertFile string `yaml:"certFile"`
+ KeyFile string `yaml:"keyFile"`
 } `yaml:"listen"`
 } `yaml:"webServer"`
diff --git a/restagent/etc/restconf.yaml b/restagent/etc/restconf.yaml
index 589955d6..e4c46c8d 100644
--- a/restagent/etc/restconf.yaml
+++ b/restagent/etc/restconf.yaml
@@ -10,6 +10,8 @@ logger:
 # rest agent listen ipv4/v6 and port, support multiple routines
 # ip: 0.0.0.0 or ::0, support IPv4/v6
+# clientAuthType: 0:NoClientCert (default), 1:RequestClientCert, 2:RequireAnyClientCert,
+# 3:VerifyClientCertIfGiven, 4:RequireAndVerifyClientCerts
 rest:
 - ipv4: 0.0.0.0
 ipv6:
@@ -18,6 +20,7 @@ rest:
 ipv6:
 port: 3443
 scheme: https
+ clientAuthType: 0
 caFile: ./etc/certs/omc-ca.crt
 certFile: ./etc/certs/omc-server.crt
 keyFile: ./etc/certs/omc-server.key
@@ -30,6 +33,7 @@ webServer:
 schema: http
 - addr: :443
 scheme: https
+ clientAuthType: 0
 caFile: ./etc/certs/omc-ca.crt
 certFile: ./etc/certs/omc-server.crt
 keyFile: ./etc/certs/omc-server.key
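Review bot: The two new `ClientAuthType int` fields are decoded with no constraint and carry no documentation, while the only description of their legal values lives in a YAML comment; an absent or mistyped key decodes as 0, which restagent.go turns into tls.NoClientCert, so a configuration error silently switches client-certificate enforcement off on a listener that was meant to require it. Suggest a field comment on both, e.g. `// ClientAuthType is converted to tls.ClientAuthType (0 NoClientCert … 4 RequireAndVerifyClientCert); absent means 0.`, and, wherever this struct is decoded (outside this hunk), a check that rejects values outside that range before any listener starts. Logging the effective mode per listener at startup would make the deployed setting visible to an operator.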
diff --git a/restagent/restagent.go b/restagent/restagent.go
index bb8811c0..26be20ec 100644
--- a/restagent/restagent.go
+++ b/restagent/restagent.go
@@ -74,8 +74,8 @@ func HttpListen(addr string, router http.Handler) {
 }
 }
-func HttpListenTLS(addr, caFile, certFile, keyFile string, router http.Handler) {
- HttpListenConfigTLS(addr, caFile, certFile, keyFile, router)
+func HttpListenTLS(addr, caFile, certFile, keyFile string, clientAuthType int, router http.Handler) {
+ HttpListenConfigTLS(addr, caFile, certFile, keyFile, clientAuthType, router)
 err := http.ListenAndServeTLS(addr, certFile, keyFile, router)
 if err != nil {
 fmt.Println("ListenAndServeTLS err:", err)
@@ -83,7 +83,7 @@ func HttpListenTLS(addr, caFile, certFile, keyFile string, router http.Handler)
 }
 }
-func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Handler) {
+func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, clientAuthType int, router http.Handler) {
 // 加载根证书
 caCert, err := os.ReadFile(caFile)
 if err != nil {
@@ -97,7 +97,7 @@ func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Han
 MinVersion: tls.VersionTLS10,
 MaxVersion: tls.VersionTLS13,
 ClientCAs: caCertPool,
- //ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientAuth: tls.ClientAuthType(clientAuthType),
 }
 // 创建HTTP服务器
@@ -114,8 +114,8 @@ func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, router http.Han
 }
 }
-func HttpListenWebServerTLS(addr, caFile, certFile, keyFile string) {
- HttpListenConfigTLS(addr, caFile, certFile, keyFile, nil)
+func HttpListenWebServerTLS(addr, caFile, certFile, keyFile string, clientAuthType int) {
+ HttpListenConfigTLS(addr, caFile, certFile, keyFile, clientAuthType, nil)
 err := http.ListenAndServeTLS(addr, certFile, keyFile, nil)
 if err != nil {
 fmt.Println("ListenAndServeTLS err:", err)
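Review bot: The new clientAuthType is threaded only into the first call of HttpListenTLS; the `err := http.ListenAndServeTLS(addr, certFile, keyFile, router)` on the next context line uses the package default TLS configuration, which carries no ClientCAs and defaults to tls.NoClientCert. If HttpListenConfigTLS serves on addr and returns when it hits an error (its body starts in the following hunk and ends outside this view, so that is inferred from the `// 创建HTTP服务器` comment and the error branches), this second call would then bring the listener up without client-certificate checks, a quiet downgrade for a listener configured with mode 4. HttpListenWebServerTLS in the last hunk of this file has exactly the same shape. Either drop the fallback or have it serve from the same tls.Config, and print which client-auth mode is actually in effect alongside the existing `fmt.Println("ListenAndServeTLS err:", err)` logging.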
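Review bot: `ClientAuth: tls.ClientAuthType(clientAuthType)` converts the configuration integer with no range check. crypto/tls compares ClientAuth with >= against RequestClientCert and VerifyClientCertIfGiven and treats only RequireAnyClientCert and RequireAndVerifyClientCert as requiring a certificate, so an out-of-range value such as 5 or -1 is not an error: it behaves like VerifyClientCertIfGiven or NoClientCert respectively, and a typo in the YAML weakens the listener without any message. Reject anything outside tls.NoClientCert..tls.RequireAndVerifyClientCert before the tls.Config is built, using the same print-and-return style the surrounding functions use; HttpListenConfigTLS starts and ends outside this hunk. The context line `MinVersion: tls.VersionTLS10` on the same config is pre-existing and worth a separate follow-up.
```go
func HttpListenConfigTLS(addr, caFile, certFile, keyFile string, clientAuthType int, router http.Handler) {
	// Refuse values that do not name a tls.ClientAuthType; the conversion
	// below would otherwise accept them and silently behave like a weaker mode.
	if clientAuthType < int(tls.NoClientCert) || clientAuthType > int(tls.RequireAndVerifyClientCert) {
		fmt.Println("invalid clientAuthType:", clientAuthType)
		return
	}
	// … unchanged: CA file load, cert pool, tls.Config (ClientAuth set from the validated value), server start …
```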
@@ -194,7 +194,7 @@ func main() {
 if rest.IPv4 != "" {
 listen := rest.IPv4 + ":" + strconv.Itoa(int(rest.Port))
 if strings.ToLower(rest.Scheme) == "https" {
- go HttpListenTLS(listen, rest.CaFile, rest.CertFile, rest.KeyFile, app)
+ go HttpListenTLS(listen, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
 } else {
 go HttpListen(listen, app)
 }
@@ -203,7 +203,7 @@ func main() {
 // 默认启动localhost侦听
 listenLocal := "127.0.0.1" + ":" + strconv.Itoa(int(rest.Port))
 if strings.ToLower(rest.Scheme) == "https" {
- go HttpListenTLS(listenLocal, rest.CaFile, rest.CertFile, rest.KeyFile, app)
+ go HttpListenTLS(listenLocal, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
 } else {
 go HttpListen(listenLocal, app)
 }
@@ -212,7 +212,7 @@ func main() {
 if rest.IPv6 != "" {
 listenv6 := "[" + rest.IPv6 + "]" + ":" + strconv.Itoa(int(rest.Port))
 if strings.ToLower(rest.Scheme) == "https" {
- go HttpListenTLS(listenv6, rest.CaFile, rest.CertFile, rest.KeyFile, app)
+ go HttpListenTLS(listenv6, rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType, app)
 } else {
 go HttpListen(listenv6, app)
 }
@@ -234,7 +234,7 @@ func main() {
 http.Handle("/", fs)
 for _, listen := range conf.WebServer.Listen {
 if strings.ToLower(listen.Scheme) == "https" {
- go HttpListenWebServerTLS(listen.Addr, listen.CaFile, listen.CertFile, listen.KeyFile)
+ go HttpListenWebServerTLS(listen.Addr, listen.CaFile, listen.CertFile, listen.KeyFile, listen.ClientAuthType)
 } else {
 go HttpListenWebServer(listen.Addr)
 }
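Review bot: Each of the four https branches in these hunks now passes the same run of positional values from one config entry (`rest.CaFile, rest.CertFile, rest.KeyFile, rest.ClientAuthType`, and the listen.* equivalents at -234), so this commit had to touch every call site and the next TLS setting will again. Because caFile, certFile and keyFile share a type, the compiler cannot catch a swapped argument at any of these sites; a small named options type (or passing the listener entry itself) handed to HttpListenTLS/HttpListenWebServerTLS would make such a mistake impossible and reduce a change like this to one line. The repeated `strings.ToLower(rest.Scheme) == "https"` at -194, -203 and -212 could be computed once per entry. main() starts and ends outside these hunks.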