diff options
| author | Paul Cristian Sarbu <paul.cristian.sarbu@huawei.com> | 2024-07-02 16:47:13 +0200 |
|---|---|---|
| committer | Paul Cristian Sarbu <paul.cristian.sarbu@huawei.com> | 2024-07-04 16:05:08 +0200 |
| commit | c2f7ead468d5e65c57e7ecb49d7fbba4254c46b7 (patch) | |
| tree | b96ce2e63d9d6a2d486cb4133c290187156b97ac /src/buildtool/main/main.cpp | |
| parent | 0d60cd9ba4a5c18b01b6ef996434953071f0576e (diff) | |
| download | justbuild-c2f7ead468d5e65c57e7ecb49d7fbba4254c46b7.tar.gz | |
Replace the Auth and Auth::TLS singletons
Use a builder pattern for creation and validation, in a manner that
allows also other authentication methods to be added in the future
besides the current TLS/SSL.
The main Auth instances are built early and then passed by not_null
const pointers, to avoid passing temporaries, replacing the previous
Auth::TLS instances passed by simple nullable const pointers. Where
needed, these passed Auth instances are also stored, by const ref.
Tests also build Auth instances as needed, either with the default
'no certification' or from the test environment arguments.
Diffstat (limited to 'src/buildtool/main/main.cpp')
| -rw-r--r-- | src/buildtool/main/main.cpp | 94 |
1 files changed, 30 insertions, 64 deletions
diff --git a/src/buildtool/main/main.cpp b/src/buildtool/main/main.cpp index cd073847..0e72890a 100644 --- a/src/buildtool/main/main.cpp +++ b/src/buildtool/main/main.cpp @@ -184,66 +184,32 @@ void SetupExecutionConfig(EndpointArguments const& eargs, return std::nullopt; } -void SetupAuthConfig(CommonAuthArguments const& authargs, - ClientAuthArguments const& client_authargs, - ServerAuthArguments const& server_authargs) { - auto use_tls = false; - if (authargs.tls_ca_cert) { - use_tls = true; - if (not Auth::TLS::Instance().SetCACertificate(*authargs.tls_ca_cert)) { - Logger::Log(LogLevel::Error, - "Could not read '{}' certificate.", - authargs.tls_ca_cert->string()); - std::exit(kExitFailure); - } - } - if (client_authargs.tls_client_cert) { - use_tls = true; - if (not Auth::TLS::Instance().SetClientCertificate( - *client_authargs.tls_client_cert)) { - Logger::Log(LogLevel::Error, - "Could not read '{}' certificate.", - client_authargs.tls_client_cert->string()); - std::exit(kExitFailure); - } - } - if (client_authargs.tls_client_key) { - use_tls = true; - if (not Auth::TLS::Instance().SetClientKey( - *client_authargs.tls_client_key)) { - Logger::Log(LogLevel::Error, - "Could not read '{}' key.", - client_authargs.tls_client_key->string()); - std::exit(kExitFailure); +[[nodiscard]] auto CreateAuthConfig( + CommonAuthArguments const& authargs, + ClientAuthArguments const& client_authargs, + ServerAuthArguments const& server_authargs) noexcept + -> std::optional<Auth> { + Auth::TLS::Builder tls_builder; + tls_builder.SetCACertificate(authargs.tls_ca_cert) + .SetClientCertificate(client_authargs.tls_client_cert) + .SetClientKey(client_authargs.tls_client_key) + .SetServerCertificate(server_authargs.tls_server_cert) + .SetServerKey(server_authargs.tls_server_key); + + // create auth config (including validation) + auto result = tls_builder.Build(); + if (result) { + if (*result) { + // correctly configured TLS/SSL certification + return *std::move(*result); } + Logger::Log(LogLevel::Error, result->error()); + return std::nullopt; } - if (server_authargs.tls_server_cert) { - use_tls = true; - if (not Auth::TLS::Instance().SetServerCertificate( - *server_authargs.tls_server_cert)) { - Logger::Log(LogLevel::Error, - "Could not read '{}' certificate.", - server_authargs.tls_server_cert->string()); - std::exit(kExitFailure); - } - } - if (server_authargs.tls_server_key) { - use_tls = true; - if (not Auth::TLS::Instance().SetServerKey( - *server_authargs.tls_server_key)) { - Logger::Log(LogLevel::Error, - "Could not read '{}' key.", - server_authargs.tls_server_key->string()); - std::exit(kExitFailure); - } - } - - if (use_tls) { - if (not Auth::TLS::Instance().Validate()) { - std::exit(kExitFailure); - } - } + // no TLS/SSL configuration was given, and we currently support no other + // certification method, so return an empty config (no certification) + return Auth{}; } void SetupExecutionServiceConfig(ServiceArguments const& args) { @@ -812,10 +778,10 @@ auto main(int argc, char* argv[]) -> int { return kExitFailure; } - SetupAuthConfig(arguments.auth, arguments.cauth, arguments.sauth); - std::optional<Auth::TLS> auth = {}; - if (Auth::Instance().GetAuthMethod() == AuthMethod::kTLS) { - auth = Auth::TLS::Instance(); + auto auth_config = + CreateAuthConfig(arguments.auth, arguments.cauth, arguments.sauth); + if (not auth_config) { + return kExitFailure; } if (arguments.cmd == SubCommand::kGc) { @@ -829,7 +795,7 @@ auto main(int argc, char* argv[]) -> int { if (arguments.cmd == SubCommand::kExecute) { SetupExecutionServiceConfig(arguments.service); ApiBundle const exec_apis{/*repo_config=*/nullptr, - auth ? &*auth : nullptr, + &*auth_config, RemoteExecutionConfig::RemoteAddress()}; if (!ServerImpl::Instance().Run(exec_apis)) { return kExitFailure; @@ -846,7 +812,7 @@ auto main(int argc, char* argv[]) -> int { if (serve_server) { ApiBundle const serve_apis{ /*repo_config=*/nullptr, - auth ? &*auth : nullptr, + &*auth_config, RemoteExecutionConfig::RemoteAddress()}; auto serve = ServeApi::Create(*serve_config, &serve_apis); bool with_execute = not RemoteExecutionConfig::RemoteAddress(); @@ -899,7 +865,7 @@ auto main(int argc, char* argv[]) -> int { std::exit(kExitFailure); } ApiBundle const main_apis{&repo_config, - auth ? &*auth : nullptr, + &*auth_config, RemoteExecutionConfig::RemoteAddress()}; GraphTraverser const traverser{ {jobs, |