1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
|
// Copyright (c) 2019-2020, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the LICENSE.md file
// distributed with the sources of this project regarding your rights to use or distribute this
// software.
package client
import (
"context"
"errors"
"fmt"
"io"
"net"
"net/http"
"net/url"
"strings"
)
const (
schemeHTTP = "http"
schemeHTTPS = "https"
schemeHKP = "hkp"
schemeHKPS = "hkps"
)
// errUnsupportedProtocolScheme is returned when an unsupported protocol scheme is encountered.
var errUnsupportedProtocolScheme = errors.New("unsupported protocol scheme")
// ErrTLSRequired is returned when an auth token is supplied with a non-TLS BaseURL.
var ErrTLSRequired = errors.New("TLS required when auth token provided")
// normalizeURL normalizes rawURL, translating HKP/HKPS schemes to HTTP/HTTPS respectively, and
// ensures the path component is terminated with a separator.
func normalizeURL(rawURL string) (*url.URL, error) {
u, err := url.Parse(rawURL)
if err != nil {
return nil, err
}
switch u.Scheme {
case schemeHTTP, schemeHTTPS:
break
case schemeHKP:
// The HKP scheme is HTTP and implies port 11371.
u.Scheme = schemeHTTP
if u.Port() == "" {
u.Host = net.JoinHostPort(u.Hostname(), "11371")
}
case schemeHKPS:
// The HKPS scheme is HTTPS and implies port 443.
u.Scheme = schemeHTTPS
default:
return nil, fmt.Errorf("%w %s", errUnsupportedProtocolScheme, u.Scheme)
}
// Ensure path is terminated with a separator, to prevent url.ResolveReference from stripping
// the final path component of BaseURL when constructing request URL from a relative path.
if !strings.HasSuffix(u.Path, "/") {
u.Path += "/"
}
return u, nil
}
// clientOptions describes the options for a Client.
type clientOptions struct {
baseURL string
bearerToken string
userAgent string
httpClient *http.Client
}
// Option are used to populate co.
type Option func(co *clientOptions) error
// OptBaseURL sets the base URL of the key server to url. The supported URL schemes are "http",
// "https", "hkp", and "hkps".
func OptBaseURL(url string) Option {
return func(co *clientOptions) error {
co.baseURL = url
return nil
}
}
// OptBearerToken sets the bearer token to include in the "Authorization" header of each request.
func OptBearerToken(token string) Option {
return func(co *clientOptions) error {
co.bearerToken = token
return nil
}
}
// OptUserAgent sets the HTTP user agent to include in the "User-Agent" header of each request.
func OptUserAgent(agent string) Option {
return func(co *clientOptions) error {
co.userAgent = agent
return nil
}
}
// OptHTTPClient sets the client to use to make HTTP requests.
func OptHTTPClient(c *http.Client) Option {
return func(co *clientOptions) error {
co.httpClient = c
return nil
}
}
const defaultBaseURL = "https://keys.openpgp.org/"
// Client describes the client details.
type Client struct {
baseURL *url.URL // Parsed base URL.
bearerToken string // Bearer token to include in "Authorization" header.
userAgent string // Value to include in "User-Agent" header.
httpClient *http.Client // Client to use for HTTP requests.
}
// NewClient returns a Client to interact with an HKP key server according to opts.
//
// By default, the Sylabs Key Service is used. To override this behaviour, use OptBaseURL. If the
// key server requires authentication, consider using OptBearerToken.
//
// If a bearer token is specified with a non-localhost base URL that does not utilize Transport
// Layer Security (TLS), an error wrapping ErrTLSRequired is returned.
func NewClient(opts ...Option) (*Client, error) {
co := clientOptions{
baseURL: defaultBaseURL,
httpClient: http.DefaultClient,
}
// Apply options.
for _, opt := range opts {
if err := opt(&co); err != nil {
return nil, fmt.Errorf("%w", err)
}
}
c := Client{
bearerToken: co.bearerToken,
userAgent: co.userAgent,
httpClient: co.httpClient,
}
// Normalize base URL.
u, err := normalizeURL(co.baseURL)
if err != nil {
return nil, fmt.Errorf("%w", err)
}
c.baseURL = u
// If auth token is used, verify TLS.
if c.bearerToken != "" && c.baseURL.Scheme != schemeHTTPS && c.baseURL.Hostname() != "localhost" {
return nil, fmt.Errorf("%w", ErrTLSRequired)
}
return &c, nil
}
// NewRequest returns a new Request given a method, ref, and optional body.
//
// The context controls the entire lifetime of a request and its response: obtaining a connection,
// sending the request, and reading the response headers and body.
func (c *Client) NewRequest(ctx context.Context, method string, ref *url.URL, body io.Reader) (*http.Request, error) {
u := c.baseURL.ResolveReference(ref)
r, err := http.NewRequestWithContext(ctx, method, u.String(), body)
if err != nil {
return nil, fmt.Errorf("%v", err)
}
if v := c.bearerToken; v != "" {
r.Header.Set("Authorization", fmt.Sprintf("BEARER %s", v))
}
if v := c.userAgent; v != "" {
r.Header.Set("User-Agent", v)
}
return r, nil
}
// Do sends an HTTP request and returns an HTTP response.
func (c *Client) Do(req *http.Request) (*http.Response, error) {
return c.httpClient.Do(req)
}
|
