in pkg/authority/v1alpha1/authority.go [38:106]
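// CreateIdentity signs the CSR carried in req for the endpoint derived from
// the caller's context and returns the signed certificate, a JWT issued for
// that endpoint, and the trust bundle (trusted certificates plus the public
// keys that verify tokens). Validation and signing problems are reported in
// the response (Success=false, Message set); the returned error is nil on
// every path below, so callers must inspect Success.
//
// Parameters:
//   c   - gRPC request context; used to identify the peer and its endpoint.
//   req - request whose Csr field holds the encoded CSR.
//
// Returns the populated *IdentityResponse and a nil error.
func (s *AuthorityServiceImpl) CreateIdentity(
	c context.Context,
	req *IdentityRequest,
) (*IdentityResponse, error) {
	// A nil request is treated like an empty CSR rather than dereferenced.
	if req == nil || req.Csr == "" {
		return &IdentityResponse{
			Success: false,
			Message: "CSR is empty.",
		}, nil
	}
	csr, err := cert.LoadCSR(req.Csr)
	if csr == nil || err != nil {
		return &IdentityResponse{
			Success: false,
			Message: "Decode csr failed.",
		}, nil
	}
	// The peer may be absent from the context (in-process or test callers);
	// resolve the address once so the log lines below never dereference a
	// nil *peer.Peer.
	remoteAddr := peerAddrString(c)
	endpoint, err := ExactEndpoint(c, s.CertStorage, s.Options, s.KubeClient)
	if err != nil {
		logger.Sugar().Warnf("Failed to exact endpoint from context: %v. RemoteAddr: %s", err, remoteAddr)
		// NOTE(review): err.Error() is echoed to the client verbatim; confirm
		// ExactEndpoint's messages carry nothing internal the caller should not see.
		return &IdentityResponse{
			Success: false,
			Message: err.Error(),
		}, nil
	}
	// The authority certificate is used both to sign the CSR and (its private
	// key) to sign the JWT; fetch it once so both operations use the same one.
	authorityCert := s.CertStorage.GetAuthorityCert()
	certPem, err := cert.SignFromCSR(csr, endpoint, authorityCert, s.Options.CertValidity)
	if err != nil {
		logger.Sugar().Warnf("Failed to sign certificate from csr: %v. RemoteAddr: %s", err, remoteAddr)
		return &IdentityResponse{
			Success: false,
			Message: err.Error(),
		}, nil
	}
	logger.Sugar().Infof("Success to sign certificate from csr. RemoteAddr: %s", remoteAddr)
	token, err := jwt.NewClaims(endpoint.SpiffeID, endpoint.ToString(), endpoint.ID, s.Options.CertValidity).Sign(authorityCert.PrivateKey)
	if err != nil {
		logger.Sugar().Warnf("Failed to sign jwt token: %v. RemoteAddr: %s", err, remoteAddr)
		return &IdentityResponse{
			Success: false,
			Message: err.Error(),
		}, nil
	}
	// Build the trust bundle. TrustCerts[i] and TrustedTokenPublicKeys[i]
	// describe the same trusted certificate, so both slices are appended in
	// lockstep.
	// NOTE(review): this assumes every trusted cert carries its PrivateKey; a
	// nil PrivateKey here would panic — confirm against the storage contract.
	var trustedCerts []string
	var trustedTokenPublicKeys []string
	for _, tc := range s.CertStorage.GetTrustedCerts() {
		trustedCerts = append(trustedCerts, tc.CertPem)
		trustedTokenPublicKeys = append(trustedTokenPublicKeys, cert.EncodePublicKey(&tc.PrivateKey.PublicKey))
	}
	// CertValidity is added to a UnixMilli value, so it is a duration in
	// milliseconds. Sample the clock once so RefreshTime and ExpireTime are
	// computed from the same instant; the client is told to refresh halfway
	// through the validity window.
	now := time.Now().UnixMilli()
	return &IdentityResponse{
		Success:                true,
		Message:                "OK",
		CertPem:                certPem,
		TrustCerts:             trustedCerts,
		Token:                  token,
		TrustedTokenPublicKeys: trustedTokenPublicKeys,
		RefreshTime:            now + (s.Options.CertValidity / 2),
		ExpireTime:             now + s.Options.CertValidity,
	}, nil
}

// peerAddrString returns the address of the gRPC peer attached to ctx, or
// "unknown" when no peer or no address is present, so it can be logged
// without a nil check at the call site.
func peerAddrString(ctx context.Context) string {
	p, ok := peer.FromContext(ctx)
	if !ok || p == nil || p.Addr == nil {
		return "unknown"
	}
	return p.Addr.String()
}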