75b02dff3d
* op-signer: add to this repo * circleci: add op-signer jobs/workflows * ops: update tag service to include op-signer * readme: add op-signer one sentence description * ci: add op-signer option to github action * ops: add op-signer min version
45 lines
1.3 KiB
Go
45 lines
1.3 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
oprpc "github.com/ethereum-optimism/optimism/op-service/rpc"
|
|
optls "github.com/ethereum-optimism/optimism/op-service/tls"
|
|
)
|
|
|
|
type ClientInfo struct {
|
|
ClientName string
|
|
}
|
|
|
|
type clientInfoContextKey struct{}
|
|
|
|
func NewAuthMiddleware() oprpc.Middleware {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
clientInfo := ClientInfo{}
|
|
|
|
// PeerTLSInfo is attached to context by upstream op-service middleware
|
|
peerTlsInfo := optls.PeerTLSInfoFromContext(r.Context())
|
|
if peerTlsInfo.LeafCertificate == nil {
|
|
http.Error(w, "client certificate was not provided", 401)
|
|
return
|
|
}
|
|
// Note that the certificate is already verified by http server if we get here
|
|
if len(peerTlsInfo.LeafCertificate.DNSNames) < 1 {
|
|
http.Error(w, "client certificate verified but did not contain DNS SAN extension", 401)
|
|
return
|
|
}
|
|
clientInfo.ClientName = peerTlsInfo.LeafCertificate.DNSNames[0]
|
|
|
|
ctx := context.WithValue(r.Context(), clientInfoContextKey{}, clientInfo)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
func ClientInfoFromContext(ctx context.Context) ClientInfo {
|
|
info, _ := ctx.Value(clientInfoContextKey{}).(ClientInfo)
|
|
return info
|
|
}
|