Source: default_cert.go in package google.golang.org/api/transport/cert

Package cert contains certificate tools for Google API clients. This package is intended to be used with crypto/tls.Config.GetClientCertificate. The certificates can be used to satisfy Google's Endpoint Validation. See https://cloud.google.com/endpoint-verification/docs/overview This package is not intended for use by end developers. Use the google.golang.org/api/option package to configure API clients.

package cert

import (
	"crypto/tls"
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"os"
	"os/exec"
	"os/user"
	"path/filepath"
	"sync"
)

const (
	metadataPath = ".secureConnect"
	metadataFile = "context_aware_metadata.json"
)

var (
	defaultSourceOnce sync.Once
	defaultSource     Source
	defaultSourceErr  error
)

Source is a function that can be passed into crypto/tls.Config.GetClientCertificate.

type Source func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

DefaultSource returns a certificate source that execs the command specified in the file at ~/.secureConnect/context_aware_metadata.json If that file does not exist, a nil source is returned.

func DefaultSource() (Source, error) {
	defaultSourceOnce.Do(func() {
		defaultSource, defaultSourceErr = newSecureConnectSource()
	})
	return defaultSource, defaultSourceErr
}

type secureConnectSource struct {
	metadata secureConnectMetadata
}

type secureConnectMetadata struct {
	Cmd []string `json:"cert_provider_command"`
}

newSecureConnectSource creates a secureConnectSource by reading the well-known file.

func newSecureConnectSource() (Source, error) {
	user, err := user.Current()

Ignore.

		return nil, nil
	}
	filename := filepath.Join(user.HomeDir, metadataPath, metadataFile)
	file, err := ioutil.ReadFile(filename)

Ignore.

		return nil, nil
	}
	if err != nil {
		return nil, err
	}

	var metadata secureConnectMetadata
	if err := json.Unmarshal(file, &metadata); err != nil {
		return nil, fmt.Errorf("cert: could not parse JSON in %q: %v", filename, err)
	}
	if err := validateMetadata(metadata); err != nil {
		return nil, fmt.Errorf("cert: invalid config in %q: %v", filename, err)
	}
	return (&secureConnectSource{
		metadata: metadata,
	}).getClientCertificate, nil
}

func validateMetadata(metadata secureConnectMetadata) error {
	if len(metadata.Cmd) == 0 {
		return errors.New("empty cert_provider_command")
	}
	return nil
}

TODO(cbro): consider caching valid certificates rather than exec'ing every time.

	command := s.metadata.Cmd
	data, err := exec.Command(command[0], command[1:]...).Output()

TODO(cbro): read stderr for error message? Might contain sensitive info.

		return nil, err
	}
	cert, err := tls.X509KeyPair(data, data)
	if err != nil {
		return nil, err
	}
	return &cert, nil