created handlers for certificate manipulation in vault. Inserted device mTLS guards for public-facing endpoints

This commit is contained in:
dtv
2025-10-04 23:12:03 +03:00
parent 35e59c4879
commit 6a5ddd66ba
8 changed files with 555 additions and 5 deletions


@@ -32,6 +32,7 @@ type Config struct {
}
MediaMTX MediaMTXConfig
JWTSecret []byte
PkiIot vault.PKIClient
}
func Load() (*Config, error) {
@@ -56,6 +57,10 @@ func Load() (*Config, error) {
return nil, fmt.Errorf("VAULT_ADDR, VAULT_TOKEN, VAULT_KV_MOUNT and VAULT_KV_KEY must be set (or provide legacy VAULT_KV_PATH)")
}
pki, err := vault.NewPKI(addr, token, "pki_iot", "device", 30*time.Second)
if err != nil {
return nil, err
}
raw, err := vault.ReadKVv2(addr, token, mount, key)
if err != nil {
return nil, err
@@ -193,6 +198,7 @@ func Load() (*Config, error) {
TokenTTL: time.Duration(tokenTTL),
}
cfg.PkiIot = *pki
return cfg, nil
}
@@ -204,6 +210,15 @@ func LoadDev() (*Config, error) {
}
return v, nil
}
addr := os.Getenv("VAULT_ADDR")
token := os.Getenv("VAULT_TOKEN")
pki, err := vault.NewPKI(addr, token, "pki_iot", "device", 30*time.Second)
if err != nil {
return nil, err
}
getBoolEnv := func(k string, def bool) bool {
v := strings.ToLower(strings.TrimSpace(os.Getenv(k)))
if v == "true" || v == "1" || v == "yes" {
@@ -286,5 +301,7 @@ func LoadDev() (*Config, error) {
PublicBaseURL: publicBase,
TokenTTL: time.Duration(tokenTTL),
}
cfg.PkiIot = *pki
return cfg, nil
}
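Review bot: LoadDev builds the PKI client (the `addr := os.Getenv("VAULT_ADDR")` … `vault.NewPKI(addr, token, "pki_iot", "device", 30*time.Second)` lines in the `@@ -204,6 +210,15 @@` hunk) without the presence check that Load applies to VAULT_ADDR/VAULT_TOKEN, so an unset dev environment reaches NewPKI with empty strings and the failure mode depends on what NewPKI does with them, which is not visible here. Consider failing fast before the call with `if addr == "" || token == "" { return nil, fmt.Errorf("VAULT_ADDR and VAULT_TOKEN must be set to build the pki_iot client") }`. The mount `"pki_iot"`, the role `"device"` and the 30-second timeout are repeated verbatim in Load and LoadDev; hoisting them into package-level constants keeps the two loaders from drifting. `cfg.PkiIot = *pki` stores a copy of the client struct in both loaders; if PKIClient carries a mutex or other non-copyable state, a `*vault.PKIClient` field would be safer, though its layout cannot be confirmed from this diff. Both Load and LoadDev extend beyond the hunks shown.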