Merge pull request #75 from shogo82148/update-cetificates-2023-08-30

update the certificates (2023-08-30)
shogo82148 · Aug 30, 2023 · f65880e · f65880e
2 parents 83b9cf5 + 20b6c55
commit f65880e
Show file tree

Hide file tree

Showing 8 changed files with 359 additions and 38 deletions.
diff --git a/.github/workflows/go.yml → .github/workflows/test.yml b/.github/workflows/go.yml → .github/workflows/test.yml
@@ -10,6 +10,7 @@ jobs:
     name: Test
     runs-on: ${{ matrix.os }}
     strategy:
+      fail-fast: false
       matrix:
         os:
           - ubuntu-latest
@@ -23,9 +24,6 @@ jobs:
           - "1.18"
           - "1.17"
           - "1.16"
-          - "1.15"
-          - "1.14"
-          - "1.13"
 
     steps:
       - name: Check out code into the Go module directory

diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
@@ -0,0 +1,25 @@
+name: update
+on:
+  schedule:
+    - cron: "23 6 * * *"
+  workflow_dispatch:
+
+jobs:
+  update:
+    name: update
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: stable
+
+      - name: Update the Certificates
+        run: go generate ./...
+
+      - name: Commit and Push Changes
+        uses: shogo82148/actions-commit-and-create-pr@v1
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/shogo82148/rdsmysql
 
-go 1.13
+go 1.16
 
 require (
 	github.com/aws/aws-sdk-go v1.44.313

diff --git a/go.sum b/go.sum
@@ -20,7 +20,6 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -36,15 +35,13 @@ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/internal/certificate/certificate.go b/internal/certificate/certificate.go
@@ -1,3 +1,5 @@
+//go:generate go run ../cmd/update_certificate/main.go
+
 package certificate
 
 import (
@@ -9,9 +11,11 @@ import (
 )
 
 // Certificate is the certificates for connecting RDS MySQL with SSL/TLS.
-// It contains the intermediate and root certificates for RDS MySQL ( https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem ),
-// and the root certificates for RDS Proxy( https://www.amazontrust.com/repository/AmazonRootCA1.pem ).
-const Certificate = rdsProxyCertificate + rdsCertificates
+// It contains the intermediate and root certificates for [Amazon RDS MySQL] and [Amazon Aurora MySQL].
+//
+// [Amazon RDS MySQL]: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
+// [Amazon Aurora MySQL]: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
+const Certificate = rdsCertificates
 
 var Config *tls.Config
 

diff --git a/internal/certificate/rds.go b/internal/certificate/rds.go
diff --git a/internal/certificate/rds_proxy.go b/internal/certificate/rds_proxy.go
diff --git a/internal/cmd/update_certificate/main.go b/internal/cmd/update_certificate/main.go
@@ -0,0 +1,121 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"go/format"
+	"io"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+)
+
+func main() {
+	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	defer cancel()
+
+	err := downloadCertificate(ctx, &options{
+		file: "rds.go",
+		pkg:  "certificate",
+		url:  "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem",
+		name: "rdsCertificates",
+		comment: `// rdsCertificates is the intermediate and root [certificates] for [Amazon RDS MySQL] and [Amazon Aurora MySQL].
+//
+// [Amazon RDS MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions
+// [Amazon Aurora MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions
+// [certificates]: https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
+`,
+	})
+	if err != nil {
+		panic(err)
+	}
+}
+
+type options struct {
+	file    string
+	pkg     string
+	url     string
+	name    string
+	comment string
+}
+
+func downloadCertificate(ctx context.Context, opts *options) error {
+	pemCerts, err := download(ctx, opts.url)
+	if err != nil {
+		return err
+	}
+
+	certs, err := parseCertificate(pemCerts)
+	if err != nil {
+		return err
+	}
+
+	buf := &bytes.Buffer{}
+	buf.WriteString("// Code generated by cmd/update_certificate/main.go; DO NOT EDIT.\n\n")
+	buf.WriteString("package " + opts.pkg + "\n\n")
+	buf.WriteString(opts.comment)
+	buf.WriteString("const " + opts.name + " = `")
+	buf.Write(pemCerts)
+	buf.WriteString("`\n\n")
+
+	buf.WriteString("// " + opts.name + " contains:\n")
+	buf.WriteString("//\n")
+	for _, cert := range certs {
+		nbf := cert.NotBefore.Format(time.RFC3339)
+		naf := cert.NotAfter.Format(time.RFC3339)
+		fmt.Fprintf(buf, "// - %50s (not before: %s, not after: %s)\n", cert.Subject.CommonName, nbf, naf)
+	}
+
+	data, err := format.Source(buf.Bytes())
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(opts.file, data, 0644)
+}
+
+func download(ctx context.Context, url string) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	return io.ReadAll(resp.Body)
+}
+
+func parseCertificate(pemCerts []byte) ([]*x509.Certificate, error) {
+	var certs []*x509.Certificate
+	for len(pemCerts) > 0 {
+		var block *pem.Block
+		block, pemCerts = pem.Decode(pemCerts)
+		if block == nil {
+			break
+		}
+		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+			continue
+		}
+
+		certBytes := block.Bytes
+		cert, err := x509.ParseCertificate(certBytes)
+		if err != nil {
+			return nil, err
+		}
+		certs = append(certs, cert)
+	}
+	return certs, nil
+}