Create setting to allow to trust the system root CAs

Previously, when rootCA was set, the trusted system root CAs were ignored. Now, allow for both being able to be configured and used

Signed-off-by: Daniel Haus <dhaus@redhat.com>
This commit is contained in:
Daniel Haus 2021-11-26 21:27:25 +01:00
parent a322f42a10
commit 2b262ff5d6
No known key found for this signature in database
GPG key ID: 262B7643F39EB8A9
2 changed files with 47 additions and 36 deletions

View file

@ -35,6 +35,7 @@ type Config struct {
Groups []string `json:"groups"` Groups []string `json:"groups"`
InsecureCA bool `json:"insecureCA"` InsecureCA bool `json:"insecureCA"`
RootCA string `json:"rootCA"` RootCA string `json:"rootCA"`
IncludeSystemRootCAs bool `json:"includeSystemRootCAs"`
} }
var ( var (
@ -53,6 +54,7 @@ type openshiftConnector struct {
oauth2Config *oauth2.Config oauth2Config *oauth2.Config
insecureCA bool insecureCA bool
rootCA string rootCA string
includeSystemRootCAs bool
groups []string groups []string
} }
@ -81,10 +83,11 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
logger: logger, logger: logger,
redirectURI: c.RedirectURI, redirectURI: c.RedirectURI,
rootCA: c.RootCA, rootCA: c.RootCA,
includeSystemRootCAs: c.IncludeSystemRootCAs,
groups: c.Groups, groups: c.Groups,
} }
if openshiftConnector.httpClient, err = newHTTPClient(c.InsecureCA, c.RootCA); err != nil { if openshiftConnector.httpClient, err = newHTTPClient(c.InsecureCA, c.RootCA, c.IncludeSystemRootCAs); err != nil {
cancel() cancel()
return nil, fmt.Errorf("failed to create HTTP client: %v", err) return nil, fmt.Errorf("failed to create HTTP client: %v", err)
} }
@ -248,16 +251,24 @@ func validateAllowedGroups(userGroups, allowedGroups []string) bool {
} }
// newHTTPClient returns a new HTTP client // newHTTPClient returns a new HTTP client
func newHTTPClient(insecureCA bool, rootCA string) (*http.Client, error) { func newHTTPClient(insecureCA bool, rootCA string, includeSystemRootCAs bool) (*http.Client, error) {
tlsConfig := tls.Config{} tlsConfig := tls.Config{}
if insecureCA { if insecureCA {
tlsConfig = tls.Config{InsecureSkipVerify: true} tlsConfig = tls.Config{InsecureSkipVerify: true}
} else if rootCA != "" { } else if rootCA != "" {
if !includeSystemRootCAs {
tlsConfig = tls.Config{RootCAs: x509.NewCertPool()} tlsConfig = tls.Config{RootCAs: x509.NewCertPool()}
} else {
systemCAs, err := x509.SystemCertPool()
if err != nil {
return nil, fmt.Errorf("failed to read host CA: %w", err)
}
tlsConfig = tls.Config{RootCAs: systemCAs}
}
rootCABytes, err := os.ReadFile(rootCA) rootCABytes, err := os.ReadFile(rootCA)
if err != nil { if err != nil {
return nil, fmt.Errorf("failed to read root-ca: %v", err) return nil, fmt.Errorf("failed to read root-ca: %w", err)
} }
if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) { if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
return nil, fmt.Errorf("no certs found in root CA file %q", rootCA) return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)

View file

@ -70,7 +70,7 @@ func TestGetUser(t *testing.T) {
_, err = http.NewRequest("GET", hostURL.String(), nil) _, err = http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err) expectNil(t, err)
h, err := newHTTPClient(true, "") h, err := newHTTPClient(true, "", false)
expectNil(t, err) expectNil(t, err)
@ -128,7 +128,7 @@ func TestVerifyGroup(t *testing.T) {
_, err = http.NewRequest("GET", hostURL.String(), nil) _, err = http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err) expectNil(t, err)
h, err := newHTTPClient(true, "") h, err := newHTTPClient(true, "", false)
expectNil(t, err) expectNil(t, err)
@ -164,7 +164,7 @@ func TestCallbackIdentity(t *testing.T) {
req, err := http.NewRequest("GET", hostURL.String(), nil) req, err := http.NewRequest("GET", hostURL.String(), nil)
expectNil(t, err) expectNil(t, err)
h, err := newHTTPClient(true, "") h, err := newHTTPClient(true, "", false)
expectNil(t, err) expectNil(t, err)
@ -198,7 +198,7 @@ func TestRefreshIdentity(t *testing.T) {
}) })
defer s.Close() defer s.Close()
h, err := newHTTPClient(true, "") h, err := newHTTPClient(true, "", false)
expectNil(t, err) expectNil(t, err)
oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{ oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
@ -237,7 +237,7 @@ func TestRefreshIdentityFailure(t *testing.T) {
}) })
defer s.Close() defer s.Close()
h, err := newHTTPClient(true, "") h, err := newHTTPClient(true, "", false)
expectNil(t, err) expectNil(t, err)
oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{ oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{