cmd/dex: add option for gRPC client auth CA.

2016-11-02 14:07:05 -07:00 · 2016-11-02 14:07:05 -07:00 · 42dfd3ecec
parent 799b3f3ef5
commit 42dfd3ecec
4 changed files with 39 additions and 7 deletions
--- a/Documentation/api.md
+++ b/Documentation/api.md
@ -15,6 +15,8 @@ grpc:
  # Server certs. If TLS credentials aren't provided dex will generate self-signed ones.
  tlsCert: /etc/dex/grpc.crt
  tlsKey: /etc/dex/grpc.key
+  # Client auth CA.
+  tlsClientCA: /etc/dex/client.crt
 ```

 ## Generating clients
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@ -88,9 +88,10 @@ type Web struct {
 // GRPC is the config for the gRPC API.
 type GRPC struct {
 	// The port to listen on.
-	Addr    string `yaml:"addr"`
-	TLSCert string `yaml:"tlsCert"`
-	TLSKey  string `yaml:"tlsKey"`
+	Addr        string `yaml:"addr"`
+	TLSCert     string `yaml:"tlsCert"`
+	TLSKey      string `yaml:"tlsKey"`
+	TLSClientCA string `yaml:"tlsClientCA"`
 }

 // Storage holds app's storage configuration.
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@ -1,6 +1,8 @@
 package main

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io/ioutil"
@ -67,6 +69,7 @@ func serve(cmd *cobra.Command, args []string) error {
 		{c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
 		{c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
 		{(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"},
+		{c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"},
 	}

 	for _, check := range checks {
@ -77,11 +80,36 @@ func serve(cmd *cobra.Command, args []string) error {

 	var grpcOptions []grpc.ServerOption
 	if c.GRPC.TLSCert != "" {
-		opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
-		if err != nil {
-			return fmt.Errorf("load grpc certs: %v", err)
+		if c.GRPC.TLSClientCA != "" {
+			// Parse certificates from certificate file and key file for server.
+			cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
+			if err != nil {
+				return fmt.Errorf("parsing certificate file: %v", err)
+			}
+
+			// Parse certificates from client CA file to a new CertPool.
+			cPool := x509.NewCertPool()
+			clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
+			if err != nil {
+				return fmt.Errorf("reading from client CA file: %v", err)
+			}
+			if cPool.AppendCertsFromPEM(clientCert) != true {
+				return errors.New("failed to parse client CA")
+			}
+
+			tlsConfig := tls.Config{
+				Certificates: []tls.Certificate{cert},
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+				ClientCAs:    cPool,
+			}
+			grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
+		} else {
+			opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
+			if err != nil {
+				return fmt.Errorf("load grpc certs: %v", err)
+			}
+			grpcOptions = append(grpcOptions, grpc.Creds(opt))
 		}
-		grpcOptions = append(grpcOptions, grpc.Creds(opt))
 	}

 	connectors := make([]server.Connector, len(c.Connectors))
--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@ -22,6 +22,7 @@ web:
 #   addr: 127.0.0.1:5557
 #   tlsCert: /etc/dex/grpc.crt
 #   tlsKey: /etc/dex/grpc.key
+#   tlsClientCA: /etc/dex/client.crt

 # Instead of reading from an external storage, use this list of clients.
 #