cmd/dex: add option for gRPC client auth CA.

This commit is contained in:
rithu leena john 2016-11-02 14:07:05 -07:00
parent 799b3f3ef5
commit 42dfd3ecec
4 changed files with 39 additions and 7 deletions

View file

@ -15,6 +15,8 @@ grpc:
# Server certs. If TLS credentials aren't provided dex will generate self-signed ones. # Server certs. If TLS credentials aren't provided dex will generate self-signed ones.
tlsCert: /etc/dex/grpc.crt tlsCert: /etc/dex/grpc.crt
tlsKey: /etc/dex/grpc.key tlsKey: /etc/dex/grpc.key
# Client auth CA.
tlsClientCA: /etc/dex/client.crt
``` ```
## Generating clients ## Generating clients

View file

@ -88,9 +88,10 @@ type Web struct {
// GRPC is the config for the gRPC API. // GRPC is the config for the gRPC API.
type GRPC struct { type GRPC struct {
// The port to listen on. // The port to listen on.
Addr string `yaml:"addr"` Addr string `yaml:"addr"`
TLSCert string `yaml:"tlsCert"` TLSCert string `yaml:"tlsCert"`
TLSKey string `yaml:"tlsKey"` TLSKey string `yaml:"tlsKey"`
TLSClientCA string `yaml:"tlsClientCA"`
} }
// Storage holds app's storage configuration. // Storage holds app's storage configuration.

View file

@ -1,6 +1,8 @@
package main package main
import ( import (
"crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -67,6 +69,7 @@ func serve(cmd *cobra.Command, args []string) error {
{c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"}, {(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"},
{c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"},
} }
for _, check := range checks { for _, check := range checks {
@ -77,11 +80,36 @@ func serve(cmd *cobra.Command, args []string) error {
var grpcOptions []grpc.ServerOption var grpcOptions []grpc.ServerOption
if c.GRPC.TLSCert != "" { if c.GRPC.TLSCert != "" {
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey) if c.GRPC.TLSClientCA != "" {
if err != nil { // Parse certificates from certificate file and key file for server.
return fmt.Errorf("load grpc certs: %v", err) cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("parsing certificate file: %v", err)
}
// Parse certificates from client CA file to a new CertPool.
cPool := x509.NewCertPool()
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
if err != nil {
return fmt.Errorf("reading from client CA file: %v", err)
}
if cPool.AppendCertsFromPEM(clientCert) != true {
return errors.New("failed to parse client CA")
}
tlsConfig := tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: cPool,
}
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
} else {
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("load grpc certs: %v", err)
}
grpcOptions = append(grpcOptions, grpc.Creds(opt))
} }
grpcOptions = append(grpcOptions, grpc.Creds(opt))
} }
connectors := make([]server.Connector, len(c.Connectors)) connectors := make([]server.Connector, len(c.Connectors))

View file

@ -22,6 +22,7 @@ web:
# addr: 127.0.0.1:5557 # addr: 127.0.0.1:5557
# tlsCert: /etc/dex/grpc.crt # tlsCert: /etc/dex/grpc.crt
# tlsKey: /etc/dex/grpc.key # tlsKey: /etc/dex/grpc.key
# tlsClientCA: /etc/dex/client.crt
# Instead of reading from an external storage, use this list of clients. # Instead of reading from an external storage, use this list of clients.
# #