mystiq/dex
Archived
4
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #661 from rithujohn191/gRPC-client-auth

Browse source 
cmd/dex: add option for gRPC client auth CA.
This commit is contained in:
Eric Chiang 2016-11-02 15:05:15 -07:00 committed by GitHub
commit 74eaec60cb
4 changed files with 39 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Documentation/api.md
View file

@ -15,6 +15,8 @@ grpc:
# Server certs. If TLS credentials aren't provided dex will generate self-signed ones. # Server certs. If TLS credentials aren't provided dex will generate self-signed ones.
tlsCert: /etc/dex/grpc.crt tlsCert: /etc/dex/grpc.crt
tlsKey: /etc/dex/grpc.key tlsKey: /etc/dex/grpc.key
# Client auth CA.
tlsClientCA: /etc/dex/client.crt
``` ```
## Generating clients ## Generating clients

1
cmd/dex/config.go
View file

@ -91,6 +91,7 @@ type GRPC struct {
Addr string `yaml:"addr"` Addr string `yaml:"addr"`
TLSCert string `yaml:"tlsCert"` TLSCert string `yaml:"tlsCert"`
TLSKey string `yaml:"tlsKey"` TLSKey string `yaml:"tlsKey"`
TLSClientCA string `yaml:"tlsClientCA"`
} }
// Storage holds app's storage configuration. // Storage holds app's storage configuration.

28
cmd/dex/serve.go
View file

@ -1,6 +1,8 @@
package main package main
import ( import (
"crypto/tls"
"crypto/x509"
"errors" "errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
@ -67,6 +69,7 @@ func serve(cmd *cobra.Command, args []string) error {
{c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"}, {c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"}, {(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"},
{c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"},
} }
for _, check := range checks { for _, check := range checks {
@ -77,12 +80,37 @@ func serve(cmd *cobra.Command, args []string) error {
var grpcOptions []grpc.ServerOption var grpcOptions []grpc.ServerOption
if c.GRPC.TLSCert != "" { if c.GRPC.TLSCert != "" {
if c.GRPC.TLSClientCA != "" {
// Parse certificates from certificate file and key file for server.
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("parsing certificate file: %v", err)
}
// Parse certificates from client CA file to a new CertPool.
cPool := x509.NewCertPool()
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
if err != nil {
return fmt.Errorf("reading from client CA file: %v", err)
}
if cPool.AppendCertsFromPEM(clientCert) != true {
return errors.New("failed to parse client CA")
}
tlsConfig := tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: cPool,
}
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
} else {
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey) opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil { if err != nil {
return fmt.Errorf("load grpc certs: %v", err) return fmt.Errorf("load grpc certs: %v", err)
} }
grpcOptions = append(grpcOptions, grpc.Creds(opt)) grpcOptions = append(grpcOptions, grpc.Creds(opt))
} }
}
connectors := make([]server.Connector, len(c.Connectors)) connectors := make([]server.Connector, len(c.Connectors))
for i, conn := range c.Connectors { for i, conn := range c.Connectors {

1
examples/config-dev.yaml
View file

@ -22,6 +22,7 @@ web:
# addr: 127.0.0.1:5557 # addr: 127.0.0.1:5557
# tlsCert: /etc/dex/grpc.crt # tlsCert: /etc/dex/grpc.crt
# tlsKey: /etc/dex/grpc.key # tlsKey: /etc/dex/grpc.key
# tlsClientCA: /etc/dex/client.crt
# Instead of reading from an external storage, use this list of clients. # Instead of reading from an external storage, use this list of clients.
# #