refactor

Signed-off-by: Huabing Zhao <[email protected]>
envoyproxy · Dec 10, 2024 · 26ee93a · 26ee93a
1 parent 9350110
commit 26ee93a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 20 deletions.
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
@@ -7,7 +7,6 @@ package gatewayapi
 
 import (
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -710,8 +709,7 @@ func (t *Translator) buildOIDCProvider(policy *egv1a1.SecurityPolicy, resources
 		}
 	}
 
-	// Discover the token and authorization endpoints from the issuer's
-	// well-known url if not explicitly specified
+	// Discover the token and authorization endpoints from the issuer's well-known url if not explicitly specified.
 	// EG assumes that the issuer url uses the same protocol and CA as the token endpoint.
 	// If we need to support different protocols or CAs, we need to add more fields to the OIDCProvider CRD.
 	if provider.TokenEndpoint == nil || provider.AuthorizationEndpoint == nil {
@@ -785,25 +783,16 @@ type OpenIDConfig struct {
 }
 
 func fetchEndpointsFromIssuer(issuerURL string, providerTLS *ir.TLSUpstreamConfig) (string, string, error) {
-	var tlsConfig *tls.Config
+	var (
+		tlsConfig *tls.Config
+		err       error
+	)
 
 	if providerTLS != nil {
-		tlsConfig = &tls.Config{
-			ServerName: providerTLS.SNI,
-			MinVersion: tls.VersionTLS13,
-		}
-		if providerTLS.CACertificate != nil {
-			caCertPool := x509.NewCertPool()
-			caCertPool.AppendCertsFromPEM(providerTLS.CACertificate.Certificate)
-			tlsConfig.RootCAs = caCertPool
-		}
-		for _, cert := range providerTLS.ClientCertificates {
-			cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
-			if err != nil {
-				return "", "", err
-			}
-			tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
-		}
+		tlsConfig, err = providerTLS.ToTLSConfig()
+	}
+	if err != nil {
+		return "", "", err
 	}
 
 	// Fetch the OpenID configuration from the issuer URL

diff --git a/internal/ir/xds.go b/internal/ir/xds.go
@@ -7,6 +7,8 @@ package ir
 
 import (
 	"cmp"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding"
 	"encoding/json"
 	"errors"
@@ -359,6 +361,23 @@ const (
 	TLSv13 = TLSVersion(egv1a1.TLSv13)
 )
 
+func (t TLSVersion) Int() uint16 {
+	switch t {
+	case TLSAuto:
+		return tls.VersionTLS13
+	case TLSv10:
+		return tls.VersionTLS10
+	case TLSv11:
+		return tls.VersionTLS11
+	case TLSv12:
+		return tls.VersionTLS12
+	case TLSv13:
+		return tls.VersionTLS13
+	default:
+		return tls.VersionTLS13
+	}
+}
+
 // TLSConfig holds the configuration for downstream TLS context.
 // +k8s:deepcopy-gen=true
 type TLSConfig struct {
@@ -2539,6 +2558,28 @@ type TLSUpstreamConfig struct {
 	TLSConfig           `json:",inline"`
 }
 
+func (t *TLSUpstreamConfig) ToTLSConfig() (*tls.Config, error) {
+	// nolint:gosec
+	tlsConfig := &tls.Config{
+		ServerName: t.SNI,
+		MinVersion: t.MinVersion.Int(),
+		MaxVersion: t.MaxVersion.Int(),
+	}
+	if t.CACertificate != nil {
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(t.CACertificate.Certificate)
+		tlsConfig.RootCAs = caCertPool
+	}
+	for _, cert := range t.ClientCertificates {
+		cert, err := tls.X509KeyPair(cert.Certificate, cert.PrivateKey)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
+	}
+	return tlsConfig, nil
+}
+
 // BackendConnection settings for upstream connections
 // +k8s:deepcopy-gen=true
 type BackendConnection struct {