From 1f82b087f7b02e51450afce95a985f10a3ca37c0 Mon Sep 17 00:00:00 2001
From: Jonathan Buch
Date: Fri, 19 Aug 2022 12:05:11 +0200
Subject: [PATCH] Add support for self-signed minio deployments

* Either by setting the environment variable MINIO_SSL_INSECURE to true
* or providing a CA certificate via a file specified by MINIO_SSL_CACERT
---
 src/clients/clients.go | 93 +++++++++++++++++++++++++++++++++++++++---
 src/config/config.go | 2 +
 2 files changed, 89 insertions(+), 6 deletions(-)

diff --git a/src/clients/clients.go b/src/clients/clients.go
index 03bf341..72a97cb 100644
--- a/src/clients/clients.go
+++ b/src/clients/clients.go
@@ -1,6 +1,13 @@
 package clients
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"net/http"
+	"os"
+
 	minio "github.com/minio/minio-go/v7"
 	"github.com/minio/minio-go/v7/pkg/credentials"
 
@@ -10,14 +17,30 @@ import (
 	cnf "github.com/rzrbld/adminio-api/config"
 )
 
-var MadmClnt, MadmErr = madmin.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
+var MadmErr error
+var MinioErr error
+var MinioClnt *minio.Client
+var MadmClnt *madmin.AdminClient
+
+func init() {
+	tr, err := customTransport()
+	if err != nil {
+		MadmErr = err
+		MinioErr = err
+		return
+	}
 
-// var MinioClnt, MinioErr = minio.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
+	MinioClnt, MinioErr = minio.New(cnf.Server, &minio.Options{
+		Creds:     credentials.NewStaticV4(cnf.Maccess, cnf.Msecret, ""),
+		Secure:    cnf.Ssl,
+		Transport: tr,
+	})
 
-var MinioClnt, MinioErr = minio.New(cnf.Server, &minio.Options{
-	Creds:  credentials.NewStaticV4(cnf.Maccess, cnf.Msecret, ""),
-	Secure: cnf.Ssl,
-})
+	MadmClnt, MadmErr = madmin.New(cnf.Server, cnf.Maccess, cnf.Msecret, cnf.Ssl)
+	if err == nil {
+		MadmClnt.SetCustomTransport(tr)
+	}
+}
 
 func main() {
 	if MadmErr != nil {
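Review bot: In init(), the guard `if err == nil` in front of `MadmClnt.SetCustomTransport(tr)` tests the customTransport error, which is already known to be nil after the early return a few lines above, so it never protects against madmin.New failing; when madmin.New returns a non-nil MadmErr, MadmClnt may be nil and the call dereferences it during package initialization, before main's MadmErr check can run. The condition should read `if MadmErr == nil {`. The four new package variables are exported but undocumented; a short comment such as `// MadmErr and MinioErr record why the admin or object client could not be built (transport setup or client construction); main checks them before use.` would state the contract that init and main follow here.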
@@ -28,3 +51,61 @@ func main() {
 		log.Fatalln("Error while connecting via minio client ", MinioErr)
 	}
 }
+
+func customTransport() (*http.Transport, error) {
+
+	if !cnf.Ssl {
+		return minio.DefaultTransport(cnf.Ssl)
+	}
+
+	tlsConfig := &tls.Config{
+		// Can't use SSLv3 because of POODLE and BEAST
+		// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
+		// Can't use TLSv1.1 because of RC4 cipher usage
+		MinVersion: tls.VersionTLS12,
+	}
+
+	tr, err := minio.DefaultTransport(cnf.Ssl)
+	if err != nil {
+		return nil, err
+	}
+
+	if cnf.SSLCACertFile != "" {
+		minioCACert, err := os.ReadFile(cnf.SSLCACertFile)
+		if err != nil {
+			return nil, err
+		}
+
+		if !isValidCertificate(minioCACert) {
+			return nil, fmt.Errorf("minio CA Cert is not a valid x509 certificate")
+		}
+
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			// In some systems (like Windows) system cert pool is
+			// not supported or no certificates are present on the
+			// system - so we create a new cert pool.
+			rootCAs = x509.NewCertPool()
+		}
+		rootCAs.AppendCertsFromPEM(minioCACert)
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	if cnf.SSLSkipVerify {
+		tlsConfig.InsecureSkipVerify = true
+	}
+
+	tr.TLSClientConfig = tlsConfig
+
+	return tr, nil
+}
+
+func isValidCertificate(c []byte) bool {
+	p, _ := pem.Decode(c)
+	if p == nil {
+		return false
+	}
+	_, err := x509.ParseCertificates(p.Bytes)
+	return err == nil
+}
diff --git a/src/config/config.go b/src/config/config.go
index f68e8b8..cf914ff 100644
--- a/src/config/config.go
+++ b/src/config/config.go
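Review bot: In customTransport, `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` sets a server-side field that a client-side tls.Config ignores, so it has no effect on the connection to minio and misleadingly suggests client-certificate enforcement; drop that line. Directly above it the bool returned by `rootCAs.AppendCertsFromPEM(minioCACert)` is discarded, and isValidCertificate only parses the first PEM block without checking its type, so the two checks can disagree and a file that contributes no usable CA still yields a pool with only the system roots; replace the bare call with `if !rootCAs.AppendCertsFromPEM(minioCACert) { return nil, fmt.Errorf("no CA certificate could be added to the pool from %s", cnf.SSLCACertFile) }`. When MINIO_SSL_INSECURE and MINIO_SSL_CACERT are both set, InsecureSkipVerify disables chain verification entirely and the CA pool is never consulted, which is worth stating on the SSLSkipVerify branch: `// InsecureSkipVerify disables chain verification, so a configured CA file is not consulted when this is set`. The errors from os.ReadFile and minio.DefaultTransport are returned without saying which step failed; wrapping them with `fmt.Errorf("reading minio CA file %q: %w", cnf.SSLCACertFile, err)` would make the init-time failure in main diagnosable.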
@@ -16,6 +16,8 @@ var (
 	// Enable object locking by default
 	DefaultObjectLocking, _ = strconv.ParseBool(getEnv("MINIO_DEFAULT_LOCK_OBLECT_ENABLE", "false"))
 	Ssl, _ = strconv.ParseBool(getEnv("MINIO_SSL", "false"))
+	SSLSkipVerify, _ = strconv.ParseBool(getEnv("MINIO_SSL_INSECURE", "false"))
+	SSLCACertFile = getEnv("MINIO_SSL_CACERT", "")
 	ServerHostPort = getEnv("ADMINIO_HOST_PORT", "localhost:8080")
 	AdminioCORS = getEnv("ADMINIO_CORS_DOMAIN", "*")
 	// AES only supports key sizes of 16, 24 or 32 bytes.
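Review bot: The two new settings carry no comment while the neighbouring DefaultObjectLocking entry does, and their scope is not obvious from the names: in clients.go's customTransport they are only honoured when MINIO_SSL is true, and a CA file is not consulted once skip-verify is on. Add comments above them, e.g. `// Skip verification of the minio server certificate (MINIO_SSL_INSECURE); only used when MINIO_SSL is true` and `// PEM file with CA certificate(s) trusted for the minio endpoint in addition to the system roots (MINIO_SSL_CACERT); ignored when MINIO_SSL_INSECURE is set`. The strconv.ParseBool error is dropped as for Ssl, so an unrecognised value such as "yes" leaves SSLSkipVerify false and verification on; that is the safe direction, but stating it in the comment saves the next reader a trip to the parser.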