feat(auth): allow additional CA certs for OAuth2
Allow specifying additional TLS CA certificates for the OAuth2
authenticator.

This is useful when the cert for the OAuth2 services is not installed in
the system and needs to be specified explicitly.

Signed-off-by: Sergei Trofimov <[email protected]>
setrofim authored and thomas-fossati committed Aug 7, 2024
1 parent 8a3a730 commit 9141ad3
Showing 3 changed files with 53 additions and 22 deletions.
13 changes: 13 additions & 0 deletions auth/oauth2.go
Expand Up @@ -6,6 +6,7 @@ import (
"context"
"errors"
"fmt"
"net/http"
"net/url"
"strings"
"time"
Expand All @@ -20,6 +21,7 @@ type Oauth2Authenticator struct {
ClientSecret string
Username string
Password string
CACerts []string

Token *oauth2.Token
}
Expand All @@ -31,6 +33,7 @@ func (o *Oauth2Authenticator) Configure(cfg map[string]interface{}) error {
ClientSecret string `mapstructure:"client_secret"`
Username string `mapstructure:"username"`
Password string `mapstructure:"password"`
CACerts []string `mapstructure:"ca_certs"`
Rest map[string]interface{} `mapstructure:",remain"`
}{}

Expand All @@ -43,6 +46,7 @@ func (o *Oauth2Authenticator) Configure(cfg map[string]interface{}) error {
o.TokenURL = decoded.TokenURL
o.Username = decoded.Username
o.Password = decoded.Password
o.CACerts = decoded.CACerts

if err := o.validate(); err != nil {
return err
Expand Down Expand Up @@ -90,6 +94,15 @@ func (o *Oauth2Authenticator) obtainToken() (*oauth2.Token, error) {
},
}

if len(o.CACerts) > 0 {
transport, err := NewTLSTransport(o.CACerts)
if err != nil {
return nil, err
}
client := &http.Client{Transport: transport}
ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
}

return conf.PasswordCredentialsToken(ctx, o.Username, o.Password)
}

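Review bot: The client built on the line `client := &http.Client{Transport: transport}` has no Timeout, so the password-grant request can block indefinitely if the OAuth2 server accepts the TLS connection and then stalls, unless ctx (created above the hunk, outside my view) already carries a deadline. Since `time` is already imported in this file, `client := &http.Client{Transport: transport, Timeout: 30 * time.Second}` (or a context.WithTimeout around the call) bounds the wait. obtainToken's body starts outside the hunk.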
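--- a/auth/tls.go
+++ b/auth/tls.go
@@ -0,0 +1,38 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package auth
+
+import (
+"crypto/tls"
+"crypto/x509"
+"fmt"
+"net/http"
+"os"
+)
+
+// NewTLSTransport returns a pointer to a new http.Transport with TLS config
+// initilaized with system certs as well as specified certPaths.
+func NewTLSTransport(certPaths []string) (*http.Transport, error) {
+certPool, err := x509.SystemCertPool()
+if err != nil {
+return nil, err
+}
+
+for _, certPath := range certPaths {
+rawCert, err := os.ReadFile(certPath)
+if err != nil {
+return nil, fmt.Errorf("could not read cert: %w", err)
+}
+
+if ok := certPool.AppendCertsFromPEM(rawCert); !ok {
+return nil, fmt.Errorf("invalid cert in %s", certPath)
+}
+}
+
+return &http.Transport{
+TLSClientConfig: &tls.Config{
+RootCAs: certPool,
+MinVersion: tls.VersionTLS12,
+},
+}, nil
+}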
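Review bot: The doc comment on NewTLSTransport has a typo, `initilaized`, and it should also state that a file yielding no parseable certificate is rejected while one mixing valid and unparseable PEM blocks is accepted, because `AppendCertsFromPEM` reports false only when nothing was added. The error for that case reads better with `%q`, so an empty or odd path is visible: `return nil, fmt.Errorf("invalid cert in %q", certPath)`. The `x509.SystemCertPool()` error is returned bare; wrapping it as `return nil, fmt.Errorf("loading system cert pool: %w", err)` tells the caller which step failed.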
24 changes: 2 additions & 22 deletions common/client.go
Expand Up @@ -6,11 +6,9 @@ package common
import (
"bytes"
"crypto/tls"
"crypto/x509"
"fmt"
"io"
"net/http"
"os"
"time"

"github.com/veraison/apiclient/auth"
Expand Down Expand Up @@ -50,30 +48,12 @@ func NewInsecureTLSClient(a auth.IAuthenticator) *Client {
// The client will use the provided IAuthenticator for requests, if it is not
// nil.
func NewTLSClient(a auth.IAuthenticator, certPaths []string) (*Client, error) {
certPool, err := x509.SystemCertPool()
transport, err := auth.NewTLSTransport(certPaths)
if err != nil {
return nil, err
}

for _, certPath := range certPaths {
rawCert, err := os.ReadFile(certPath)
if err != nil {
return nil, fmt.Errorf("could not read cert: %w", err)
}

if ok := certPool.AppendCertsFromPEM(rawCert); !ok {
return nil, fmt.Errorf("invalid cert in %s", certPath)
}
}

transport := http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
},
}

return NewClientWithTransport(a, &transport), nil
return NewClientWithTransport(a, transport), nil
}

// NewClientWithTransport instantiates a new Client with the specified transport and a fixed
