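--- a/cmd/zed/context.go
+++ b/cmd/zed/context.go
@@ -98,6 +98,18 @@ func contextListCmdFunc(cmd *cobra.Command, args []string) error {
 return nil
 }
 
+// Reads the trusted certificate if it exists, returning byte form.
+func getCertificate(cmd *cobra.Command) (certificate []byte, err error) {
+cafile := cobrautil.MustGetString(cmd, "cafile")
+if cafile != "" {
+certificate, err = os.ReadFile(cafile)
+if err != nil {
+return nil, fmt.Errorf("Failed to read from CA Certificate File, %w")
+}
+}
+return
+}
+
 func contextSetCmdFunc(cmd *cobra.Command, args []string) error {
 var name, endpoint, apiToken string
 err := stringz.Unpack(args, &name, &endpoint, &apiToken)
@@ -107,11 +119,17 @@ func contextSetCmdFunc(cmd *cobra.Command, args []string) error {
 
 insecure := cobrautil.MustGetBool(cmd, "insecure")
 cfgStore, secretStore := defaultStorage()
+
+certificate, err := getCertificate(cmd)
+if err != nil {
+return err
+}
 err = storage.PutToken(storage.Token{
-Name: name,
-Endpoint: stringz.DefaultEmpty(endpoint, "grpc.authzed.com:443"),
-APIToken: apiToken,
-Insecure: &insecure,
+Name: name,
+Endpoint: stringz.DefaultEmpty(endpoint, "grpc.authzed.com:443"),
+APIToken: apiToken,
+Insecure: &insecure,
+Certificate: certificate,
 }, secretStore)
 if err != nil {
 return err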
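Review bot: `fmt.Errorf("Failed to read from CA Certificate File, %w")` in getCertificate gives `%w` no operand, so the underlying read error is dropped and the message renders with `%!w(MISSING)`; `go vet` rejects this form. Use `return nil, fmt.Errorf("reading CA certificate file %q: %w", cafile, err)`, which also follows the lowercase, no-trailing-punctuation convention for error strings. The file contents are stored without any check, so a path that points at a non-PEM file is only discovered when a later command dials; validating with `x509.NewCertPool().AppendCertsFromPEM(certificate)` before returning would make `context set` fail fast instead. The doc comment should start with the function name, e.g. `// getCertificate reads the CA trust bundle named by the cafile flag, returning nil when the flag is unset.`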
8 changes: 8 additions & 0 deletions cmd/zed/main.go
Expand Up @@ -51,9 +51,16 @@ func dialOptsFromFlags(cmd *cobra.Command, token storage.Token) []grpc.DialOptio
grpc.WithChainUnaryInterceptor(interceptors...),
}

if cobrautil.MustGetBool(cmd, "insecure") && cobrautil.MustGetString(cmd, "cafile") != "" {
panic("cafile flag cannot be combined with insecure")
Member


This should definitely be checked somewhere else and return an error rather than panicking.

Author


I don't see an obvious place to put a "verify flags" precondition; I'm not that familiar with Cobra

Member

@jzelinskie jzelinskie Jan 6, 2023


Yeah, that's pretty fair -- I think we should just ignore the CA flag if the insecure flag is set. The insecure flag description is "connect over a plaintext connection", so if you specify it, that's what we should do.

The real problem is that the grpcutil library panics if it cannot find a CA rather than returning an error.
I'll fix things upstream to improve the situation.

}

if cobrautil.MustGetBool(cmd, "insecure") || (token.IsInsecure()) {
opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
opts = append(opts, grpcutil.WithInsecureBearerToken(token.APIToken))
} else if cobrautil.MustGetString(cmd, "cafile") != "" {
opts = append(opts, grpcutil.WithBearerToken(token.APIToken))
opts = append(opts, grpcutil.WithCustomCerts(cobrautil.MustGetString(cmd, "cafile"), cobrautil.MustGetBool(cmd, "no-verify-ca")))
} else {
opts = append(opts, grpcutil.WithBearerToken(token.APIToken))
opts = append(opts, grpcutil.WithSystemCerts(cobrautil.MustGetBool(cmd, "no-verify-ca")))
Expand Down Expand Up @@ -83,6 +90,7 @@ func main() {
rootCmd.PersistentFlags().Bool("insecure", false, "connect over a plaintext connection")
rootCmd.PersistentFlags().Bool("skip-version-check", false, "if true, no version check is performed against the server")
rootCmd.PersistentFlags().Bool("no-verify-ca", false, "do not attempt to verify the server's certificate chain and host name")
rootCmd.PersistentFlags().String("cafile", "", "Use the contents of file as a CA Trust Bundle (PEM-formatted DER)")
rootCmd.PersistentFlags().Bool("debug", false, "enable debug logging")
_ = rootCmd.PersistentFlags().MarkHidden("debug") // This cannot return its error.

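Review bot: dialOptsFromFlags never reads token.Certificate: the `else if cobrautil.MustGetString(cmd, "cafile") != ""` branch passes the flag's path to grpcutil.WithCustomCerts, so a context saved with a bundle by `context set --cafile` silently falls back to system roots on any later invocation that omits the flag, which is the opposite of what storing it suggests. The condition should also cover the stored bundle, e.g. `} else if cobrautil.MustGetString(cmd, "cafile") != "" || len(token.Certificate) > 0 {`, with the stored bytes loaded into a cert pool when the flag is absent; whether grpcutil exposes a bytes-based option is not visible here. Separately, `no-verify-ca` is forwarded to WithCustomCerts as well as WithSystemCerts, so a custom CA combined with that flag still skips chain and hostname verification; that interaction is worth stating in the help text of the new `rootCmd.PersistentFlags().String("cafile", ...)` line. dialOptsFromFlags starts before the hunk.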
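--- a/internal/storage/secrets.go
+++ b/internal/storage/secrets.go
@@ -17,10 +17,11 @@ import (
 var ErrTokenNotFound = errors.New("token does not exist")
 
 type Token struct {
-Name string
-Endpoint string
-APIToken string
-Insecure *bool
+Name string
+Endpoint string
+APIToken string
+Insecure *bool
+Certificate []byte
 }
 
 func (t Token) IsInsecure() bool {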
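Review bot: the new `Certificate []byte` field on the exported Token type is undocumented, as is the type itself, so a reader of the secret store cannot tell whether it holds a file path, DER or PEM. Suggest `// Certificate holds the contents of the cafile CA trust bundle (PEM), or nil when none was given.` above the field, and `// Token is a saved connection context: endpoint, API token and transport security settings.` on the type. Whether a []byte field round-trips through the secret store's encoding is not visible from this hunk and is worth a test.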