CA file #323

Merged
merged 21 commits into from
Aug 2, 2023
Conversation

mmatczuk (Contributor)

Fixes #264

mmatczuk (Contributor, Author)

I still need to add an e2e test for it.

what-the-diff bot commented Jul 31, 2023

PR Summary

  • Inclusion of a new linter
    A linter called 'gochecknoglobals' was added to the configuration file in charge of quality checks (.golangci.yml) to ensure the code is consistent and following best practices.

  • New option for pac flag
    A new functionality has been added in bind/flag.go that enhances the use of the --pac flag allowing the use of data URI scheme.

  • Improvements in timeout handling
    In the http_proxy.go file, timeout management of the HTTP transport configuration has been revamped to provide better control.

  • Additional fields in TLSClientConfig
    TLSClientConfig (found in tls.go) has been enriched with new fields, 'HandshakeTimeout' and 'CAFiles'. These are meant for controlling the maximum time for a TLS handshake and specifying locations of CA certificate files respectively.

  • New Data-Handling Functions
    Two new utility functions ReadURLString and ReadFileOrBase64 have been introduced in the forwarder package. These functions deal with reading various types of data and making them available in appropriate formats.

  • Adding Unit Tests
    New tests have been added for verifying the correct operations of the ReadURLData and ReadFileOrBase64 functions.

  • New Structure to Represent Server-Side Connections
    A new struct TLSServerConfig has been introduced to represent and control TLS configuration for server-side connections.

  • Efficient Certificate and Key Loading
    The loadX509KeyPair function has been added in addition to replacing the CertFile and KeyFile fields in the TLSServerConfig struct with a call to loadCertificate. This is intended to improve and simplify the process of loading a TLS certificate and private key from files.

  • Broad replacement of ReadURL usage
    Several functions in the forwarder package have been updated to use the new ReadURLString function instead of ReadURL, showing our continuous efforts in refining and improving our codebase.

Choraden (Contributor) commented Aug 1, 2023

I would squash `bind: update PAC with data scheme` with `readurl: add support for reading data scheme`. The bind commit gives no info why, without the context from the other.

Choraden (Contributor) commented Aug 1, 2023

How about we also extract TLSServerConfig to a separate bind function?

mmatczuk (Contributor, Author) commented Aug 1, 2023

> I would squash `bind: update PAC with data scheme` with `readurl: add support for reading data scheme`. The bind commit gives no info why, without the context from the other.

The changes are unrelated, I'd update the commit msg.

mmatczuk (Contributor, Author) commented Aug 1, 2023

I squashed it.

mmatczuk force-pushed the mmt/url_data branch 5 times, most recently from 8f78354 to 9559fc1 (August 1, 2023 15:47)

Review comment on the e2e `Service` helper (the snippet starts mid-function, as shown on the page):

```go
			"./certs/"+s.Name+".key:/etc/forwarder/private/"+s.Name+".key:ro",
		)
	}

	return s
}

func (s *Service) WithUpstream(name, protocol string) *Service {
	s.Environment["FORWARDER_PROXY"] = protocol + "://" + name + ":3128"
	if protocol == "https" {
```
Choraden (Contributor): Let's preserve the same condition as in WithProtocol.

Choraden (Contributor), suggested change: `if protocol != "http" {`

mmatczuk (Contributor, Author): it's https and h2 but sure I can change it.

Choraden (Contributor) commented Aug 2, 2023

Great job removing the Insecure option from the e2e test. How about we mention the certificate generation in e2e/README?

mmatczuk (Contributor, Author) commented Aug 2, 2023

I updated the generated certs.

e2e/certs: CA signed certificate generation

The script generates CA and certificate key pair for each host name used in tests.
We generate X509v3 certificates based on ecdsa-with-SHA256 signing alg.

For developer convenience the certificates also work with localhost DNS name.

Sample generated key

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b1:b4:50:5f:59:1c:7b:9a
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Sauce Labs Inc.
        Validity
            Not Before: Aug  2 10:00:27 2023 GMT
            Not After : Aug  1 10:00:27 2024 GMT
        Subject: C=US, O=Sauce Labs Inc., CN=httpbin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b4:80:60:3a:eb:00:e7:e0:ba:59:80:bf:c7:b8:
                    9c:f3:48:2b:ab:39:64:e0:8f:a3:ac:79:58:cf:2b:
                    ec:59:71:95:c0:11:a8:ca:b6:6b:a4:91:2f:fc:b0:
                    0c:ba:92:f8:f9:7e:d5:ba:cf:32:aa:c9:80:fd:7b:
                    5e:ad:1e:4b:7a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:10:A7:85:A5:DD:41:80:3F:E5:FE:A3:F8:E9:F1:05:81:BE:B0:16:99

            X509v3 Subject Alternative Name:
                DNS:localhost, DNS:httpbin
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d2:05:be:ea:10:20:62:3d:13:94:cd:cc:c8:
         37:93:45:1d:73:6a:45:e1:54:20:2a:7c:d3:66:27:93:f9:83:
         3b:02:20:05:e8:a9:94:a0:2f:6a:43:d8:f0:5e:de:33:e5:6b:
         15:26:f7:8e:93:3c:25:81:42:74:8f:e6:db:38:a2:83:b0

mmatczuk force-pushed the mmt/url_data branch 4 times, most recently from f9cf201 to 9abb5b8 (August 2, 2023 11:01)
The curl command has --cacert <file> and --capath <dir> flags.

Forwarder implements the file-based approach but supports specifying it multiple times.
With this patch the flag is --cacert-file <path or base64> (env FORWARDER_CACERT_FILE).
We preserve the file suffix for automatic file marking and compatibility with other Forwarder flags.
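The two commit messages above describe two halves of one flow: e2e/certs mints an ECDSA P-256 CA and a CA-signed leaf per host name whose SAN also carries localhost, and `--cacert-file` accepts each trust anchor either as a path or as inline base64, repeated as needed. The Go below is an added example written for this page, not Forwarder's code or its e2e script. Everything in it is assumed for illustration: the function names (`mintCert`, `newTestPKI`, `readFileOrBase64`, `caPoolFromValues`, `verifyHost`), the rule that a `.pem`/`.crt`/`.cer` suffix marks a path and anything else is base64 PEM (a reading of "we preserve the file suffix for automatic file marking"), and the refusal of CA:FALSE certificates as trust anchors. The certificate shapes (subject, Basic Constraints, SAN and Key Usage) follow the sample dump.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

func must[T any](v T, err error) T { // fixture helper: key generation and signing do not fail in practice
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert makes a fresh P-256 key and signs tmpl with parentKey (self-signed when parent
// is nil). With P-256 keys Go emits ecdsa-with-SHA256 signatures, as in the sample dump.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	cert := must(x509.ParseCertificate(der)) // a parsed issuer gives its children a real AKI
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// newTestPKI returns PEM for a CA and a CA-signed leaf for host with SAN {localhost, host}.
func newTestPKI(host string) (caPEM, leafPEM []byte) {
	start, org := time.Now().Add(-time.Hour), pkix.Name{Country: []string{"US"}, Organization: []string{"Sauce Labs Inc."}}
	caCert, caKey, caPEM := mintCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: org, NotBefore: start, NotAfter: start.AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, // CA:TRUE, critical
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	org.CommonName = host
	_, _, leafPEM = mintCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: org, NotBefore: start, NotAfter: start.AddDate(1, 0, 0),
		BasicConstraintsValid: true, // IsCA is false, so this encodes CA:FALSE, critical
		DNSNames:              []string{"localhost", host},
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}, caCert, caKey)
	return caPEM, leafPEM
}

// readFileOrBase64 resolves one --cacert-file value. The rule is this example's assumption,
// not Forwarder's code: a certificate file suffix marks a path, anything else is base64 PEM.
func readFileOrBase64(v string) ([]byte, error) {
	if ext := filepath.Ext(v); ext == ".pem" || ext == ".crt" || ext == ".cer" {
		return os.ReadFile(v)
	}
	return base64.StdEncoding.DecodeString(v)
}

// caPoolFromValues builds the trust store from repeated --cacert-file values and refuses
// CA:FALSE certificates, so a leaf passed by mistake (like httpbin above) never becomes a root.
func caPoolFromValues(values []string) (*x509.CertPool, error) {
	pool, n := x509.NewCertPool(), 0
	for _, v := range values {
		raw, err := readFileOrBase64(v)
		if err != nil {
			return nil, err
		}
		for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			if !cert.IsCA {
				return nil, fmt.Errorf("%q has CA:FALSE, refusing it as a trust anchor", cert.Subject.CommonName)
			}
			pool.AddCert(cert)
			n++
		}
	}
	if n == 0 { // valid base64 with no PEM inside (for instance a base64'd DER file) would otherwise give an empty pool in silence
		return nil, fmt.Errorf("no CERTIFICATE block found in %d value(s)", len(values))
	}
	return pool, nil
}

// verifyHost checks that leafPEM chains to pool and is valid for dnsName.
func verifyHost(pool *x509.CertPool, leafPEM []byte, dnsName string) error {
	block, _ := pem.Decode(leafPEM)
	leaf, err := x509.ParseCertificate(block.Bytes) // leafPEM must carry one CERTIFICATE block
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	}
	return err
}
```

Calling `newTestPKI("httpbin")`, then `caPoolFromValues` with the CA once as a `.pem` path and once as inline base64, and finally `verifyHost`: "httpbin" and "localhost" verify, any other name fails with a hostname error, and handing the httpbin leaf (CA:FALSE, as in the dump) to `caPoolFromValues` is rejected before it reaches the pool. That refusal is a policy choice of this example: Go's `CertPool.AddCert` accepts any certificate, and a self-signed leaf placed in Roots verifies itself, so if pinning a single server certificate through this flag is a wanted use, drop the `IsCA` check rather than the rest.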
mmatczuk merged commit b5fabbf into main on Aug 2, 2023
3 checks passed
mmatczuk deleted the mmt/url_data branch on August 2, 2023 12:12
Development

Successfully merging this pull request may close these issues: Add flag to specify Certificate Authority
2 participants