
Commit 54983b9

committed
fix(core): Support for CaCertFilePath
1 parent 73a9dc6 commit 54983b9


3 files changed

+267
-111
lines changed


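--- a/auth_providers/auth_core.go
+++ b/auth_providers/auth_core.go
@@ -270,70 +270,70 @@ func (c *CommandAuthConfig) ValidateAuthConfig() error {
 c.HttpClientTimeout = DefaultClientTimeout
 }
 }
-c.SetClient(nil)
+
+if c.CommandCACert == "" {
+// check if CommandCACert is set in environment
+if caCert, ok := os.LookupEnv(EnvKeyfactorCACert); ok {
+c.CommandCACert = caCert
+} else {
+return nil
+}
+}
 
 // check for skip verify in environment
 if skipVerify, ok := os.LookupEnv(EnvKeyfactorSkipVerify); ok {
 c.SkipVerify = skipVerify == "true" || skipVerify == "1"
 }
 
-if c.SkipVerify {
-c.HttpClient.Transport = &http.Transport{
-TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-}
-return nil
-}
-
-caErr := c.updateCACerts()
-if caErr != nil {
-return caErr
-}
+//TODO: This should be part of BuildTransport
+//if c.SkipVerify {
+// c.HttpClient.Transport = &http.Transport{
+// TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+// }
+// //return nil
+//}
+//
+//caErr := c.updateCACerts()
+//if caErr != nil {
+// return caErr
+//}
 
 return nil
 }
 
 // BuildTransport creates a custom http Transport for authentication to Keyfactor Command API.
 func (c *CommandAuthConfig) BuildTransport() (*http.Transport, error) {
-output := &http.Transport{
-Proxy: http.ProxyFromEnvironment,
-TLSClientConfig: &tls.Config{
-Renegotiation: tls.RenegotiateOnceAsClient,
-},
-TLSHandshakeTimeout: 10 * time.Second,
-}
-if c.SkipVerify {
-output.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+var output *http.Transport
+if c.HttpClient == nil {
+c.SetClient(nil)
 }
-
-// Load the system certs
-if c.CommandCACert != "" {
-rootCAs, pErr := x509.SystemCertPool()
-if pErr != nil {
-return nil, pErr
-}
-if rootCAs == nil {
-rootCAs = x509.NewCertPool()
-}
-
-// check if CommandCACert is a file
-if _, err := os.Stat(c.CommandCACert); err == nil {
-cert, ioErr := os.ReadFile(c.CommandCACert)
-if ioErr != nil {
-return nil, ioErr
-}
-// Append your custom cert to the pool
-if ok := rootCAs.AppendCertsFromPEM(cert); !ok {
-return nil, fmt.Errorf("failed to append custom CA cert to pool")
-}
+// check if c already has a transport and if it does, assign it to output else create a new transport
+if c.HttpClient.Transport != nil {
+if transport, ok := c.HttpClient.Transport.(*http.Transport); ok {
+output = transport
 } else {
-// Append your custom cert to the pool
-if ok := rootCAs.AppendCertsFromPEM([]byte(c.CommandCACert)); !ok {
-return nil, fmt.Errorf("failed to append custom CA cert to pool")
+output = &http.Transport{
+TLSClientConfig: &tls.Config{},
 }
 }
+} else {
+output = &http.Transport{
+Proxy: http.ProxyFromEnvironment,
+TLSClientConfig: &tls.Config{
+Renegotiation: tls.RenegotiateOnceAsClient,
+},
+TLSHandshakeTimeout: 10 * time.Second,
+}
+}
+
+if c.SkipVerify {
+output.TLSClientConfig.InsecureSkipVerify = true
+}
 
-output.TLSClientConfig.RootCAs = rootCAs
+if c.CommandCACert != "" {
+_ = c.updateCACerts()
 }
+
 return output, nil
 }
 
@@ -343,7 +343,7 @@ func (c *CommandAuthConfig) SetClient(client *http.Client) *http.Client {
 c.HttpClient = client
 }
 if c.HttpClient == nil {
-c.HttpClient = &http.Client{}
+c.HttpClient = http.DefaultClient
 }
 return c.HttpClient
 }
@@ -389,20 +389,37 @@ func (c *CommandAuthConfig) updateCACerts() error {
 }
 }
 
-// Trust the augmented cert pool in our Client
-c.HttpClient.Transport = &http.Transport{
-TLSClientConfig: &tls.Config{
-RootCAs: rootCAs,
-},
+//check if c already has a transport and if it does, update the RootCAs else create a new transport
+if c.HttpClient.Transport != nil {
+if transport, ok := c.HttpClient.Transport.(*http.Transport); ok {
+transport.TLSClientConfig.RootCAs = rootCAs
+} else {
+c.HttpClient.Transport = &http.Transport{
+TLSClientConfig: &tls.Config{
+RootCAs: rootCAs,
+},
+}
+}
+} else {
+c.HttpClient.Transport = &http.Transport{
+TLSClientConfig: &tls.Config{
+RootCAs: rootCAs,
+},
+}
 }
 
+// Trust the augmented cert pool in our Client
+//c.HttpClient.Transport = &http.Transport{
+// TLSClientConfig: &tls.Config{
+// RootCAs: rootCAs,
+// },
+//}
+
 return nil
 }
 
 // Authenticate performs the authentication test to Keyfactor Command API and sets Command product version.
 func (c *CommandAuthConfig) Authenticate() error {
-// call /Status/Endpoints API to validate credentials
-c.SetClient(nil)
 
 //create headers for request
 headers := map[string]string{
@@ -428,6 +445,7 @@ func (c *CommandAuthConfig) Authenticate() error {
 if rErr != nil {
 return rErr
 }
+
 // Set headers from the map
 for key, value := range headers {
 req.Header.Set(key, value)
@@ -615,29 +633,45 @@ func (c *CommandAuthConfig) LoadConfig(profile string, configFilePath string, si
 
 c.FileConfig = &server
 
-if !silentLoad {
+if c.CommandHostName == "" {
 c.CommandHostName = server.Host
+}
+if c.CommandPort <= 0 {
 c.CommandPort = server.Port
+}
+if c.CommandAPIPath == "" {
 c.CommandAPIPath = server.APIPath
+}
+if c.CommandCACert == "" {
 c.CommandCACert = server.CACertPath
+}
+if c.SkipVerify {
 c.SkipVerify = server.SkipTLSVerify
-} else {
-if c.CommandHostName == "" {
-c.CommandHostName = server.Host
-}
-if c.CommandPort <= 0 {
-c.CommandPort = server.Port
-}
-if c.CommandAPIPath == "" {
-c.CommandAPIPath = server.APIPath
-}
-if c.CommandCACert == "" {
-c.CommandCACert = server.CACertPath
-}
-if c.SkipVerify {
-c.SkipVerify = server.SkipTLSVerify
-}
 }
+
+//if !silentLoad {
+// c.CommandHostName = server.Host
+// c.CommandPort = server.Port
+// c.CommandAPIPath = server.APIPath
+// c.CommandCACert = server.CACertPath
+// c.SkipVerify = server.SkipTLSVerify
+//} else {
+// if c.CommandHostName == "" {
+// c.CommandHostName = server.Host
+// }
+// if c.CommandPort <= 0 {
+// c.CommandPort = server.Port
+// }
+// if c.CommandAPIPath == "" {
+// c.CommandAPIPath = server.APIPath
+// }
+// if c.CommandCACert == "" {
+// c.CommandCACert = server.CACertPath
+// }
+// if c.SkipVerify {
+// c.SkipVerify = server.SkipTLSVerify
+// }
+//}
 return &server, nil
 }
 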
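Review bot: The transport BuildTransport returns never carries the configured CA when the client had no transport yet: `output` (new line 320) is a fresh transport that is not attached to `c.HttpClient`, while `updateCACerts` (new lines 403-408) installs `RootCAs` on a different transport that it assigns to `c.HttpClient.Transport`, and its error is discarded by `_ = c.updateCACerts()`, so an unreadable CaCertFilePath silently yields a transport without the intended trust anchor. Because `SetClient(nil)` now hands out `http.DefaultClient`, that assignment, and the `InsecureSkipVerify = true` written onto a transport the client already owns, mutate the process-wide default client rather than this config's client; keeping a per-config `&http.Client{}` avoids that. Both `output.TLSClientConfig.InsecureSkipVerify = true` and `transport.TLSClientConfig.RootCAs = rootCAs` dereference `TLSClientConfig` without a nil check, which panics for a caller-supplied `*http.Transport` whose TLSClientConfig is nil. The early `return nil` added to ValidateAuthConfig (new line 279) also skips the `EnvKeyfactorSkipVerify` lookup that follows it, so that environment override is only honoured when a CA is configured. The tail of BuildTransport would become the following, guarding the nil config, attaching `output` before the CA update and propagating its error; the start of `updateCACerts` lies outside the hunk.
```go
func (c *CommandAuthConfig) BuildTransport() (*http.Transport, error) {
	// … unchanged: client creation and transport selection into output …
	if output.TLSClientConfig == nil {
		output.TLSClientConfig = &tls.Config{}
	}
	if c.SkipVerify {
		output.TLSClientConfig.InsecureSkipVerify = true
	}
	// Attach first so updateCACerts installs RootCAs on the transport we return.
	c.HttpClient.Transport = output
	if c.CommandCACert != "" {
		if err := c.updateCACerts(); err != nil {
			return nil, err
		}
	}
	return output, nil
}
```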
