
Commit 4ebde7b

authored
feat: Improved TLS configuration (#570)
This adds specialized features to choose between tls roots and tls pki roots. Refer to the cargo toml features.
1 parent da2dddf commit 4ebde7b


2 files changed

+22
-10
lines changed


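--- a/Cargo.toml
+++ b/Cargo.toml
@@ -16,7 +16,7 @@ include = [
 ]
 
 [features]
-default = []
+default = ["tls-roots"]
 
 ## Feature that enables support for the [actix framework](https://actix.rs/).
 actix = ["credentials", "oidc", "dep:actix-web"]
@@ -53,6 +53,9 @@ api-settings-v2 = ["api-common", "zitadel-settings-v2" ]
 api-user-v2 = ["api-common", "zitadel-user-v2" ]
 api-common = ["dep:prost", "dep:prost-types", "dep:tonic", "dep:tonic-types", "dep:pbjson-types" ]
 
+tls-roots = ["tonic/tls-roots"]
+tls-webpki-roots = ["tonic/tls-webpki-roots"]
+
 
 ## Feature that enables support for the [axum framework](https://docs.rs/axum/latest/axum/).
 axum = ["credentials", "oidc", "dep:axum", "dep:axum-extra"]
@@ -87,7 +90,7 @@ rocket = ["credentials", "oidc", "dep:rocket"]
 # @@protoc_deletion_point(features)
 # This section is automatically generated by protoc-gen-prost-crate.
 # Changes in this area may be lost on regeneration.
-proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-auth-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-event-v1","zitadel-feature-v1","zitadel-feature-v2","zitadel-feature-v2beta","zitadel-idp-v1","zitadel-idp-v2","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-milestone-v1","zitadel-object-v2","zitadel-object-v2beta","zitadel-object-v3alpha","zitadel-oidc-v2","zitadel-oidc-v2beta","zitadel-org-v1","zitadel-org-v2","zitadel-org-v2beta","zitadel-policy-v1","zitadel-project-v1","zitadel-protoc_gen_zitadel-v2","zitadel-quota-v1","zitadel-resources-action-v3alpha","zitadel-resources-object-v3alpha","zitadel-resources-webkey-v3alpha","zitadel-session-v2","zitadel-session-v2beta","zitadel-settings-object-v3alpha","zitadel-settings-v1","zitadel-settings-v2","zitadel-settings-v2beta","zitadel-system-v1","zitadel-text-v1","zitadel-user-schema-v3alpha","zitadel-user-v1","zitadel-user-v2","zitadel-user-v2beta","zitadel-user-v3alpha","zitadel-v1","zitadel-v1-v1"]
+proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-auth-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-event-v1","zitadel-feature-v1","zitadel-feature-v2","zitadel-feature-v2beta","zitadel-idp-v1","zitadel-idp-v2","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-milestone-v1","zitadel-object-v2","zitadel-object-v2beta","zitadel-object-v3alpha","zitadel-oidc-v2","zitadel-oidc-v2beta","zitadel-org-v1","zitadel-org-v2","zitadel-org-v2beta","zitadel-policy-v1","zitadel-project-v1","zitadel-protoc_gen_zitadel-v2","zitadel-quota-v1","zitadel-resources-action-v3alpha","zitadel-resources-object-v3alpha","zitadel-resources-user-v3alpha","zitadel-resources-userschema-v3alpha","zitadel-resources-webkey-v3alpha","zitadel-session-v2","zitadel-session-v2beta","zitadel-settings-object-v3alpha","zitadel-settings-v1","zitadel-settings-v2","zitadel-settings-v2beta","zitadel-system-v1","zitadel-text-v1","zitadel-user-v1","zitadel-user-v2","zitadel-user-v2beta","zitadel-v1","zitadel-v1-v1"]
 "zitadel-action-v1" = ["zitadel-v1"]
 "zitadel-admin-v1" = ["zitadel-event-v1","zitadel-idp-v1","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-milestone-v1","zitadel-org-v1","zitadel-policy-v1","zitadel-settings-v1","zitadel-text-v1","zitadel-v1","zitadel-v1-v1"]
 "zitadel-app-v1" = ["zitadel-v1"]
@@ -119,6 +122,8 @@ proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-a
 "zitadel-quota-v1" = []
 "zitadel-resources-action-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
 "zitadel-resources-object-v3alpha" = ["zitadel-object-v3alpha"]
+"zitadel-resources-user-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-resources-userschema-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
 "zitadel-resources-webkey-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
 "zitadel-session-v2" = ["zitadel-object-v2","zitadel-v1"]
 "zitadel-session-v2beta" = ["zitadel-object-v2beta","zitadel-v1"]
@@ -128,11 +133,9 @@ proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-a
 "zitadel-settings-v2beta" = ["zitadel-object-v2beta"]
 "zitadel-system-v1" = ["zitadel-feature-v1","zitadel-instance-v1","zitadel-member-v1","zitadel-quota-v1","zitadel-v1"]
 "zitadel-text-v1" = ["zitadel-v1"]
-"zitadel-user-schema-v3alpha" = ["zitadel-object-v2"]
 "zitadel-user-v1" = ["zitadel-v1"]
 "zitadel-user-v2" = ["zitadel-object-v2"]
 "zitadel-user-v2beta" = ["zitadel-object-v2beta"]
-"zitadel-user-v3alpha" = ["zitadel-object-v2"]
 "zitadel-v1" = []
 "zitadel-v1-v1" = ["zitadel-authn-v1","zitadel-idp-v1","zitadel-management-v1","zitadel-org-v1","zitadel-v1"]
 # @@protoc_insertion_point(features)
@@ -163,7 +166,6 @@ tokio = { version = "1.37.0", optional = true, features = [
 ] }
 tonic = { version = "0.12.1", features = [
 "tls",
-"tls-roots",
 ], optional = true }
 tonic-types = { version = "0.12.1", optional = true }
 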
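--- a/src/api/clients.rs
+++ b/src/api/clients.rs
@@ -8,6 +8,7 @@ use std::error::Error;
 use custom_error::custom_error;
 use tonic::codegen::{Body, Bytes, InterceptedService, StdError};
 use tonic::service::Interceptor;
+
 use tonic::transport::{Channel, ClientTlsConfig, Endpoint};
 
 #[cfg(feature = "interceptors")]
@@ -284,19 +285,28 @@ where
 }
 
 async fn get_channel(api_endpoint: &str) -> Result<Channel, ClientError> {
+let mut tls_config = ClientTlsConfig::default().assume_http2(true);
+
+#[cfg(feature = "tls-roots")]
+{
+tls_config = tls_config.with_native_roots();
+}
+
+#[cfg(feature = "tls-webpki-roots")]
+{
+tls_config = tls_config.with_enabled_roots();
+}
+
 Endpoint::from_shared(api_endpoint.to_string())
 .map_err(|_| ClientError::InvalidUrl)?
-.tls_config(
-ClientTlsConfig::default()
-.assume_http2(true)
-.with_native_roots(),
-)
+.tls_config(tls_config)
 .map_err(|_| ClientError::TlsInitializationError)?
 .connect()
 .await
 .map_err(|_| ClientError::ConnectionError)
 }
 
+
 #[cfg(test)]
 mod tests {
 use super::*;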
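Review bot: When neither `tls-roots` nor `tls-webpki-roots` is enabled (a consumer sets `default-features = false` and does not opt in), `get_channel` in the second hunk still applies a `ClientTlsConfig` with no trusted roots, so every connection fails at certificate verification and surfaces only as the opaque `ClientError::ConnectionError` at runtime; the misconfiguration should be caught at build time with `#[cfg(not(any(feature = "tls-roots", feature = "tls-webpki-roots")))]` followed by `compile_error!("enable the tls-roots or tls-webpki-roots feature so the client has a trusted root set");` placed next to the function. The two blocks are also asymmetric: the first calls `with_native_roots()` while the second calls `with_enabled_roots()`, which, if I read tonic correctly, enables every root source tonic itself was built with, so with both features on the native block is redundant and the "choose between" intent in the commit message is not actually enforced; calling the webpki-specific builder there, if tonic exposes one, would make each block do only what its feature name says. The stray blank line added between the `use tonic::service::Interceptor;` and `use tonic::transport::…` imports in the first hunk splits an otherwise contiguous `use tonic::` group and looks unintended.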
