Add support for specifying root CA or ignoring SSL verification for keystone server

dhague · dhague · commit 7d1b4764b1ac · 2016-05-24T11:22:41.000+01:00
diff --git a/pkg/api/keystone/keystone_requests.go b/pkg/api/keystone/keystone_requests.go
@@ -2,9 +2,15 @@ package keystone
 
 import (
 	"bytes"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
+	"io/ioutil"
 	"net/http"
+
+	"github.com/grafana/grafana/pkg/log"
+	"github.com/grafana/grafana/pkg/setting"
 )
 
 ///////////////////////
@@ -166,8 +172,7 @@ func authenticate(data *Auth_data, b []byte) error {
 		return err
 	}
 
-	client := &http.Client{}
-	resp, err := client.Do(request)
+	resp, err := GetHttpClient().Do(request)
 	if err != nil {
 		return err
 	} else if resp.StatusCode != 201 {
@@ -203,8 +208,7 @@ func GetProjects(data *Projects_data) error {
 	}
 	request.Header.Add("X-Auth-Token", data.Token)
 
-	client := &http.Client{}
-	resp, err := client.Do(request)
+	resp, err := GetHttpClient().Do(request)
 	if err != nil {
 		return err
 	} else if resp.StatusCode != 200 {
@@ -224,3 +228,35 @@ func GetProjects(data *Projects_data) error {
 	}
 	return nil
 }
+
+// From https://golang.org/pkg/net/http:
+// "Clients and Transports are safe for concurrent use by multiple goroutines and for efficiency should only be created once and re-used."
+var client *http.Client
+
+func GetHttpClient() *http.Client {
+	if client != nil {
+		return client
+	} else {
+		var certPool *x509.CertPool
+		if pemfile := setting.KeystoneRootCAPEMFile; pemfile != "" {
+			certPool = x509.NewCertPool()
+			pemFileContent, err := ioutil.ReadFile(pemfile)
+			if err != nil {
+				panic(err)
+			}
+			if !certPool.AppendCertsFromPEM(pemFileContent) {
+				log.Error(3, "Failed to load any certificates from Root CA PEM file %s", pemfile)
+			} else {
+				log.Info("Successfully loaded certificate(s) from %s", pemfile)
+			}
+		}
+		tr := &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: certPool,
+				InsecureSkipVerify: !setting.KeystoneVerifySSLCert},
+		}
+		tr.Proxy = http.ProxyFromEnvironment
+
+		client = &http.Client{Transport: tr}
+		return client
+	}
+}
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
@@ -135,6 +135,8 @@ var (
 	KeystoneEditorRoles      []string
 	KeystoneAdminRoles       []string
 	KeystoneGlobalAdminRoles []string
+  KeystoneVerifySSLCert    bool
+  KeystoneRootCAPEMFile    []string
 
 	// SMTP email settings
 	Smtp SmtpSettings
@@ -487,6 +489,9 @@ func NewConfigContext(args *CommandLineArgs) error {
 	KeystoneAdminRoles = strings.Split(keystone.Key("admin_roles").String(), ",")
 	KeystoneGlobalAdminRoles = strings.Split(keystone.Key("global_admin_roles").String(), ",")
 
+	KeystoneVerifySSLCert = keystone.Key("verify_ssl_cert").MustBool(true)
+	KeystoneRootCAPEMFile = keystone.Key("root_ca_pem_file").String()
+
 	readSessionConfig()
 	readSmtpSettings()
 	readQuotaSettings()
