Merge pull request #27 from smallstep/mariano/renew-pool

SDK should update certificate pools safely
This commit is contained in:
Mariano Cano 2019-02-06 16:56:38 -08:00 committed by GitHub
commit 262a9d0978
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 415 additions and 126 deletions

View file

@ -2,6 +2,8 @@ package ca
import ( import (
"context" "context"
"crypto/tls"
"net"
"net/http" "net/http"
"strings" "strings"
@ -145,3 +147,54 @@ func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*
Transport: transport, Transport: transport,
}, nil }, nil
} }
// BootstrapListener is a helper function that using the given token returns a
// TLS listener which accepts connections from an inner listener and wraps each
// connection with Server.
//
// Without any extra option the server will be configured for mTLS, it will
// require and verify clients certificates, but options can be used to drop this
// requirement, the most common will be only verify the certs if given with
// ca.VerifyClientCertIfGiven(), or add extra CAs with
// ca.AddClientCA(*x509.Certificate).
//
// Usage:
// inner, err := net.Listen("tcp", ":443")
// if err != nil {
// return nil
// }
// ctx, cancel := context.WithCancel(context.Background())
// defer cancel()
// lis, err := ca.BootstrapListener(ctx, token, inner)
// if err != nil {
// return err
// }
// srv := grpc.NewServer()
// ... // register services
// srv.Serve(lis)
func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {
client, err := Bootstrap(token)
if err != nil {
return nil, err
}
req, pk, err := CreateSignRequest(token)
if err != nil {
return nil, err
}
sign, err := client.Sign(req)
if err != nil {
return nil, err
}
// Make sure the tlsConfig have all supported roots on ClientCAs and RootCAs
options = append(options, AddRootsToCAs())
tlsConfig, err := client.GetServerTLSConfig(ctx, sign, pk, options...)
if err != nil {
return nil, err
}
return tls.NewListener(inner, tlsConfig), nil
}

View file

@ -8,13 +8,13 @@ import (
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"reflect" "reflect"
"sync"
"testing" "testing"
"time" "time"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
"github.com/smallstep/certificates/authority" "github.com/smallstep/certificates/authority"
"github.com/smallstep/cli/crypto/randutil" "github.com/smallstep/cli/crypto/randutil"
stepJOSE "github.com/smallstep/cli/jose" stepJOSE "github.com/smallstep/cli/jose"
jose "gopkg.in/square/go-jose.v2" jose "gopkg.in/square/go-jose.v2"
@ -365,6 +365,7 @@ func TestBootstrapClientServerRotation(t *testing.T) {
// doTest does a request that requires mTLS // doTest does a request that requires mTLS
doTest := func(client *http.Client) error { doTest := func(client *http.Client) error {
time.Sleep(1 * time.Second)
// test with ca // test with ca
resp, err := client.Post(caURL+"/renew", "application/json", http.NoBody) resp, err := client.Post(caURL+"/renew", "application/json", http.NoBody)
if err != nil { if err != nil {
@ -532,3 +533,70 @@ func doReload(ca *CA) error {
newCA.srv.Addr = ca.srv.Addr newCA.srv.Addr = ca.srv.Addr
return ca.srv.Reload(newCA.srv) return ca.srv.Reload(newCA.srv)
} }
func TestBootstrapListener(t *testing.T) {
srv := startCABootstrapServer()
defer srv.Close()
token := func() string {
return generateBootstrapToken(srv.URL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
}
type args struct {
token string
}
tests := []struct {
name string
args args
wantErr bool
}{
{"ok", args{token()}, false},
{"fail", args{"bad-token"}, true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
inner := newLocalListener()
defer inner.Close()
lis, err := BootstrapListener(context.Background(), tt.args.token, inner)
if (err != nil) != tt.wantErr {
t.Errorf("BootstrapListener() error = %v, wantErr %v", err, tt.wantErr)
return
}
if tt.wantErr {
if lis != nil {
t.Errorf("BootstrapListener() = %v, want nil", lis)
}
return
}
wg := new(sync.WaitGroup)
go func() {
wg.Add(1)
http.Serve(lis, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("ok"))
}))
wg.Done()
}()
defer wg.Wait()
defer lis.Close()
client, err := BootstrapClient(context.Background(), token())
if err != nil {
t.Errorf("BootstrapClient() error = %v", err)
return
}
resp, err := client.Get("https://" + lis.Addr().String())
if err != nil {
t.Errorf("client.Get() error = %v", err)
return
}
defer resp.Body.Close()
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Errorf("ioutil.ReadAll() error = %v", err)
return
}
if string(b) != "ok" {
t.Errorf("client.Get() = %s, want ok", string(b))
return
}
})
}
}

View file

@ -12,7 +12,6 @@ import (
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/hex" "encoding/hex"
"encoding/json" "encoding/json"
"encoding/pem"
"io" "io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -117,16 +116,10 @@ func getTransportFromFile(filename string) (http.RoundTripper, error) {
if err != nil { if err != nil {
return nil, errors.Wrapf(err, "error reading %s", filename) return nil, errors.Wrapf(err, "error reading %s", filename)
} }
block, _ := pem.Decode(data)
if block == nil {
return nil, errors.Errorf("error decoding %s", filename)
}
root, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, errors.Wrapf(err, "error parsing %s", filename)
}
pool := x509.NewCertPool() pool := x509.NewCertPool()
pool.AddCert(root) if !pool.AppendCertsFromPEM(data) {
return nil, errors.Errorf("error parsing %s: no certificates found", filename)
}
return getDefaultTransport(&tls.Config{ return getDefaultTransport(&tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true, PreferServerCipherSuites: true,

109
ca/mutable_tls_config.go Normal file
View file

@ -0,0 +1,109 @@
package ca
import (
"crypto/tls"
"crypto/x509"
"sync"
"github.com/smallstep/certificates/api"
)
// mutableTLSConfig allows to use a tls.Config with mutable cert pools.
type mutableTLSConfig struct {
sync.RWMutex
config *tls.Config
clientCerts []*x509.Certificate
rootCerts []*x509.Certificate
mutClientCerts []*x509.Certificate
mutRootCerts []*x509.Certificate
}
// newMutableTLSConfig creates a new mutableTLSConfig that will be later
// initialized with a tls.Config.
func newMutableTLSConfig() *mutableTLSConfig {
return &mutableTLSConfig{
clientCerts: []*x509.Certificate{},
rootCerts: []*x509.Certificate{},
mutClientCerts: []*x509.Certificate{},
mutRootCerts: []*x509.Certificate{},
}
}
// Init initializes the mutable tls.Config with the given tls.Config.
func (c *mutableTLSConfig) Init(base *tls.Config) {
c.Lock()
c.config = base.Clone()
c.Unlock()
}
// TLSConfig returns the updated tls.Config it it has changed. It's used in the
// tls.Config GetConfigForClient.
func (c *mutableTLSConfig) TLSConfig() (config *tls.Config) {
c.RLock()
config = c.config
c.RUnlock()
return
}
// Reload reloads the tls.Config with the new CAs.
func (c *mutableTLSConfig) Reload() {
// Prepare new pools
c.RLock()
rootCAs := x509.NewCertPool()
clientCAs := x509.NewCertPool()
// Fixed certs
for _, cert := range c.rootCerts {
rootCAs.AddCert(cert)
}
for _, cert := range c.clientCerts {
clientCAs.AddCert(cert)
}
// Mutable certs
for _, cert := range c.mutRootCerts {
rootCAs.AddCert(cert)
}
for _, cert := range c.mutClientCerts {
clientCAs.AddCert(cert)
}
c.RUnlock()
// Set new pool
c.Lock()
c.config.RootCAs = rootCAs
c.config.ClientCAs = clientCAs
c.mutRootCerts = []*x509.Certificate{}
c.mutClientCerts = []*x509.Certificate{}
c.Unlock()
}
// AddImmutableClientCACert add an immutable cert to ClientCAs.
func (c *mutableTLSConfig) AddImmutableClientCACert(cert *x509.Certificate) {
c.Lock()
c.clientCerts = append(c.clientCerts, cert)
c.Unlock()
}
// AddImmutableRootCACert add an immutable cert to RootCas.
func (c *mutableTLSConfig) AddImmutableRootCACert(cert *x509.Certificate) {
c.Lock()
c.rootCerts = append(c.rootCerts, cert)
c.Unlock()
}
// AddClientCAs add mutable certs to ClientCAs.
func (c *mutableTLSConfig) AddClientCAs(certs []api.Certificate) {
c.Lock()
for _, cert := range certs {
c.mutClientCerts = append(c.mutClientCerts, cert.Certificate)
}
c.Unlock()
}
// AddRootCAs add mutable certs to RootCAs.
func (c *mutableTLSConfig) AddRootCAs(certs []api.Certificate) {
c.Lock()
for _, cert := range certs {
c.mutRootCerts = append(c.mutRootCerts, cert.Certificate)
}
c.Unlock()
}

View file

@ -21,13 +21,21 @@ import (
// sign certificate, and a new certificate pool with the sign root certificate. // sign certificate, and a new certificate pool with the sign root certificate.
// The client certificate will automatically rotate before expiring. // The client certificate will automatically rotate before expiring.
func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error) { func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*tls.Config, error) {
cert, err := TLSCertificate(sign, pk) tlsConfig, _, err := c.getClientTLSConfig(ctx, sign, pk, options)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return tlsConfig, nil
}
func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options []TLSOption) (*tls.Config, *http.Transport, error) {
cert, err := TLSCertificate(sign, pk)
if err != nil {
return nil, nil, err
}
renewer, err := NewTLSRenewer(cert, nil) renewer, err := NewTLSRenewer(cert, nil)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
tlsConfig := getDefaultTLSConfig(sign) tlsConfig := getDefaultTLSConfig(sign)
@ -35,22 +43,20 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate() // Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
tlsConfig.GetClientCertificate = renewer.GetClientCertificate tlsConfig.GetClientCertificate = renewer.GetClientCertificate
tlsConfig.PreferServerCipherSuites = true tlsConfig.PreferServerCipherSuites = true
// Build RootCAs with given root certificate
if pool := getCertPool(sign); pool != nil {
tlsConfig.RootCAs = pool
}
// Apply options if given // Apply options and initialize mutable tls.Config
tlsCtx := newTLSOptionCtx(c, tlsConfig) tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
if err := tlsCtx.apply(options); err != nil { if err := tlsCtx.apply(options); err != nil {
return nil, err return nil, nil, err
} }
// Update renew function with transport // Update renew function with transport
tr, err := getDefaultTransport(tlsConfig) tr, err := getDefaultTransport(tlsConfig)
if err != nil { if err != nil {
return nil, err return nil, nil, err
} }
// Use mutable tls.Config on renew
tr.DialTLS = c.buildDialTLS(tlsCtx)
renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk)
// Update client transport // Update client transport
@ -58,7 +64,7 @@ func (c *Client) GetClientTLSConfig(ctx context.Context, sign *api.SignResponse,
// Start renewer // Start renewer
renewer.RunContext(ctx) renewer.RunContext(ctx)
return tlsConfig, nil return tlsConfig, tr, nil
} }
// GetServerTLSConfig returns a tls.Config for server use configured with the // GetServerTLSConfig returns a tls.Config for server use configured with the
@ -82,25 +88,26 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
tlsConfig.GetCertificate = renewer.GetCertificate tlsConfig.GetCertificate = renewer.GetCertificate
tlsConfig.GetClientCertificate = renewer.GetClientCertificate tlsConfig.GetClientCertificate = renewer.GetClientCertificate
tlsConfig.PreferServerCipherSuites = true tlsConfig.PreferServerCipherSuites = true
// Build RootCAs with given root certificate
if pool := getCertPool(sign); pool != nil {
tlsConfig.ClientCAs = pool
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
// Add RootCAs for refresh client
tlsConfig.RootCAs = pool
}
// Apply options if given // Apply options and initialize mutable tls.Config
tlsCtx := newTLSOptionCtx(c, tlsConfig) tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
if err := tlsCtx.apply(options); err != nil { if err := tlsCtx.apply(options); err != nil {
return nil, err return nil, err
} }
// GetConfigForClient allows seamless root and federated roots rotation.
// If the return of the callback is not-nil, it will use the returned
// tls.Config instead of the default one.
tlsConfig.GetConfigForClient = c.buildGetConfigForClient(tlsCtx)
// Update renew function with transport // Update renew function with transport
tr, err := getDefaultTransport(tlsConfig) tr, err := getDefaultTransport(tlsConfig)
if err != nil { if err != nil {
return nil, err return nil, err
} }
// Use mutable tls.Config on renew
tr.DialTLS = c.buildDialTLS(tlsCtx)
renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk)
// Update client transport // Update client transport
@ -113,17 +120,40 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
// Transport returns an http.Transport configured to use the client certificate from the sign response. // Transport returns an http.Transport configured to use the client certificate from the sign response.
func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error) { func (c *Client) Transport(ctx context.Context, sign *api.SignResponse, pk crypto.PrivateKey, options ...TLSOption) (*http.Transport, error) {
tlsConfig, err := c.GetClientTLSConfig(ctx, sign, pk, options...) _, tr, err := c.getClientTLSConfig(ctx, sign, pk, options)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return getDefaultTransport(tlsConfig) return tr, nil
}
// buildGetConfigForClient returns an implementation of GetConfigForClient
// callback in tls.Config.
//
// If the implementation returns a nil tls.Config, the original Config will be
// used, but if it's non-nil, the returned Config will be used to handle this
// connection.
func (c *Client) buildGetConfigForClient(ctx *TLSOptionCtx) func(*tls.ClientHelloInfo) (*tls.Config, error) {
return func(*tls.ClientHelloInfo) (*tls.Config, error) {
return ctx.mutableConfig.TLSConfig(), nil
}
}
// buildDialTLS returns an implementation of DialTLS callback in http.Transport.
func (c *Client) buildDialTLS(ctx *TLSOptionCtx) func(network, addr string) (net.Conn, error) {
return func(network, addr string) (net.Conn, error) {
return tls.DialWithDialer(&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}, network, addr, ctx.mutableConfig.TLSConfig())
}
} }
// Certificate returns the server or client certificate from the sign response. // Certificate returns the server or client certificate from the sign response.
func Certificate(sign *api.SignResponse) (*x509.Certificate, error) { func Certificate(sign *api.SignResponse) (*x509.Certificate, error) {
if sign.ServerPEM.Certificate == nil { if sign.ServerPEM.Certificate == nil {
return nil, errors.New("ca: certificate does not exists") return nil, errors.New("ca: certificate does not exist")
} }
return sign.ServerPEM.Certificate, nil return sign.ServerPEM.Certificate, nil
} }
@ -132,19 +162,19 @@ func Certificate(sign *api.SignResponse) (*x509.Certificate, error) {
// response. // response.
func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error) { func IntermediateCertificate(sign *api.SignResponse) (*x509.Certificate, error) {
if sign.CaPEM.Certificate == nil { if sign.CaPEM.Certificate == nil {
return nil, errors.New("ca: certificate does not exists") return nil, errors.New("ca: certificate does not exist")
} }
return sign.CaPEM.Certificate, nil return sign.CaPEM.Certificate, nil
} }
// RootCertificate returns the root certificate from the sign response. // RootCertificate returns the root certificate from the sign response.
func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error) { func RootCertificate(sign *api.SignResponse) (*x509.Certificate, error) {
if sign.TLS == nil || len(sign.TLS.VerifiedChains) == 0 { if sign == nil || sign.TLS == nil || len(sign.TLS.VerifiedChains) == 0 {
return nil, errors.New("ca: certificate does not exists") return nil, errors.New("ca: certificate does not exist")
} }
lastChain := sign.TLS.VerifiedChains[len(sign.TLS.VerifiedChains)-1] lastChain := sign.TLS.VerifiedChains[len(sign.TLS.VerifiedChains)-1]
if len(lastChain) == 0 { if len(lastChain) == 0 {
return nil, errors.New("ca: certificate does not exists") return nil, errors.New("ca: certificate does not exist")
} }
return lastChain[len(lastChain)-1], nil return lastChain[len(lastChain)-1], nil
} }
@ -178,17 +208,6 @@ func TLSCertificate(sign *api.SignResponse, pk crypto.PrivateKey) (*tls.Certific
return &cert, nil return &cert, nil
} }
// getCertPool returns the transport x509.CertPool or the one from the sign
// request.
func getCertPool(sign *api.SignResponse) *x509.CertPool {
if root, err := RootCertificate(sign); err == nil {
pool := x509.NewCertPool()
pool.AddCert(root)
return pool
}
return nil
}
func getDefaultTLSConfig(sign *api.SignResponse) *tls.Config { func getDefaultTLSConfig(sign *api.SignResponse) *tls.Config {
if sign.TLSOptions != nil { if sign.TLSOptions != nil {
return sign.TLSOptions.TLSConfig() return sign.TLSOptions.TLSConfig()

View file

@ -3,6 +3,8 @@ package ca
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"github.com/smallstep/certificates/api"
) )
// TLSOption defines the type of a function that modifies a tls.Config. // TLSOption defines the type of a function that modifies a tls.Config.
@ -12,14 +14,20 @@ type TLSOption func(ctx *TLSOptionCtx) error
type TLSOptionCtx struct { type TLSOptionCtx struct {
Client *Client Client *Client
Config *tls.Config Config *tls.Config
Sign *api.SignResponse
OnRenewFunc []TLSOption OnRenewFunc []TLSOption
mutableConfig *mutableTLSConfig
hasRootCA bool
hasClientCA bool
} }
// newTLSOptionCtx creates the TLSOption context. // newTLSOptionCtx creates the TLSOption context.
func newTLSOptionCtx(c *Client, config *tls.Config) *TLSOptionCtx { func newTLSOptionCtx(c *Client, config *tls.Config, sign *api.SignResponse) *TLSOptionCtx {
return &TLSOptionCtx{ return &TLSOptionCtx{
Client: c, Client: c,
Config: config, Config: config,
Sign: sign,
mutableConfig: newMutableTLSConfig(),
} }
} }
@ -29,6 +37,44 @@ func (ctx *TLSOptionCtx) apply(options []TLSOption) error {
return err return err
} }
} }
// Initialize mutable config with the fully configured tls.Config
ctx.mutableConfig.Init(ctx.Config)
// Build RootCAs and ClientCAs with given root certificate if necessary
if root, err := RootCertificate(ctx.Sign); err == nil {
if !ctx.hasRootCA {
if ctx.Config.RootCAs == nil {
ctx.Config.RootCAs = x509.NewCertPool()
}
ctx.Config.RootCAs.AddCert(root)
ctx.mutableConfig.AddImmutableRootCACert(root)
}
if !ctx.hasClientCA && ctx.Config.ClientAuth != tls.NoClientCert {
if ctx.Config.ClientCAs == nil {
ctx.Config.ClientCAs = x509.NewCertPool()
}
ctx.Config.ClientCAs.AddCert(root)
ctx.mutableConfig.AddImmutableClientCACert(root)
}
}
// Update tls.Config with mutable data
if ctx.Config.RootCAs == nil && len(ctx.mutableConfig.mutRootCerts) > 0 {
ctx.Config.RootCAs = x509.NewCertPool()
}
if ctx.Config.ClientCAs == nil && len(ctx.mutableConfig.mutClientCerts) > 0 {
ctx.Config.ClientCAs = x509.NewCertPool()
}
// Add mutable certificates
for _, cert := range ctx.mutableConfig.mutRootCerts {
ctx.Config.RootCAs.AddCert(cert)
}
for _, cert := range ctx.mutableConfig.mutClientCerts {
ctx.Config.ClientCAs.AddCert(cert)
}
ctx.mutableConfig.Reload()
return nil return nil
} }
@ -38,6 +84,8 @@ func (ctx *TLSOptionCtx) applyRenew() error {
return err return err
} }
} }
// Reload mutable config with the changes
ctx.mutableConfig.Reload()
return nil return nil
} }
@ -68,6 +116,7 @@ func AddRootCA(cert *x509.Certificate) TLSOption {
ctx.Config.RootCAs = x509.NewCertPool() ctx.Config.RootCAs = x509.NewCertPool()
} }
ctx.Config.RootCAs.AddCert(cert) ctx.Config.RootCAs.AddCert(cert)
ctx.mutableConfig.AddImmutableRootCACert(cert)
return nil return nil
} }
} }
@ -81,6 +130,7 @@ func AddClientCA(cert *x509.Certificate) TLSOption {
ctx.Config.ClientCAs = x509.NewCertPool() ctx.Config.ClientCAs = x509.NewCertPool()
} }
ctx.Config.ClientCAs.AddCert(cert) ctx.Config.ClientCAs.AddCert(cert)
ctx.mutableConfig.AddImmutableClientCACert(cert)
return nil return nil
} }
} }
@ -91,17 +141,14 @@ func AddClientCA(cert *x509.Certificate) TLSOption {
// //
// BootstrapServer and BootstrapClient methods include this option by default. // BootstrapServer and BootstrapClient methods include this option by default.
func AddRootsToRootCAs() TLSOption { func AddRootsToRootCAs() TLSOption {
// var once sync.Once
fn := func(ctx *TLSOptionCtx) error { fn := func(ctx *TLSOptionCtx) error {
certs, err := ctx.Client.Roots() certs, err := ctx.Client.Roots()
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.RootCAs == nil { ctx.hasRootCA = true
ctx.Config.RootCAs = x509.NewCertPool() ctx.mutableConfig.AddRootCAs(certs.Certificates)
}
for _, cert := range certs.Certificates {
ctx.Config.RootCAs.AddCert(cert.Certificate)
}
return nil return nil
} }
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -117,17 +164,14 @@ func AddRootsToRootCAs() TLSOption {
// //
// BootstrapServer method includes this option by default. // BootstrapServer method includes this option by default.
func AddRootsToClientCAs() TLSOption { func AddRootsToClientCAs() TLSOption {
// var once sync.Once
fn := func(ctx *TLSOptionCtx) error { fn := func(ctx *TLSOptionCtx) error {
certs, err := ctx.Client.Roots() certs, err := ctx.Client.Roots()
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.ClientCAs == nil { ctx.hasClientCA = true
ctx.Config.ClientCAs = x509.NewCertPool() ctx.mutableConfig.AddClientCAs(certs.Certificates)
}
for _, cert := range certs.Certificates {
ctx.Config.ClientCAs.AddCert(cert.Certificate)
}
return nil return nil
} }
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -145,12 +189,7 @@ func AddFederationToRootCAs() TLSOption {
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.RootCAs == nil { ctx.mutableConfig.AddRootCAs(certs.Certificates)
ctx.Config.RootCAs = x509.NewCertPool()
}
for _, cert := range certs.Certificates {
ctx.Config.RootCAs.AddCert(cert.Certificate)
}
return nil return nil
} }
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -169,12 +208,7 @@ func AddFederationToClientCAs() TLSOption {
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.ClientCAs == nil { ctx.mutableConfig.AddClientCAs(certs.Certificates)
ctx.Config.ClientCAs = x509.NewCertPool()
}
for _, cert := range certs.Certificates {
ctx.Config.ClientCAs.AddCert(cert.Certificate)
}
return nil return nil
} }
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -192,16 +226,10 @@ func AddRootsToCAs() TLSOption {
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.ClientCAs == nil { ctx.hasRootCA = true
ctx.Config.ClientCAs = x509.NewCertPool() ctx.hasClientCA = true
} ctx.mutableConfig.AddRootCAs(certs.Certificates)
if ctx.Config.RootCAs == nil { ctx.mutableConfig.AddClientCAs(certs.Certificates)
ctx.Config.RootCAs = x509.NewCertPool()
}
for _, cert := range certs.Certificates {
ctx.Config.ClientCAs.AddCert(cert.Certificate)
ctx.Config.RootCAs.AddCert(cert.Certificate)
}
return nil return nil
} }
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -219,15 +247,20 @@ func AddFederationToCAs() TLSOption {
if err != nil { if err != nil {
return err return err
} }
if ctx.Config.ClientCAs == nil { if ctx.mutableConfig == nil {
ctx.Config.ClientCAs = x509.NewCertPool()
}
if ctx.Config.RootCAs == nil { if ctx.Config.RootCAs == nil {
ctx.Config.RootCAs = x509.NewCertPool() ctx.Config.RootCAs = x509.NewCertPool()
} }
if ctx.Config.ClientCAs == nil {
ctx.Config.ClientCAs = x509.NewCertPool()
}
for _, cert := range certs.Certificates { for _, cert := range certs.Certificates {
ctx.Config.ClientCAs.AddCert(cert.Certificate)
ctx.Config.RootCAs.AddCert(cert.Certificate) ctx.Config.RootCAs.AddCert(cert.Certificate)
ctx.Config.ClientCAs.AddCert(cert.Certificate)
}
} else {
ctx.mutableConfig.AddRootCAs(certs.Certificates)
ctx.mutableConfig.AddClientCAs(certs.Certificates)
} }
return nil return nil
} }

View file

@ -9,6 +9,8 @@ import (
"reflect" "reflect"
"sort" "sort"
"testing" "testing"
"github.com/smallstep/certificates/api"
) )
func Test_newTLSOptionCtx(t *testing.T) { func Test_newTLSOptionCtx(t *testing.T) {
@ -20,17 +22,18 @@ func Test_newTLSOptionCtx(t *testing.T) {
type args struct { type args struct {
c *Client c *Client
config *tls.Config config *tls.Config
sign *api.SignResponse
} }
tests := []struct { tests := []struct {
name string name string
args args args args
want *TLSOptionCtx want *TLSOptionCtx
}{ }{
{"ok", args{client, &tls.Config{}}, &TLSOptionCtx{Client: client, Config: &tls.Config{}}}, {"ok", args{client, &tls.Config{}, &api.SignResponse{}}, &TLSOptionCtx{Client: client, Config: &tls.Config{}, Sign: &api.SignResponse{}, mutableConfig: newMutableTLSConfig()}},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
if got := newTLSOptionCtx(tt.args.c, tt.args.config); !reflect.DeepEqual(got, tt.want) { if got := newTLSOptionCtx(tt.args.c, tt.args.config, tt.args.sign); !reflect.DeepEqual(got, tt.want) {
t.Errorf("newTLSOptionCtx() = %v, want %v", got, tt.want) t.Errorf("newTLSOptionCtx() = %v, want %v", got, tt.want)
} }
}) })
@ -64,6 +67,7 @@ func TestTLSOptionCtx_apply(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Config: tt.fields.Config, Config: tt.fields.Config,
mutableConfig: newMutableTLSConfig(),
} }
if err := ctx.apply(tt.args.options); (err != nil) != tt.wantErr { if err := ctx.apply(tt.args.options); (err != nil) != tt.wantErr {
t.Errorf("TLSOptionCtx.apply() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("TLSOptionCtx.apply() error = %v, wantErr %v", err, tt.wantErr)
@ -83,6 +87,7 @@ func TestRequireAndVerifyClientCert(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Config: &tls.Config{}, Config: &tls.Config{},
mutableConfig: newMutableTLSConfig(),
} }
if err := RequireAndVerifyClientCert()(ctx); err != nil { if err := RequireAndVerifyClientCert()(ctx); err != nil {
t.Errorf("RequireAndVerifyClientCert() error = %v", err) t.Errorf("RequireAndVerifyClientCert() error = %v", err)
@ -106,6 +111,7 @@ func TestVerifyClientCertIfGiven(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Config: &tls.Config{}, Config: &tls.Config{},
mutableConfig: newMutableTLSConfig(),
} }
if err := VerifyClientCertIfGiven()(ctx); err != nil { if err := VerifyClientCertIfGiven()(ctx); err != nil {
t.Errorf("VerifyClientCertIfGiven() error = %v", err) t.Errorf("VerifyClientCertIfGiven() error = %v", err)
@ -137,6 +143,7 @@ func TestAddRootCA(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Config: &tls.Config{}, Config: &tls.Config{},
mutableConfig: newMutableTLSConfig(),
} }
if err := AddRootCA(tt.args.cert)(ctx); err != nil { if err := AddRootCA(tt.args.cert)(ctx); err != nil {
t.Errorf("AddRootCA() error = %v", err) t.Errorf("AddRootCA() error = %v", err)
@ -168,6 +175,7 @@ func TestAddClientCA(t *testing.T) {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Config: &tls.Config{}, Config: &tls.Config{},
mutableConfig: newMutableTLSConfig(),
} }
if err := AddClientCA(tt.args.cert)(ctx); err != nil { if err := AddClientCA(tt.args.cert)(ctx); err != nil {
t.Errorf("AddClientCA() error = %v", err) t.Errorf("AddClientCA() error = %v", err)
@ -221,12 +229,13 @@ func TestAddRootsToRootCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddRootsToRootCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddRootsToRootCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddRootsToRootCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddRootsToRootCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
if !reflect.DeepEqual(ctx.Config, tt.want) { if !reflect.DeepEqual(ctx.Config.RootCAs, tt.want.RootCAs) {
t.Errorf("AddRootsToRootCAs() = %v, want %v", ctx.Config, tt.want) t.Errorf("AddRootsToRootCAs() = %v, want %v", ctx.Config, tt.want)
} }
}) })
@ -274,12 +283,13 @@ func TestAddRootsToClientCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddRootsToClientCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddRootsToClientCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddRootsToClientCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddRootsToClientCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
if !reflect.DeepEqual(ctx.Config, tt.want) { if !reflect.DeepEqual(ctx.Config.ClientCAs, tt.want.ClientCAs) {
t.Errorf("AddRootsToClientCAs() = %v, want %v", ctx.Config, tt.want) t.Errorf("AddRootsToClientCAs() = %v, want %v", ctx.Config, tt.want)
} }
}) })
@ -334,8 +344,9 @@ func TestAddFederationToRootCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddFederationToRootCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddFederationToRootCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddFederationToRootCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddFederationToRootCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
@ -397,8 +408,9 @@ func TestAddFederationToClientCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddFederationToClientCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddFederationToClientCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddFederationToClientCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddFederationToClientCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
@ -453,12 +465,13 @@ func TestAddRootsToCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddRootsToCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddRootsToCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddRootsToCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddRootsToCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }
if !reflect.DeepEqual(ctx.Config, tt.want) { if !reflect.DeepEqual(ctx.Config.RootCAs, tt.want.RootCAs) || !reflect.DeepEqual(ctx.Config.ClientCAs, tt.want.ClientCAs) {
t.Errorf("AddRootsToCAs() = %v, want %v", ctx.Config, tt.want) t.Errorf("AddRootsToCAs() = %v, want %v", ctx.Config, tt.want)
} }
}) })
@ -513,8 +526,9 @@ func TestAddFederationToCAs(t *testing.T) {
ctx := &TLSOptionCtx{ ctx := &TLSOptionCtx{
Client: tt.args.client, Client: tt.args.client,
Config: tt.args.config, Config: tt.args.config,
mutableConfig: newMutableTLSConfig(),
} }
if err := AddFederationToCAs()(ctx); (err != nil) != tt.wantErr { if err := ctx.apply([]TLSOption{AddFederationToCAs()}); (err != nil) != tt.wantErr {
t.Errorf("AddFederationToCAs() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("AddFederationToCAs() error = %v, wantErr %v", err, tt.wantErr)
return return
} }