From 09b9673a60467956a941b6b81837f43cb9cf3418 Mon Sep 17 00:00:00 2001
From: Brandon Weeks
Date: Tue, 7 Jun 2022 19:04:16 -0700
Subject: [PATCH] Run on plaintext HTTP to support Cloud Run

---
 authority/config/config.go | 8 +++---
 authority/config/config_test.go | 13 ---------
 ca/ca.go | 50 ++++++++++++++-------------------
 3 files changed, 25 insertions(+), 46 deletions(-)

diff --git a/authority/config/config.go b/authority/config/config.go
index c764e8f9..6d641e18 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
@@ -200,8 +200,6 @@ func (c *Config) Save(filename string) error {
 // Validate validates the configuration.
 func (c *Config) Validate() error {
 switch {
- case c.Address == "":
- return errors.New("address cannot be empty")
 case len(c.DNSNames) == 0:
 return errors.New("dnsNames cannot be empty")
 case c.AuthorityConfig == nil:
@@ -223,8 +221,10 @@ func (c *Config) Validate() error {
 }
 
 // Validate address (a port is required)
- if _, _, err := net.SplitHostPort(c.Address); err != nil {
- return errors.Errorf("invalid address %s", c.Address)
+ if c.Address != "" {
+ if _, _, err := net.SplitHostPort(c.Address); err != nil {
+ return errors.Errorf("invalid address %s", c.Address)
+ }
 }
 
 if c.TLS == nil {
diff --git a/authority/config/config_test.go b/authority/config/config_test.go
index 5a05b3f6..357c1ea6 100644
--- a/authority/config/config_test.go
+++ b/authority/config/config_test.go
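Review bot: Validate no longer requires an address, but the hunk adds no replacement requirement that at least one listener is configured, so a config with both `address` and `insecureAddress` empty now passes validation and the CA would start with nothing to listen on. Restore a guard in the switch above, e.g. `case c.Address == "" && c.InsecureAddress == "": return errors.New("address or insecureAddress must be set")`. The host:port check here is applied only to Address; unless InsecureAddress is checked further down (not visible in this hunk), the same `net.SplitHostPort` check belongs on it now that it can be the sole listener. Validate's body continues past the end of this hunk.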
@@ -38,19 +38,6 @@ func TestConfigValidate(t *testing.T) {
 tls TLSOptions
 }
 tests := map[string]func(*testing.T) ConfigValidateTest{
- "empty-address": func(t *testing.T) ConfigValidateTest {
- return ConfigValidateTest{
- config: &Config{
- Root: []string{"../testdata/secrets/root_ca.crt"},
- IntermediateCert: "../testdata/secrets/intermediate_ca.crt",
- IntermediateKey: "../testdata/secrets/intermediate_ca_key",
- DNSNames: []string{"test.smallstep.com"},
- Password: "pass",
- AuthorityConfig: ac,
- },
- err: errors.New("address cannot be empty"),
- }
- },
 "invalid-address": func(t *testing.T) ConfigValidateTest {
 return ConfigValidateTest{
 config: &Config{
diff --git a/ca/ca.go b/ca/ca.go
index 7c00bb6b..878c27a3 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -169,9 +169,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 mux := chi.NewRouter()
 handler := http.Handler(mux)
 
- insecureMux := chi.NewRouter()
- insecureHandler := http.Handler(insecureMux)
-
 // Add regular CA api endpoints in / and /1.0
 api.Route(mux)
 mux.Route("/1.0", func(r chi.Router) {
@@ -232,13 +229,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 return nil, errors.Wrap(err, "error creating SCEP authority")
 }
 
- // According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
- // SCEP operations are performed using HTTP, so that's why the API is mounted
- // to the insecure mux.
- insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
- scepAPI.Route(r)
- })
-
 // The RFC also mentions usage of HTTPS, but seems to advise
 // against it, because of potential interoperability issues.
 // Currently I think it's not bad to use HTTPS also, so that's
@@ -260,7 +250,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 return nil, err
 }
 handler = m.Middleware(handler)
- insecureHandler = m.Middleware(insecureHandler)
 }
 
 // Add logger if configured
@@ -270,25 +259,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
 return nil, err
 }
 handler = logger.Middleware(handler)
- insecureHandler = logger.Middleware(insecureHandler)
 }
 
 // Create context with all the necessary values.
 baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
 
- ca.srv = server.New(cfg.Address, handler, tlsConfig)
- ca.srv.BaseContext = func(net.Listener) context.Context {
- return baseContext
+ if cfg.Address != "" {
+ ca.srv = server.New(cfg.Address, handler, tlsConfig)
+ ca.srv.BaseContext = func(net.Listener) context.Context {
+ return baseContext
+ }
 }
 
- // only start the insecure server if the insecure address is configured
- // and, currently, also only when it should serve SCEP endpoints.
- if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
+ if cfg.InsecureAddress != "" {
 // TODO: instead opt for having a single server.Server but two
 // http.Servers handling the HTTP and HTTPS handler? The latter
 // will probably introduce more complexity in terms of graceful
 // reload.
- ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
+ ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
 ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
 return baseContext
 }
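Review bot: `ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)` serves the full CA API over plaintext on every deployment that has `insecureAddress` set, not only the Cloud Run case the commit targets: with the `shouldServeSCEPEndpoints()` gate removed, existing configs that set insecureAddress solely to expose SCEP over HTTP (as RFC 8894 expects) will silently start exposing the signing, renewal and ACME routes without TLS as well. On that listener the request carries no TLS state, so any endpoint that relies on the client certificate for authentication (renewal via mTLS, if the handler reads it) cannot work there, and bearer tokens presented to the API travel in the clear unless a TLS-terminating proxy sits in front. Consider mounting the full handler on the insecure listener only when `cfg.Address == ""` (no TLS listener at all) and keeping the SCEP-only mux otherwise, and at minimum warn at startup, e.g. `log.Printf("WARNING: serving the CA API without TLS on %s; expose it only behind a TLS-terminating proxy", cfg.InsecureAddress)`. The config documentation for insecureAddress should state this changed meaning as well. Init's body starts and ends outside the hunk.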
@@ -329,11 +317,13 @@ func (ca *CA) Run() error {
 log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
 }
 log.Printf("Config file: %s", ca.opts.configFile)
- baseURL := fmt.Sprintf("https://%s%s",
- authorityInfo.DNSNames[0],
- ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
- log.Printf("The primary server URL is %s", baseURL)
- log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+ if ca.config.Address != "" {
+ baseURL := fmt.Sprintf("https://%s%s",
+ authorityInfo.DNSNames[0],
+ ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
+ log.Printf("The primary server URL is %s", baseURL)
+ log.Printf("Root certificates are available at %s/roots.pem", baseURL)
+ }
 if len(authorityInfo.DNSNames) > 1 {
 log.Printf("Additional configured hostnames: %s",
 strings.Join(authorityInfo.DNSNames[1:], ", "))
@@ -357,11 +347,13 @@ func (ca *CA) Run() error {
 }()
 }
 
- wg.Add(1)
- go func() {
- defer wg.Done()
- errs <- ca.srv.ListenAndServe()
- }()
+ if ca.srv != nil {
+ wg.Add(1)
+ go func() {
+ defer wg.Done()
+ errs <- ca.srv.ListenAndServe()
+ }()
+ }
 
 // wait till error occurs; ensures the servers keep listening
 err := <-errs
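Review bot: With `ca.srv` now optional, a CA configured with neither `address` nor `insecureAddress` reaches `err := <-errs` with no goroutine ever sending on it and hangs forever instead of failing; add before the wait `if ca.srv == nil && ca.insecureSrv == nil { return errors.New("no address or insecureAddress configured") }` (assuming the insecure server is started only when configured, as the `}()`/`}` at the top of the hunk suggests). The nil guard added here is presumably also needed wherever else `ca.srv` is dereferenced (Stop/Reload are not part of this patch). The earlier hunk in this file logs no server URL at all when only insecureAddress is set; logging the `http://` URL there, or stating that no TLS listener is configured, would help operators notice the plaintext exposure. Run's body starts and ends outside the hunk.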