Run on plaintext HTTP to support Cloud Run

This commit is contained in:
Brandon Weeks 2022-06-07 19:04:16 -07:00
parent 860baeb1c5
commit 09b9673a60
3 changed files with 25 additions and 46 deletions

View file

@ -200,8 +200,6 @@ func (c *Config) Save(filename string) error {
// Validate validates the configuration.
func (c *Config) Validate() error {
switch {
case c.Address == "":
return errors.New("address cannot be empty")
case len(c.DNSNames) == 0:
return errors.New("dnsNames cannot be empty")
case c.AuthorityConfig == nil:
@ -223,9 +221,11 @@ func (c *Config) Validate() error {
}
// Validate address (a port is required)
if c.Address != "" {
if _, _, err := net.SplitHostPort(c.Address); err != nil {
return errors.Errorf("invalid address %s", c.Address)
}
}
if c.TLS == nil {
c.TLS = &DefaultTLSOptions

View file

@ -38,19 +38,6 @@ func TestConfigValidate(t *testing.T) {
tls TLSOptions
}
tests := map[string]func(*testing.T) ConfigValidateTest{
"empty-address": func(t *testing.T) ConfigValidateTest {
return ConfigValidateTest{
config: &Config{
Root: []string{"../testdata/secrets/root_ca.crt"},
IntermediateCert: "../testdata/secrets/intermediate_ca.crt",
IntermediateKey: "../testdata/secrets/intermediate_ca_key",
DNSNames: []string{"test.smallstep.com"},
Password: "pass",
AuthorityConfig: ac,
},
err: errors.New("address cannot be empty"),
}
},
"invalid-address": func(t *testing.T) ConfigValidateTest {
return ConfigValidateTest{
config: &Config{

View file

@ -169,9 +169,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
mux := chi.NewRouter()
handler := http.Handler(mux)
insecureMux := chi.NewRouter()
insecureHandler := http.Handler(insecureMux)
// Add regular CA api endpoints in / and /1.0
api.Route(mux)
mux.Route("/1.0", func(r chi.Router) {
@ -232,13 +229,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
return nil, errors.Wrap(err, "error creating SCEP authority")
}
// According to the RFC (https://tools.ietf.org/html/rfc8894#section-7.10),
// SCEP operations are performed using HTTP, so that's why the API is mounted
// to the insecure mux.
insecureMux.Route("/"+scepPrefix, func(r chi.Router) {
scepAPI.Route(r)
})
// The RFC also mentions usage of HTTPS, but seems to advise
// against it, because of potential interoperability issues.
// Currently I think it's not bad to use HTTPS also, so that's
@ -260,7 +250,6 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
return nil, err
}
handler = m.Middleware(handler)
insecureHandler = m.Middleware(insecureHandler)
}
// Add logger if configured
@ -270,25 +259,24 @@ func (ca *CA) Init(cfg *config.Config) (*CA, error) {
return nil, err
}
handler = logger.Middleware(handler)
insecureHandler = logger.Middleware(insecureHandler)
}
// Create context with all the necessary values.
baseContext := buildContext(auth, scepAuthority, acmeDB, acmeLinker)
if cfg.Address != "" {
ca.srv = server.New(cfg.Address, handler, tlsConfig)
ca.srv.BaseContext = func(net.Listener) context.Context {
return baseContext
}
}
// only start the insecure server if the insecure address is configured
// and, currently, also only when it should serve SCEP endpoints.
if ca.shouldServeSCEPEndpoints() && cfg.InsecureAddress != "" {
if cfg.InsecureAddress != "" {
// TODO: instead opt for having a single server.Server but two
// http.Servers handling the HTTP and HTTPS handler? The latter
// will probably introduce more complexity in terms of graceful
// reload.
ca.insecureSrv = server.New(cfg.InsecureAddress, insecureHandler, nil)
ca.insecureSrv = server.New(cfg.InsecureAddress, handler, nil)
ca.insecureSrv.BaseContext = func(net.Listener) context.Context {
return baseContext
}
@ -329,11 +317,13 @@ func (ca *CA) Run() error {
log.Printf("Current context: %s", step.Contexts().GetCurrent().Name)
}
log.Printf("Config file: %s", ca.opts.configFile)
if ca.config.Address != "" {
baseURL := fmt.Sprintf("https://%s%s",
authorityInfo.DNSNames[0],
ca.config.Address[strings.LastIndex(ca.config.Address, ":"):])
log.Printf("The primary server URL is %s", baseURL)
log.Printf("Root certificates are available at %s/roots.pem", baseURL)
}
if len(authorityInfo.DNSNames) > 1 {
log.Printf("Additional configured hostnames: %s",
strings.Join(authorityInfo.DNSNames[1:], ", "))
@ -357,11 +347,13 @@ func (ca *CA) Run() error {
}()
}
if ca.srv != nil {
wg.Add(1)
go func() {
defer wg.Done()
errs <- ca.srv.ListenAndServe()
}()
}
// wait till error occurs; ensures the servers keep listening
err := <-errs