From 5b578146644cb946729bbd92c11fca46d0a6e1cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Wed, 23 Sep 2020 09:50:12 +0200
Subject: [PATCH] api/worker, koji: change CA logic for client certificates

Prior this commit, /etc/osbuild-composer/ca-crt.pem certificate was used as an authority to validate client certificates. After this commit, the host's trusted certificates are used to do the validation.

Ability to override this behaviour is also introduced: In osbuild-composer config file, under koji and worker sections, a new CA option is now available. If set, osbuild-composer uses it as a path to certificate used to validate client certificates instead of the default ones.

With this feature, it's possible to restore the validation behaviour used before this change. Just put following lines in /etc/osbuild-composer/osbuild-composer.toml:

[koji]
ca = "/etc/osbuild-composer/ca-crt.pem"

[worker]
ca = "/etc/osbuild-composer/ca-crt.pem"
---
 cmd/osbuild-composer/main.go | 30 ++++++++++++++++----------
 test/image-tests/osbuild-composer.toml | 2 ++
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/cmd/osbuild-composer/main.go b/cmd/osbuild-composer/main.go
index df36f640e..20455bb2b 100644
--- a/cmd/osbuild-composer/main.go
+++ b/cmd/osbuild-composer/main.go
@@ -32,22 +32,28 @@ import (
 const configFile = "/etc/osbuild-composer/osbuild-composer.toml"
 
 type connectionConfig struct {
- CACertFile string
+ // CA used for client certificate validation. If nil, then the CAs
+ // trusted by the host system are used.
+ CACertFile *string
 ServerKeyFile string
 ServerCertFile string
 AllowedDomains []string
 }
 
 func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
- caCertPEM, err := ioutil.ReadFile(c.CACertFile)
- if err != nil {
- return nil, err
- }
+ var roots *x509.CertPool
 
- roots := x509.NewCertPool()
- ok := roots.AppendCertsFromPEM(caCertPEM)
- if !ok {
- panic("failed to parse root certificate")
+ if c.CACertFile != nil {
+ caCertPEM, err := ioutil.ReadFile(*c.CACertFile)
+ if err != nil {
+ return nil, err
+ }
+
+ roots = x509.NewCertPool()
+ ok := roots.AppendCertsFromPEM(caCertPEM)
+ if !ok {
+ panic("failed to parse root certificate")
+ }
 }
 
 cert, err := tls.LoadX509KeyPair(c.ServerCertFile, c.ServerKeyFile)
@@ -82,9 +88,11 @@ func main() {
 } `toml:"kerberos,omitempty"`
 } `toml:"servers"`
 AllowedDomains []string `toml:"allowed_domains"`
+ CA *string `toml:"ca"`
 } `toml:"koji"`
 Worker *struct {
 AllowedDomains []string `toml:"allowed_domains"`
+ CA *string `toml:"ca"`
 } `toml:"worker,omitempty"`
 }
 var verbose bool
@@ -213,7 +221,7 @@ func main() {
 kojiServer := kojiapi.NewServer(logger, workers, rpm, distros, kojiServers)
 
 tlsConfig, err := createTLSConfig(&connectionConfig{
- CACertFile: "/etc/osbuild-composer/ca-crt.pem",
+ CACertFile: config.Koji.CA,
 ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
 ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
 AllowedDomains: config.Koji.AllowedDomains,
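Review bot: With `CACertFile` nil, `roots` stays nil, and assuming it is assigned to `tls.Config.ClientCAs` further down (createTLSConfig continues past this hunk), Go verifies client certificates against the host's system trust store, so any client certificate chaining to a publicly trusted CA passes chain validation and the `AllowedDomains` check becomes the only restriction on who may call the API. The new field comment should state that consequence rather than just the mechanism, e.g. `// CACertFile is the path to a PEM bundle of CAs trusted to issue client certificates. Nil means the host's system trust store, so any client certificate chaining to a public CA passes chain validation; set this to the deployment's own CA to limit clients to it.` The rewritten block also keeps `panic("failed to parse root certificate")` for a configuration problem that the function already reports through its error return; `if !roots.AppendCertsFromPEM(caCertPEM) { return nil, fmt.Errorf("no certificates found in %q", *c.CACertFile) }` (or `errors.New` if fmt is not imported) fails startup the same way the ReadFile error just above it does.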
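Review bot: The new `CA *string `toml:"ca"`` fields in the koji and worker sections carry no comment, yet what an absent key means (host trust store instead of a deployment-specific CA) is the most security-relevant default in this configuration. Add above each field `// CA is the path to a PEM file with the CAs allowed to issue client certificates; unset means the host's trusted CAs are used.` The enclosing config struct starts before this hunk.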
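Review bot: `CACertFile: config.Koji.CA` (and `config.Worker.CA` in the next hunk) silently changes the trust policy of every existing deployment: a configuration file without the new `ca` key used to pin client certificates to /etc/osbuild-composer/ca-crt.pem and now accepts any certificate chaining to the host trust store, with nothing in the logs indicating which CA source is active. Log the chosen source once at startup (the configured path when `ca` is set, otherwise that system roots are in use) so operators can detect an unintended widening, and call out the migration step from the commit message in the release notes. Whether `config.Koji` can be nil here is not visible in the hunk; it is already dereferenced on the AllowedDomains line below, so this change does not alter that.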
@@ -245,7 +253,7 @@ func main() {
 }
 
 tlsConfig, err := createTLSConfig(&connectionConfig{
- CACertFile: "/etc/osbuild-composer/ca-crt.pem",
+ CACertFile: config.Worker.CA,
 ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
 ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
 AllowedDomains: config.Worker.AllowedDomains,
diff --git a/test/image-tests/osbuild-composer.toml b/test/image-tests/osbuild-composer.toml
index 51f9014fd..df44527ce 100644
--- a/test/image-tests/osbuild-composer.toml
+++ b/test/image-tests/osbuild-composer.toml
@@ -1,5 +1,6 @@
 [koji]
 allowed_domains = [ "localhost", "worker.osbuild.org" ]
+ca = "/etc/osbuild-composer/ca-crt.pem"
 
 [koji.servers.localhost.kerberos]
 principal = "osbuild-krb@LOCAL"
@@ -7,3 +8,4 @@ keytab = "/etc/osbuild-composer/client.keytab"
 
 [worker]
 allowed_domains = [ "localhost", "worker.osbuild.org" ]
+ca = "/etc/osbuild-composer/ca-crt.pem"