api/worker, koji: change CA logic for client certificates
Prior to this commit, the /etc/osbuild-composer/ca-crt.pem certificate was used as the authority to validate client certificates. After this commit, the host's trusted certificates are used for the validation. The ability to override this behaviour is also introduced: in the osbuild-composer config file, under the koji and worker sections, a new CA option is now available. If set, osbuild-composer uses it as the path to the certificate used to validate client certificates instead of the default ones. With this feature, it is possible to restore the validation behaviour used before this change: just put the following lines in /etc/osbuild-composer/osbuild-composer.toml: [koji] ca = "/etc/osbuild-composer/ca-crt.pem" [worker] ca = "/etc/osbuild-composer/ca-crt.pem"
parent
68be242850
commit
5b57814664
2 changed files with 21 additions and 11 deletions
@ -32,22 +32,28 @@ import (
|
|||
const configFile = "/etc/osbuild-composer/osbuild-composer.toml"
|
||||
|
||||
type connectionConfig struct {
|
||||
CACertFile string
|
||||
// CA used for client certificate validation. If nil, then the CAs
|
||||
// trusted by the host system are used.
|
||||
CACertFile *string
|
||||
ServerKeyFile string
|
||||
ServerCertFile string
|
||||
AllowedDomains []string
|
||||
}
|
||||
|
||||
func createTLSConfig(c *connectionConfig) (*tls.Config, error) {
|
||||
caCertPEM, err := ioutil.ReadFile(c.CACertFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var roots *x509.CertPool
|
||||
|
||||
roots := x509.NewCertPool()
|
||||
ok := roots.AppendCertsFromPEM(caCertPEM)
|
||||
if !ok {
|
||||
panic("failed to parse root certificate")
|
||||
if c.CACertFile != nil {
|
||||
caCertPEM, err := ioutil.ReadFile(*c.CACertFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
roots = x509.NewCertPool()
|
||||
ok := roots.AppendCertsFromPEM(caCertPEM)
|
||||
if !ok {
|
||||
panic("failed to parse root certificate")
|
||||
}
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(c.ServerCertFile, c.ServerKeyFile)
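Review bot: Leaving `roots` nil when no CA is configured means client certificates are checked against the host's trust store, so a certificate issued by any CA present in that store is accepted unless the remainder of createTLSConfig, outside this hunk, narrows it (the AllowedDomains field suggests a name check follows). That is a much wider set than the single pinned CA the old code used, and a deployment that omits `ca` from its config gets the wider set silently; a startup log line stating whether a configured CA file or the system roots are in effect would make that visible to the operator. The `panic("failed to parse root certificate")` on the new side is also reachable from an ordinary misconfiguration (a `ca` path pointing at a file with no PEM certificates), while the read failure a few lines above is returned as an error; returning an error here too, e.g. `return nil, fmt.Errorf("no certificates found in CA file %q", *c.CACertFile)` (assuming fmt is imported; the import block is outside the hunk), keeps both failure modes consistent. createTLSConfig continues past the end of the hunk.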
|
||||
|
|
@ -82,9 +88,11 @@ func main() {
|
|||
} `toml:"kerberos,omitempty"`
|
||||
} `toml:"servers"`
|
||||
AllowedDomains []string `toml:"allowed_domains"`
|
||||
CA *string `toml:"ca"`
|
||||
} `toml:"koji"`
|
||||
Worker *struct {
|
||||
AllowedDomains []string `toml:"allowed_domains"`
|
||||
CA *string `toml:"ca"`
|
||||
} `toml:"worker,omitempty"`
|
||||
}
|
||||
var verbose bool
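Review bot: The new `CA` fields carry no comment, and the only description of the option's semantics is the commit message, so a reader of the config struct cannot tell that an unset value switches client certificate validation to the host's trust store. Suggest a comment on each of the two fields: `// CA is the path to a PEM file holding the CA certificate(s) used to validate client certificates; when unset, the host's trusted CAs are used.` The enclosing config struct begins before this hunk.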
|
||||
|
|
@ -213,7 +221,7 @@ func main() {
|
|||
kojiServer := kojiapi.NewServer(logger, workers, rpm, distros, kojiServers)
|
||||
|
||||
tlsConfig, err := createTLSConfig(&connectionConfig{
|
||||
CACertFile: "/etc/osbuild-composer/ca-crt.pem",
|
||||
CACertFile: config.Koji.CA,
|
||||
ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
|
||||
ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
|
||||
AllowedDomains: config.Koji.AllowedDomains,
|
||||
|
|
@ -245,7 +253,7 @@ func main() {
|
|||
}
|
||||
|
||||
tlsConfig, err := createTLSConfig(&connectionConfig{
|
||||
CACertFile: "/etc/osbuild-composer/ca-crt.pem",
|
||||
CACertFile: config.Worker.CA,
|
||||
ServerKeyFile: "/etc/osbuild-composer/composer-key.pem",
|
||||
ServerCertFile: "/etc/osbuild-composer/composer-crt.pem",
|
||||
AllowedDomains: config.Worker.AllowedDomains,
|
||||