From cb5acbac748ffbbc59c155abf8cc209f0a80a382 Mon Sep 17 00:00:00 2001 From: sanne Date: Tue, 12 Oct 2021 13:32:34 +0200 Subject: [PATCH] worker: Prefix https always Also, with oauth, add a root CA if present. --- cmd/osbuild-worker/main.go | 65 +++++++++++++++++++++----------------- test/cases/api.sh | 6 ++-- 2 files changed, 39 insertions(+), 32 deletions(-) diff --git a/cmd/osbuild-worker/main.go b/cmd/osbuild-worker/main.go index c511896d3..b52eaa249 100644 --- a/cmd/osbuild-worker/main.go +++ b/cmd/osbuild-worker/main.go @@ -9,7 +9,6 @@ import ( "fmt" "io/ioutil" "os" - "os/exec" "path" "strings" "time" @@ -49,14 +48,18 @@ func createTLSConfig(config *connectionConfig) (*tls.Config, error) { return nil, errors.New("failed to append root certificate") } - cert, err := tls.LoadX509KeyPair(config.ClientCertFile, config.ClientKeyFile) - if err != nil { - return nil, err + var certs []tls.Certificate + if config.ClientKeyFile != "" && config.ClientCertFile != "" { + cert, err := tls.LoadX509KeyPair(config.ClientCertFile, config.ClientKeyFile) + if err != nil { + return nil, err + } + certs = append(certs, cert) } return &tls.Config{ RootCAs: roots, - Certificates: []tls.Certificate{cert}, + Certificates: certs, }, nil } 
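Review bot: The new optional client-certificate block in createTLSConfig silently skips mTLS when only one of ClientCertFile/ClientKeyFile is set, so a half-filled configuration degrades to server-only TLS with no error. An explicit mismatch check before the `if` makes that visible: `if (config.ClientCertFile == "") != (config.ClientKeyFile == "") { return nil, errors.New("client certificate and key must be specified together") }`. The two new call sites in main() only populate CACertFile, so with this check they still take the certificate-less path. The start of createTLSConfig, including the root-CA loading, lies outside this hunk.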
@@ -156,33 +159,37 @@ func main() { var client *worker.Client if unix { client = worker.NewClientUnix(address, config.BasePath) - } else { - var token *string - var oAuthURL *string - if config.Authentication != nil && config.Authentication.OfflineTokenPath != "" { - t, err := ioutil.ReadFile(config.Authentication.OfflineTokenPath) + } else if config.Authentication != nil && config.Authentication.OfflineTokenPath != "" { + var conf *tls.Config + conConf := &connectionConfig{ + CACertFile: "/etc/osbuild-composer/ca-crt.pem", + } + if _, err = os.Stat(conConf.CACertFile); err == nil { + conf, err = createTLSConfig(conConf) if err != nil { - logrus.Fatalf("Could not read offline token: %v", err) - } - t2 := strings.TrimSpace(string(t)) - token = &t2 - - if config.Authentication.OAuthURL == "" { - logrus.Fatal("OAuth URL should be specified together with the offline token") - } - oAuthURL = &config.Authentication.OAuthURL - - if strings.HasPrefix(address, "http") { - out, err := exec.Command("systemd-escape", "-u", address).Output() - if err != nil { - logrus.Fatalf("Could not escape remote worker address: %v", err) - } - address = strings.TrimSpace(string(out)) - } else { - address = fmt.Sprintf("https://%s", address) + logrus.Fatalf("Error creating TLS config: %v", err) } } + var token *string + var oAuthURL *string + t, err := ioutil.ReadFile(config.Authentication.OfflineTokenPath) + if err != nil { + logrus.Fatalf("Could not read offline token: %v", err) + } + t2 := strings.TrimSpace(string(t)) + token = &t2 + + if config.Authentication.OAuthURL == "" { + logrus.Fatal("OAuth URL should be specified together with the offline token") + } + oAuthURL = &config.Authentication.OAuthURL + + client, err = worker.NewClient(fmt.Sprintf("https://%s", address), conf, token, oAuthURL, config.BasePath) + if err != nil { + logrus.Fatalf("Error creating worker client: %v", err) + } + } else { var conf *tls.Config conConf := &connectionConfig{ CACertFile: 
"/etc/osbuild-composer/ca-crt.pem", @@ -196,7 +203,7 @@ func main() { } } - client, err = worker.NewClient(address, conf, token, oAuthURL, config.BasePath) + client, err = worker.NewClient(fmt.Sprintf("https://%s", address), conf, nil, nil, config.BasePath) if err != nil { logrus.Fatalf("Error creating worker client: %v", err) } diff --git a/test/cases/api.sh b/test/cases/api.sh index f31cfd523..db99872b0 100755 --- a/test/cases/api.sh +++ b/test/cases/api.sh @@ -1179,7 +1179,7 @@ pg_database = "osbuildcomposer" pg_user = "postgres" pg_password = "foobar" pg_ssl_mode = "disable" -enable_tls = false +enable_tls = true enable_mtls = false enable_jwt = true jwt_keys_url = "https://localhost:8080/certs" @@ -1224,7 +1224,7 @@ TOKEN="$(curl localhost:8081/token | jq -r .access_token)" --header "Authorization: Bearer badtoken" \ http://localhost:443/api/composer/v1/version)" = "401" ] -sudo systemctl start osbuild-remote-worker@http:--localhost:8700.service -sudo systemctl is-active --quiet osbuild-remote-worker@http:--localhost:8700.service +sudo systemctl start osbuild-remote-worker@localhost:8700.service +sudo systemctl is-active --quiet osbuild-remote-worker@localhost:8700.service exit 0
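Review bot: In the new OAuth branch, `if _, err = os.Stat(conConf.CACertFile); err == nil` treats every Stat failure like a missing file, so a permission error on the CA path silently leaves `conf` nil and the client presumably falls back to the default system roots, hiding a misconfiguration. Adding `} else if !errors.Is(err, os.ErrNotExist) { logrus.Fatalf("Could not access CA certificate %q: %v", conConf.CACertFile, err) }` after the `err == nil` block keeps the "file absent" behaviour while surfacing anything else. The same Stat block is now duplicated verbatim in the `else` branch (its original copy continues as unchanged context below), and both branches build the client with the identical `https://` URL; hoisting the TLS setup above the if/else chain would leave only the token/OAuth handling to differ. main() starts and ends outside this hunk.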
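Review bot: `fmt.Sprintf("https://%s", address)` is applied unconditionally, so an address that still carries a scheme — the form the old `http:--localhost:8700` unit name produced — becomes `https://http://...` and only fails at connect time with an unhelpful error. A guard before the scheme is prepended, `if strings.Contains(address, "://") { logrus.Fatalf("Remote worker address must not include a scheme: %q", address) }`, gives an immediate and clear failure; the OAuth branch in the previous hunk builds the same URL and needs the same check. main() starts and ends outside this hunk.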
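Review bot: With `enable_tls` switched to true in the earlier hunk of this file, the unchanged probe just above the renamed unit still requests `http://localhost:443/api/composer/v1/version` and expects "401"; if that listener now serves TLS, a plain-HTTP request would presumably return a different code, so either the expected status or the URL scheme of that check should be re-verified. The curl invocation begins outside this hunk.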