Allow multiple certs/keys in settings (#100)

* Allow multiple certs/keys om settings * Update example config
Netflix · Nov 3, 2021 · a229532 · a229532
1 parent 43ee64d
commit a229532
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 26 deletions.
diff --git a/configs/example-config.yaml b/configs/example-config.yaml
@@ -25,8 +25,12 @@ swag: # Optionally use SWAG (https://github.com/Netflix-Skunkworks/swag-api) for
 #  user: you@example.com
 mtls_settings: # only needed if authentication_method is mtls
   old_cert_message: mTLS certificate is too old, please run [refresh command]
-  cert: mtls.crt
-  key: mtls.key
+  certs:
+    - mtls1.crt
+    - mtls2.crt
+  keys:
+    - mtls1.key
+    - mtls2.key
   catrust: mtlsCA.pem
   insecure: false
   darwin: # weep will look in platform-specific directories for the three files specified above

diff --git a/pkg/httpAuth/mtls/mtls.go b/pkg/httpAuth/mtls/mtls.go
@@ -153,38 +153,58 @@ func getTLSDirs() ([]string, error) {
 }
 
 func getClientCertificatePaths(configDirs []string) (string, string, string, bool, error) {
-	// If cert, key, and catrust are paths that exist, we'll just use those
+	certs := viper.GetStringSlice("mtls_settings.certs")
+	if certs == nil {
+		certs = make([]string, 0)
+	}
+	// Backward compatibility, still allow the old key
 	cert := viper.GetString("mtls_settings.cert")
+	if cert != "" {
+		certs = append(certs, cert)
+	}
+	keys := viper.GetStringSlice("mtls_settings.keys")
+	if keys == nil {
+		keys = make([]string, 0)
+	}
+	// Backward compatibility, still allow the old key
 	key := viper.GetString("mtls_settings.key")
+	if key != "" {
+		keys = append(keys, key)
+	}
 	caFile := viper.GetString("mtls_settings.catrust")
 	insecure := viper.GetBool("mtls_settings.insecure")
-	if util.FileExists(cert) && util.FileExists(key) && util.FileExists(caFile) {
-		return cert, key, caFile, insecure, nil
-	}
 
-	var foundCertPath, foundKeyPath, foundCaPath string
-	// Otherwise, look for the files in the list of dirs from the config
-	for _, metatronDir := range configDirs {
-		certPath := filepath.Join(metatronDir, cert)
-		if foundCertPath == "" && util.FileExists(certPath) {
-			foundCertPath = certPath
-		}
+	for _, cert := range certs {
+		for _, key := range keys {
+			// If cert, key, and catrust are paths that exist, we'll just use those
+			if util.FileExists(cert) && util.FileExists(key) && util.FileExists(caFile) {
+				return cert, key, caFile, insecure, nil
+			}
 
-		keyPath := filepath.Join(metatronDir, key)
-		if foundKeyPath == "" && util.FileExists(keyPath) {
-			foundKeyPath = keyPath
-		}
+			var foundCertPath, foundKeyPath, foundCaPath string
+			// Otherwise, look for the files in the list of dirs from the config
+			for _, metatronDir := range configDirs {
+				certPath := filepath.Join(metatronDir, cert)
+				if foundCertPath == "" && util.FileExists(certPath) {
+					foundCertPath = certPath
+				}
 
-		caPath := filepath.Join(metatronDir, caFile)
-		if foundCaPath == "" && util.FileExists(caPath) {
-			foundCaPath = caPath
-		}
-	}
+				keyPath := filepath.Join(metatronDir, key)
+				if foundKeyPath == "" && util.FileExists(keyPath) {
+					foundKeyPath = keyPath
+				}
 
-	if foundCertPath != "" && foundKeyPath != "" && foundCaPath != "" {
-		// We have all the files we need!
-		return foundCertPath, foundKeyPath, foundCaPath, insecure, nil
-	}
+				caPath := filepath.Join(metatronDir, caFile)
+				if foundCaPath == "" && util.FileExists(caPath) {
+					foundCaPath = caPath
+				}
+			}
 
+			if foundCertPath != "" && foundKeyPath != "" && foundCaPath != "" {
+				// We have all the files we need!
+				return foundCertPath, foundKeyPath, foundCaPath, insecure, nil
+			}
+		}
+	}
 	return "", "", "", false, config.ClientCertificatesNotFoundError
 }