From a229532daab60a7f6b6d21f9fa24bdf3bdc71c3d Mon Sep 17 00:00:00 2001
From: Jay Dhulia <46459060+jaydhulia@users.noreply.github.com>
Date: Wed, 3 Nov 2021 14:19:17 -0600
Subject: [PATCH] Allow multiple certs/keys in settings (#100)

* Allow multiple certs/keys om settings

* Update example config
---
 configs/example-config.yaml | 8 +++--
 pkg/httpAuth/mtls/mtls.go | 68 ++++++++++++++++++++++++-------------
 2 files changed, 50 insertions(+), 26 deletions(-)

diff --git a/configs/example-config.yaml b/configs/example-config.yaml
index 8c28604..f6f66e6 100644
--- a/configs/example-config.yaml
+++ b/configs/example-config.yaml
@@ -25,8 +25,12 @@ swag: # Optionally use SWAG (https://github.com/Netflix-Skunkworks/swag-api) for
 # user: you@example.com
 mtls_settings: # only needed if authentication_method is mtls
   old_cert_message: mTLS certificate is too old, please run [refresh command]
-  cert: mtls.crt
-  key: mtls.key
+  certs:
+    - mtls1.crt
+    - mtls2.crt
+  keys:
+    - mtls1.key
+    - mtls2.key
   catrust: mtlsCA.pem
   insecure: false
 darwin: # weep will look in platform-specific directories for the three files specified above
diff --git a/pkg/httpAuth/mtls/mtls.go b/pkg/httpAuth/mtls/mtls.go
index 5cc8ed8..3949640 100644
--- a/pkg/httpAuth/mtls/mtls.go
+++ b/pkg/httpAuth/mtls/mtls.go
@@ -153,38 +153,58 @@ func getTLSDirs() ([]string, error) { } func getClientCertificatePaths(configDirs []string) (string, string, string, bool, error) { - // If cert, key, and catrust are paths that exist, we'll just use those + certs := viper.GetStringSlice("mtls_settings.certs") + if certs == nil { + certs = make([]string, 0) + } + // Backward compatibility, still allow the old key cert := viper.GetString("mtls_settings.cert") + if cert != "" { + certs = append(certs, cert) + } + keys := viper.GetStringSlice("mtls_settings.keys") + if keys == nil { + keys = make([]string, 0) + } + // Backward compatibility, still allow the old key key := viper.GetString("mtls_settings.key") + if key != "" { + keys = append(keys, key) + } caFile := viper.GetString("mtls_settings.catrust") insecure := viper.GetBool("mtls_settings.insecure") - if util.FileExists(cert) && util.FileExists(key) && util.FileExists(caFile) { - return cert, key, caFile, insecure, nil - } - var foundCertPath, foundKeyPath, foundCaPath string - // Otherwise, look for the files in the list of dirs from the config - for _, metatronDir := range configDirs { - certPath := filepath.Join(metatronDir, cert) - if foundCertPath == "" && util.FileExists(certPath) { - foundCertPath = certPath - } + for _, cert := range certs { + for _, key := range keys { + // If cert, key, and catrust are paths that exist, we'll just use those + if util.FileExists(cert) && util.FileExists(key) && util.FileExists(caFile) { + return cert, key, caFile, insecure, nil + } - keyPath := filepath.Join(metatronDir, key) - if foundKeyPath == "" && util.FileExists(keyPath) { - foundKeyPath = keyPath - } + var foundCertPath, foundKeyPath, foundCaPath string + // Otherwise, look for the files in the list of dirs from the config + for _, metatronDir := range configDirs { + certPath := filepath.Join(metatronDir, cert) + if foundCertPath == "" && util.FileExists(certPath) { + foundCertPath = certPath + } - caPath := filepath.Join(metatronDir, 
caFile) - if foundCaPath == "" && util.FileExists(caPath) { - foundCaPath = caPath - } - } + keyPath := filepath.Join(metatronDir, key) + if foundKeyPath == "" && util.FileExists(keyPath) { + foundKeyPath = keyPath + } - if foundCertPath != "" && foundKeyPath != "" && foundCaPath != "" { - // We have all the files we need! - return foundCertPath, foundKeyPath, foundCaPath, insecure, nil - } + caPath := filepath.Join(metatronDir, caFile) + if foundCaPath == "" && util.FileExists(caPath) { + foundCaPath = caPath + } + } + if foundCertPath != "" && foundKeyPath != "" && foundCaPath != "" { + // We have all the files we need! + return foundCertPath, foundKeyPath, foundCaPath, insecure, nil + } + } + } return "", "", "", false, config.ClientCertificatesNotFoundError }
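Review bot: The new nested loops (`for _, cert := range certs { for _, key := range keys {`) pair every cert with every key, while the example config lists certs and keys as parallel lists, so mtls1.crt is returned together with mtls2.key whenever mtls1.key is absent but mtls2.key exists — a mismatched pair that presumably only surfaces later when the caller loads the key pair. Iterating both lists by index after checking they have the same length keeps the pairing the config implies and drops the cert×key×dir walk; the `certs == nil` / `keys == nil` guards can go as well, since append on a nil slice is fine. The loop variables also shadow the outer `cert` and `key` read from the legacy settings, which go vet's shadow check would flag; renaming the legacy ones (`legacyCert`, `legacyKey`) removes the ambiguity. The second `// Backward compatibility, still allow the old key` comment sits above the cert lookup and should read `// Backward compatibility, still allow the old cert key`. The length-mismatch error below needs fmt in scope; the import block is outside the hunk, so add it if it is not already there.
```go
func getClientCertificatePaths(configDirs []string) (string, string, string, bool, error) {
	certs := viper.GetStringSlice("mtls_settings.certs")
	// Backward compatibility, still allow the old cert key
	if legacyCert := viper.GetString("mtls_settings.cert"); legacyCert != "" {
		certs = append(certs, legacyCert)
	}
	keys := viper.GetStringSlice("mtls_settings.keys")
	// Backward compatibility, still allow the old key
	if legacyKey := viper.GetString("mtls_settings.key"); legacyKey != "" {
		keys = append(keys, legacyKey)
	}
	// certs[i] belongs to keys[i]; refuse to guess pairings across the two lists
	if len(certs) != len(keys) {
		return "", "", "", false, fmt.Errorf("mtls_settings: %d certs but %d keys, lists must be parallel", len(certs), len(keys))
	}
	caFile := viper.GetString("mtls_settings.catrust")
	insecure := viper.GetBool("mtls_settings.insecure")
	for i, cert := range certs {
		key := keys[i]
		// … unchanged: direct-path check and configDirs search for this cert/key pair …
	}
	return "", "", "", false, config.ClientCertificatesNotFoundError
}
```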