Merge pull request mintel#27 from hightoxicity/feat-add-rootca

Provide extra rootca
pgagnon · Jun 4, 2018 · 30babd8 · 30babd8
2 parents f63d72c + 8909370
commit 30babd8
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.9.4-alpine3.7
+FROM golang:1.10.1-alpine3.7
 
 RUN apk add --no-cache --update alpine-sdk bash
 

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 if [ ! -z "$(ls -A /certs)" ]; then
-  cp /certs/*.crt /usr/local/share/ca-certificates/ 2>/dev/null
+  cp -L /certs/*.crt /certs/*.pem /usr/local/share/ca-certificates/ 2>/dev/null
   update-ca-certificates
 fi
 

diff --git a/main.go b/main.go
@@ -3,6 +3,8 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -75,18 +77,18 @@ type Config struct {
 	Clusters []Cluster
 	Listen   string
 
-	TLS_Cert   string
-	TLS_Key    string
-	IDP_Ca_URI string
-	Logo_Uri   string
+	TLS_Cert        string
+	TLS_Key         string
+	IDP_Ca_URI      string
+	Logo_Uri        string
+	Trusted_Root_Ca []string
 }
 
 func substituteEnvVars(text string) string {
 	re := regexp.MustCompile("\\${([a-zA-Z0-9\\-_]+)}")
 	matches := re.FindAllStringSubmatch(text, -1)
 	for _, val := range matches {
 		envVar := os.Getenv(val[1])
-		// fmt.Printf("%q %q %q\n", val[0], val[1], envVar)
 		text = strings.Replace(text, val[0], envVar, -1)
 	}
 	return text
@@ -108,19 +110,37 @@ func start_app(config Config) {
 		ScopesSupported []string `json:"scopes_supported"`
 	}
 
+	certp, err := x509.SystemCertPool()
+	for _, cert := range config.Trusted_Root_Ca {
+		ok := certp.AppendCertsFromPEM([]byte(cert))
+		if !ok {
+			log.Fatalf("Failed to parse a trusted cert, pem format expected")
+		}
+	}
+
+	mTlsConfig := &tls.Config{}
+	mTlsConfig.PreferServerCipherSuites = true
+	mTlsConfig.MinVersion = tls.VersionTLS10
+	mTlsConfig.MaxVersion = tls.VersionTLS12
+	mTlsConfig.RootCAs = certp
+
+	tr := &http.Transport{
+		TLSClientConfig: mTlsConfig,
+	}
+
 	// Generate handlers for each cluster
 	for i, _ := range config.Clusters {
 		cluster := config.Clusters[i]
 		if debug {
 			if cluster.Client == nil {
 				cluster.Client = &http.Client{
-					Transport: debugTransport{http.DefaultTransport},
+					Transport: debugTransport{tr},
 				}
 			} else {
-				cluster.Client.Transport = debugTransport{cluster.Client.Transport}
+				cluster.Client.Transport = debugTransport{tr}
 			}
 		} else {
-			cluster.Client = http.DefaultClient
+			cluster.Client = &http.Client{Transport: tr}
 		}
 
 		ctx := oidc.ClientContext(context.Background(), cluster.Client)
@@ -260,6 +280,7 @@ var RootCmd = &cobra.Command{
 		copy := reflect.New(original.Type()).Elem()
 		substituteEnvVarsRecursive(copy, original)
 
+
 		// Start the app
 		start_app(copy.Interface().(Config))