Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
oscarleiva
/
energylink
1
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Kaynağa Gözat

feat(dataproxy): TLS CA Cert for self-signed certs

For self-signed TLS Certificates, authentication
with InsecureSkipVerify set to false then this
error will occur:

x509: certificate signed by unknown authority

The solution is to allow the user to upload the
CA cert as well.
Daniel Lee 9 yıl önce
ebeveyn
c9b2c694f1
işleme
387f8cc0c6
2 değiştirilmiş dosya ile 31 ekleme ve 0 silme
Görünümü Böl Farklılık Durumunu Göster
  1. 10 0
      pkg/api/dataproxy.go
  2. 21 0
      pkg/api/dataproxy_test.go

+ 10 - 0
pkg/api/dataproxy.go
Dosyayı Görüntüle 

@@ -2,6 +2,7 @@ package api
 
 
 import (
 
 	"crypto/tls"
 
+	"crypto/x509"
 
 	"net"
 
 	"net/http"
 
 	"net/http/httputil"
 
@@ -40,6 +41,15 @@ func DataProxyTransport(ds *m.DataSource) (*http.Transport, error) {
 
 		transport.TLSClientConfig.InsecureSkipVerify = false
 
 
 		decrypted := ds.SecureJsonData.Decrypt()
 
+
 
+		if len(decrypted["tlsCACert"]) > 0 {
 
+			caPool := x509.NewCertPool()
 
+			ok := caPool.AppendCertsFromPEM([]byte(decrypted["tlsCACert"]))
 
+			if ok {
 
+				transport.TLSClientConfig.RootCAs = caPool
 
+			}
 
+		}
 
+
 
 		cert, err := tls.X509KeyPair([]byte(decrypted["tlsClientCert"]), []byte(decrypted["tlsClientKey"]))
 
 		if err != nil {
 
 			return nil, err

+ 21 - 0
pkg/api/dataproxy_test.go
Dosyayı Görüntüle 

@@ -75,6 +75,7 @@ func TestDataSourceProxy(t *testing.T) {
 
 			Type:     "Kubernetes",
 
 			JsonData: json,
 
 			SecureJsonData: map[string][]byte{
 
+				"tlsCACert":     util.Encrypt([]byte(caCert), "password"),
 
 				"tlsClientCert": util.Encrypt([]byte(clientCert), "password"),
 
 				"tlsClientKey":  util.Encrypt([]byte(clientKey), "password"),
 
 			},
 
@@ -95,6 +96,26 @@ func TestDataSourceProxy(t *testing.T) {
 
 
 }
 
 
+const caCert string = `-----BEGIN CERTIFICATE-----
 
+MIIDATCCAemgAwIBAgIJAMQ5hC3CPDTeMA0GCSqGSIb3DQEBCwUAMBcxFTATBgNV
 
+BAMMDGNhLWs4cy1zdGhsbTAeFw0xNjEwMjcwODQyMjdaFw00NDAzMTQwODQyMjda
 
+MBcxFTATBgNVBAMMDGNhLWs4cy1zdGhsbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
 
+ADCCAQoCggEBAMLe2AmJ6IleeUt69vgNchOjjmxIIxz5sp1vFu94m1vUip7CqnOg
 
+QkpUsHeBPrGYv8UGloARCL1xEWS+9FVZeXWQoDmbC0SxXhFwRIESNCET7Q8KMi/4
 
+4YPvnMLGZi3Fjwxa8BdUBCN1cx4WEooMVTWXm7RFMtZgDfuOAn3TNXla732sfT/d
 
+1HNFrh48b0wA+HhmA3nXoBnBEblA665hCeo7lIAdRr0zJxJpnFnWXkyTClsAUTMN
 
+iL905LdBiiIRenojipfKXvMz88XSaWTI7JjZYU3BvhyXndkT6f12cef3I96NY3WJ
 
+0uIK4k04WrbzdYXMU3rN6NqlvbHqnI+E7aMCAwEAAaNQME4wHQYDVR0OBBYEFHHx
 
+2+vSPw9bECHj3O51KNo5VdWOMB8GA1UdIwQYMBaAFHHx2+vSPw9bECHj3O51KNo5
 
+VdWOMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAH2eV5NcV3LBJHs9
 
+I+adbiTPg2vyumrGWwy73T0X8Dtchgt8wU7Q9b9Ucg2fOTmSSyS0iMqEu1Yb2ORB
 
+CknM9mixHC9PwEBbkGCom3VVkqdLwSP6gdILZgyLoH4i8sTUz+S1yGPepi+Vzhs7
 
+adOXtryjcGnwft6HdfKPNklMOHFnjw6uqpho54oj/z55jUpicY/8glDHdrr1bh3k
 
+MHuiWLGewHXPvxfG6UoUx1te65IhifVcJGFZDQwfEmhBflfCmtAJlZEsgTLlBBCh
 
+FHoXIyGOdq1chmRVocdGBCF8fUoGIbuF14r53rpvcbEKtKnnP8+96luKAZLq0a4n
 
+3lb92xM=
 
+-----END CERTIFICATE-----`
 
+
 
 const clientCert string = `-----BEGIN CERTIFICATE-----
 
 MIICsjCCAZoCCQCcd8sOfstQLzANBgkqhkiG9w0BAQsFADAXMRUwEwYDVQQDDAxj
 
 YS1rOHMtc3RobG0wHhcNMTYxMTAyMDkyNTE1WhcNMTcxMTAyMDkyNTE1WjAfMR0w