Use x509 key pair for request

SimonBaeumer · Feb 20, 2019 · 8f9abe9 · 8f9abe9
1 parent 65feb9c
commit 8f9abe9
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 15 deletions.
diff --git a/development/ssl/generate-ceritifactes.sh b/development/ssl/generate-ceritifactes.sh
@@ -1,15 +1,17 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+HOST="localhost"
+
 echo ""
 echo "++++++++ GENERATE CA KEY AND CERTIFICATES +++++++"
 openssl genrsa -out ca.key 4096 > /dev/null
-openssl req -new -x509 -days 365 -key ca.key -out ca.crt --subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=localhost:8081" > /dev/null
+openssl req -new -x509 -days 365 -key ca.key -out ca.crt --subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=${HOST}" > /dev/null
 
 echo ""
 echo "++++++++ GENERATE SERVER KEY AND CSR++++++++++++"
 openssl genrsa -out server.key 1024 > /dev/null
-openssl req -new -key server.key -out server.csr --subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=localhost:8081" > /dev/null
+openssl req -new -key server.key -out server.csr --subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=${HOST}" > /dev/null
 
 echo ""
 echo "+++++++ SIGN SERVER CSR +++++++++++++++++"
@@ -19,7 +21,7 @@ openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial
 echo ""
 echo "++++++++ GENERATE CLIENT KEY AND CSR++++++++++++"
 openssl genrsa -out client.key 1024 > /dev/null
-openssl req -new -key client.key -out client.csr -subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=localhost:8081" > /dev/null
+openssl req -new -key client.key -out client.csr -subj "/C=DE/ST=NRW/O=goss/OU=IT/CN=${HOST}" > /dev/null
 
 echo ""
 echo "++++++++ SIGN CLIENT CERTIFICATE REQUEST ++++++++++++"

diff --git a/docs/manual.md b/docs/manual.md
@@ -578,7 +578,9 @@ http:
     body: [] # Check http response content for these patterns
     username: "" # username for basic auth
     password: "" # password for basic auth
-    headers: # Check for http headers, is not support for add command
+    cert: /home/example/client.crt # Client certificate file which can be used for cert authentication
+    key: /home/example/client.key # Client private key file
+    headers: # Check for http headers
       key:
         - value
         - another value

diff --git a/resource/http.go b/resource/http.go
@@ -1,9 +1,11 @@
 package resource
 
 import (
-    "github.com/SimonBaeumer/goss/system"
+	"crypto/tls"
+	"github.com/SimonBaeumer/goss/system"
     "github.com/SimonBaeumer/goss/util"
-    "reflect"
+	"log"
+	"reflect"
     "strings"
     "time"
 )
@@ -23,6 +25,8 @@ type HTTP struct {
 	Password          string   			  	`json:"password,omitempty" yaml:"password,omitempty"`
 	Headers			  map[string][]string   `json:"headers,omitempty" yaml:"headers,omitempty"`
 	RequestHeaders 	  map[string][]string   `json:"request-headers,omitempty" yaml:"request-headers,omitempty"`
+	Cert              string                `json:"cert,omitempty" yaml:"cert,omitempty"`
+	Key               string                `json:"key,omitempty" yaml:"key,omitempty"`
 }
 
 func (u *HTTP) ID() string      { return u.HTTP }
@@ -35,12 +39,13 @@ func (u *HTTP) Validate(sys *system.System) []TestResult {
 	skip := false
 
 	conf := util.Config{
-		AllowInsecure: u.AllowInsecure,
+		AllowInsecure:     u.AllowInsecure,
 		NoFollowRedirects: u.NoFollowRedirects,
-		Timeout: u.Timeout,
-		Username: u.Username,
-		Password: u.Password,
-		RequestHeaders: u.RequestHeaders,
+		Timeout:           u.Timeout,
+		Username:          u.Username,
+		Password:          u.Password,
+		RequestHeaders:    u.RequestHeaders,
+		Certificate:       u.loadClientCertificate(),
 	}
 
 	sysHTTP := sys.NewHTTP(
@@ -69,6 +74,18 @@ func (u *HTTP) Validate(sys *system.System) []TestResult {
 	return results
 }
 
+func (u *HTTP) loadClientCertificate() tls.Certificate {
+    if u.Cert == "" || u.Key == "" {
+        return tls.Certificate{}
+    }
+
+	cert, err := tls.LoadX509KeyPair(u.Cert, u.Key)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return cert
+}
+
 func NewHTTP(sysHTTP system.HTTP, config util.Config) (*HTTP, error) {
 	if config.Timeout == 0 {
 		config.Timeout = TimeoutMS

diff --git a/system/http.go b/system/http.go
@@ -2,10 +2,10 @@ package system
 
 import (
 	"crypto/tls"
+	"github.com/SimonBaeumer/goss/util"
 	"io"
 	"net/http"
 	"time"
-	"github.com/SimonBaeumer/goss/util"
 )
 
 // Header is an alias for the header type
@@ -34,6 +34,7 @@ type DefHTTP struct {
 	Username          string
 	Password          string
 	RequestHeaders    Header
+	ClientCertificate tls.Certificate
 }
 
 // NewDefHTTP is the constructor of the DefHTTP struct
@@ -46,6 +47,7 @@ func NewDefHTTP(http string, system *System, config util.Config) HTTP {
 		Username:		   config.Username,
 		Password:          config.Password,
 		RequestHeaders:    config.RequestHeaders,
+		ClientCertificate: config.Certificate,
 	}
 }
 
@@ -56,8 +58,12 @@ func (u *DefHTTP) setup() error {
 	}
 	u.loaded = true
 
-	tr := &http.Transport{
-		TLSClientConfig:   &tls.Config{InsecureSkipVerify: u.allowInsecure},
+
+    tr := &http.Transport{
+		TLSClientConfig:   &tls.Config{
+			InsecureSkipVerify: u.allowInsecure,
+            Certificates: []tls.Certificate{u.ClientCertificate},
+	    },
 		DisableKeepAlives: true,
 	}
 	client := &http.Client{
@@ -90,7 +96,7 @@ func (u *DefHTTP) setup() error {
 	return u.err
 }
 
-//
+// Exists checks if the given uri is reachable
 func (u *DefHTTP) Exists() (bool, error) {
 	if _, err := u.Status(); err != nil {
 		return false, err

diff --git a/util/config.go b/util/config.go
@@ -1,6 +1,7 @@
 package util
 
 import (
+	"crypto/tls"
 	"fmt"
 	"reflect"
 	"strings"
@@ -19,6 +20,7 @@ type Config struct {
 	Password          string
 	Header            map[string][]string
 	RequestHeaders    map[string][]string
+	Certificate       tls.Certificate
 }
 
 type Request struct {