Skip to content

Commit

Permalink
Allow setting CA file for backend proxy
Browse files Browse the repository at this point in the history
  • Loading branch information
AlessandroPatti committed Aug 17, 2023
1 parent ddf4182 commit 054cfca
Show file tree
Hide file tree
Showing 4 changed files with 42 additions and 3 deletions.
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -257,6 +257,10 @@ OPTIONS:
grpc_proxy.key_file must also be specified.
[BAZEL_REMOTE_GRPC_PROXY_CERT_FILE]
--grpc_proxy.ca_file value Path to a certificate autority used to validate
the proxy backend certificate.
[BAZEL_REMOTE_GRPC_PROXY_CA_FILE]
--http_proxy.url value The base URL to use for a http proxy backend.
[$BAZEL_REMOTE_HTTP_PROXY_URL]
Expand All @@ -270,6 +274,10 @@ OPTIONS:
http_proxy.key_file must also be specified.
[$BAZEL_REMOTE_HTTP_PROXY_CERT_FILE]
--http_proxy.ca_file value Path to a certificate autority used to validate
the http proxy backend certificate
[BAZEL_REMOTE_HTTP_PROXY_CA_FILE]
--gcs_proxy.bucket value The bucket to use for the Google Cloud Storage
proxy backend. [$BAZEL_REMOTE_GCS_BUCKET]
Expand Down
6 changes: 6 additions & 0 deletions config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ type URLBackendConfig struct {
BaseURL *url.URL `yaml:"url"`
CertFile string `yaml:"cert_file"`
KeyFile string `yaml:"key_file"`
CaFile string `yaml:"ca_file"`
}

func (c *URLBackendConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
Expand Down Expand Up @@ -72,6 +73,9 @@ func (c *URLBackendConfig) validate(protocol string) error {
return fmt.Errorf("When mTLS is enabled, the %[1]s proxy backend protocol must be %[1]ss", protocol)
}
}
if c.CaFile != "" && c.BaseURL.Scheme != "grpcs" {
return errors.New("When TLS is enabled, the grpc proxy backend protocol must be grpcs")
}
return nil
}

Expand Down Expand Up @@ -530,6 +534,7 @@ func get(ctx *cli.Context) (*Config, error) {
BaseURL: u,
KeyFile: ctx.String("http_proxy.key_file"),
CertFile: ctx.String("http_proxy.cert_file"),
CaFile: ctx.String("http_proxy.ca_file"),
}
}

Expand All @@ -544,6 +549,7 @@ func get(ctx *cli.Context) (*Config, error) {
BaseURL: u,
KeyFile: ctx.String("grpc_proxy.key_file"),
CertFile: ctx.String("grpc_proxy.cert_file"),
CaFile: ctx.String("grpc_proxy.ca_file"),
}
}

Expand Down
19 changes: 16 additions & 3 deletions config/proxy.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@ package config

import (
"crypto/tls"
"crypto/x509"
"fmt"
"net/http"
"os"

"github.com/buchgr/bazel-remote/v2/cache/azblobproxy"
"github.com/buchgr/bazel-remote/v2/cache/gcsproxy"
Expand All @@ -19,7 +21,7 @@ import (
prom "github.com/prometheus/client_golang/prometheus"
)

func getTLSConfig(certFile, keyFile string) (*tls.Config, error) {
func getTLSConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
config := &tls.Config{}
if certFile != "" && keyFile != "" {
readCert, err := tls.LoadX509KeyPair(certFile, keyFile)
Expand All @@ -29,6 +31,17 @@ func getTLSConfig(certFile, keyFile string) (*tls.Config, error) {

config.Certificates = []tls.Certificate{readCert}
}
if caFile != "" {
caCert, err := os.ReadFile(caFile)
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
if added := caCertPool.AppendCertsFromPEM(caCert); !added {
return nil, fmt.Errorf("Failed to add ca cert to cert pool.")
}
config.RootCAs = caCertPool
}
return config, nil
}

Expand All @@ -48,7 +61,7 @@ func (c *Config) setProxy() error {
if c.GRPCBackend != nil {
var opts []grpc.DialOption
if c.GRPCBackend.BaseURL.Scheme == "grpcs" {
config, err := getTLSConfig(c.GRPCBackend.CertFile, c.GRPCBackend.KeyFile)
config, err := getTLSConfig(c.GRPCBackend.CertFile, c.GRPCBackend.KeyFile, c.GRPCBackend.CaFile)
if err != nil {
return err
}
Expand Down Expand Up @@ -84,7 +97,7 @@ func (c *Config) setProxy() error {
if c.HTTPBackend != nil {
httpClient := &http.Client{}
if c.HTTPBackend.BaseURL.Scheme == "https" {
config, err := getTLSConfig(c.HTTPBackend.CertFile, c.HTTPBackend.KeyFile)
config, err := getTLSConfig(c.HTTPBackend.CertFile, c.HTTPBackend.KeyFile, c.HTTPBackend.CaFile)
if err != nil {
return err
}
Expand Down
12 changes: 12 additions & 0 deletions utils/flags/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,12 @@ func GetCliFlags() []cli.Flag {
Usage: "Path to a certificate used to authenticate with the proxy backend using mTLS. If this flag is provided, then grpc_proxy.key_file must also be specified.",
EnvVars: []string{"BAZEL_REMOTE_GRPC_PROXY_CERT_FILE"},
},
&cli.StringFlag{
Name: "grpc_proxy.ca_file",
Value: "",
Usage: "Path to a certificate autority used to validate the grpc proxy backend certificate.",
EnvVars: []string{"BAZEL_REMOTE_GRPC_PROXY_CA_FILE"},
},
&cli.StringFlag{
Name: "http_proxy.url",
Value: "",
Expand All @@ -219,6 +225,12 @@ func GetCliFlags() []cli.Flag {
Usage: "Path to a certificate used to authenticate with the proxy backend using mTLS. If this flag is provided, then http_proxy.key_file must also be specified.",
EnvVars: []string{"BAZEL_REMOTE_HTTP_PROXY_CERT_FILE"},
},
&cli.StringFlag{
Name: "http_proxy.ca_file",
Value: "",
Usage: "Path to a certificate autority used to validate the http proxy backend certificate.",
EnvVars: []string{"BAZEL_REMOTE_HTTP_PROXY_CA_FILE"},
},
&cli.StringFlag{
Name: "gcs_proxy.bucket",
Value: "",
Expand Down

0 comments on commit 054cfca

Please sign in to comment.