Skip to content

Commit

Permalink
improve: fix prompt for TLS certificate
Browse files Browse the repository at this point in the history
On darwin the error was of the wrong type when using the system cert pool
  • Loading branch information
dnephin committed Jun 15, 2022
1 parent 8c2561b commit 84c21c1
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 6 deletions.
2 changes: 1 addition & 1 deletion internal/cmd/cmd.go
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ func httpTransportForHostConfig(config *ClientHostConfig) *http.Transport {
if config.TrustedCertificate != "" {
ok := pool.AppendCertsFromPEM([]byte(config.TrustedCertificate))
if !ok {
logging.S.Warnf("Failed to read trusted certificates for server: %v", err)
logging.S.Warnf("Failed to read trusted certificates for server")
}
}

Expand Down
38 changes: 33 additions & 5 deletions internal/cmd/login.go
Original file line number Diff line number Diff line change
Expand Up @@ -421,7 +421,7 @@ func newLoginClient(cli *CLI, options loginCmdOptions) (loginClient, error) {
}

// Prompt user only if server fails the TLS verification
if err := attemptTLSRequest(c.APIClient); err != nil {
if err := attemptTLSRequest(options); err != nil {
var uaErr x509.UnknownAuthorityError
if !errors.As(err, &uaErr) {
return c, err
Expand Down Expand Up @@ -459,15 +459,43 @@ func newLoginClient(cli *CLI, options loginCmdOptions) (loginClient, error) {
return c, nil
}

func attemptTLSRequest(client *api.Client) error {
req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, client.URL, nil)
func attemptTLSRequest(options loginCmdOptions) error {
reqURL := "https://" + options.Server
// First attempt with the system cert pool
req, err := http.NewRequestWithContext(context.TODO(), http.MethodGet, reqURL, nil)
if err != nil {
return fmt.Errorf("failed to create request: %w", err)
}

logging.S.Debugf("call server: test tls for %q", client.URL)
logging.S.Debugf("call server: test tls for %q", reqURL)
httpClient := http.Client{Timeout: 60 * time.Second}
res, err := httpClient.Do(req)
if err == nil {
res.Body.Close()
return nil
}

// Second attempt with an empty cert pool. This is necessary because at least
// on darwin, the error is the wrong type when using the system cert pool.
// See https://github.com/golang/go/issues/53401.
req, err = http.NewRequestWithContext(context.TODO(), http.MethodGet, reqURL, nil)
if err != nil {
return fmt.Errorf("failed to create request: %w", err)
}

pool := x509.NewCertPool()
if options.TrustedCertificate != "" {
pool.AppendCertsFromPEM([]byte(options.TrustedCertificate))
}

httpClient = http.Client{
Timeout: 60 * time.Second,
Transport: &http.Transport{
TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
},
}
res, err = httpClient.Do(req)
urlErr := &url.Error{}
res, err := client.HTTP.Do(req)
switch {
case err == nil:
res.Body.Close()
Expand Down

0 comments on commit 84c21c1

Please sign in to comment.