Aligned TLS options with hydra: allow cert&key to be specified with file #114
Conversation
cmd/serve_proxy.go
Outdated
| - HTTP_TLS_KEY: Base64 encoded (without padding) string of the private key (PEM encoded) to be used for HTTP over TLS (HTTPS). | ||
| If not set, HTTPS will be disabled and instead HTTP will be served. | ||
| Example: HTTPS_TLS_CERT="-----BEGIN CERTIFICATE-----\nMIIDZTCCAk2gAwIBAgIEV5xOtDANBgkqhkiG9w0BAQ0FADA0MTIwMAYDVQQDDClP..." |
There was a problem hiding this comment.
This is mixed up, should probably be the key?
cmd/serve_proxy.go
Outdated
|
|
||
| - HTTP_TLS_CERT: Base64 encoded (without padding) string of the TLS certificate (PEM encoded) to be used for HTTP over TLS (HTTPS). | ||
| If not set, HTTPS will be disabled and instead HTTP will be served. | ||
| Example: HTTPS_TLS_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg..." |
cmd/serve_proxy.go
Outdated
| If not set, HTTPS will be disabled and instead HTTP will be served. | ||
| Example: HTTPS_TLS_KEY="-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg..." | ||
|
|
||
| NOTE: configure TLS params both as PATH or as string. If no TLS pair is set, HTTPS will be disabled and instead HTTP will be served. |
There was a problem hiding this comment.
This should probably be at the top of this section?
cmd/serve_proxy.go
Outdated
| certPath := viper.GetString("HTTP_TLS_CERT_PATH") | ||
| keyPath := viper.GetString("HTTP_TLS_KEY_PATH") | ||
| if cert, err = tls.LoadX509KeyPair(certPath, keyPath); err != nil { | ||
| logger.WithError(err).Fatalln("Could not load x509 key pair files") |
There was a problem hiding this comment.
if all four variables are empty, this will always fatal, no?
There was a problem hiding this comment.
yep. Let me fix this...
|
ok I changed a bit to factorize this, in view of TLS addition to serve api |
cmd/helper_server.go
Outdated
| tlsCert := viper.GetString("HTTP_TLS_CERT") | ||
| tlsKey := viper.GetString("HTTP_TLS_KEY") | ||
|
|
||
| if tlsCert == "" && tlsKey == "" { |
There was a problem hiding this comment.
Can we improve this block? It does not have any tests and since it's difficult to read I'd love to see some reduction in complexity here. Also, I think that the naming of the variables is quite misleading and easy to misunderstand. A very simple way to improve this is with something like this:
var cert tls.Certificate
if certPath, keyPath := viper.GetString(), viper.GetString(); certPath == "" && keyPath == "" {
cert, err := ...
if err != nil ...
return cert
}
if certString, keyString := viper.GetString(), viper.GetString(); certString== "" && keyString == "" {
cert, err := ...
if err != nil ...
return cert
}
And then just check if cert != nil before ListenAndServe
There was a problem hiding this comment.
ok I'll do that. Please bear that the original section was terrible style, with variables shadowing at every corner... I'll try to add a test as well.
There was a problem hiding this comment.
My comment was not intended to be critical of you. I don't care who wrote the code - I write terrible code all the time. But while we work on this, let's improve it too! :)
There was a problem hiding this comment.
I used a boolean because this is a struct: the func cannot return nil, and testing that the returned value is an empty structure is ugly. However, I agree the if cascade if bad.
There was a problem hiding this comment.
You can return a pointer *tls.Certificate which can evaluate to nil instead
There was a problem hiding this comment.
why not. This just incurs some more changes in the existing code...
|
@aeneasr how about this instead? [now with pointer] func getTLSCertAndKey() (*tls.Certificate, error) {
certString, keyString := viper.GetString("HTTP_TLS_CERT"), viper.GetString("HTTP_TLS_KEY")
certPath, keyPath := viper.GetString("HTTP_TLS_CERT_PATH"), viper.GetString("HTTP_TLS_KEY_PATH")
if certString == "" && keyString == "" && certPath == "" && keyPath == "" {
// serve http
return nil, nil
}
if certString != "" && keyString != "" {
tlsCertBytes, err := base64.StdEncoding.DecodeString(certString)
if err != nil {
return nil, fmt.Errorf("unable to base64 decode the TLS certificate: %v", err)
}
tlsKeyBytes, err := base64.StdEncoding.DecodeString(keyString)
if err != nil {
return nil, fmt.Errorf("unable to base64 decode the TLS private key: %v", err)
}
cert, err := tls.X509KeyPair(tlsCertBytes, tlsKeyBytes)
if err != nil {
return nil, fmt.Errorf("unable to load X509 key pair: %v", err)
}
return &cert, nil
}
if certPath != "" && keyPath != "" {
cert, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return nil, fmt.Errorf("unable to load X509 key pair from files: %v", err)
}
return &cert, nil
}
// serve http
logger.Warnln("TLS requires both cert and key to be specified. Fall back to serving HTTP")
return nil, nil
} |
|
Nice! This looks much cleaner. I think the if logic can be nested: |
|
|
|
Feel free to choose either one. You can also do |
* allows cert&key to be specified with file Signed-off-by: Frederic BIDON <[email protected]>
|
Awesome! Thank you :) |
Signed-off-by: Frederic BIDON [email protected]