Add support of TLS configuration

outscale · Nov 16, 2022 · 63b28aa · 63b28aa
1 parent 9ac609b
commit 63b28aa
Show file tree

Hide file tree

Showing 3 changed files with 356 additions and 8 deletions.
diff --git a/.osc-patches/2022-11-16-add-cert-conf.patch b/.osc-patches/2022-11-16-add-cert-conf.patch
@@ -0,0 +1,215 @@
+diff --git a/v2/config_env.go b/v2/config_env.go
+index 773a9720..1fe70c64 100644
+--- a/v2/config_env.go
++++ b/v2/config_env.go
+@@ -2,7 +2,10 @@ package osc
+
+ import (
+ 	"context"
++	"crypto/tls"
++	b64 "encoding/base64"
+ 	"errors"
++	"net/http"
+ 	"os"
+ )
+
+@@ -13,7 +16,9 @@ type ConfigEnv struct {
+ 	ProfileName         *string
+ 	Region              *string
+ 	X509ClientCert      *string
++	X509ClientCertB64   *string
+ 	X509ClientKey       *string
++	X509ClientKeyB64    *string
+ }
+
+ func NewConfigEnv() *ConfigEnv {
+@@ -36,9 +41,15 @@ func NewConfigEnv() *ConfigEnv {
+ 	if value, present := os.LookupEnv("OSC_X509_CLIENT_CERT"); present {
+ 		configEnv.X509ClientCert = &value
+ 	}
++	if value, present := os.LookupEnv("OSC_X509_CLIENT_CERT_B64"); present {
++		configEnv.X509ClientCertB64 = &value
++	}
+ 	if value, present := os.LookupEnv("OSC_X509_CLIENT_KEY"); present {
+ 		configEnv.X509ClientKey = &value
+ 	}
++	if value, present := os.LookupEnv("OSC_X509_CLIENT_KEY_B64"); present {
++		configEnv.X509ClientKeyB64 = &value
++	}
+ 	return &configEnv
+ }
+
+@@ -87,6 +98,64 @@ func (configEnv *ConfigEnv) Configuration() (*Configuration, error) {
+ 			EnumValues:   []string{*configEnv.Region},
+ 		}
+ 	}
++
++	tlsConfigured := false
++	if len(*configEnv.X509ClientCert) > 0 && len(*configEnv.X509ClientKey) > 0 {
++		tlsConfigured = true
++		cert, err := tls.LoadX509KeyPair(*configEnv.X509ClientCert, *configEnv.X509ClientKey)
++		if err != nil {
++			return nil, errors.New("error while loading client certificate and key")
++		}
++
++		tlsconfig := &tls.Config{
++			InsecureSkipVerify: false,
++			Certificates:       []tls.Certificate{cert},
++		}
++
++		httpClient := &http.Client{
++			Transport: &http.Transport{
++				TLSClientConfig: tlsconfig,
++				Proxy:           http.ProxyFromEnvironment,
++			},
++		}
++
++		config.HTTPClient = httpClient
++	}
++
++	if len(*configEnv.X509ClientCertB64) > 0 && len(*configEnv.X509ClientKeyB64) > 0 {
++		if tlsConfigured {
++			return nil, errors.New("cannot configure client certificate with both file and base64")
++		}
++
++		clientCertificate, err := b64.StdEncoding.DecodeString(*configEnv.X509ClientCertB64)
++		if err != nil {
++			return nil, errors.New("error while decoding client certificate from base64")
++		}
++
++		clientKey, err := b64.StdEncoding.DecodeString(*configEnv.X509ClientKeyB64)
++		if err != nil {
++			return nil, errors.New("error while decoding client key from base64")
++		}
++		cert, err := tls.X509KeyPair(clientCertificate, clientKey)
++		if err != nil {
++			return nil, errors.New("error while loading client certificate and key")
++		}
++
++		tlsconfig := &tls.Config{
++			InsecureSkipVerify: false,
++			Certificates:       []tls.Certificate{cert},
++		}
++
++		httpClient := &http.Client{
++			Transport: &http.Transport{
++				TLSClientConfig: tlsconfig,
++				Proxy:           http.ProxyFromEnvironment,
++			},
++		}
++
++		config.HTTPClient = httpClient
++	}
++
+ 	return config, nil
+ }
+
+diff --git a/v2/config_file.go b/v2/config_file.go
+index a0ca79f0..774879f7 100644
+--- a/v2/config_file.go
++++ b/v2/config_file.go
+@@ -2,10 +2,13 @@ package osc
+
+ import (
+ 	"context"
++	"crypto/tls"
++	b64 "encoding/base64"
+ 	"encoding/json"
+ 	"errors"
+ 	"fmt"
+ 	"io/ioutil"
++	"net/http"
+ 	"os"
+ 	"path"
+ )
+@@ -15,14 +18,16 @@ type ConfigFile struct {
+ }
+
+ type Profile struct {
+-	AccessKey       string   `json:"access_key"`
+-	SecretKey       string   `json:"secret_key"`
+-	X509ClientCert  string   `json:"x509_client_cert"`
+-	X509_client_key string   `json:"x509_client_key"`
+-	Protocol        string   `json:"protocol"`
+-	Method          string   `json:"method"`
+-	Region          string   `json:"region"`
+-	Endpoints       Endpoint `json:"endpoints"`
++	AccessKey         string   `json:"access_key"`
++	SecretKey         string   `json:"secret_key"`
++	X509ClientCert    string   `json:"x509_client_cert"`
++	X509ClientCertB64 string   `json:"x509_client_cert_b64"`
++	X509ClientKey     string   `json:"x509_client_key"`
++	X509ClientKeyB64  string   `json:"x509_client_key_b64"`
++	Protocol          string   `json:"protocol"`
++	Method            string   `json:"method"`
++	Region            string   `json:"region"`
++	Endpoints         Endpoint `json:"endpoints"`
+ }
+
+ type Endpoint struct {
+@@ -108,6 +113,65 @@ func (configFile *ConfigFile) Configuration(profileName string) (*Configuration,
+ 			},
+ 		},
+ 	}
++
++	tlsConfigured := false
++	if len(profile.X509ClientCert) > 0 && len(profile.X509ClientKey) > 0 {
++		tlsConfigured = true
++		cert, err := tls.LoadX509KeyPair(profile.X509ClientCert, profile.X509ClientKey)
++		if err != nil {
++			return nil, errors.New("error while loading client certificate and key")
++		}
++
++		tlsconfig := &tls.Config{
++			InsecureSkipVerify: false,
++			Certificates:       []tls.Certificate{cert},
++		}
++
++		httpClient := &http.Client{
++			Transport: &http.Transport{
++				TLSClientConfig: tlsconfig,
++				Proxy:           http.ProxyFromEnvironment,
++			},
++		}
++
++		config.HTTPClient = httpClient
++	}
++
++	if len(profile.X509ClientCertB64) > 0 && len(profile.X509ClientKeyB64) > 0 {
++		if tlsConfigured {
++			return nil, errors.New("cannot configure client certificate with both file and base64")
++		}
++
++		clientCertificate, err := b64.StdEncoding.DecodeString(profile.X509ClientCertB64)
++		if err != nil {
++			return nil, errors.New("error while decoding client certificate from base64")
++		}
++
++		clientKey, err := b64.StdEncoding.DecodeString(profile.X509ClientKeyB64)
++		if err != nil {
++			return nil, errors.New("error while decoding client key from base64")
++		}
++
++		cert, err := tls.X509KeyPair(clientCertificate, clientKey)
++		if err != nil {
++			return nil, errors.New("error while loading client certificate and key")
++		}
++
++		tlsconfig := &tls.Config{
++			InsecureSkipVerify: false,
++			Certificates:       []tls.Certificate{cert},
++		}
++
++		httpClient := &http.Client{
++			Transport: &http.Transport{
++				TLSClientConfig: tlsconfig,
++				Proxy:           http.ProxyFromEnvironment,
++			},
++		}
++
++		config.HTTPClient = httpClient
++	}
++
+ 	return config, nil
+ }
+
diff --git a/v2/config_env.go b/v2/config_env.go
@@ -2,7 +2,10 @@ package osc
 
 import (
 	"context"
+	"crypto/tls"
+	b64 "encoding/base64"
 	"errors"
+	"net/http"
 	"os"
 )
 
@@ -13,7 +16,9 @@ type ConfigEnv struct {
 	ProfileName         *string
 	Region              *string
 	X509ClientCert      *string
+	X509ClientCertB64   *string
 	X509ClientKey       *string
+	X509ClientKeyB64    *string
 }
 
 func NewConfigEnv() *ConfigEnv {
@@ -36,9 +41,15 @@ func NewConfigEnv() *ConfigEnv {
 	if value, present := os.LookupEnv("OSC_X509_CLIENT_CERT"); present {
 		configEnv.X509ClientCert = &value
 	}
+	if value, present := os.LookupEnv("OSC_X509_CLIENT_CERT_B64"); present {
+		configEnv.X509ClientCertB64 = &value
+	}
 	if value, present := os.LookupEnv("OSC_X509_CLIENT_KEY"); present {
 		configEnv.X509ClientKey = &value
 	}
+	if value, present := os.LookupEnv("OSC_X509_CLIENT_KEY_B64"); present {
+		configEnv.X509ClientKeyB64 = &value
+	}
 	return &configEnv
 }
 
@@ -87,6 +98,64 @@ func (configEnv *ConfigEnv) Configuration() (*Configuration, error) {
 			EnumValues:   []string{*configEnv.Region},
 		}
 	}
+
+	tlsConfigured := false
+	if len(*configEnv.X509ClientCert) > 0 && len(*configEnv.X509ClientKey) > 0 {
+		tlsConfigured = true
+		cert, err := tls.LoadX509KeyPair(*configEnv.X509ClientCert, *configEnv.X509ClientKey)
+		if err != nil {
+			return nil, errors.New("error while loading client certificate and key")
+		}
+
+		tlsconfig := &tls.Config{
+			InsecureSkipVerify: false,
+			Certificates:       []tls.Certificate{cert},
+		}
+
+		httpClient := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsconfig,
+				Proxy:           http.ProxyFromEnvironment,
+			},
+		}
+
+		config.HTTPClient = httpClient
+	}
+
+	if len(*configEnv.X509ClientCertB64) > 0 && len(*configEnv.X509ClientKeyB64) > 0 {
+		if tlsConfigured {
+			return nil, errors.New("cannot configure client certificate with both file and base64")
+		}
+
+		clientCertificate, err := b64.StdEncoding.DecodeString(*configEnv.X509ClientCertB64)
+		if err != nil {
+			return nil, errors.New("error while decoding client certificate from base64")
+		}
+
+		clientKey, err := b64.StdEncoding.DecodeString(*configEnv.X509ClientKeyB64)
+		if err != nil {
+			return nil, errors.New("error while decoding client key from base64")
+		}
+		cert, err := tls.X509KeyPair(clientCertificate, clientKey)
+		if err != nil {
+			return nil, errors.New("error while loading client certificate and key")
+		}
+
+		tlsconfig := &tls.Config{
+			InsecureSkipVerify: false,
+			Certificates:       []tls.Certificate{cert},
+		}
+
+		httpClient := &http.Client{
+			Transport: &http.Transport{
+				TLSClientConfig: tlsconfig,
+				Proxy:           http.ProxyFromEnvironment,
+			},
+		}
+
+		config.HTTPClient = httpClient
+	}
+
 	return config, nil
 }