authorPatrick O'Doherty <p@trickod.com>2016-05-28 21:22:38 +0100
committerNiall Sheridan <nsheridan@gmail.com>2016-05-29 00:14:34 +0100
commita5783a4ea89a1a7e7469bcb75b9276d81d7b3aee (patch)
tree27d49aa2bf1b6957dbea21e7659ccbd9c91eaabf
parentf04bfc498bced76485f8c164f9969e0ed9de7519 (diff)
Add validate_tls_certificate option to client config
To allow for easier development on localhost where one cannot get a root-CA signed TLS certificate, add a new validate_tls_certificate option to the configuration file which optionally allows for certificate chain checking to be disabled.
-rw-r--r--cmd/cashier/config.go10
-rw-r--r--cmd/cashier/main.go10
2 files changed, 13 insertions, 7 deletions
diff --git a/cmd/cashier/config.go b/cmd/cashier/config.go
index b6e583a..1196cbd 100644
--- a/cmd/cashier/config.go
+++ b/cmd/cashier/config.go
@@ -5,10 +5,11 @@ import (
)
type config struct {
- CA string `mapstructure:"ca"`
- Keytype string `mapstructure:"key_type"`
- Keysize int `mapstructure:"key_size"`
- Validity string `mapstructure:"validity"`
+ CA string `mapstructure:"ca"`
+ Keytype string `mapstructure:"key_type"`
+ Keysize int `mapstructure:"key_size"`
+ Validity string `mapstructure:"validity"`
+ ValidateTLSCertificate bool `mapstructure:"validate_tls_certificate"`
}
func setDefaults() {
@@ -16,6 +17,7 @@ func setDefaults() {
viper.SetDefault("key_type", "rsa")
viper.SetDefault("key_size", 2048)
viper.SetDefault("validity", "24h")
+ viper.SetDefault("validateTLSCertificate", true)
}
func readConfig(path string) (*config, error) {
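Review bot: The default on the added SetDefault line is keyed "validateTLSCertificate", which does not match the mapstructure tag "validate_tls_certificate" declared on the new struct field in the previous hunk, so the default of true never reaches conf.ValidateTLSCertificate. Since viper stores keys case-insensitively, the unmarshalled field stays at its zero value (false) whenever the option is absent from the config file, and in main.go that false becomes InsecureSkipVerify: true — chain verification would be silently off by default rather than on. The line should read `viper.SetDefault("validate_tls_certificate", true)`. A short comment above it, `// Must match the mapstructure tag on config.ValidateTLSCertificate; a mismatch leaves verification disabled by default.`, would keep the two in step. setDefaults begins outside this hunk.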
diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index 2bac63a..564664c 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -2,6 +2,7 @@ package main
import (
"bytes"
+ "crypto/tls"
"encoding/json"
"flag"
"fmt"
@@ -37,7 +38,11 @@ func installCert(a agent.Agent, cert *ssh.Certificate, key key) error {
return nil
}
-func send(s []byte, token, ca string) (*lib.SignResponse, error) {
+func send(s []byte, token, ca string, ValidateTLSCertificate bool) (*lib.SignResponse, error) {
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: !ValidateTLSCertificate},
+ }
+ client := &http.Client{Transport: transport}
req, err := http.NewRequest("POST", ca+"/sign", bytes.NewReader(s))
if err != nil {
return nil, err
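Review bot: The new parameter in the send signature is spelled `ValidateTLSCertificate` with a leading capital, which reads as an exported identifier; a local parameter should be `validateTLSCertificate` in both the signature and the tls.Config line. Separately, replacing the implicit http.DefaultTransport with a bare `&http.Transport{}` drops the default proxy-from-environment and dial settings, and the new client still has no timeout; `client := &http.Client{Transport: transport, Timeout: 30 * time.Second}` (constructed value, adjust to taste, needs the time import) would bound a hung sign request. Because a false value here disables certificate verification, logging a warning when `!validateTLSCertificate` is true would make the insecure mode visible in output rather than silent. The body of send continues past this hunk.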
@@ -45,7 +50,6 @@ func send(s []byte, token, ca string) (*lib.SignResponse, error) {
req.Header.Set("Content-Type", "application/json")
req.Header.Add("Accept", "application/json")
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
- client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
return nil, err
@@ -79,7 +83,7 @@ func sign(pub ssh.PublicKey, token string, conf *config) (*ssh.Certificate, erro
if err != nil {
return nil, err
}
- resp, err := send(s, token, conf.CA)
+ resp, err := send(s, token, conf.CA, conf.ValidateTLSCertificate)
if err != nil {
return nil, err
}