diff options
| author | Patrick O'Doherty <p@trickod.com> | 2016-05-28 21:22:38 +0100 |
|---|---|---|
| committer | Niall Sheridan <nsheridan@gmail.com> | 2016-05-29 00:14:34 +0100 |
| commit | a5783a4ea89a1a7e7469bcb75b9276d81d7b3aee (patch) | |
| tree | 27d49aa2bf1b6957dbea21e7659ccbd9c91eaabf /cmd | |
| parent | f04bfc498bced76485f8c164f9969e0ed9de7519 (diff) | |
Add validate_tls_certificate option to client config
To allow for easier development on localhost where one cannot get a
root-CA signed TLS certificate, add a new validate_tls_certificate
option to the configuration file which optionally allows for certificate
chain checking to be disabled.
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/cashier/config.go | 10 | ||||
| -rw-r--r-- | cmd/cashier/main.go | 10 |
2 files changed, 13 insertions, 7 deletions
diff --git a/cmd/cashier/config.go b/cmd/cashier/config.go index b6e583a..1196cbd 100644 --- a/cmd/cashier/config.go +++ b/cmd/cashier/config.go @@ -5,10 +5,11 @@ import ( ) type config struct { - CA string `mapstructure:"ca"` - Keytype string `mapstructure:"key_type"` - Keysize int `mapstructure:"key_size"` - Validity string `mapstructure:"validity"` + CA string `mapstructure:"ca"` + Keytype string `mapstructure:"key_type"` + Keysize int `mapstructure:"key_size"` + Validity string `mapstructure:"validity"` + ValidateTLSCertificate bool `mapstructure:"validate_tls_certificate"` } func setDefaults() { @@ -16,6 +17,7 @@ func setDefaults() { viper.SetDefault("key_type", "rsa") viper.SetDefault("key_size", 2048) viper.SetDefault("validity", "24h") + viper.SetDefault("validateTLSCertificate", true) } func readConfig(path string) (*config, error) { diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go index 2bac63a..564664c 100644 --- a/cmd/cashier/main.go +++ b/cmd/cashier/main.go @@ -2,6 +2,7 @@ package main import ( "bytes" + "crypto/tls" "encoding/json" "flag" "fmt" @@ -37,7 +38,11 @@ func installCert(a agent.Agent, cert *ssh.Certificate, key key) error { return nil } -func send(s []byte, token, ca string) (*lib.SignResponse, error) { +func send(s []byte, token, ca string, ValidateTLSCertificate bool) (*lib.SignResponse, error) { + transport := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: !ValidateTLSCertificate}, + } + client := &http.Client{Transport: transport} req, err := http.NewRequest("POST", ca+"/sign", bytes.NewReader(s)) if err != nil { return nil, err @@ -45,7 +50,6 @@ func send(s []byte, token, ca string) (*lib.SignResponse, error) { req.Header.Set("Content-Type", "application/json") req.Header.Add("Accept", "application/json") req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) - client := &http.Client{} resp, err := client.Do(req) if err != nil { return nil, err @@ -79,7 +83,7 @@ func sign(pub ssh.PublicKey, token string, conf *config) (*ssh.Certificate, erro if err != nil { return nil, err } - resp, err := send(s, token, conf.CA) + resp, err := send(s, token, conf.CA, conf.ValidateTLSCertificate) if err != nil { return nil, err } |