From a5783a4ea89a1a7e7469bcb75b9276d81d7b3aee Mon Sep 17 00:00:00 2001
From: Patrick O'Doherty
Date: Sat, 28 May 2016 21:22:38 +0100
Subject: Add validate_tls_certificate option to client config

To allow for easier development on localhost where one cannot get a root-CA signed TLS certificate, add a new validate_tls_certificate option to the configuration file which optionally allows for certificate chain checking to be disabled.
---
 cmd/cashier/config.go | 10 ++++++----
 cmd/cashier/main.go | 10 +++++++---
 2 files changed, 13 insertions(+), 7 deletions(-)

(limited to 'cmd')

diff --git a/cmd/cashier/config.go b/cmd/cashier/config.go
index b6e583a..1196cbd 100644
--- a/cmd/cashier/config.go
+++ b/cmd/cashier/config.go
@@ -5,10 +5,11 @@ import (
 )
 
 type config struct {
- CA string `mapstructure:"ca"`
- Keytype string `mapstructure:"key_type"`
- Keysize int `mapstructure:"key_size"`
- Validity string `mapstructure:"validity"`
+ CA string `mapstructure:"ca"`
+ Keytype string `mapstructure:"key_type"`
+ Keysize int `mapstructure:"key_size"`
+ Validity string `mapstructure:"validity"`
+ ValidateTLSCertificate bool `mapstructure:"validate_tls_certificate"`
 }
 
 func setDefaults() {
@@ -16,6 +17,7 @@ func setDefaults() {
 viper.SetDefault("key_type", "rsa")
 viper.SetDefault("key_size", 2048)
 viper.SetDefault("validity", "24h")
+ viper.SetDefault("validateTLSCertificate", true)
 }
 
 func readConfig(path string) (*config, error) {
diff --git a/cmd/cashier/main.go b/cmd/cashier/main.go
index 2bac63a..564664c 100644
--- a/cmd/cashier/main.go
+++ b/cmd/cashier/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 "bytes"
+ "crypto/tls"
 "encoding/json"
 "flag"
 "fmt"
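Review bot: The new `ValidateTLSCertificate` field in the `config` struct carries no comment saying what a false value does, and here that value turns off certificate verification for every request to the CA server. A one-line field comment would make the consequence visible to whoever edits the config next, for example `// ValidateTLSCertificate controls whether the CA server's TLS certificate is verified; set to false only for local development against a self-signed server.` The rest of the struct is unchanged by this hunk.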
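Review bot: In `setDefaults` the default is registered under the key `validateTLSCertificate`, but the struct tag in the hunk above is `validate_tls_certificate` and every neighbouring default (`key_type`, `key_size`, `validity`) uses the snake_case tag name, so this default most likely never reaches the field. If it is not applied, a config file that omits the option leaves `ValidateTLSCertificate` at its zero value `false`, and `send` then runs with `InsecureSkipVerify: true` — the opposite of the intended secure default. The line should read `viper.SetDefault("validate_tls_certificate", true)`. A test that loads a config without the key and asserts the field is true would pin this down.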
@@ -37,7 +38,11 @@ func installCert(a agent.Agent, cert *ssh.Certificate, key key) error {
 return nil
 }
 
-func send(s []byte, token, ca string) (*lib.SignResponse, error) {
+func send(s []byte, token, ca string, ValidateTLSCertificate bool) (*lib.SignResponse, error) {
+ transport := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: !ValidateTLSCertificate},
+ }
+ client := &http.Client{Transport: transport}
 req, err := http.NewRequest("POST", ca+"/sign", bytes.NewReader(s))
 if err != nil {
 return nil, err
@@ -45,7 +50,6 @@ func send(s []byte, token, ca string) (*lib.SignResponse, error) {
 req.Header.Set("Content-Type", "application/json")
 req.Header.Add("Accept", "application/json")
 req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
- client := &http.Client{}
 resp, err := client.Do(req)
 if err != nil {
 return nil, err
@@ -79,7 +83,7 @@ func sign(pub ssh.PublicKey, token string, conf *config) (*ssh.Certificate, erro
 if err != nil {
 return nil, err
 }
- resp, err := send(s, token, conf.CA)
+ resp, err := send(s, token, conf.CA, conf.ValidateTLSCertificate)
 if err != nil {
 return nil, err
 }
-- 
cgit v1.2.3
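Review bot: The new `send` parameter `ValidateTLSCertificate` is capitalised like an exported identifier; Go convention for a parameter is lowerCamel, so `func send(s []byte, token, ca string, validateTLSCertificate bool)` and `InsecureSkipVerify: !validateTLSCertificate`, matching `token` and `ca` in the same signature. The `tls.Config` line also needs a why-comment, because `InsecureSkipVerify: true` disables hostname verification as well as the chain check the commit message describes, e.g. `// InsecureSkipVerify disables chain and hostname verification; only for local development against a self-signed CA server.` The rebuilt `http.Client` still sets no `Timeout`, so a stalled CA server blocks the signing request indefinitely; `client := &http.Client{Transport: transport, Timeout: /* constructed: choose a bound */ 30 * time.Second}` would need `time` imported. `send`'s body continues past the end of this hunk.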