cmd/dex: add option for gRPC client auth CA.

42dfd3ec · rithu leena john · 799b3f3e · 42dfd3ec · 42dfd3ec · 42dfd3ec
Commit 42dfd3ec authored Nov 02, 2016 by rithu leena john
Show whitespace changes
Inline Side-by-side

Showing with 32 additions and 0 deletions

api.md Documentation/api.md +2 -0

config.go cmd/dex/config.go +1 -0

serve.go cmd/dex/serve.go +28 -0

config-dev.yaml examples/config-dev.yaml +1 -0

No files found.
--- a/Documentation/api.md
+++ b/Documentation/api.md
@@ -15,6 +15,8 @@ grpc:
  # Server certs. If TLS credentials aren't provided dex will generate self-signed ones.
  tlsCert: /etc/dex/grpc.crt
  tlsKey: /etc/dex/grpc.key
+  # Client auth CA.
+  tlsClientCA: /etc/dex/client.crt
 ```
 ## Generating clients

--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -91,6 +91,7 @@ type GRPC struct {
 	Addr        string `yaml:"addr"`
 	TLSCert     string `yaml:"tlsCert"`
 	TLSKey      string `yaml:"tlsKey"`
+	TLSClientCA string `yaml:"tlsClientCA"`
 }
 // Storage holds app's storage configuration.

--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
 package main
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io/ioutil"
@@ -67,6 +69,7 @@ func serve(cmd *cobra.Command, args []string) error {
 		{c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
 		{c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
 		{(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"},
+		{c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"},
 	}
 	for _, check := range checks {
@@ -77,12 +80,37 @@ func serve(cmd *cobra.Command, args []string) error {
 	var grpcOptions []grpc.ServerOption
 	if c.GRPC.TLSCert != "" {
+		if c.GRPC.TLSClientCA != "" {
+			// Parse certificates from certificate file and key file for server.
+			cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
+			if err != nil {
+				return fmt.Errorf("parsing certificate file: %v", err)
+			}
+			// Parse certificates from client CA file to a new CertPool.
+			cPool := x509.NewCertPool()
+			clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
+			if err != nil {
+				return fmt.Errorf("reading from client CA file: %v", err)
+			}
+			if cPool.AppendCertsFromPEM(clientCert) != true {
+				return errors.New("failed to parse client CA")
+			}
+			tlsConfig := tls.Config{
+				Certificates: []tls.Certificate{cert},
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+				ClientCAs:    cPool,
+			}
+			grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
+		} else {
 			opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
 			if err != nil {
 				return fmt.Errorf("load grpc certs: %v", err)
 			}
 			grpcOptions = append(grpcOptions, grpc.Creds(opt))
 		}
+	}
 	connectors := make([]server.Connector, len(c.Connectors))
 	for i, conn := range c.Connectors {

--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@@ -22,6 +22,7 @@ web:
 #   addr: 127.0.0.1:5557
 #   tlsCert: /etc/dex/grpc.crt
 #   tlsKey: /etc/dex/grpc.key
+#   tlsClientCA: /etc/dex/client.crt
 # Instead of reading from an external storage, use this list of clients.
 #