Commit 74eaec60 authored by Eric Chiang's avatar Eric Chiang Committed by GitHub

Merge pull request #661 from rithujohn191/gRPC-client-auth

cmd/dex: add option for gRPC client auth CA.
parents 799b3f3e 42dfd3ec
......@@ -15,6 +15,8 @@ grpc:
# Server certs. If TLS credentials aren't provided dex will generate self-signed ones.
tlsCert: /etc/dex/grpc.crt
tlsKey: /etc/dex/grpc.key
# Client auth CA.
tlsClientCA: /etc/dex/client.crt
```
## Generating clients
......
......@@ -91,6 +91,7 @@ type GRPC struct {
Addr string `yaml:"addr"`
TLSCert string `yaml:"tlsCert"`
TLSKey string `yaml:"tlsKey"`
TLSClientCA string `yaml:"tlsClientCA"`
}
// Storage holds app's storage configuration.
......
package main
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io/ioutil"
......@@ -67,6 +69,7 @@ func serve(cmd *cobra.Command, args []string) error {
{c.GRPC.TLSCert != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{c.GRPC.TLSKey != "" && c.GRPC.Addr == "", "no address specified for gRPC"},
{(c.GRPC.TLSCert == "") != (c.GRPC.TLSKey == ""), "must specific both a gRPC TLS cert and key"},
{c.GRPC.TLSCert == "" && c.GRPC.TLSClientCA != "", "cannot specify gRPC TLS client CA without a gRPC TLS cert"},
}
for _, check := range checks {
......@@ -77,12 +80,37 @@ func serve(cmd *cobra.Command, args []string) error {
var grpcOptions []grpc.ServerOption
if c.GRPC.TLSCert != "" {
if c.GRPC.TLSClientCA != "" {
// Parse certificates from certificate file and key file for server.
cert, err := tls.LoadX509KeyPair(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("parsing certificate file: %v", err)
}
// Parse certificates from client CA file to a new CertPool.
cPool := x509.NewCertPool()
clientCert, err := ioutil.ReadFile(c.GRPC.TLSClientCA)
if err != nil {
return fmt.Errorf("reading from client CA file: %v", err)
}
if cPool.AppendCertsFromPEM(clientCert) != true {
return errors.New("failed to parse client CA")
}
tlsConfig := tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: cPool,
}
grpcOptions = append(grpcOptions, grpc.Creds(credentials.NewTLS(&tlsConfig)))
} else {
opt, err := credentials.NewServerTLSFromFile(c.GRPC.TLSCert, c.GRPC.TLSKey)
if err != nil {
return fmt.Errorf("load grpc certs: %v", err)
}
grpcOptions = append(grpcOptions, grpc.Creds(opt))
}
}
connectors := make([]server.Connector, len(c.Connectors))
for i, conn := range c.Connectors {
......
......@@ -22,6 +22,7 @@ web:
# addr: 127.0.0.1:5557
# tlsCert: /etc/dex/grpc.crt
# tlsKey: /etc/dex/grpc.key
# tlsClientCA: /etc/dex/client.crt
# Instead of reading from an external storage, use this list of clients.
#
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment