Merge pull request #26 from conduktor/ignore_untrusted_cert

ignore untrusted certs
conduktor · Mar 25, 2024 · ff09344 · ff09344
2 parents e66d3ed + 3c39c4a
commit ff09344
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -37,6 +37,7 @@ How to run integration test:
 First login to your teleport proxy, for example:
 ```
 tsh login --proxy=teleport-01.prd.tooling.cdkt.dev --auth=github
+tsh apps login my_app
 export CDK_CERT=$(tsh apps config --format=cert)
 export CDK_KEY=$(tsh apps config --format=key)
 conduktor get application

diff --git a/client/client.go b/client/client.go
@@ -18,13 +18,23 @@ type Client struct {
 	client  *resty.Client
 }
 
-func Make(token string, baseUrl string, debug bool, key, cert string) *Client {
-	certificate, _ := tls.LoadX509KeyPair(cert, key)
+func Make(token string, baseUrl string, debug bool, key, cert string) (*Client, error) {
+	restyClient := resty.New().SetDebug(debug).SetHeader("Authorization", "Bearer "+token)
+	if (key == "" && cert != "") || (key != "" && cert == "") {
+		return nil, fmt.Errorf("key and cert must be provided together")
+	} else if key != "" && cert != "" {
+		certificate, err := tls.LoadX509KeyPair(cert, key)
+		restyClient.SetCertificates(certificate)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	return &Client{
 		token:   token,
 		baseUrl: baseUrl,
-		client:  resty.New().SetDebug(debug).SetHeader("Authorization", "Bearer "+token).SetCertificates(certificate),
-	}
+		client:  restyClient,
+	}, nil
 }
 
 func MakeFromEnv() *Client {
@@ -42,13 +52,26 @@ func MakeFromEnv() *Client {
 	key := os.Getenv("CDK_KEY")
 	cert := os.Getenv("CDK_CERT")
 
-	return Make(token, baseUrl, debug, key, cert)
+	client, err := Make(token, baseUrl, debug, key, cert)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Cannot create client: %s", err)
+		os.Exit(3)
+	}
+	insecure := strings.ToLower(os.Getenv("CDK_INSECURE")) == "true"
+	if insecure {
+		client.IgnoreUntrustedCertificate()
+	}
+	return client
 }
 
 type UpsertResponse struct {
 	UpsertResult string
 }
 
+func (c *Client) IgnoreUntrustedCertificate() {
+	c.client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
+}
+
 func extractApiError(resp *resty.Response) string {
 	var apiError ApiError
 	jsonError := json.Unmarshal(resp.Body(), &apiError)

diff --git a/client/client_test.go b/client/client_test.go
@@ -11,7 +11,10 @@ func TestApplyShouldWork(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -46,7 +49,10 @@ func TestApplyWithDryModeShouldWork(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -81,7 +87,10 @@ func TestApplyShouldFailIfNo2xx(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -116,7 +125,10 @@ func TestGetShouldWork(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -143,7 +155,10 @@ func TestGetShouldApplyCaseTransformation(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -170,7 +185,11 @@ func TestGetShouldKeepCase(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
+
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -197,7 +216,10 @@ func TestGetShouldFailIfN2xx(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -224,7 +246,10 @@ func TestDescribeShouldWork(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -251,7 +276,10 @@ func TestDescribeShouldFailIfNo2xx(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl/api"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -278,7 +306,10 @@ func TestDeleteShouldWork(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)
@@ -304,7 +335,10 @@ func TestDeleteShouldFailOnNot2XX(t *testing.T) {
 	defer httpmock.Reset()
 	baseUrl := "http://baseUrl"
 	token := "aToken"
-	client := Make(token, baseUrl, false, "", "")
+	client, err := Make(token, baseUrl, false, "", "")
+	if err != nil {
+		panic(err)
+	}
 	httpmock.ActivateNonDefault(
 		client.client.GetClient(),
 	)

diff --git a/cmd/root.go b/cmd/root.go
@@ -22,20 +22,17 @@ var rootCmd = &cobra.Command{
 	Use:   "conduktor",
 	Short: "command line tools for conduktor",
 	Long: `You need to define the CDK_TOKEN and CDK_BASE_URL environment variables to use this tool.
-You can also use the CDK_KEY,CDK_CERT instead of --key and --cert flags to use a certificate for tls authentication.`,
+You can also use the CDK_KEY,CDK_CERT instead of --key and --cert flags to use a certificate for tls authentication.
+If you have an untrusted certificate you can use the CDK_INSECURE=true variable to disable tls verification`,
 	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		if *debug {
 			apiClient.ActivateDebug()
 		}
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		// Root command does nothing
 		cmd.Help()
 		os.Exit(1)
 	},
-	// Uncomment the following line if your bare application
-	// has an action associated with it:
-	// Run: func(cmd *cobra.Command, args []string) { },
 }
 
 // Execute adds all child commands to the root command and sets flags appropriately.
@@ -45,7 +42,6 @@ func Execute() {
 	if err != nil {
 		os.Exit(1)
 	}
-
 }
 
 func init() {