From 3c39c4a700c46c927abf3de69c95066dd987b1f9 Mon Sep 17 00:00:00 2001 From: Luc DUZAN Date: Mon, 25 Mar 2024 12:50:16 +0100 Subject: [PATCH] ignore untrusted certs --- README.md | 1 + client/client.go | 33 +++++++++++++++++++++---- client/client_test.go | 56 ++++++++++++++++++++++++++++++++++--------- cmd/root.go | 8 ++----- 4 files changed, 76 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 1f93ec5..48a5d64 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ How to run integration test: First login to your teleport proxy, for example: ``` tsh login --proxy=teleport-01.prd.tooling.cdkt.dev --auth=github +tsh apps login my_app export CDK_CERT=$(tsh apps config --format=cert) export CDK_KEY=$(tsh apps config --format=key) conduktor get application diff --git a/client/client.go b/client/client.go index cd5a993..1dab5b4 100644 --- a/client/client.go +++ b/client/client.go @@ -18,13 +18,23 @@ type Client struct { client *resty.Client } -func Make(token string, baseUrl string, debug bool, key, cert string) *Client { - certificate, _ := tls.LoadX509KeyPair(cert, key) +func Make(token string, baseUrl string, debug bool, key, cert string) (*Client, error) { + restyClient := resty.New().SetDebug(debug).SetHeader("Authorization", "Bearer "+token) + if (key == "" && cert != "") || (key != "" && cert == "") { + return nil, fmt.Errorf("key and cert must be provided together") + } else if key != "" && cert != "" { + certificate, err := tls.LoadX509KeyPair(cert, key) + restyClient.SetCertificates(certificate) + if err != nil { + return nil, err + } + } + return &Client{ token: token, baseUrl: baseUrl, - client: resty.New().SetDebug(debug).SetHeader("Authorization", "Bearer "+token).SetCertificates(certificate), - } + client: restyClient, + }, nil } func MakeFromEnv() *Client { 
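Review bot: In `Make`, `restyClient.SetCertificates(certificate)` runs before the `err` returned by `tls.LoadX509KeyPair` is checked, so on the failure path a zero-value certificate is installed before the function bails out. Check first and add context to the error: `if err != nil { return nil, fmt.Errorf("loading client key pair: %w", err) }`, then `restyClient.SetCertificates(certificate)`. The `else if key != "" && cert != ""` after a returning `if` can become a plain `if`. Since the exported `Make` now returns an error, a doc comment should say that `key` and `cert` are passed to `tls.LoadX509KeyPair` and must be given together or both left empty.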
@@ -42,13 +52,26 @@ func MakeFromEnv() *Client { key := os.Getenv("CDK_KEY") cert := os.Getenv("CDK_CERT") - return Make(token, baseUrl, debug, key, cert) + client, err := Make(token, baseUrl, debug, key, cert) + if err != nil { + fmt.Fprintf(os.Stderr, "Cannot create client: %s", err) + os.Exit(3) + } + insecure := strings.ToLower(os.Getenv("CDK_INSECURE")) == "true" + if insecure { + client.IgnoreUntrustedCertificate() + } + return client } type UpsertResponse struct { UpsertResult string } +func (c *Client) IgnoreUntrustedCertificate() { + c.client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true}) +} + func extractApiError(resp *resty.Response) string { var apiError ApiError jsonError := json.Unmarshal(resp.Body(), &apiError) diff --git a/client/client_test.go b/client/client_test.go index 6300377..c36a986 100644 --- a/client/client_test.go +++ b/client/client_test.go @@ -11,7 +11,10 @@ func TestApplyShouldWork(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -46,7 +49,10 @@ func TestApplyWithDryModeShouldWork(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -81,7 +87,10 @@ func TestApplyShouldFailIfNo2xx(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) 
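Review bot: `IgnoreUntrustedCertificate` hands resty a brand-new `tls.Config`, and as far as I know resty v2's `SetTLSClientConfig` replaces the transport's existing config, so the key pair that `Make` installed through `SetCertificates` would be dropped whenever `CDK_INSECURE=true` is combined with `CDK_KEY`/`CDK_CERT`; this is worth pinning with a test. Setting `InsecureSkipVerify` on the config that is already in place keeps the client certificate, as in the sketch below, which goes through `GetClient()` and needs `net/http` imported. With verification off, the `Authorization: Bearer` header is sent to whichever host answers, so `MakeFromEnv` should print a line to stderr when the switch is active; an option to supply a CA bundle would cover the self-signed case without turning verification off. `MakeFromEnv` starts above this hunk, so the earlier part of its body was not reviewed.

```go
func (c *Client) IgnoreUntrustedCertificate() {
	transport, ok := c.client.GetClient().Transport.(*http.Transport)
	if !ok {
		// No *http.Transport yet (or a custom RoundTripper): nothing to preserve.
		c.client.SetTLSClientConfig(&tls.Config{InsecureSkipVerify: true})
		return
	}
	if transport.TLSClientConfig == nil {
		transport.TLSClientConfig = &tls.Config{}
	}
	// Flip the flag on the existing config so certificates set by Make survive.
	transport.TLSClientConfig.InsecureSkipVerify = true
}
```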
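Review bot: The error check added to `TestApplyShouldWork` uses `panic(err)`, which aborts the whole test binary instead of failing this one test; `t.Fatalf("Make: %v", err)` reports the failure against the test and lets the others run. The same four lines are repeated in every other hunk of client/client_test.go in this patch, so a small helper that calls `t.Helper()` and wraps `Make` would remove the duplication. As far as these hunks show, no test passes only one of `key` or `cert`, so the new `key and cert must be provided together` branch is never exercised. Each test body continues past its hunk.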
@@ -116,7 +125,10 @@ func TestGetShouldWork(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -143,7 +155,10 @@ func TestGetShouldApplyCaseTransformation(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -170,7 +185,11 @@ func TestGetShouldKeepCase(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } + httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -197,7 +216,10 @@ func TestGetShouldFailIfN2xx(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -224,7 +246,10 @@ func TestDescribeShouldWork(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -251,7 +276,10 @@ func TestDescribeShouldFailIfNo2xx(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl/api" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) 
@@ -278,7 +306,10 @@ func TestDeleteShouldWork(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) @@ -304,7 +335,10 @@ func TestDeleteShouldFailOnNot2XX(t *testing.T) { defer httpmock.Reset() baseUrl := "http://baseUrl" token := "aToken" - client := Make(token, baseUrl, false, "", "") + client, err := Make(token, baseUrl, false, "", "") + if err != nil { + panic(err) + } httpmock.ActivateNonDefault( client.client.GetClient(), ) diff --git a/cmd/root.go b/cmd/root.go index e40f985..1025e7a 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -22,20 +22,17 @@ var rootCmd = &cobra.Command{ Use: "conduktor", Short: "command line tools for conduktor", Long: `You need to define the CDK_TOKEN and CDK_BASE_URL environment variables to use this tool. -You can also use the CDK_KEY,CDK_CERT instead of --key and --cert flags to use a certificate for tls authentication.`, +You can also use the CDK_KEY,CDK_CERT instead of --key and --cert flags to use a certificate for tls authentication. +If you have an untrusted certificate you can use the CDK_INSECURE=true variable to disable tls verification`, PersistentPreRun: func(cmd *cobra.Command, args []string) { if *debug { apiClient.ActivateDebug() } }, Run: func(cmd *cobra.Command, args []string) { - // Root command does nothing cmd.Help() os.Exit(1) }, - // Uncomment the following line if your bare application - // has an action associated with it: - // Run: func(cmd *cobra.Command, args []string) { }, } // Execute adds all child commands to the root command and sets flags appropriately. @@ -45,7 +42,6 @@ func Execute() { if err != nil { os.Exit(1) } - } func init() {
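Review bot: The help line added to `Long` in cmd/root.go presents `CDK_INSECURE=true` as the remedy for an untrusted certificate without saying what is given up. I would extend it with a sentence such as `Verification is then off for every request, so the server is not authenticated and CDK_TOKEN is sent to whichever host answers.` The text should also note that only the exact value `true` (any case) enables it, since the check in client.go is `strings.ToLower(...) == "true"`. The new sentence lacks its final period, unlike the line before it.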