LoadClientTLSConfig loads the TLS config into the client with the given parameters.
(v *viper.Viper)
| 164 | |
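// LoadClientTLSConfig loads the TLS config into the client with the given parameters.
//
// Resolution order:
//  1. If "slash_grpc_endpoint" is set in v, the config comes from SlashTLSConfig
//     and the --tls superflag is not consulted.
//  2. If the --tls superflag carries a ca-cert path, a TLS 1.2+ config is built:
//     the result of generateCertPool (fed ca-cert and use-system-ca) becomes
//     RootCAs, server-name is used for hostname verification, and a client
//     certificate is loaded when both client-cert and client-key are given.
//  3. Otherwise (nil, nil) is returned, which callers treat as plaintext. If any
//     other --tls option was set without ca-cert, that is reported as an error
//     instead of silently falling back to plaintext.
//
// Naming only one of client-cert/client-key is rejected with an error rather than
// silently proceeding without client authentication.
func LoadClientTLSConfig(v *viper.Viper) (*tls.Config, error) {
	if endpoint := v.GetString("slash_grpc_endpoint"); endpoint != "" {
		return SlashTLSConfig(endpoint)
	}

	tlsFlag := z.NewSuperFlag(v.GetString("tls")).MergeAndCheckDefault(TLSDefaults)

	caCert := tlsFlag.GetPath("ca-cert")
	certFile := tlsFlag.GetPath("client-cert")
	keyFile := tlsFlag.GetPath("client-key")
	serverName := tlsFlag.GetString("server-name")

	if caCert == "" {
		// Attempt to determine if user specified *any* TLS option. Unfortunately and contrary to
		// Viper's own documentation, there's no way to tell whether an option value came from a
		// command-line option or a built-in default.
		if serverName != "" || certFile != "" || keyFile != "" {
			return nil, errors.Errorf(`--tls "ca-cert=...;" is required for enabling TLS`)
		}
		// No TLS requested at all: a nil config means plaintext to the caller.
		return nil, nil
	}

	// When the --tls ca-cert="..."; option is specified, the connection will be set up using TLS
	// instead of plaintext. However the client cert files are optional, depending on whether the
	// server requires a client certificate.
	tlsCfg := tls.Config{
		MinVersion: tls.VersionTLS12,
	}

	// 1. set up the root CA
	pool, err := generateCertPool(caCert, tlsFlag.GetBool("use-system-ca"))
	if err != nil {
		return nil, err
	}
	tlsCfg.RootCAs = pool

	// 2. set up the server name for verification
	tlsCfg.ServerName = serverName

	// 3. optionally load the client cert files. Both halves must be present: a lone
	// cert or key is a misconfiguration, not a request for a server-only TLS session,
	// so surface it here rather than as a confusing handshake failure later.
	switch {
	case certFile != "" && keyFile != "":
		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, err
		}
		tlsCfg.Certificates = []tls.Certificate{cert}
	case certFile != "" || keyFile != "":
		return nil, errors.Errorf(`--tls "client-cert=...;" and "client-key=...;" must be specified together`)
	}

	return &tlsCfg, nil
}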
| 215 | |
| 216 | func generateCertPool(certPath string, useSystemCA bool) (*x509.CertPool, error) { |
| 217 | var pool *x509.CertPool |