From a49f86d0232c10feead5504607d49b40dbf841b6 Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Tue, 27 Dec 2022 11:55:36 -0500
Subject: [PATCH] use tlsClientConfig instead of custom dialer (#3830)
* use tlsClientConfig instead of custom dialer
* rm debug log
---
 .vscode/launch.json | 3 ++-
 authorize/state.go | 10 ++++++++--
 config/config.go | 13 +++++++++++++
 config/http.go | 12 ++++++++++++
 pkg/hpke/jwks.go | 7 +++++--
 proxy/state.go | 11 +++++++++--
 6 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/.vscode/launch.json b/.vscode/launch.json
index 3259ed702..2ea0d8c80 100644
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -7,7 +7,8 @@
 "request": "launch",
 "mode": "debug",
 "program": "${workspaceRoot}/cmd/pomerium",
- "args": ["-config", "${workspaceRoot}/.config.yaml"]
+ "args": ["-config", "${workspaceRoot}/.config.yaml"],
+ "cwd": "${workspaceRoot}",
 },
 {
 "name": "Connect to server",
diff --git a/authorize/state.go b/authorize/state.go
index 46c9384f2..dd3506c52 100644
--- a/authorize/state.go
+++ b/authorize/state.go
@@ -84,9 +84,15 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 }
 state.hpkePrivateKey = hpke.DerivePrivateKey(sharedKey)
- state.authenticateKeyFetcher = hpke.NewKeyFetcher(authenticateURL.ResolveReference(&url.URL{
+
+ jwksURL := authenticateURL.ResolveReference(&url.URL{
 Path: "/.well-known/pomerium/jwks.json",
- }).String())
+ }).String()
+ transport, err := config.GetTLSClientTransport(cfg)
+ if err != nil {
+ return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+ }
+ state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 return state, nil
 }
diff --git a/config/config.go b/config/config.go
index 2669c4548..c1cd2effa 100644
--- a/config/config.go
+++ b/config/config.go
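Review bot: The wrapped error on the new `return nil, fmt.Errorf(...)` line says `get tls client config`, but the call on the line above is `config.GetTLSClientTransport`, so a failure will point the reader at a different function than the one that returned it; `return nil, fmt.Errorf("authorize: get tls client transport: %w", err)` matches the call. The same jwksURL/transport/NewKeyFetcher sequence is added verbatim to proxy/state.go in this patch, so a small shared helper (for example a constructor taking the config and the authenticate URL and returning the KeyFetcher) would keep the two call sites from drifting apart. newAuthorizeStateFromConfig begins before this hunk.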
@@ -5,6 +5,7 @@ import (
 "github.com/pomerium/pomerium/internal/hashutil"
 "github.com/pomerium/pomerium/internal/telemetry/metrics"
+ "github.com/pomerium/pomerium/pkg/cryptutil"
 )
 // MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium
@@ -86,3 +87,15 @@ func (cfg *Config) AllocatePorts(ports [6]string) {
 cfg.DebugPort = ports[4]
 cfg.ACMETLSALPNPort = ports[5]
 }
+
+// GetTLSClientConfig returns TLS configuration that accounts for additional CA entries
+func (cfg *Config) GetTLSClientConfig() (*tls.Config, error) {
+ roots, err := cryptutil.GetCertPool(cfg.Options.CA, cfg.Options.CAFile)
+ if err != nil {
+ return nil, err
+ }
+ return &tls.Config{
+ RootCAs: roots,
+ MinVersion: tls.VersionTLS12,
+ }, nil
+}
diff --git a/config/http.go b/config/http.go
index 170f38bbb..88ad54bdd 100644
--- a/config/http.go
+++ b/config/http.go
@@ -117,3 +117,15 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 }
 return c.Then(transport)
 }
+
+// GetTLSClientTransport returns http transport accounting for custom CAs from config
+func GetTLSClientTransport(cfg *Config) (*http.Transport, error) {
+ tlsConfig, err := cfg.GetTLSClientConfig()
+ if err != nil {
+ return nil, err
+ }
+ return &http.Transport{
+ TLSClientConfig: tlsConfig,
+ ForceAttemptHTTP2: true,
+ }, nil
+}
diff --git a/pkg/hpke/jwks.go b/pkg/hpke/jwks.go
index 3e71676ee..9fcaf9246 100644
--- a/pkg/hpke/jwks.go
+++ b/pkg/hpke/jwks.go
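Review bot: GetTLSClientConfig's doc comment does not say which roots the returned config trusts when neither Options.CA nor Options.CAFile is set, nor that the minimum version is pinned to TLS 1.2, and those are the two facts a caller picking this config for an outbound connection needs. I would write `// GetTLSClientConfig returns a client TLS configuration whose RootCAs pool is built by cryptutil.GetCertPool from Options.CA and Options.CAFile and whose MinVersion is TLS 1.2.` and add what GetCertPool yields for empty inputs (presumably the system pool, but that is not visible here). The bare `return nil, err` also drops which option was at fault; `return nil, fmt.Errorf("config: loading CA bundle from CA/CAFile: %w", err)` would keep that, assuming fmt is already imported since only the project imports are in view in this hunk.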
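Review bot: The `&http.Transport{...}` literal in GetTLSClientTransport sets only TLSClientConfig and ForceAttemptHTTP2, so unlike http.DefaultTransport it carries no TLSHandshakeTimeout, no dial timeout, no IdleConnTimeout and no Proxy function; the JWKS fetcher built on it in pkg/hpke/jwks.go (whose httpcache `Client()` does not appear to set a client timeout either) can then sit on a stalled handshake for as long as the request context allows. Cloning the default transport keeps those limits: `transport := http.DefaultTransport.(*http.Transport).Clone()` / `transport.TLSClientConfig = tlsConfig` / `return transport, nil`. That clone also brings `Proxy: http.ProxyFromEnvironment`; if the custom dialer this patch removes deliberately bypassed HTTPS_PROXY, set `transport.Proxy = nil` afterwards. As a point of style, this is a free function taking *Config while GetTLSClientConfig directly above it in config.go is a method on *Config; making both methods would read more consistently, though that touches the two callers in this patch.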
@@ -81,9 +81,12 @@ func (fetcher *jwksKeyFetcher) FetchPublicKey(ctx context.Context) (*PublicKey,
 }
 // NewKeyFetcher returns a new KeyFetcher which fetches keys using an in-memory HTTP cache.
-func NewKeyFetcher(endpoint string) KeyFetcher {
+func NewKeyFetcher(endpoint string, transport http.RoundTripper) KeyFetcher {
 return &jwksKeyFetcher{
- client: httpcache.NewMemoryCacheTransport().Client(),
+ client: (&httpcache.Transport{
+ Transport: transport,
+ Cache: httpcache.NewMemoryCache(),
+ }).Client(),
 endpoint: endpoint,
 }
 }
diff --git a/proxy/state.go b/proxy/state.go
index 709ea2db8..9a9d79b3e 100644
--- a/proxy/state.go
+++ b/proxy/state.go
@@ -3,6 +3,7 @@ package proxy
 import (
 "context"
 "crypto/cipher"
+ "fmt"
 "net/url"
 "github.com/pomerium/pomerium/config"
@@ -61,9 +62,15 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 if err != nil {
 return nil, err
 }
- state.authenticateKeyFetcher = hpke.NewKeyFetcher(authenticateURL.ResolveReference(&url.URL{
+
+ jwksURL := authenticateURL.ResolveReference(&url.URL{
 Path: "/.well-known/pomerium/jwks.json",
- }).String())
+ }).String()
+ transport, err := config.GetTLSClientTransport(cfg)
+ if err != nil {
+ return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+ }
+ state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 if err != nil {
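Review bot: NewKeyFetcher's doc comment still describes only the cache and says nothing about the new transport parameter, which now decides the TLS roots used for every JWKS request. I would write `// NewKeyFetcher returns a KeyFetcher that requests endpoint through transport, caching responses in memory; callers pass the config-derived transport so custom CA roots are honored.` If a nil transport is meant to be accepted (httpcache.Transport appears to fall back to http.DefaultTransport in that case, but that is not visible here), the comment should say so; otherwise a nil guard in the constructor keeps a caller from silently losing the custom CA roots.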
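Review bot: The error wrapped on the new `return nil, fmt.Errorf(...)` line is prefixed `authorize:` although this is newProxyStateFromConfig in package proxy, so a CA-loading failure here would be attributed to the authorize service in logs; it should read `return nil, fmt.Errorf("proxy: get tls client transport: %w", err)`. The message also names `tls client config` while the call is GetTLSClientTransport, the same mismatch as in the authorize/state.go hunk. newProxyStateFromConfig starts before this hunk and continues past it.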