proxy: only set validation context if trusted_ca is used (#863)

* proxy: only set validation context if trusted_ca is used

* fix test
Caleb Doxsey 2020-06-09 13:45:03 -06:00 committed by GitHub
parent 9e711b4612
commit fe2369400c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 12 deletions


@ -348,17 +348,22 @@ func buildDownstreamTLSContext(options *config.Options, domain string) *envoy_ex
trustedCA = inlineFilename(options.ClientCAFile) trustedCA = inlineFilename(options.ClientCAFile)
} }
var validationContext *envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext
if trustedCA != nil {
validationContext = &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
TrustedCa: trustedCA,
TrustChainVerification: envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED,
},
}
}
envoyCert := envoyTLSCertificateFromGoTLSCertificate(cert) envoyCert := envoyTLSCertificateFromGoTLSCertificate(cert)
return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{ return &envoy_extensions_transport_sockets_tls_v3.DownstreamTlsContext{
CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{ CommonTlsContext: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext{
TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert}, TlsCertificates: []*envoy_extensions_transport_sockets_tls_v3.TlsCertificate{envoyCert},
AlpnProtocols: []string{"h2", "http/1.1"}, AlpnProtocols: []string{"h2", "http/1.1"},
ValidationContextType: &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{ ValidationContextType: validationContext,
ValidationContext: &envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext{
TrustedCa: trustedCA,
TrustChainVerification: envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED,
},
},
}, },
} }
} }
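Review bot: The new `if trustedCA != nil` block gives no rationale for `TrustChainVerification: CertificateValidationContext_ACCEPT_UNTRUSTED`, which instructs Envoy to complete the handshake even when the presented client certificate does not chain to `TrustedCa`, so a reader of this function alone cannot tell where the chain is actually enforced. Add a comment above the block along the lines of `// Only request a client certificate when a client CA is configured. ACCEPT_UNTRUSTED lets the TLS handshake succeed regardless of chain validity; the presented certificate is expected to be verified by a later stage rather than by Envoy (confirm which component does this).` It is also worth stating in that comment that leaving `ValidationContextType` nil means Envoy does not request a client certificate at all, so configuring the client CA is what turns client-certificate authentication on for the listener. The enclosing buildDownstreamTLSContext begins before this hunk, so the conditions under which `trustedCA` is populated are not visible here.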


@ -313,10 +313,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
"filename": "`+keyFileName+`" "filename": "`+keyFileName+`"
} }
} }
], ]
"validationContext": {
"trustChainVerification": "ACCEPT_UNTRUSTED"
}
} }
}`, downstreamTLSContext) }`, downstreamTLSContext)
} }