mirror of
https://github.com/drakkan/sftpgo.git
synced 2024-11-25 09:00:27 +00:00
web hooks: add mutual TLS support
This commit is contained in:
parent
1129a868a5
commit
a21ccad174
12 changed files with 170 additions and 24 deletions
|
@ -90,7 +90,10 @@ Command-line flags should be specified in the Subsystem declaration.
|
|||
os.Exit(1)
|
||||
}
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(configDir)
|
||||
if err := httpConfig.Initialize(configDir); err != nil {
|
||||
logger.Error(logSender, connectionID, "unable to initialize http client: %v", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
user, err := dataprovider.UserExists(username)
|
||||
if err == nil {
|
||||
if user.HomeDir != filepath.Clean(homedir) && !preserveHomeDir {
|
||||
|
|
|
@ -109,7 +109,7 @@ func TestMain(m *testing.M) {
|
|||
httpConfig := httpclient.Config{
|
||||
Timeout: 5,
|
||||
}
|
||||
httpConfig.Initialize(configDir)
|
||||
httpConfig.Initialize(configDir) //nolint:errcheck
|
||||
|
||||
go func() {
|
||||
// start a test HTTP server to receive action notifications
|
||||
|
|
|
@ -222,6 +222,7 @@ func Init() {
|
|||
RetryWaitMax: 30,
|
||||
RetryMax: 3,
|
||||
CACertificates: nil,
|
||||
Certificates: nil,
|
||||
SkipTLSVerify: false,
|
||||
},
|
||||
KMSConfig: kms.Configuration{
|
||||
|
@ -577,6 +578,7 @@ func loadBindingsFromEnv() {
|
|||
getFTPDBindingFromEnv(idx)
|
||||
getWebDAVDBindingFromEnv(idx)
|
||||
getHTTPDBindingFromEnv(idx)
|
||||
getHTTPClientCertificatesFromEnv(idx)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -756,6 +758,28 @@ func getHTTPDBindingFromEnv(idx int) {
|
|||
}
|
||||
}
|
||||
|
||||
func getHTTPClientCertificatesFromEnv(idx int) {
|
||||
tlsCert := httpclient.TLSKeyPair{}
|
||||
|
||||
cert, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_HTTP__CERTIFICATES__%v__CERT", idx))
|
||||
if ok {
|
||||
tlsCert.Cert = cert
|
||||
}
|
||||
|
||||
key, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_HTTP__CERTIFICATES__%v__KEY", idx))
|
||||
if ok {
|
||||
tlsCert.Key = key
|
||||
}
|
||||
|
||||
if tlsCert.Cert != "" && tlsCert.Key != "" {
|
||||
if len(globalConf.HTTPConfig.Certificates) > idx {
|
||||
globalConf.HTTPConfig.Certificates[idx] = tlsCert
|
||||
} else {
|
||||
globalConf.HTTPConfig.Certificates = append(globalConf.HTTPConfig.Certificates, tlsCert)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func setViperDefaults() {
|
||||
viper.SetDefault("common.idle_timeout", globalConf.Common.IdleTimeout)
|
||||
viper.SetDefault("common.upload_mode", globalConf.Common.UploadMode)
|
||||
|
|
|
@ -667,6 +667,67 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
|
|||
require.Equal(t, 1, bindings[2].ClientAuthType)
|
||||
}
|
||||
|
||||
func TestHTTPClientCertificatesFromEnv(t *testing.T) {
|
||||
reset()
|
||||
|
||||
configDir := ".."
|
||||
confName := tempConfigName + ".json"
|
||||
configFilePath := filepath.Join(configDir, confName)
|
||||
err := config.LoadConfig(configDir, "")
|
||||
assert.NoError(t, err)
|
||||
httpConf := config.GetHTTPConfig()
|
||||
httpConf.Certificates = append(httpConf.Certificates, httpclient.TLSKeyPair{
|
||||
Cert: "cert",
|
||||
Key: "key",
|
||||
})
|
||||
c := make(map[string]httpclient.Config)
|
||||
c["http"] = httpConf
|
||||
jsonConf, err := json.Marshal(c)
|
||||
require.NoError(t, err)
|
||||
err = ioutil.WriteFile(configFilePath, jsonConf, os.ModePerm)
|
||||
require.NoError(t, err)
|
||||
err = config.LoadConfig(configDir, confName)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, config.GetHTTPConfig().Certificates, 1)
|
||||
require.Equal(t, "cert", config.GetHTTPConfig().Certificates[0].Cert)
|
||||
require.Equal(t, "key", config.GetHTTPConfig().Certificates[0].Key)
|
||||
|
||||
os.Setenv("SFTPGO_HTTP__CERTIFICATES__0__CERT", "cert0")
|
||||
os.Setenv("SFTPGO_HTTP__CERTIFICATES__0__KEY", "key0")
|
||||
os.Setenv("SFTPGO_HTTP__CERTIFICATES__8__CERT", "cert8")
|
||||
os.Setenv("SFTPGO_HTTP__CERTIFICATES__9__CERT", "cert9")
|
||||
os.Setenv("SFTPGO_HTTP__CERTIFICATES__9__KEY", "key9")
|
||||
|
||||
t.Cleanup(func() {
|
||||
os.Unsetenv("SFTPGO_HTTP__CERTIFICATES__0__CERT")
|
||||
os.Unsetenv("SFTPGO_HTTP__CERTIFICATES__0__KEY")
|
||||
os.Unsetenv("SFTPGO_HTTP__CERTIFICATES__8__CERT")
|
||||
os.Unsetenv("SFTPGO_HTTP__CERTIFICATES__9__CERT")
|
||||
os.Unsetenv("SFTPGO_HTTP__CERTIFICATES__9__KEY")
|
||||
})
|
||||
|
||||
err = config.LoadConfig(configDir, confName)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, config.GetHTTPConfig().Certificates, 2)
|
||||
require.Equal(t, "cert0", config.GetHTTPConfig().Certificates[0].Cert)
|
||||
require.Equal(t, "key0", config.GetHTTPConfig().Certificates[0].Key)
|
||||
require.Equal(t, "cert9", config.GetHTTPConfig().Certificates[1].Cert)
|
||||
require.Equal(t, "key9", config.GetHTTPConfig().Certificates[1].Key)
|
||||
|
||||
err = os.Remove(configFilePath)
|
||||
assert.NoError(t, err)
|
||||
|
||||
config.Init()
|
||||
|
||||
err = config.LoadConfig(configDir, "")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, config.GetHTTPConfig().Certificates, 2)
|
||||
require.Equal(t, "cert0", config.GetHTTPConfig().Certificates[0].Cert)
|
||||
require.Equal(t, "key0", config.GetHTTPConfig().Certificates[0].Key)
|
||||
require.Equal(t, "cert9", config.GetHTTPConfig().Certificates[1].Cert)
|
||||
require.Equal(t, "key9", config.GetHTTPConfig().Certificates[1].Key)
|
||||
}
|
||||
|
||||
func TestConfigFromEnv(t *testing.T) {
|
||||
reset()
|
||||
|
||||
|
|
|
@ -215,6 +215,9 @@ The configuration file contains the following sections:
|
|||
- `retry_wait_max`, integer. Defines the maximum waiting time between attempts in seconds. The backoff algorithm will perform exponential backoff based on the attempt number and limited by the provided minimum and maximum durations.
|
||||
- `retry_max`, integer. Defines the maximum number of retries if the first request fails.
|
||||
- `ca_certificates`, list of strings. List of paths to extra CA certificates to trust. The paths can be absolute or relative to the config dir. Adding trusted CA certificates is a convenient way to use self-signed certificates without defeating the purpose of using TLS.
|
||||
- `certificates`, list of certificate for mutual TLS. Each certificate is a struct with the following fields:
|
||||
- `cert`, string. Path to the certificate file. The path can be absolute or relative to the config dir.
|
||||
- `key`, string. Path to the key file. The path can be absolute or relative to the config dir.
|
||||
- `skip_tls_verify`, boolean. if enabled the HTTP client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
|
||||
- **kms**, configuration for the Key Management Service, more details can be found [here](./kms.md)
|
||||
- `secrets`
|
||||
|
|
|
@ -140,7 +140,7 @@ func TestMain(m *testing.M) {
|
|||
}
|
||||
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(configDir)
|
||||
httpConfig.Initialize(configDir) //nolint:errcheck
|
||||
|
||||
kmsConfig := config.GetKMSConfig()
|
||||
err = kmsConfig.Initialize()
|
||||
|
|
|
@ -3,6 +3,7 @@ package httpclient
|
|||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"path/filepath"
|
||||
|
@ -14,6 +15,12 @@ import (
|
|||
"github.com/drakkan/sftpgo/utils"
|
||||
)
|
||||
|
||||
// TLSKeyPair defines the paths for a TLS key pair
|
||||
type TLSKeyPair struct {
|
||||
Cert string `json:"cert" mapstructure:"cert"`
|
||||
Key string `json:"key" mapstructure:"key"`
|
||||
}
|
||||
|
||||
// Config defines the configuration for HTTP clients.
|
||||
// HTTP clients are used for executing hooks such as the ones used for
|
||||
// custom actions, external authentication and pre-login user modifications
|
||||
|
@ -31,6 +38,8 @@ type Config struct {
|
|||
// Adding trusted CA certificates is a convenient way to use self-signed
|
||||
// certificates without defeating the purpose of using TLS
|
||||
CACertificates []string `json:"ca_certificates" mapstructure:"ca_certificates"`
|
||||
// Certificates defines the certificates to use for mutual TLS
|
||||
Certificates []TLSKeyPair `json:"certificates" mapstructure:"certificates"`
|
||||
// if enabled the HTTP client accepts any TLS certificate presented by
|
||||
// the server and any host name in that certificate.
|
||||
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
||||
|
@ -45,25 +54,35 @@ const logSender = "httpclient"
|
|||
var httpConfig Config
|
||||
|
||||
// Initialize configures HTTP clients
|
||||
func (c Config) Initialize(configDir string) {
|
||||
httpConfig = c
|
||||
rootCAs := c.loadCACerts(configDir)
|
||||
func (c *Config) Initialize(configDir string) error {
|
||||
rootCAs, err := c.loadCACerts(configDir)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
customTransport := http.DefaultTransport.(*http.Transport).Clone()
|
||||
if customTransport.TLSClientConfig != nil {
|
||||
customTransport.TLSClientConfig.RootCAs = rootCAs
|
||||
} else {
|
||||
customTransport.TLSClientConfig = &tls.Config{
|
||||
RootCAs: rootCAs,
|
||||
RootCAs: rootCAs,
|
||||
NextProtos: []string{"h2", "http/1.1"},
|
||||
}
|
||||
}
|
||||
customTransport.TLSClientConfig.InsecureSkipVerify = c.SkipTLSVerify
|
||||
httpConfig.customTransport = customTransport
|
||||
httpConfig.tlsConfig = customTransport.TLSClientConfig
|
||||
c.customTransport = customTransport
|
||||
c.tlsConfig = customTransport.TLSClientConfig
|
||||
|
||||
err = c.loadCertificates(configDir)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
httpConfig = *c
|
||||
return nil
|
||||
}
|
||||
|
||||
// loadCACerts returns system cert pools and try to add the configured
|
||||
// CA certificates to it
|
||||
func (c Config) loadCACerts(configDir string) *x509.CertPool {
|
||||
func (c *Config) loadCACerts(configDir string) (*x509.CertPool, error) {
|
||||
rootCAs, err := x509.SystemCertPool()
|
||||
if err != nil {
|
||||
rootCAs = x509.NewCertPool()
|
||||
|
@ -71,26 +90,52 @@ func (c Config) loadCACerts(configDir string) *x509.CertPool {
|
|||
|
||||
for _, ca := range c.CACertificates {
|
||||
if !utils.IsFileInputValid(ca) {
|
||||
logger.Warn(logSender, "", "unable to load invalid CA certificate: %#v", ca)
|
||||
logger.WarnToConsole("unable to load invalid CA certificate: %#v", ca)
|
||||
continue
|
||||
return nil, fmt.Errorf("unable to load invalid CA certificate: %#v", ca)
|
||||
}
|
||||
if !filepath.IsAbs(ca) {
|
||||
ca = filepath.Join(configDir, ca)
|
||||
}
|
||||
certs, err := ioutil.ReadFile(ca)
|
||||
if err != nil {
|
||||
logger.Warn(logSender, "", "unable to load CA certificate: %v", err)
|
||||
logger.WarnToConsole("unable to load CA certificate: %#v", err)
|
||||
return nil, fmt.Errorf("unable to load CA certificate: %v", err)
|
||||
}
|
||||
if rootCAs.AppendCertsFromPEM(certs) {
|
||||
logger.Debug(logSender, "", "CA certificate %#v added to the trusted certificates", ca)
|
||||
} else {
|
||||
logger.Warn(logSender, "", "unable to add CA certificate %#v to the trusted cetificates", ca)
|
||||
logger.WarnToConsole("unable to add CA certificate %#v to the trusted cetificates", ca)
|
||||
return nil, fmt.Errorf("unable to add CA certificate %#v to the trusted cetificates", ca)
|
||||
}
|
||||
}
|
||||
return rootCAs
|
||||
return rootCAs, nil
|
||||
}
|
||||
|
||||
func (c *Config) loadCertificates(configDir string) error {
|
||||
if len(c.Certificates) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
for _, keyPair := range c.Certificates {
|
||||
cert := keyPair.Cert
|
||||
key := keyPair.Key
|
||||
if !utils.IsFileInputValid(cert) {
|
||||
return fmt.Errorf("unable to load invalid certificate: %#v", cert)
|
||||
}
|
||||
if !utils.IsFileInputValid(key) {
|
||||
return fmt.Errorf("unable to load invalid key: %#v", key)
|
||||
}
|
||||
if !filepath.IsAbs(cert) {
|
||||
cert = filepath.Join(configDir, cert)
|
||||
}
|
||||
if !filepath.IsAbs(key) {
|
||||
key = filepath.Join(configDir, key)
|
||||
}
|
||||
tlsCert, err := tls.LoadX509KeyPair(cert, key)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to load key pair %#v, %#v: %v", cert, key, err)
|
||||
}
|
||||
logger.Debug(logSender, "", "client certificate %#v and key %#v successfully loaded", cert, key)
|
||||
c.tlsConfig.Certificates = append(c.tlsConfig.Certificates, tlsCert)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetHTTPClient returns an HTTP client with the configured parameters
|
||||
|
|
|
@ -177,7 +177,7 @@ func TestMain(m *testing.M) {
|
|||
}
|
||||
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(configDir)
|
||||
httpConfig.Initialize(configDir) //nolint:errcheck
|
||||
kmsConfig := config.GetKMSConfig()
|
||||
err = kmsConfig.Initialize()
|
||||
if err != nil {
|
||||
|
|
|
@ -47,8 +47,7 @@ type Service struct {
|
|||
Error error
|
||||
}
|
||||
|
||||
// Start initializes the service
|
||||
func (s *Service) Start() error {
|
||||
func (s *Service) initLogger() {
|
||||
logLevel := zerolog.DebugLevel
|
||||
if !s.LogVerbose {
|
||||
logLevel = zerolog.InfoLevel
|
||||
|
@ -63,6 +62,11 @@ func (s *Service) Start() error {
|
|||
logger.DisableLogger()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Start initializes the service
|
||||
func (s *Service) Start() error {
|
||||
s.initLogger()
|
||||
logger.Info(logSender, "", "starting SFTPGo %v, config dir: %v, config file: %v, log max size: %v log max backups: %v "+
|
||||
"log max age: %v log verbose: %v, log compress: %v, load data from: %#v", version.GetAsString(), s.ConfigDir, s.ConfigFile,
|
||||
s.LogMaxSize, s.LogMaxBackups, s.LogMaxAge, s.LogVerbose, s.LogCompress, s.LoadDataFrom)
|
||||
|
@ -120,7 +124,12 @@ func (s *Service) Start() error {
|
|||
}
|
||||
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(s.ConfigDir)
|
||||
err = httpConfig.Initialize(s.ConfigDir)
|
||||
if err != nil {
|
||||
logger.Error(logSender, "", "error initializing http client: %v", err)
|
||||
logger.ErrorToConsole("error initializing http client: %v", err)
|
||||
return err
|
||||
}
|
||||
|
||||
s.startServices()
|
||||
|
||||
|
|
|
@ -184,7 +184,7 @@ func TestMain(m *testing.M) {
|
|||
}
|
||||
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(configDir)
|
||||
httpConfig.Initialize(configDir) //nolint:errcheck
|
||||
kmsConfig := config.GetKMSConfig()
|
||||
err = kmsConfig.Initialize()
|
||||
if err != nil {
|
||||
|
|
|
@ -178,6 +178,7 @@
|
|||
"retry_wait_max": 30,
|
||||
"retry_max": 3,
|
||||
"ca_certificates": [],
|
||||
"certificates": [],
|
||||
"skip_tls_verify": false
|
||||
},
|
||||
"kms": {
|
||||
|
|
|
@ -133,7 +133,7 @@ func TestMain(m *testing.M) {
|
|||
}
|
||||
|
||||
httpConfig := config.GetHTTPConfig()
|
||||
httpConfig.Initialize(configDir)
|
||||
httpConfig.Initialize(configDir) //nolint:errcheck
|
||||
kmsConfig := config.GetKMSConfig()
|
||||
err = kmsConfig.Initialize()
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in a new issue