Add possibility to skip TLS server certificate verification

This commit is contained in:
Alex 2022-08-24 17:53:33 +02:00
parent 698236cdb4
commit 5007077f1d
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
2 changed files with 34 additions and 13 deletions


@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize};
pub struct ConsulConfig { pub struct ConsulConfig {
pub addr: String, pub addr: String,
pub ca_cert: Option<String>, pub ca_cert: Option<String>,
pub tls_skip_verify: bool,
pub client_cert: Option<String>, pub client_cert: Option<String>,
pub client_key: Option<String>, pub client_key: Option<String>,
} }
@ -88,26 +89,41 @@ pub struct Consul {
impl Consul { impl Consul {
pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> { pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> {
let client = match (&config.ca_cert, &config.client_cert, &config.client_key) { let client = match (&config.client_cert, &config.client_key) {
(Some(ca_cert), Some(client_cert), Some(client_key)) => { (Some(client_cert), Some(client_key)) => {
let mut ca_cert_buf = vec![];
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
let mut client_cert_buf = vec![]; let mut client_cert_buf = vec![];
File::open(client_cert)?.read_to_end(&mut client_cert_buf)?; File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
let mut client_key_buf = vec![]; let mut client_key_buf = vec![];
File::open(client_key)?.read_to_end(&mut client_key_buf)?; File::open(client_key)?.read_to_end(&mut client_key_buf)?;
let identity = reqwest::Identity::from_pem(
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..],
)?;
if config.tls_skip_verify {
reqwest::Client::builder()
.use_rustls_tls()
.danger_accept_invalid_certs(true)
.identity(identity)
.build()?
} else if let Some(ca_cert) = &config.ca_cert {
let mut ca_cert_buf = vec![];
File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
reqwest::Client::builder() reqwest::Client::builder()
.use_rustls_tls() .use_rustls_tls()
.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?) .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
.identity(reqwest::Identity::from_pem( .identity(identity)
&[&client_cert_buf[..], &client_key_buf[..]].concat()[..], .build()?
)?) } else {
reqwest::Client::builder()
.use_rustls_tls()
.identity(identity)
.build()? .build()?
} }
(None, None, None) => reqwest::Client::new(), }
(None, None) => reqwest::Client::new(),
_ => bail!("Incomplete Consul TLS configuration parameters"), _ => bail!("Incomplete Consul TLS configuration parameters"),
}; };
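Review bot: Both new TLS knobs are silently dropped whenever no client certificate is configured: the `(None, None)` arm still builds `reqwest::Client::new()`, so `ca_cert` on its own — which the previous three-way match rejected as incomplete — no longer pins anything, and `tls_skip_verify` on its own does nothing, in both cases without any error. Inside the mTLS arm the `if config.tls_skip_verify` test comes before `else if let Some(ca_cert)`, so a configured CA is ignored without warning when both are set; I would reject that combination outright. Note that `danger_accept_invalid_certs(true)` disables chain and hostname verification together, i.e. any certificate presented by anyone is accepted, so a loud warning at startup when it is on would be worth adding. I suggest building the `ClientBuilder` from the TLS options first and only attaching the identity in the match, as sketched below (this also moves the no-mTLS path onto rustls, which I assume is intended — please confirm); the enclosing `Consul::new` continues past the hunk.
```rust
let mut builder = reqwest::Client::builder().use_rustls_tls();
if config.tls_skip_verify {
    if config.ca_cert.is_some() {
        bail!("consul_tls_skip_verify and consul_ca_cert are mutually exclusive");
    }
    // Disables chain *and* hostname verification: any certificate is accepted.
    builder = builder.danger_accept_invalid_certs(true);
} else if let Some(ca_cert) = &config.ca_cert {
    let mut ca_cert_buf = vec![];
    File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
    builder = builder.add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?);
}
let client = match (&config.client_cert, &config.client_key) {
    (Some(client_cert), Some(client_key)) => {
        // … unchanged: read client_cert / client_key and build `identity` …
        builder.identity(identity).build()?
    }
    (None, None) => builder.build()?,
    _ => bail!("Incomplete Consul TLS configuration parameters"),
};
```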


@ -40,6 +40,10 @@ struct Opt {
#[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")] #[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")]
pub consul_ca_cert: Option<String>, pub consul_ca_cert: Option<String>,
/// Skip TLS verification for Consul
#[structopt(long = "consul-tls-skip-verify", env = "TRICOT_CONSUL_TLS_SKIP_VERIFY")]
pub consul_tls_skip_verify: bool,
/// Client certificate for Consul server with TLS /// Client certificate for Consul server with TLS
#[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")] #[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")]
pub consul_client_cert: Option<String>, pub consul_client_cert: Option<String>,
@ -122,6 +126,7 @@ async fn main() {
let consul_config = consul::ConsulConfig { let consul_config = consul::ConsulConfig {
addr: opt.consul_addr.clone(), addr: opt.consul_addr.clone(),
ca_cert: opt.consul_ca_cert.clone(), ca_cert: opt.consul_ca_cert.clone(),
tls_skip_verify: opt.consul_tls_skip_verify,
client_cert: opt.consul_client_cert.clone(), client_cert: opt.consul_client_cert.clone(),
client_key: opt.consul_client_key.clone(), client_key: opt.consul_client_key.clone(),
}; };
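Review bot: `consul_tls_skip_verify` is a `bool` field driven by an `env` attribute, and with the structopt/clap generation this file appears to rely on, an env-backed boolean is either never honoured or is treated as set whenever `TRICOT_CONSUL_TLS_SKIP_VERIFY` is present with any value — `=false` or `=0` included — so an operator who exports it to turn the option off may silently disable verification. Please confirm the actual behaviour with a quick run and, if it is value-blind, parse the variable explicitly or document that only its absence keeps verification on. The doc comment also understates what the flag does: the matching code in consul.rs calls `danger_accept_invalid_certs`, which turns off chain and hostname verification together, so I would replace it with `/// Skip TLS server certificate verification for Consul (INSECURE: accepts any certificate; test setups only)`. The `Opt` struct and `main` both extend beyond the hunks shown.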