From aafcf7731719e609f3dd158ea3825bb6f3f5d9e9 Mon Sep 17 00:00:00 2001
From: Sergei Trofimov
Date: Thu, 30 May 2024 09:22:18 +0100
Subject: [PATCH] feat: add TLS support

- Automatically use TLS API client if URL scheme specified to --api-server is HTTPS.
- Add -i/--insecure flag to suppress cert validation for TLS.
- Add -E/--ca-cert flag to allow specifying additional CA cert(s) to be used in TLS cert validation (by default, the system CA certs are used).

Signed-off-by: Sergei Trofimov
---
 cocli/cmd/corimSubmit.go | 45 ++++++++++++++++++++---------------
 cocli/cmd/corimSubmit_test.go | 7 ++++++
 cocli/cmd/isubmitter.go | 5 ++++
 go.mod | 4 ++--
 go.sum | 2 ++
 5 files changed, 42 insertions(+), 21 deletions(-)

diff --git a/cocli/cmd/corimSubmit.go b/cocli/cmd/corimSubmit.go
index f231d18e..80c1bd3a 100644
--- a/cocli/cmd/corimSubmit.go
+++ b/cocli/cmd/corimSubmit.go
@@ -1,4 +1,4 @@
-// Copyright 2021 Contributors to the Veraison project.
+// Copyright 2021-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -7,17 +7,21 @@ import (
 "errors"
 "fmt"
 "net/url"
+ "strings"
 
 "github.com/spf13/afero"
 "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
 "github.com/spf13/viper"
 "github.com/veraison/apiclient/provisioning"
 )
 
 var (
- corimFile *string
- mediaType *string
- apiServer string
+ corimFile *string
+ mediaType *string
+ apiServer string
+ isInsecure bool
+ certPaths []string
 )
 
 var (
@@ -72,21 +76,18 @@ func NewCorimSubmitCmd(submitter ISubmitter) *cobra.Command {
 cmd.Flags().StringP("token-url", "T", "", "token URL of the OAuth2 service")
 cmd.Flags().StringP("username", "U", "", "service username")
 cmd.Flags().StringP("password", "P", "", "service password")
-
- err := viper.BindPFlag("api_server", cmd.Flags().Lookup("api-server"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("auth", cmd.Flags().Lookup("auth"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("client_id", cmd.Flags().Lookup("client-id"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("client_secret", cmd.Flags().Lookup("client-secret"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("username", cmd.Flags().Lookup("username"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("password", cmd.Flags().Lookup("password"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("token_url", cmd.Flags().Lookup("token-url"))
- cobra.CheckErr(err)
+ cmd.Flags().BoolP(
+ "insecure", "i", false, "Allow insecure connections (e.g. do not verify TLS certs)",
+ )
+ cmd.Flags().StringArrayP(
+ "ca-cert", "E", nil, "path to a CA cert that will be used in addition to system certs; may be specified multiple times",
+ )
+
+ cmd.Flags().VisitAll(func(flag *pflag.Flag) {
+ cfgName := strings.ReplaceAll(flag.Name, "-", "_")
+ err := viper.BindPFlag(cfgName, flag)
+ cobra.CheckErr(err)
+ })
 
 return cmd
 }
@@ -109,6 +110,9 @@ func checkSubmitArgs() error {
 return errors.New("no media type supplied")
 }
 
+ isInsecure = viper.GetBool("insecure")
+ certPaths = viper.GetStringSlice("ca_cert")
+
 return nil
 }
 
@@ -119,6 +123,9 @@ func provisionData(data []byte, submitter ISubmitter, uri string, mediaType stri
 return fmt.Errorf("unable to set submit URI: %w", err)
 }
 
+ submitter.SetIsInsecure(isInsecure)
+ submitter.SetCerts(certPaths)
+
 submitter.SetDeleteSession(true)
 if err := submitter.Run(data, mediaType); err != nil {
 return fmt.Errorf("run failed: %w", err)
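Review bot: The new `--insecure` flag in the NewCorimSubmitCmd hunk turns off TLS certificate verification, and because the VisitAll loop now binds every flag into viper, the same switch can be enabled from a config file or environment variable with nothing visible on the command line, yet the tool never tells the user that verification is off. I would surface it where the value is read in checkSubmitArgs (whose body starts above the hunk): `if isInsecure { fmt.Fprintln(os.Stderr, "WARNING: TLS certificate verification disabled; do not use against production servers") }`, which needs an `os` import in this file. The help text should also state the consequence rather than hint at it, e.g. `"skip TLS server certificate verification (testing only)"` instead of "Allow insecure connections (e.g. do not verify TLS certs)". Whether `--ca-cert` still has any effect once `--insecure` is set depends on the apiclient implementation, which is not part of this patch; if the CA list is ignored in that case, a warning about the combination belongs in the same place.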
diff --git a/cocli/cmd/corimSubmit_test.go b/cocli/cmd/corimSubmit_test.go
index 5fa29d20..b5ee04a1 100644
--- a/cocli/cmd/corimSubmit_test.go
+++ b/cocli/cmd/corimSubmit_test.go
@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
@@ -133,6 +136,8 @@ func Test_CorimSubmitCmd_submit_ok(t *testing.T) {
 require.NoError(t, err)
 ms.EXPECT().SetAuth(gomock.Any())
 ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+ ms.EXPECT().SetIsInsecure(false)
+ ms.EXPECT().SetCerts([]string{})
 ms.EXPECT().SetDeleteSession(true)
 ms.EXPECT().Run(testSignedCorimValid, "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1").Return(nil)
 err = cmd.Execute()
@@ -158,6 +163,8 @@ func Test_CorimSubmitCmd_submit_not_ok(t *testing.T) {
 require.NoError(t, err)
 ms.EXPECT().SetAuth(gomock.Any())
 ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+ ms.EXPECT().SetIsInsecure(false)
+ ms.EXPECT().SetCerts([]string{})
 ms.EXPECT().SetDeleteSession(true)
 
 err = errors.New(`unexpected HTTP response code 404`)
diff --git a/cocli/cmd/isubmitter.go b/cocli/cmd/isubmitter.go
index 823e0ac8..cc9734ed 100644
--- a/cocli/cmd/isubmitter.go
+++ b/cocli/cmd/isubmitter.go
@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
@@ -11,4 +14,6 @@ type ISubmitter interface {
 SetAuth(a auth.IAuthenticator)
 SetSubmitURI(uri string) error
 SetDeleteSession(session bool)
+ SetIsInsecure(v bool)
+ SetCerts(paths []string)
 }
diff --git a/go.mod b/go.mod
index 96a5aa49..8b008732 100644
--- a/go.mod
+++ b/go.mod
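Review bot: The two methods added to ISubmitter in the isubmitter.go hunk are exported interface members with no doc comment, so the meaning of `v` and of `paths` (files or directories, PEM or DER, whether the system roots are kept) can only be guessed from the flag help text over in corimSubmit.go. Going by that help text, I would add `// SetIsInsecure disables TLS server certificate verification when v is true.` above the first and `// SetCerts names CA certificate files to trust in addition to the system roots when verifying the server.` above the second, adjusting the wording if the apiclient implementation behaves differently. The two test hunks in corimSubmit_test.go only pin the default case (`SetIsInsecure(false)`, `SetCerts([]string{})`); a case that sets `--insecure` and one or more `--ca-cert` values would exercise the viper-to-submitter wiring this patch actually adds.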
@@ -10,9 +10,10 @@ require (
 github.com/spf13/afero v1.9.2
 github.com/spf13/cast v1.4.1
 github.com/spf13/cobra v1.2.1
+ github.com/spf13/pflag v1.0.5
 github.com/spf13/viper v1.9.0
 github.com/stretchr/testify v1.8.2
- github.com/veraison/apiclient v0.2.0
+ github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff
 github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7
 github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
@@ -37,7 +38,6 @@ require (
 github.com/pelletier/go-toml v1.9.4 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
- github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/crypto v0.12.0 // indirect
diff --git a/go.sum b/go.sum
index e1ae4e55..dec21edf 100644
--- a/go.sum
+++ b/go.sum
@@ -323,6 +323,8 @@ github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/veraison/apiclient v0.2.0 h1:QELvZ+eEfzh9v0ORe9B2UTMpiA7aONHpZIfwSfcRR6s=
 github.com/veraison/apiclient v0.2.0/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94 h1:0d7vTs3K9Y4bskTtI3pvkFE0HiSHc4vWA3M6Fc0lWRM=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff h1:r6I2eJL/z8dp5flsQIKHMeDjyV6UO8If3MaVBLvTjF4=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7 h1:KcKzBthSrSZIUEWBjVvkuk/DE3PyYFbXZxhx5byGFtc=