Merge pull request #3903 from reasonerjt/uaa-ca-config

Enable configuring the CA Certificate for UAA
Daniel Jiang 2018-01-03 17:28:39 +08:00 committed by GitHub
commit 1a7f6f36e2
6 changed files with 31 additions and 11 deletions


@ -76,7 +76,7 @@ services:
volumes:
- ./common/config/ui/app.conf:/etc/ui/app.conf:z
- ./common/config/ui/private_key.pem:/etc/ui/private_key.pem:z
- ./common/config/ui/certificates/:/etc/ui/certifates/
- ./common/config/ui/certificates/:/etc/ui/certificates/
- /data/secretkey:/etc/ui/key:z
- /data/ca_download/:/etc/ui/ca/:z
- /data/psc/:/etc/ui/token/:z
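Review bot: The corrected `certificates` mount on the new line is the only volume in this list without the `:z` relabel suffix that every neighbouring entry carries, so on an SELinux-enforcing host the ui container can still be denied read access to the copied UAA CA even though the container path is now spelled right. Unless the omission is deliberate, `- ./common/config/ui/certificates/:/etc/ui/certificates/:z` keeps it consistent with the other mounts.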


@ -142,4 +142,5 @@ uaa_endpoint = uaa.mydomain.org
uaa_clientid = id
uaa_clientsecret = secret
uaa_verify_cert = true
uaa_ca_cert = /path/to/ca.pem
#############
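Review bot: The new `uaa_ca_cert` key is added to the template without any explanation of what it is or when it is used, which is the only place an operator reads before running prepare. A one-line comment above it, `# Path of the CA certificate used to verify the UAA server's TLS certificate when uaa_verify_cert is true; prepare skips it when the file does not exist.`, states the contract that the prepare script and the UAA client in this same change actually implement.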


@ -250,6 +250,7 @@ uaa_endpoint = rcp.get("configuration", "uaa_endpoint")
uaa_clientid = rcp.get("configuration", "uaa_clientid")
uaa_clientsecret = rcp.get("configuration", "uaa_clientsecret")
uaa_verify_cert = rcp.get("configuration", "uaa_verify_cert")
uaa_ca_cert = rcp.get("configuration", "uaa_ca_cert")
secret_key = get_secret_key(secretkey_path)
log_rotate_count = rcp.get("configuration", "log_rotate_count")
@ -280,6 +281,7 @@ log_config_dir = prep_conf_dir (config_dir, "log")
adminserver_conf_env = os.path.join(config_dir, "adminserver", "env")
ui_conf_env = os.path.join(config_dir, "ui", "env")
ui_conf = os.path.join(config_dir, "ui", "app.conf")
ui_cert_dir = os.path.join(config_dir, "ui", "certificates")
jobservice_conf = os.path.join(config_dir, "jobservice", "app.conf")
registry_conf = os.path.join(config_dir, "registry", "config.yml")
db_conf_env = os.path.join(config_dir, "db", "env")
@ -387,6 +389,16 @@ shutil.copyfile(os.path.join(templates_dir, "jobservice", "app.conf"), jobservic
print("Generated configuration file: %s" % ui_conf)
shutil.copyfile(os.path.join(templates_dir, "ui", "app.conf"), ui_conf)
if auth_mode == "uaa_auth":
if os.path.isfile(uaa_ca_cert):
if not os.path.isdir(ui_cert_dir):
os.makedirs(ui_cert_dir, mode=0o600)
ui_uaa_ca = os.path.join(ui_cert_dir, "uaa_ca.pem")
print("Copying UAA CA cert to %s" % ui_uaa_ca)
shutil.copyfile(uaa_ca_cert, ui_uaa_ca)
else:
print("Can not find UAA CA cert: %s, skip" % uaa_ca_cert)
def validate_crt_subj(dirty_subj):
subj_list = [item for item in dirty_subj.strip().split("/") \
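Review bot: `os.makedirs(ui_cert_dir, mode=0o600)` creates a directory without the search (execute) bit, so a non-root process cannot open `uaa_ca.pem` inside it even though it can list nothing and read nothing either; for a directory the intended owner-only mode is `os.makedirs(ui_cert_dir, mode=0o700)`, and since this directory is bind-mounted into the ui container, the mode chosen here is what the container process sees. The mode is also filtered by the current umask, so the result may be more restrictive still; worth a comment on the line. The `validate_crt_subj` definition that starts at the end of the hunk continues outside it.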


@ -22,6 +22,7 @@ import (
"fmt"
"io/ioutil"
"net/http"
"os"
"strings"
"github.com/vmware/harbor/src/common/utils/log"
@ -179,16 +180,20 @@ func NewDefaultClient(cfg *ClientConfig) (Client, error) {
InsecureSkipVerify: cfg.SkipTLSVerify,
}
if !cfg.SkipTLSVerify && len(cfg.CARootPath) > 0 {
content, err := ioutil.ReadFile(cfg.CARootPath)
if err != nil {
return nil, err
}
pool := x509.NewCertPool()
//Do not throw error if the certificate is malformed, so we can put a place holder.
if ok := pool.AppendCertsFromPEM(content); !ok {
log.Warningf("Failed to append certificate to cert pool, cert path: %s", cfg.CARootPath)
if _, err := os.Stat(cfg.CARootPath); !os.IsNotExist(err) {
content, err := ioutil.ReadFile(cfg.CARootPath)
if err != nil {
return nil, err
}
pool := x509.NewCertPool()
//Do not throw error if the certificate is malformed, so we can put a place holder.
if ok := pool.AppendCertsFromPEM(content); !ok {
log.Warningf("Failed to append certificate to cert pool, cert path: %s", cfg.CARootPath)
} else {
tc.RootCAs = pool
}
} else {
tc.RootCAs = pool
log.Warningf("The root certificate file %s is not found, skip configuring root cert in UAA client.", cfg.CARootPath)
}
}
hc := &http.Client{


@ -98,7 +98,7 @@ func TestNewClientWithCACert(t *testing.T) {
CARootPath: "/notexist",
}
_, err := NewDefaultClient(cfg)
assert.NotNil(err)
assert.Nil(err)
//Skip if it's malformed.
cfg.CARootPath = path.Join(currPath(), "test", "non-ca.pem")
_, err = NewDefaultClient(cfg)
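Review bot: Flipping the assertion to `assert.Nil(err)` changes what the `/notexist` case means, but no comment records it, so a reader only sees the later `//Skip if it's malformed.` and has to infer that a missing file is now tolerated too. A line such as `// A missing CA file is tolerated: the client only logs a warning and is built without a custom root pool.` above `_, err := NewDefaultClient(cfg)` states the intent the flipped assertion is protecting. TestNewClientWithCACert starts before the hunk and continues after it.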


@ -16,6 +16,7 @@ package uaa
import (
"fmt"
"os"
"strings"
"sync"
@ -38,6 +39,7 @@ func CreateClient() (uaa.Client, error) {
ClientSecret: UAASettings.ClientSecret,
Endpoint: UAASettings.Endpoint,
SkipTLSVerify: !UAASettings.VerifyCert,
CARootPath: os.Getenv("UAA_CA_ROOT"),
}
return uaa.NewDefaultClient(cfg)
}
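Review bot: `CARootPath: os.Getenv("UAA_CA_ROOT")` reads an environment variable that nothing in this change sets: the prepare script copies the CA to `uaa_ca.pem` under the ui certificates directory and the compose file mounts that directory at `/etc/ui/certificates/`, so presumably the ui env template is expected to export `UAA_CA_ROOT` pointing there, which is not visible here. When the variable is unset `os.Getenv` returns an empty string and NewDefaultClient skips CA configuration without any log line, so a missing export degrades the feature silently. A comment on the new field, `// UAA_CA_ROOT is expected to point at the CA that prepare copies to the ui certificates directory; empty means no custom root pool.`, ties the three pieces together.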