mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
a7e867a699
This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
86 lines
2.8 KiB
Go
86 lines
2.8 KiB
Go
package utils
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"path/filepath"
|
|
"strings"
|
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
|
"github.com/authelia/authelia/internal/logging"
|
|
)
|
|
|
|
// NewTLSConfig generates a tls.Config from a schema.TLSConfig and a x509.CertPool.
|
|
func NewTLSConfig(config *schema.TLSConfig, defaultMinVersion uint16, certPool *x509.CertPool) (tlsConfig *tls.Config) {
|
|
minVersion, err := TLSStringToTLSConfigVersion(config.MinimumVersion)
|
|
if err != nil {
|
|
minVersion = defaultMinVersion
|
|
}
|
|
|
|
return &tls.Config{
|
|
ServerName: config.ServerName,
|
|
InsecureSkipVerify: config.SkipVerify, //nolint:gosec // Informed choice by user. Off by default.
|
|
MinVersion: minVersion,
|
|
RootCAs: certPool,
|
|
}
|
|
}
|
|
|
|
// NewX509CertPool generates a x509.CertPool from the system PKI and the directory specified.
|
|
func NewX509CertPool(directory string) (certPool *x509.CertPool, warnings []error, errors []error) {
|
|
certPool, err := x509.SystemCertPool()
|
|
if err != nil {
|
|
warnings = append(warnings, fmt.Errorf("could not load system certificate pool which may result in untrusted certificate issues: %v", err))
|
|
certPool = x509.NewCertPool()
|
|
}
|
|
|
|
logger := logging.Logger()
|
|
|
|
logger.Tracef("Starting scan of directory %s for certificates", directory)
|
|
|
|
if directory != "" {
|
|
certsFileInfo, err := ioutil.ReadDir(directory)
|
|
if err != nil {
|
|
errors = append(errors, fmt.Errorf("could not read certificates from directory %v", err))
|
|
} else {
|
|
for _, certFileInfo := range certsFileInfo {
|
|
nameLower := strings.ToLower(certFileInfo.Name())
|
|
|
|
if !certFileInfo.IsDir() && (strings.HasSuffix(nameLower, ".cer") || strings.HasSuffix(nameLower, ".crt") || strings.HasSuffix(nameLower, ".pem")) {
|
|
certPath := filepath.Join(directory, certFileInfo.Name())
|
|
|
|
logger.Tracef("Found possible cert %s, attempting to add it to the pool", certPath)
|
|
|
|
certBytes, err := ioutil.ReadFile(certPath)
|
|
if err != nil {
|
|
errors = append(errors, fmt.Errorf("could not read certificate %v", err))
|
|
} else if ok := certPool.AppendCertsFromPEM(certBytes); !ok {
|
|
errors = append(errors, fmt.Errorf("could not import certificate %s", certFileInfo.Name()))
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
logger.Tracef("Finished scan of directory %s for certificates", directory)
|
|
|
|
return certPool, warnings, errors
|
|
}
|
|
|
|
// TLSStringToTLSConfigVersion returns a go crypto/tls version for a tls.Config based on string input.
|
|
func TLSStringToTLSConfigVersion(input string) (version uint16, err error) {
|
|
switch strings.ToUpper(input) {
|
|
case "TLS1.3", TLS13:
|
|
return tls.VersionTLS13, nil
|
|
case "TLS1.2", TLS12:
|
|
return tls.VersionTLS12, nil
|
|
case "TLS1.1", TLS11:
|
|
return tls.VersionTLS11, nil
|
|
case "TLS1.0", TLS10:
|
|
return tls.VersionTLS10, nil
|
|
}
|
|
|
|
return 0, ErrTLSVersionNotSupported
|
|
}
|