cmd: added --cacert flag and client code
davidallendj committed Dec 3, 2024
1 parent 13c2351 commit 8fa64f9
Showing 2 changed files with 37 additions and 6 deletions.
4 changes: 3 additions & 1 deletion cmd/cloud-init-server/main.go
Expand Up @@ -27,6 +27,7 @@ var (
jwksUrl = "" // jwt keyserver URL for secure-route token validation
insecure = false
accessToken = ""
certPath = ""
store ciStore
)

Expand All @@ -36,6 +37,7 @@ func main() {
flag.StringVar(&smdEndpoint, "smd-url", smdEndpoint, "http IP/url and port for running SMD")
flag.StringVar(&jwksUrl, "jwks-url", jwksUrl, "JWT keyserver URL, required to enable secure route")
flag.StringVar(&accessToken, "access-token", accessToken, "encoded JWT access token")
flag.StringVar(&certPath, "cacert", certPath, "Path to CA cert. (defaults to system CAs)")
flag.BoolVar(&insecure, "insecure", insecure, "Set to bypass TLS verification for requests")
flag.Parse()

Expand Down Expand Up @@ -80,7 +82,7 @@ func main() {
fakeSm.Summary()
sm = fakeSm
} else {
sm = smdclient.NewSMDClient(smdEndpoint, tokenEndpoint, accessToken, insecure)
sm = smdclient.NewSMDClient(smdEndpoint, tokenEndpoint, accessToken, certPath, insecure)
}

// Unsecured datastore and router
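Review bot: The new call `sm = smdclient.NewSMDClient(smdEndpoint, tokenEndpoint, accessToken, certPath, insecure)` never checks for a nil result, yet the NewSMDClient added in this same commit returns nil when the CA file cannot be read; with the flag's default of `""` and `--insecure` unset, `os.ReadFile("")` fails and `sm` is presumably used as a nil client further down. Either make NewSMDClient return `(*SMDClient, error)` and fail fast here on error, or at minimum guard the assignment with `if sm == nil { ... exit ... }`. The help text `"Path to CA cert. (defaults to system CAs)"` also promises a fallback the client code only provides if an empty path skips the custom cert pool, so the flag description and the client need to be reconciled. The enclosing `main()` starts before this hunk.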
39 changes: 34 additions & 5 deletions internal/smdclient/SMDclient.go
Expand Up @@ -2,17 +2,19 @@ package smdclient

import (
"crypto/tls"
"crypto/x509"
"encoding/json"
"errors"
"io"
"log"
"net"
"net/http"
"os"
"strings"
"time"

base "github.com/Cray-HPE/hms-base"
"github.com/OpenCHAMI/smd/v2/pkg/sm"
"github.com/rs/zerolog/log"
)

// Create an SMDClient Interface which can be more easily tested and mocked
Expand Down Expand Up @@ -42,14 +44,41 @@ type SMDClient struct {

// NewSMDClient creates a new SMDClient which connects to the SMD server at baseurl
// and uses the provided JWT server for authentication
func NewSMDClient(baseurl string, jwtURL string, accessToken string, insecure bool) *SMDClient {
func NewSMDClient(baseurl string, jwtURL string, accessToken string, certPath string, insecure bool) *SMDClient {
c := &http.Client{Timeout: 2 * time.Second}
if insecure {
c.Transport = &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
}
} else {
cacert, err := os.ReadFile(certPath)
if err != nil {
log.Error().Err(err).Msgf("failed to read cert from path %s", certPath)
return nil
}
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(cacert)

// add cert pool to client if valid
if certPool != nil {
// make sure that we can access the internal client
c.Transport = &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: certPool,
InsecureSkipVerify: true,
},
DisableKeepAlives: true,
Dial: (&net.Dialer{
Timeout: 120 * time.Second,
KeepAlive: 120 * time.Second,
}).Dial,
TLSHandshakeTimeout: 120 * time.Second,
ResponseHeaderTimeout: 120 * time.Second,
}
}

}
return &SMDClient{
smdClient: c,
Expand Down Expand Up @@ -78,13 +107,13 @@ func (s *SMDClient) getSMD(ep string, smd interface{}) error {
if resp.StatusCode == http.StatusUnauthorized {
// Request failed; handle appropriately (based on whether or not
// this was a fresh JWT)
log.Println("Cached JWT was rejected by SMD")
log.Info().Msg("Cached JWT was rejected by SMD")
if !freshToken {
log.Println("Fetching new JWT and retrying...")
log.Info().Msg("Fetching new JWT and retrying...")
s.RefreshToken()
freshToken = true
} else {
log.Fatalln("SMD authentication failed, even with a fresh" +
log.Info().Msg("SMD authentication failed, even with a fresh" +
" JWT. Something has gone terribly wrong; exiting to" +
" avoid invalid request spam.")
os.Exit(2)
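Review bot: `InsecureSkipVerify: true` is set in the `tls.Config` of the non-insecure branch of NewSMDClient, so the freshly built `RootCAs` pool is never consulted and `--cacert` yields the same unverified connection as `--insecure`; that field has to go from this config. The `certPool != nil` guard is always true because `x509.NewCertPool()` never returns nil, while the bool returned by `AppendCertsFromPEM` is discarded, so a file containing no parsable certificate is silently accepted — check that return value instead. Since `certPath` defaults to `""` and the flag text promises system CAs, the branch should only build a custom pool when a path was given, otherwise a plain client with the platform roots is the right default. The 120 s dialer, handshake and response-header timeouts are bounded by the client's 2 s `Timeout` set a few lines above, so they likely never take effect as written; the `getSMD` hunk below also downgrades a fatal authentication failure to `log.Info()` right before `os.Exit(2)`, which reads as an error and should probably be logged at error level.
```go
	} else if certPath != "" {
		cacert, err := os.ReadFile(certPath)
		if err != nil {
			log.Error().Err(err).Msgf("failed to read cert from path %s", certPath)
			return nil
		}
		certPool := x509.NewCertPool()
		if !certPool.AppendCertsFromPEM(cacert) {
			log.Error().Msgf("no PEM certificates found in %s", certPath)
			return nil
		}
		c.Transport = &http.Transport{
			// Verify the server chain against the supplied CA; no InsecureSkipVerify here.
			TLSClientConfig:   &tls.Config{RootCAs: certPool},
			DisableKeepAlives: true,
			// … unchanged: Dial, TLSHandshakeTimeout, ResponseHeaderTimeout …
		}
	}
```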
