fix: codeql for disabled TLS cert check (#109)

togashidm · web-flow · commit 2189b6c39102 · 2025-08-26T10:03:11.000+01:00
diff --git a/cmd/connect-gateway/main.go b/cmd/connect-gateway/main.go
@@ -28,7 +28,7 @@ var (
 func main() {
 	var gatewayAddress, logLevel, opaAddress, oidcIssuerURL, externalHost, tunnelAuthMode string
 	var gatewayPort, opaPort int
-	var enableAuth, enableMetrics, oidcInsecureSkipVerify bool
+	var enableAuth, enableMetrics, oidcInsecureSkipVerify, tlsInsecureSkipVerify bool
 	var connectionProbeInterval time.Duration
 	flag.StringVar(&gatewayAddress, "address", "0.0.0.0", "Address to listen on for edge connection gateway")
 	flag.IntVar(&gatewayPort, "port", 8080, "Port to listen on for edge connection gateway")
@@ -37,6 +37,7 @@ func main() {
 	flag.StringVar(&logLevel, "log-level", "info", "Log levels: info, debug, trace, warn")
 	flag.StringVar(&oidcIssuerURL, "oidc-issuer-url", "", "OIDC Issuer URL")
 	flag.BoolVar(&oidcInsecureSkipVerify, "oidc-insecure-skip-verify", false, "OIDC Insecure Skip Verify")
+	flag.BoolVar(&tlsInsecureSkipVerify, "tls-insecure-skip-verify", false, "Skip TLS certificate verification for client connections")
 	flag.StringVar(&externalHost, "external-host", "", "External host for the gateway")
 
 	flag.StringVar(&opaAddress, "opa-address", "http://localhost", "Address to opa")
@@ -77,6 +78,7 @@ func main() {
 		server.WithExternalHost(externalHost),
 		server.WithOIDCIssuerURL(oidcIssuerURL),
 		server.WithOIDCInsecureSkipVerify(oidcInsecureSkipVerify),
+		server.WithTLSInsecureSkipVerify(tlsInsecureSkipVerify),
 		server.WithCleanupTicker(clientCleanupTicker),
 		server.WithConnectionProbeTicker(connectionProbeTicker),
 	)
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -39,6 +39,7 @@ type Server struct {
 	externalHost           string
 	oidcIssuerURL          string
 	oidcInsecureSkipVerify bool
+	tlsInsecureSkipVerify  bool
 	opaAddress             string
 	opaPort                int
 	cleanupTicker          *time.Ticker
@@ -124,6 +125,12 @@ func WithOIDCInsecureSkipVerify(insecureSkipVerify bool) ServerOptions {
 	}
 }
 
+func WithTLSInsecureSkipVerify(insecureSkipVerify bool) ServerOptions {
+	return func(s *Server) {
+		s.tlsInsecureSkipVerify = insecureSkipVerify
+	}
+}
+
 // Build creates a new Server with the configured options
 func NewServer(options ...ServerOptions) (s *Server, err error) {
 	server := &Server{
@@ -203,19 +210,22 @@ func (s *Server) GetClient(tunnelID string, timeout string) (*http.Client, error
 		return nil, err
 	}
 
-	// If the CA pool is not nil or the client cert is not empty, set the TLS config
+	// Set up TLS configuration based on available certs and security settings
 	if caPool != nil || len(cca.Certificate) != 0 {
 		tlsConfig := &tls.Config{
 			RootCAs:            caPool,
 			Certificates:       []tls.Certificate{cca},
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: s.tlsInsecureSkipVerify,
+		}
+		transport.TLSClientConfig = tlsConfig
+	} else {
+		// set up basic TLS config
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: s.tlsInsecureSkipVerify,
 		}
 		transport.TLSClientConfig = tlsConfig
 	}
 
-	// TODO: Read insecure skip verify from the config
-	// And add it to the TLS config regardless of the existence of the CA pool
-
 	client := &http.Client{
 		Transport: transport,
 	}
