Merge pull request #32 from exoscale/mtls

Add support for client side TLS

Author: danielgtaylor

cli/apiconfig.go

@@ -19,6 +19,14 @@ type APIAuth struct {
 	Params map[string]string `json:"params"`
 }
 
+// TLSConfig contains the TLS setup for the HTTP client
+type TLSConfig struct {
+	InsecureSkipVerify bool   `json:"insecure" mapstructure:"insecure"`
+	Cert               string `json:"cert"`
+	Key                string `json:"key"`
+	CACert             string `json:"ca_cert" mapstructure:"ca_cert"`
+}
+
 // APIProfile contains account-specific API information
 type APIProfile struct {
 	Headers map[string]string `json:"headers,omitempty"`
@@ -33,6 +41,7 @@ type APIConfig struct {
 	Base      string                 `json:"base"`
 	SpecFiles []string               `json:"spec_files,omitempty" mapstructure:"spec_files,omitempty"`
 	Profiles  map[string]*APIProfile `json:"profiles,omitempty" mapstructure:",omitempty"`
+	TLS       *TLSConfig             `json:"tls,omitempty" mapstructure:",omitempty"`
 }
 
 // Save the API configuration to disk.

cli/cli.go

@@ -19,12 +19,18 @@ import (
 	"github.com/mattn/go-colorable"
 	"github.com/mattn/go-isatty"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
 )
 
 // Root command (entrypoint) of the CLI.
 var Root *cobra.Command
 
+// GlobalFlags contains all the fixed up front flags
+// This allows us to parse them before we hand over control
+// to cobra
+var GlobalFlags *pflag.FlagSet
+
 // Cache is used to store temporary data between runs.
 var Cache *viper.Viper
 
@@ -135,16 +141,6 @@ func Init(name string, version string) {
 		PersistentPreRun: func(cmd *cobra.Command, args []string) {
 			settings := viper.AllSettings()
 			LogDebug("Configuration: %v", settings)
-
-			if viper.GetBool("rsh-insecure") {
-				if t, ok := http.DefaultTransport.(*http.Transport); ok {
-					LogWarning("Disabling TLS security checks")
-					if t.TLSClientConfig == nil {
-						t.TLSClientConfig = &tls.Config{}
-					}
-					t.TLSClientConfig.InsecureSkipVerify = true
-				}
-			}
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			generic(http.MethodGet, args[0], args[1:])
@@ -317,6 +313,14 @@ Not after (expires): %s (%s)
 	}
 	Root.AddCommand(linkCmd)
 
+	GlobalFlags = pflag.NewFlagSet("eager-flags", pflag.ContinueOnError)
+	GlobalFlags.ParseErrorsWhitelist.UnknownFlags = true
+	// GlobalFlags are 'hidden', don't print anything on error
+	GlobalFlags.Usage = func() {}
+	// Ensure parsing doesn't stop if the help flag is set
+	// (help seems to be special cased from ParseErrorsWhitelist.UnknownFlags)
+	GlobalFlags.BoolP("help", "h", false, "")
+
 	AddGlobalFlag("rsh-verbose", "v", "Enable verbose log output", false, false)
 	AddGlobalFlag("rsh-output-format", "o", "Output format [auto, json, yaml]", "auto", false)
 	AddGlobalFlag("rsh-filter", "f", "Filter / project results using JMESPath Plus", "", false)
@@ -328,6 +332,9 @@ Not after (expires): %s (%s)
 	AddGlobalFlag("rsh-profile", "p", "API auth profile", "default", false)
 	AddGlobalFlag("rsh-no-cache", "", "Disable HTTP cache", false, false)
 	AddGlobalFlag("rsh-insecure", "", "Disable SSL verification", false, false)
+	AddGlobalFlag("rsh-client-cert", "", "Path to a PEM encoded client certificate", "", false)
+	AddGlobalFlag("rsh-client-key", "", "Path to a PEM encoded private key", "", false)
+	AddGlobalFlag("rsh-ca-cert", "", "Path to a PEM encoded CA cert", "", false)
 
 	initAPIConfig()
 }
@@ -427,15 +434,34 @@ func Run() {
 		if !strings.HasPrefix(arg, "-") {
 			args = append(args, arg)
 		}
+	}
 
-		// Try to detect if verbose mode is enabled via a flag.
-		if arg == "-v" || arg == "--rsh-verbose" {
-			enableVerbose = true
+	// Because we may be doing HTTP calls before cobra has parsed the flags
+	// we parse the GlobalFlags here and already set some config values
+	// to ensure they are available
+	if err := GlobalFlags.Parse(os.Args[1:]); err != nil {
+		if err != pflag.ErrHelp {
+			panic(err)
 		}
 	}
+	if verbose, _ := GlobalFlags.GetBool("rsh-verbose"); verbose {
+		viper.Set("rsh-verbose", true)
+	}
+	if insecure, _ := GlobalFlags.GetBool("rsh-insecure"); insecure {
+		viper.Set("rsh-insecure", true)
+	}
+	if cert, _ := GlobalFlags.GetString("rsh-client-cert"); cert != "" {
+		viper.Set("rsh-client-cert", cert)
+	}
+	if key, _ := GlobalFlags.GetString("rsh-client-key"); key != "" {
+		viper.Set("rsh-client-key", key)
+	}
+	if caCert, _ := GlobalFlags.GetString("rsh-ca-cert"); caCert != "" {
+		viper.Set("rsh-ca-cert", caCert)
+	}
 
-	// Now that flags are parsed we can enable verbose mode if requested.
-	if enableVerbose || viper.GetBool("rsh-verbose") {
+	// Now that global flags are parsed we can enable verbose mode if requested.
+	if viper.GetBool("rsh-verbose") {
 		enableVerbose = true
 	}
 

cli/flag.go

@@ -16,20 +16,25 @@ func AddGlobalFlag(name, short, description string, defaultValue interface{}, mu
 	case bool:
 		if multi {
 			flags.BoolSliceP(name, short, viper.Get(name).([]bool), description)
+			GlobalFlags.BoolSliceP(name, short, viper.Get(name).([]bool), description)
 		} else {
 			flags.BoolP(name, short, viper.GetBool(name), description)
+			GlobalFlags.BoolP(name, short, viper.GetBool(name), description)
 		}
 	case int, int16, int32, int64, uint16, uint32, uint64:
 		if multi {
 			flags.IntSliceP(name, short, viper.Get(name).([]int), description)
+			GlobalFlags.IntSliceP(name, short, viper.Get(name).([]int), description)
 		} else {
 			flags.IntP(name, short, viper.GetInt(name), description)
+			GlobalFlags.IntP(name, short, viper.GetInt(name), description)
 		}
 	case float32, float64:
 		if multi {
 			panic(fmt.Errorf("unsupported float slice param"))
 		} else {
 			flags.Float64P(name, short, viper.GetFloat64(name), description)
+			GlobalFlags.Float64P(name, short, viper.GetFloat64(name), description)
 		}
 	default:
 		if multi {
@@ -40,8 +45,10 @@ func AddGlobalFlag(name, short, description string, defaultValue interface{}, mu
 				viper.Set(name, v)
 			}
 			flags.StringSliceP(name, short, v.([]string), description)
+			GlobalFlags.StringSliceP(name, short, v.([]string), description)
 		} else {
 			flags.StringP(name, short, fmt.Sprintf("%v", viper.Get(name)), description)
+			GlobalFlags.StringP(name, short, fmt.Sprintf("%v", viper.Get(name)), description)
 		}
 	}
 

cli/interactive.go

@@ -8,6 +8,7 @@ import (
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/AlecAivazis/survey/v2/terminal"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 )
 
 var surveyOpts = []survey.AskOpt{}
@@ -291,11 +292,83 @@ func askAddProfile(a asker, config *APIConfig) {
 	askEditProfile(a, name, config.Profiles[name])
 }
 
+func askTLSConfig(a asker, config *APIConfig) {
+	if config.TLS == nil {
+		config.TLS = &TLSConfig{}
+	}
+
+	for {
+		options := make([]string, 0, 7)
+
+		if config.TLS.InsecureSkipVerify {
+			options = append(options, "Delete insecure")
+		} else {
+			options = append(options, "Set insecure")
+		}
+
+		if config.TLS.Cert == "" {
+			options = append(options, "Set certificate")
+		} else {
+			options = append(options, "Edit certificate", "Delete certificate")
+		}
+
+		if config.TLS.Key == "" {
+			options = append(options, "Set key")
+		} else {
+			options = append(options, "Edit key", "Delete key")
+		}
+
+		if config.TLS.CACert == "" {
+			options = append(options, "Set CA certificate")
+		} else {
+			options = append(options, "Edit CA certificate", "Delete CA certificate")
+		}
+
+		options = append(options, "Finished with TLS configuration")
+
+		switch choice := a.askSelect("Select TLS configuration options", options, nil, ""); choice {
+		case "Delete insecure":
+			config.TLS.InsecureSkipVerify = false
+		case "Set insecure":
+			config.TLS.InsecureSkipVerify = true
+		case "Set certificate":
+			config.TLS.Cert = a.askInput("Certificate path", "", false, "")
+		case "Edit certificate":
+			config.TLS.Cert = a.askInput("Certificate path", config.TLS.Cert, false, "")
+		case "Delete certificate":
+			config.TLS.Cert = ""
+		case "Set key":
+			config.TLS.Key = a.askInput("Key path", "", false, "")
+		case "Edit key":
+			config.TLS.Key = a.askInput("Key path", config.TLS.Key, false, "")
+		case "Delete key":
+			config.TLS.Key = ""
+		case "Set CA certificate":
+			config.TLS.CACert = a.askInput("CA Certificate path", "", false, "")
+		case "Edit CA certificate":
+			config.TLS.CACert = a.askInput("CA Certificate path", config.TLS.CACert, false, "")
+		case "Delete CA certificate":
+			config.TLS.CACert = ""
+		case "Finished with TLS configuration":
+			return
+		}
+	}
+}
+
 func askInitAPI(a asker, cmd *cobra.Command, args []string) {
 	var config *APIConfig = configs[args[0]]
 
 	if config == nil {
-		config = &APIConfig{name: args[0], Profiles: map[string]*APIProfile{}}
+		config = &APIConfig{
+			name:     args[0],
+			Profiles: map[string]*APIProfile{},
+			TLS: &TLSConfig{
+				InsecureSkipVerify: viper.GetBool("rsh-insecure"),
+				Cert:               viper.GetString("rsh-client-cert"),
+				Key:                viper.GetString("rsh-client-key"),
+				CACert:             viper.GetString("rsh-ca-cert"),
+			},
+		}
 		configs[args[0]] = config
 
 		// Do an initial setup with a default profile first.
@@ -324,6 +397,10 @@ func askInitAPI(a asker, cmd *cobra.Command, args []string) {
 			options = append(options, "Edit profile "+k)
 		}
 
+		if (config.TLS != nil) && (*config.TLS != TLSConfig{}) {
+			options = append(options, "Edit TLS configuration")
+		}
+
 		options = append(options, "Save and exit")
 
 		choice := a.askSelect("Select option", options, nil, "")
@@ -336,6 +413,8 @@ func askInitAPI(a asker, cmd *cobra.Command, args []string) {
 		case strings.HasPrefix(choice, "Edit profile"):
 			profile := strings.SplitN(choice, " ", 3)[2]
 			askEditProfile(a, profile, config.Profiles[profile])
+		case choice == "Edit TLS configuration":
+			askTLSConfig(a, config)
 		case choice == "Save and exit":
 			config.Save()
 			return

cli/request.go

@@ -1,6 +1,8 @@
 package cli
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -161,6 +163,58 @@ func MakeRequest(req *http.Request, options ...requestOption) (*http.Response, e
 		}
 	}
 
+	// The assumption is that all Transport implementations eventually use the
+	// default HTTP transport.
+	// We can therefore inject the TLS config once here, along with all the other
+	// config options, instead of modifying all the places where Transports are
+	// created
+	LogDebug("Adding TLS configuration")
+	if t, ok := http.DefaultTransport.(*http.Transport); ok {
+		if t.TLSClientConfig == nil {
+			t.TLSClientConfig = &tls.Config{}
+		}
+		if config.TLS == nil {
+			config.TLS = &TLSConfig{}
+		}
+
+		// CLI flags overwrite profile options
+		if viper.GetBool("rsh-insecure") {
+			config.TLS.InsecureSkipVerify = true
+		}
+		if cert := viper.GetString("rsh-client-cert"); cert != "" {
+			config.TLS.Cert = cert
+		}
+		if key := viper.GetString("rsh-client-key"); key != "" {
+			config.TLS.Key = key
+		}
+		if caCert := viper.GetString("rsh-ca-cert"); caCert != "" {
+			config.TLS.CACert = caCert
+		}
+
+		if config.TLS.InsecureSkipVerify {
+			LogWarning("Disabling TLS security checks")
+			t.TLSClientConfig.InsecureSkipVerify = config.TLS.InsecureSkipVerify
+		}
+		if config.TLS.Cert != "" {
+			cert, err := tls.LoadX509KeyPair(config.TLS.Cert, config.TLS.Key)
+			if err != nil {
+				return nil, err
+			}
+			t.TLSClientConfig.Certificates = append(t.TLSClientConfig.Certificates, cert)
+		}
+		if config.TLS.CACert != "" {
+			caCert, err := ioutil.ReadFile(config.TLS.CACert)
+			if err != nil {
+				return nil, err
+			}
+			systemCerts := BestEffortSystemCertPool()
+			if !systemCerts.AppendCertsFromPEM(caCert) {
+				return nil, fmt.Errorf("Failed to append CACert %s RootCA list", config.TLS.CACert)
+			}
+			t.TLSClientConfig.RootCAs = systemCerts
+		}
+	}
+
 	if log {
 		LogDebugRequest(req)
 	}
@@ -348,3 +402,12 @@ func MakeRequestAndFormat(req *http.Request) {
 		panic(err)
 	}
 }
+
+// BestEffortSystemCertPool returns system cert pool as best effort, otherwise an empty cert pool
+func BestEffortSystemCertPool() *x509.CertPool {
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		return x509.NewCertPool()
+	}
+	return rootCAs
+}

docs/configuration.md

@@ -15,19 +15,21 @@ Global configuration affects all commands and can be set in one of three ways, g
 
 The global options in addition to `--help` and `--version` are:
 
-| Argument                    | Env Var             | Example           | Description                                                                      |
-| --------------------------- | ------------------- | ----------------- | -------------------------------------------------------------------------------- |
-| `-f`, `--rsh-filter`        | `RSH_FILTER`        | `body.users[].id` | [JMESPath Plus](https://github.com/danielgtaylor/go-jmespath-plus#readme) filter |
-| `-H`, `--rsh-header`        | `RSH_HEADER`        | `Version:2020-05` | Set a header name/value                                                          |
-| `--rsh-insecure`            | `RSH_INSECURE`      |                   | Disable TLS certificate checks                                                   |
-| `--rsh-no-cache`            | `RSH_NO_CACHE`      |                   | Disable HTTP caching                                                             |
-| `--rsh-no-paginate`         | `RSH_NO_PAGINATE`   |                   | Disable automatic `next` link pagination                                         |
-| `-o`, `--rsh-output-format` | `RSH_OUTPUT_FORMAT` | `json`            | [Output format](/output.md), defaults to `auto`                                  |
-| `-p`, `--rsh-profile`       | `RSH_PROFILE`       | `testing`         | Auth profile name, defaults to `default`                                         |
-| `-q`, `--rsh-query`         | `RSH_QUERY`         | `search=foo`      | Set a query parameter                                                            |
-| `-r`, `--rsh-raw`           | `RSH_RAW`           |                   | Raw output for shell processing                                                  |
-| `-s`, `--rsh-server`        | `RSH_SERVER`        | `https://foo.com` | Override API server base URL                                                     |
-| `-v`, `--rsh-verbose`       | `RSH_VERBOSE`       |                   | Enable verbose output                                                            |
+| Argument                    | Env Var             | Example             | Description                                                                      |
+| --------------------------- | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
+| `-f`, `--rsh-filter`        | `RSH_FILTER`        | `body.users[].id`   | [JMESPath Plus](https://github.com/danielgtaylor/go-jmespath-plus#readme) filter |
+| `-H`, `--rsh-header`        | `RSH_HEADER`        | `Version:2020-05`   | Set a header name/value                                                          |
+| `--rsh-insecure`            | `RSH_INSECURE`      |                     | Disable TLS certificate checks                                                   |
+| `--rsh-client-cert`         | `RSH_CLIENT_CERT`   | `/etc/ssl/cert.pem` | Path to a PEM encoded client certificate                                         |
+| `--rsh-client-key`          | `RSH_CLIENT_KEY`    | `/etc/ssl/key.pem`  | Path to a PEM encoded private key                                                |
+| `--rsh-ca-cert`             | `RSH_CA_CERT`       | `/etc/ssl/ca.pem`   | Path to a PEM encoded CA certificate                                             |
+| `--rsh-no-paginate`         | `RSH_NO_PAGINATE`   |                     | Disable automatic `next` link pagination                                         |
+| `-o`, `--rsh-output-format` | `RSH_OUTPUT_FORMAT` | `json`              | [Output format](/output.md), defaults to `auto`                                  |
+| `-p`, `--rsh-profile`       | `RSH_PROFILE`       | `testing`           | Auth profile name, defaults to `default`                                         |
+| `-q`, `--rsh-query`         | `RSH_QUERY`         | `search=foo`        | Set a query parameter                                                            |
+| `-r`, `--rsh-raw`           | `RSH_RAW`           |                     | Raw output for shell processing                                                  |
+| `-s`, `--rsh-server`        | `RSH_SERVER`        | `https://foo.com`   | Override API server base URL                                                     |
+| `-v`, `--rsh-verbose`       | `RSH_VERBOSE`       |                     | Enable verbose output                                                            |
 
 Configuration file keys are the same as long-form arguments without the `--` prefix.