From b69389d7873269b237c3c95a3380b2394bdb7a86 Mon Sep 17 00:00:00 2001
From: Sergei Trofimov
Date: Thu, 30 May 2024 09:22:18 +0100
Subject: [PATCH 1/2] feat: add TLS support

- Automatically use TLS API client if URL scheme specified to --api-server is HTTPS.
- Add -i/--insecure flag to suppress cert validation for TLS.
- Add -E/--ca-cert flag to allow specifying additional CA cert(s) to be used in TLS cert validation (by default, the system CA certs are used).

Signed-off-by: Sergei Trofimov
---
 cocli/README.md | 9 +++++++
 cocli/cmd/corimSubmit.go | 45 ++++++++++++++++++++---------------
 cocli/cmd/corimSubmit_test.go | 7 ++++++
 cocli/cmd/isubmitter.go | 5 ++++
 go.mod | 4 ++--
 go.sum | 2 ++
 6 files changed, 51 insertions(+), 21 deletions(-)

diff --git a/cocli/README.md b/cocli/README.md
index 0ec8c012..7d0e3969 100644
--- a/cocli/README.md
+++ b/cocli/README.md
@@ -560,6 +560,15 @@ path (usually `~/.config/cocli/config.yaml` on XDG-compliant systems).
 Please see `./data/config/example-config.yaml` file for details of the configuration that needs to be provided.
 
+#### Note on TLS
+
+If the scheme in the API server URL is HTTPS, `cocli` will attempt to establish
+a TLS connection to the server, validating the server certificate using system CA
+certs. It is possible to disable server certificate validation with
+`-i`/`--insecure` flag. Alternatively, if the CA cert for the server is
+available but is not installed in the system, it may be specified using
+`-E`/`--ca-cert` flag.
+
 ## Visual Synopsis of the Available Commands
 
 ```mermaid
diff --git a/cocli/cmd/corimSubmit.go b/cocli/cmd/corimSubmit.go
index f231d18e..80c1bd3a 100644
--- a/cocli/cmd/corimSubmit.go
+++ b/cocli/cmd/corimSubmit.go
@@ -1,4 +1,4 @@
-// Copyright 2021 Contributors to the Veraison project.
+// Copyright 2021-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package cmd
@@ -7,17 +7,21 @@ import (
 "errors"
 "fmt"
 "net/url"
+ "strings"
 
 "github.com/spf13/afero"
 "github.com/spf13/cobra"
+ "github.com/spf13/pflag"
 "github.com/spf13/viper"
 "github.com/veraison/apiclient/provisioning"
 )
 
 var (
- corimFile *string
- mediaType *string
- apiServer string
+ corimFile *string
+ mediaType *string
+ apiServer string
+ isInsecure bool
+ certPaths []string
 )
 
 var (
@@ -72,21 +76,18 @@ func NewCorimSubmitCmd(submitter ISubmitter) *cobra.Command {
 cmd.Flags().StringP("token-url", "T", "", "token URL of the OAuth2 service")
 cmd.Flags().StringP("username", "U", "", "service username")
 cmd.Flags().StringP("password", "P", "", "service password")
-
- err := viper.BindPFlag("api_server", cmd.Flags().Lookup("api-server"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("auth", cmd.Flags().Lookup("auth"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("client_id", cmd.Flags().Lookup("client-id"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("client_secret", cmd.Flags().Lookup("client-secret"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("username", cmd.Flags().Lookup("username"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("password", cmd.Flags().Lookup("password"))
- cobra.CheckErr(err)
- err = viper.BindPFlag("token_url", cmd.Flags().Lookup("token-url"))
- cobra.CheckErr(err)
+ cmd.Flags().BoolP(
+ "insecure", "i", false, "Allow insecure connections (e.g. do not verify TLS certs)",
+ )
+ cmd.Flags().StringArrayP(
+ "ca-cert", "E", nil, "path to a CA cert that will be used in addition to system certs; may be specified multiple times",
+ )
+
+ cmd.Flags().VisitAll(func(flag *pflag.Flag) {
+ cfgName := strings.ReplaceAll(flag.Name, "-", "_")
+ err := viper.BindPFlag(cfgName, flag)
+ cobra.CheckErr(err)
+ })
 
 return cmd
 }
@@ -109,6 +110,9 @@ func checkSubmitArgs() error {
 return errors.New("no media type supplied")
 }
 
+ isInsecure = viper.GetBool("insecure")
+ certPaths = viper.GetStringSlice("ca_cert")
+
 return nil
 }
 
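Review bot: The `VisitAll` loop binds every flag to a config key, so `insecure: true` in the config file (the README names `~/.config/cocli/config.yaml`) now disables server certificate verification for every submit with nothing on the command line revealing it, and `checkSubmitArgs` reads the value back through `viper.GetBool("insecure")`, so the file value is honoured. If that is not intended, skip the flag in the loop (`if flag.Name == "insecure" { return }`) and read it from the flag set rather than from viper; if it is intended, the help text should at least say what is given up, e.g. `"skip TLS server certificate verification; the session, including the --username/--password/--client-secret credentials, is exposed to an on-path attacker — test servers only"`. The enclosing NewCorimSubmitCmd starts before this hunk.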
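Review bot: `isInsecure = viper.GetBool("insecure")` is recorded silently, so a run with certificate verification disabled produces exactly the same output as a verified one; print a warning to stderr whenever it is set so the state is visible in terminal and CI logs. The `ca_cert` paths are likewise accepted unchecked here, so a mistyped path only fails (if it fails at all) once the apiclient tries to load it — stat each path and return a clear error instead. `os` is not in the import block shown earlier in this patch and would need adding; the start of checkSubmitArgs is outside the hunk.
```go
	isInsecure = viper.GetBool("insecure")
	certPaths = viper.GetStringSlice("ca_cert")

	if isInsecure {
		fmt.Fprintln(os.Stderr, "WARNING: --insecure set; TLS server certificate verification is disabled")
	}

	for _, p := range certPaths {
		if _, err := os.Stat(p); err != nil {
			return fmt.Errorf("CA cert %q: %w", p, err)
		}
	}

	return nil
```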
@@ -119,6 +123,9 @@ func provisionData(data []byte, submitter ISubmitter, uri string, mediaType stri
 return fmt.Errorf("unable to set submit URI: %w", err)
 }
 
+ submitter.SetIsInsecure(isInsecure)
+ submitter.SetCerts(certPaths)
+
 submitter.SetDeleteSession(true)
 if err := submitter.Run(data, mediaType); err != nil {
 return fmt.Errorf("run failed: %w", err)
diff --git a/cocli/cmd/corimSubmit_test.go b/cocli/cmd/corimSubmit_test.go
index 5fa29d20..b5ee04a1 100644
--- a/cocli/cmd/corimSubmit_test.go
+++ b/cocli/cmd/corimSubmit_test.go
@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
@@ -133,6 +136,8 @@ func Test_CorimSubmitCmd_submit_ok(t *testing.T) {
 require.NoError(t, err)
 ms.EXPECT().SetAuth(gomock.Any())
 ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+ ms.EXPECT().SetIsInsecure(false)
+ ms.EXPECT().SetCerts([]string{})
 ms.EXPECT().SetDeleteSession(true)
 ms.EXPECT().Run(testSignedCorimValid, "application/corim-unsigned+cbor; profile=http://arm.com/psa/iot/1").Return(nil)
 err = cmd.Execute()
@@ -158,6 +163,8 @@ func Test_CorimSubmitCmd_submit_not_ok(t *testing.T) {
 require.NoError(t, err)
 ms.EXPECT().SetAuth(gomock.Any())
 ms.EXPECT().SetSubmitURI("http://veraison.example/endorsement-provisioning/v1/submit").Return(nil)
+ ms.EXPECT().SetIsInsecure(false)
+ ms.EXPECT().SetCerts([]string{})
 ms.EXPECT().SetDeleteSession(true)
 
 err = errors.New(`unexpected HTTP response code 404`)
diff --git a/cocli/cmd/isubmitter.go b/cocli/cmd/isubmitter.go
index 823e0ac8..cc9734ed 100644
--- a/cocli/cmd/isubmitter.go
+++ b/cocli/cmd/isubmitter.go
@@ -1,3 +1,6 @@
+// Copyright 2021-2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
 package cmd
 
 import (
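Review bot: `SetIsInsecure` and `SetCerts` are applied regardless of the URI scheme, while the commit message says TLS is only used for HTTPS, so `--ca-cert` given together with an `http://` server is silently ignored and the user may believe the connection is verified when it is not even encrypted. A scheme check before these two calls would surface that, e.g. `if u, err := url.Parse(uri); err == nil && u.Scheme != "https" && (isInsecure || len(certPaths) > 0) { fmt.Fprintf(os.Stderr, "WARNING: --insecure/--ca-cert have no effect on %s URLs\n", u.Scheme) }` (`net/url` is already imported, `os` is not). Reading the settings from the package-level `isInsecure`/`certPaths` rather than from parameters also means this call only behaves correctly if `checkSubmitArgs` ran first; passing them in would make that dependency explicit. provisionData's signature and the rest of its body are outside the hunk.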
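Review bot: Both tests only pin the defaults — `SetIsInsecure(false)` and `SetCerts([]string{})` — so nothing verifies that `--insecure` and `--ca-cert` actually reach the submitter, which is the security-relevant path of this patch. Add a case that appends `"--insecure", "--ca-cert", "/tmp/ca.pem"` to the argument list the existing tests build and expects `SetIsInsecure(true)` and `SetCerts([]string{"/tmp/ca.pem"})`; a variant with two `--ca-cert` flags would also pin the StringArray semantics that `viper.GetStringSlice("ca_cert")` relies on. Both test functions begin outside their hunks.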
@@ -11,4 +14,6 @@ type ISubmitter interface {
 SetAuth(a auth.IAuthenticator)
 SetSubmitURI(uri string) error
 SetDeleteSession(session bool)
+ SetIsInsecure(v bool)
+ SetCerts(paths []string)
 }
diff --git a/go.mod b/go.mod
index 96a5aa49..8b008732 100644
--- a/go.mod
+++ b/go.mod
@@ -10,9 +10,10 @@ require (
 github.com/spf13/afero v1.9.2
 github.com/spf13/cast v1.4.1
 github.com/spf13/cobra v1.2.1
+ github.com/spf13/pflag v1.0.5
 github.com/spf13/viper v1.9.0
 github.com/stretchr/testify v1.8.2
- github.com/veraison/apiclient v0.2.0
+ github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff
 github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7
 github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
@@ -37,7 +38,6 @@ require (
 github.com/pelletier/go-toml v1.9.4 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
 github.com/spf13/jwalterweatherman v1.1.0 // indirect
- github.com/spf13/pflag v1.0.5 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/crypto v0.12.0 // indirect
diff --git a/go.sum b/go.sum
index e1ae4e55..dec21edf 100644
--- a/go.sum
+++ b/go.sum
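Review bot: The two new interface methods carry no doc comments, and their names do not say what the arguments are: `SetCerts` takes file paths rather than certificates, and nothing states what happens to them when `SetIsInsecure(true)` is also set. Suggested comments, based on the flag help text in this patch: `// SetIsInsecure disables TLS server certificate verification when v is true.` and `// SetCerts adds the CA certificate files at the given paths to the system roots used for TLS server verification.`, plus a sentence on the interaction with SetIsInsecure once confirmed against the apiclient implementation. The ISubmitter declaration starts before the hunk.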
@@ -323,6 +323,8 @@ github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/veraison/apiclient v0.2.0 h1:QELvZ+eEfzh9v0ORe9B2UTMpiA7aONHpZIfwSfcRR6s=
 github.com/veraison/apiclient v0.2.0/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94 h1:0d7vTs3K9Y4bskTtI3pvkFE0HiSHc4vWA3M6Fc0lWRM=
+github.com/veraison/apiclient v0.2.1-0.20240531100343-8a3a730a1e94/go.mod h1:LCXFZ3D/tJ3HLAOHUg8bnAKGvgTl53e1ntwdwjVbQ5A=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff h1:r6I2eJL/z8dp5flsQIKHMeDjyV6UO8If3MaVBLvTjF4=
 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
 github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7 h1:KcKzBthSrSZIUEWBjVvkuk/DE3PyYFbXZxhx5byGFtc=

From 92c647baf9d9c1e8e7cb5cec5419bc713311268b Mon Sep 17 00:00:00 2001
From: Sergei Trofimov
Date: Fri, 31 May 2024 13:45:49 +0100
Subject: [PATCH 2/2] fix(github): add go setup step to CI flows

This is necessary as macos-latest image does not appear to come with go installed by default.

Signed-off-by: Sergei Trofimov
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 322b5d77..be89239a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ jobs:
 matrix:
 os: [macos-latest, ubuntu-latest]
 steps:
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "1.19"
 - name: Checkout code
 uses: actions/checkout@v2
 with:
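Review bot: `uses: actions/setup-go@v3` references a mutable tag, so whatever that tag is later moved to runs with this workflow's permissions; pin to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/setup-go@<full-sha> # v3`. `go-version: "1.19"` also hard-codes a toolchain separately from go.mod; `go-version-file: go.mod` keeps the two in sync if the pinned setup-go release supports it, but then the step must move after the checkout step since it needs the file. The existing `actions/checkout@v2` line has the same pinning issue but is not part of this change.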