
chore!: use modular capools introduced in Caddy v2.8.0
Signed-off-by: Matthew Penner <[email protected]>
matthewpi committed May 20, 2024
1 parent fcb6763 commit e3cbbc9
Showing 4 changed files with 106 additions and 2 deletions.
4 changes: 3 additions & 1 deletion internal/caddy/http.go
Expand Up @@ -392,7 +392,9 @@ func (i *Input) getHTTPServer(s *caddyhttp.Server, l gatewayv1.Listener) (*caddy
certs = append(certs, base64.StdEncoding.EncodeToString(block.Bytes))
}
}
tls.RootCAPool = certs
tls.CA = caddytls.InlineCAPool{
TrustedCACerts: certs,
}
}
// Caddy will default to using system trust for TLS if
// we don't override the pool.
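Review bot: The new `tls.CA` assignment is unconditional, so if the surrounding loop can leave `certs` empty (its guard and start are above the hunk, so I cannot see whether that is possible) Caddy now receives an inline pool with no certificates, whereas the old `RootCAPool` slice was simply omitted and the "system trust" comment just below relied on that. Caddy's inline provider presumably builds the pool from exactly the listed certificates, so an empty list would fail closed on every upstream handshake instead of falling back to system roots — worth confirming against v2.8.0. Guarding the assignment keeps the documented fallback: `if len(certs) > 0 { tls.CA = caddytls.InlineCAPool{TrustedCACerts: certs} }`. getHTTPServer continues on both sides of the hunk.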
6 changes: 6 additions & 0 deletions internal/caddyv2/caddyhttp/reverseproxy/transport.go
Expand Up @@ -5,6 +5,7 @@ package reverseproxy

import (
caddy "github.com/caddyserver/gateway/internal/caddyv2"
"github.com/caddyserver/gateway/internal/caddyv2/caddytls"
)

type Transport interface {
Expand Down Expand Up @@ -91,9 +92,14 @@ func (HTTPTransport) IAmATransport() {}
// TLSConfig holds configuration related to the TLS configuration for the
// transport/client.
type TLSConfig struct {
// Certificate authority module which provides the certificate pool of trusted certificates
CA caddytls.CA `json:"ca,omitempty"`

// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
// Optional list of base64-encoded DER-encoded CA certificates to trust.
RootCAPool []string `json:"root_ca_pool,omitempty"`

// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
// List of PEM-encoded CA certificate files to add to the same trust
// store as RootCAPool (or root_ca_pool in the JSON).
RootCAPEMFiles []string `json:"root_ca_pem_files,omitempty"`
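Review bot: The `DEPRECATED:` markers on `root_ca_pool` and `root_ca_pem_files` are upper-case, which Go tooling (staticcheck, gopls) does not recognise; the convention is a `// Deprecated: use the ca field with the tls.ca_pool.source.inline module instead.` paragraph on its own line after the description, so callers of the old fields get a warning. The `CA` doc comment could also list the providers this package marshals (`inline`, `file`, `pki_root`, `pki_intermediate`) and state what happens when `ca` is set together with one of the deprecated fields — whether Caddy merges them or one wins I cannot tell from here, and the comment should say which. TLSConfig continues below the hunk.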
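--- /dev/null
+++ b/internal/caddyv2/caddytls/capools.go
@@ -0,0 +1,94 @@
+// SPDX-License-Identifier: Apache-2.0
+// SPDX-FileCopyrightText: Copyright (c) 2024 Matthew Penner
+
+package caddytls
+
+// CA .
+// TODO: document
+type CA interface {
+IAmACA()
+}
+
+type InlineCAPoolProvider string
+
+func (InlineCAPoolProvider) MarshalJSON() ([]byte, error) {
+return []byte(`"inline"`), nil
+}
+
+// InlineCAPool is a certificate authority pool provider coming from
+// a DER-encoded certificates in the config.
+type InlineCAPool struct {
+// Provider is the name of this provider for the JSON config.
+// DO NOT USE this. This is a special value to represent this provider.
+// It will be overwritten when we are marshalled.
+Provider InlineCAPoolProvider `json:"provider"`
+
+// A list of base64 DER-encoded CA certificates
+// against which to validate client certificates.
+// Client certs which are not signed by any of
+// these CAs will be rejected.
+TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
+}
+
+func (InlineCAPool) IAmACA() {}
+
+type FileCAPoolProvider string
+
+func (FileCAPoolProvider) MarshalJSON() ([]byte, error) {
+return []byte(`"file"`), nil
+}
+
+// FileCAPool is a certificate authority pool provider coming from
+// a DER-encoded certificates in the config.
+type FileCAPool struct {
+// Provider is the name of this provider for the JSON config.
+// DO NOT USE this. This is a special value to represent this provider.
+// It will be overwritten when we are marshalled.
+Provider FileCAPoolProvider `json:"provider"`
+
+// TrustedCACertPEMFiles is a list of PEM file names
+// from which to load certificates of trusted CAs.
+// Client certificates which are not signed by any of
+// these CA certificates will be rejected.
+TrustedCACertPEMFiles []string `json:"pem_files,omitempty"`
+}
+
+func (FileCAPool) IAmACA() {}
+
+type PKIRootCAPoolProvider string
+
+func (PKIRootCAPoolProvider) MarshalJSON() ([]byte, error) {
+return []byte(`"pki_root"`), nil
+}
+
+// PKIRootCAPool extracts the trusted root certificates from Caddy's native 'pki' app.
+type PKIRootCAPool struct {
+// Provider is the name of this provider for the JSON config.
+// DO NOT USE this. This is a special value to represent this provider.
+// It will be overwritten when we are marshalled.
+Provider PKIRootCAPoolProvider `json:"provider"`
+
+// List of the Authority names that are configured in the `pki` app whose root certificates are trusted.
+Authority []string `json:"authority,omitempty"`
+}
+
+func (PKIRootCAPool) IAmACA() {}
+
+type PKIIntermediateCAPoolProvider string
+
+func (PKIIntermediateCAPoolProvider) MarshalJSON() ([]byte, error) {
+return []byte(`"pki_intermediate"`), nil
+}
+
+// PKIIntermediateCAPool extracts the trusted intermediate certificates from Caddy's native 'pki' app.
+type PKIIntermediateCAPool struct {
+// Provider is the name of this provider for the JSON config.
+// DO NOT USE this. This is a special value to represent this provider.
+// It will be overwritten when we are marshalled.
+Provider PKIIntermediateCAPoolProvider `json:"provider"`
+
+// List of the Authority names that are configured in the `pki` app whose intermediate certificates are trusted.
+Authority []string `json:"authority,omitempty"`
+}
+
+func (PKIIntermediateCAPool) IAmACA() {}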
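Review bot: The doc comments on `FileCAPool` and on `TrustedCACerts` are copy-pasted and describe the wrong thing: `FileCAPool` is said to come from "a DER-encoded certificates in the config" although it names PEM files on disk, and `TrustedCACerts` says the pool validates client certificates although the http.go change in this same commit attaches an `InlineCAPool` to the reverse-proxy transport, i.e. to verify upstream servers. Suggested wording: `// FileCAPool is a CA pool provider that loads PEM-encoded CA certificates from files; the paths are presumably resolved by the Caddy process that consumes the config, not by the gateway controller — confirm.` and `// TrustedCACerts is a list of base64 DER-encoded CA certificates; whichever peer the pool is attached to (client or upstream server) must chain to one of them.` The `CA` interface still carries `// TODO: document`; one sentence such as `// CA is a tls.ca_pool.source module that yields the pool of trusted CA certificates.` would close that.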
4 changes: 3 additions & 1 deletion internal/caddyv2/caddytls/connpolicy.go
Expand Up @@ -66,12 +66,14 @@ type ConnectionPolicy struct {

// ClientAuthentication configures TLS client auth.
type ClientAuthentication struct {
// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
// A list of base64 DER-encoded CA certificates
// against which to validate client certificates.
// Client certs which are not signed by any of
// these CAs will be rejected.
TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`

// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
// TrustedCACertPEMFiles is a list of PEM file names
// from which to load certificates of trusted CAs.
// Client certificates which are not signed by any of
Expand All @@ -80,7 +82,7 @@ type ClientAuthentication struct {

// DEPRECATED: This field is deprecated and will be removed in
// a future version. Please use the `validators` field instead
// with the tls.client_auth.leaf module instead.
// with the tls.client_auth.verifier.leaf module instead.
//
// A list of base64 DER-encoded client leaf certs
// to accept. If this list is not empty, client certs
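Review bot: The new deprecation comments direct users to a `ca` field, but this section adds no `CA caddytls.CA` field to `ClientAuthentication` (the diffstat shows three additions, all comment lines), and the struct body continues outside both hunks, so unless the field already exists there the advice points at nothing. If it is missing, add it the same way `TLSConfig` received it: `// CA is the tls.ca_pool.source module providing the pool of trusted client CAs.` followed by `CA caddytls.CA` with the tag `json:"ca,omitempty"`. Go tooling only recognises a lower-case `// Deprecated:` paragraph as a deprecation marker, so the `DEPRECATED:` lines on `trusted_ca_certs` and `trusted_ca_cert_pem_files` should use that form.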
