From 3f7ed36e4643c4ca78121c8292d1fdbfac040825 Mon Sep 17 00:00:00 2001
From: Lukasz Leszczuk
Date: Thu, 7 Nov 2019 11:04:40 +0100
Subject: [PATCH 1/5] Add support for Redis with custom CA.

---
 main.go | 2 ++
 pkg/apis/options/sessions.go | 2 ++
 pkg/sessions/redis/redis_store.go | 25 +++++++++++++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/main.go b/main.go
index e84a796e..6943f508 100644
--- a/main.go
+++ b/main.go
@@ -91,6 +91,8 @@ func main() {
 	flagSet.String("redis-connection-url", "", "URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
 	flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
 	flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjunction with --redis-use-sentinel")
+	flagSet.String("redis-ca-path", "", "Redis custom CA path")
+	flagSet.Bool("redis-insecure-tls", false, "Use insecure TLS connection to redis")
 	flagSet.Var(&redisSentinelConnectionURLs, "redis-sentinel-connection-urls", "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")
 
 	flagSet.String("logging-filename", "", "File to log requests to, empty for stdout")
diff --git a/pkg/apis/options/sessions.go b/pkg/apis/options/sessions.go
index c96d490c..d4bb585f 100644
--- a/pkg/apis/options/sessions.go
+++ b/pkg/apis/options/sessions.go
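Review bot: The help text of the two new flags does not say what they do: `--redis-ca-path` takes a file, and `--redis-insecure-tls` disables verification of the Redis server certificate rather than picking some "insecure" connection mode. I would change the strings to `"Path to a PEM-encoded CA bundle used to verify the Redis server certificate (added to the system pool)"` and `"Skip verification of the Redis server TLS certificate; intended for testing only"`. Both flags only make sense with a TLS connection URL, and if go-redis builds a TLS config only for the rediss:// scheme (as I believe it does) the help text should say that a rediss:// --redis-connection-url is required. main() continues outside the hunk.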
@@ -27,4 +27,6 @@ type RedisStoreOptions struct {
 	UseSentinel bool `flag:"redis-use-sentinel" cfg:"redis_use_sentinel" env:"OAUTH2_PROXY_REDIS_USE_SENTINEL"`
 	SentinelMasterName string `flag:"redis-sentinel-master-name" cfg:"redis_sentinel_master_name" env:"OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME"`
 	SentinelConnectionURLs []string `flag:"redis-sentinel-connection-urls" cfg:"redis_sentinel_connection_urls" env:"OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS"`
+	RedisCAPath string `flag:"redis-ca-path" cfg:"redis_ca_path" env:"OAUTH2_PROXY_REDIS_CA_PATH"`
+	RedisInsecureTLS bool `flag:"redis-insecure-tls" cfg:"redis_insecure_tls" env:"OAUTH2_PROXY_REDIS_INSECURE_TLS"`
 }
diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go
index ed33d72d..0efa47d0 100644
--- a/pkg/sessions/redis/redis_store.go
+++ b/pkg/sessions/redis/redis_store.go
@@ -4,10 +4,13 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@@ -64,6 +67,28 @@ func newRedisClient(opts options.RedisStoreOptions) (*redis.Client, error) {
 		return nil, fmt.Errorf("unable to parse redis url: %s", err)
 	}
 
+	if opts.RedisInsecureTLS != false {
+		opt.TLSConfig.InsecureSkipVerify = true
+	}
+
+	if opts.RedisCAPath != "" {
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+		certs, err := ioutil.ReadFile(opts.RedisCAPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load %q, %v", opts.RedisCAPath, err)
+		}
+
+		// Append our cert to the system pool
+		if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+			logger.Printf("no certs appended, using system certs only")
+		}
+
+		opt.TLSConfig.RootCAs = rootCAs
+	}
+
 	client := redis.NewClient(opt)
 	return client, nil
 }
From 3c10aee62c8fde64cf19a747e6495fe57b1b8744 Mon Sep 17 00:00:00 2001
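Review bot: Both new branches in the newRedisClient hunk dereference `opt.TLSConfig` without checking it, and as far as I recall go-redis's ParseURL only populates TLSConfig for a rediss:// URL, so `--redis-insecure-tls` or `--redis-ca-path` combined with a plain redis:// URL panics on a nil pointer instead of reporting a misconfiguration (the function's opening lines are outside the hunk). A guard ahead of the two branches turns that into an error: `if (opts.RedisInsecureTLS || opts.RedisCAPath != "") && opt.TLSConfig == nil { return nil, fmt.Errorf("redis TLS options require a rediss:// connection url") }`. The AppendCertsFromPEM failure should be returned rather than logged as well: the operator explicitly pointed at a CA file, and silently continuing with the system pool means a malformed bundle surfaces only as a later handshake failure, or not at all if the server certificate happens to chain to a public root. Lastly, `opts.RedisInsecureTLS != false` is just `opts.RedisInsecureTLS`, and it is worth emitting a startup log line when InsecureSkipVerify is turned on so the reduced verification is visible in the logs.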
From: Lukasz Leszczuk
Date: Sat, 9 Nov 2019 13:57:40 +0100
Subject: [PATCH 2/5] Code formatting. Add missing CHANGELOG entry.

---
 CHANGELOG.md | 2 +-
 pkg/sessions/redis/redis_store.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 556beca4..7b4dc975 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,7 +12,7 @@
 - [#302](https://github.com/pusher/oauth2_proxy/pull/302) Rewrite dist script (@syscll)
 - [#304](https://github.com/pusher/oauth2_proxy/pull/304) Add new Logo! :tada: (@JoelSpeed)
 - [#300](https://github.com/pusher/oauth2_proxy/pull/300) Added userinfo endpoint (@kbabuadze)
-
+- [#309](https://github.com/pusher/oauth2_proxy/pull/309) Added support for custom CA when connecting to Redis cache
 
 # v4.0.0
 - [#248](https://github.com/pusher/oauth2_proxy/pull/248) Fix issue with X-Auth-Request-Redirect header being ignored
diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go
index 0efa47d0..a0f331b7 100644
--- a/pkg/sessions/redis/redis_store.go
+++ b/pkg/sessions/redis/redis_store.go
@@ -8,7 +8,6 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -20,6 +19,7 @@ import (
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"github.com/pusher/oauth2_proxy/pkg/cookies"
 	"github.com/pusher/oauth2_proxy/pkg/encryption"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 )
 
 // TicketData is a structure representing the ticket used in server session storage
From d7a51e4aabf649f2f96df0a1cf8a56743bd02123 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Leszczuk?=
Date: Tue, 12 Nov 2019 11:34:14 +0100
Subject: [PATCH 3/5] Update main.go

Co-Authored-By: Joel Speed
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 6943f508..7cf562bd 100644
--- a/main.go
+++ b/main.go
@@ -92,7 +92,7 @@ func main() {
 	flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
 	flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjunction with --redis-use-sentinel")
 	flagSet.String("redis-ca-path", "", "Redis custom CA path")
-	flagSet.Bool("redis-insecure-tls", false, "Use insecure TLS connection to redis")
+	flagSet.Bool("redis-insecure-skip-tls-verify", false, "Use insecure TLS connection to redis")
 	flagSet.Var(&redisSentinelConnectionURLs, "redis-sentinel-connection-urls", "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")
 
 	flagSet.String("logging-filename", "", "File to log requests to, empty for stdout")
From befab0521ad53e9a7211065cd6f382d635701144 Mon Sep 17 00:00:00 2001
From: Lukasz Leszczuk
Date: Tue, 12 Nov 2019 11:42:03 +0100
Subject: [PATCH 4/5] log message in case of failure during loading system cert pool

---
 pkg/sessions/redis/redis_store.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go
index a0f331b7..fdeebf6b 100644
--- a/pkg/sessions/redis/redis_store.go
+++ b/pkg/sessions/redis/redis_store.go
@@ -72,7 +72,10 @@ func newRedisClient(opts options.RedisStoreOptions) (*redis.Client, error) {
 	}
 
 	if opts.RedisCAPath != "" {
-		rootCAs, _ := x509.SystemCertPool()
+		rootCAs, err := x509.SystemCertPool()
+		if err != nil {
+			logger.Printf("failed to load system cert pool for redis connection, falling back to empty cert pool")
+		}
 		if rootCAs == nil {
 			rootCAs = x509.NewCertPool()
 		}
From 06a283e581039f20a1be5ce7663a9281682899bb Mon Sep 17 00:00:00 2001
From: Lukasz Leszczuk
Date: Tue, 12 Nov 2019 16:11:27 +0100
Subject: [PATCH 5/5] Fix settings naming

---
 pkg/apis/options/sessions.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

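Review bot: In the redis_store.go hunk the `err` from x509.SystemCertPool is now checked but its value never reaches the log line, so an operator sees that the system pool failed to load but not why. Include it: `logger.Printf("failed to load system cert pool for redis connection, falling back to empty cert pool: %v", err)`. Falling back to an empty pool is the right behaviour here, since it means only the configured CA is trusted rather than verification being weakened, and the log text could say so explicitly ("only the CA from --redis-ca-path will be trusted"). newRedisClient starts and ends outside the hunk.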
diff --git a/pkg/apis/options/sessions.go b/pkg/apis/options/sessions.go
index d4bb585f..dbbb1cba 100644
--- a/pkg/apis/options/sessions.go
+++ b/pkg/apis/options/sessions.go
@@ -28,5 +28,5 @@ type RedisStoreOptions struct {
 	SentinelMasterName string `flag:"redis-sentinel-master-name" cfg:"redis_sentinel_master_name" env:"OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME"`
 	SentinelConnectionURLs []string `flag:"redis-sentinel-connection-urls" cfg:"redis_sentinel_connection_urls" env:"OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS"`
 	RedisCAPath string `flag:"redis-ca-path" cfg:"redis_ca_path" env:"OAUTH2_PROXY_REDIS_CA_PATH"`
-	RedisInsecureTLS bool `flag:"redis-insecure-tls" cfg:"redis_insecure_tls" env:"OAUTH2_PROXY_REDIS_INSECURE_TLS"`
+	RedisInsecureTLS bool `flag:"redis-insecure-skip-tls-verify" cfg:"redis_insecure_skip_tls_verify" env:"OAUTH2_PROXY_REDIS_INSECURE_SKIP_TLS_VERIFY"`
 }