author | Alex Auvolat <alex@adnab.me> | 2022-08-24 18:22:00 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-08-24 18:22:00 +0200 |
commit | e7f6c15bc11ce04fdc3444f7bd1a588516e92dd9 (patch) | |
tree | a2e0a9c8c6652e170ef4aadc3d5b3953e58a7181 | |
parent | 730c9049ad79b15c3372cbd3737c5e90b311bd62 (diff) | |
Add possibility to skip tls verification for consul (consul-tls)
-rw-r--r-- | src/config/options.rs | 2 | ||||
-rw-r--r-- | src/config/runtime.rs | 21 | ||||
-rw-r--r-- | src/consul.rs | 29 |
3 files changed, 37 insertions, 15 deletions
diff --git a/src/config/options.rs b/src/config/options.rs
index 7334083..28b3379 100644
--- a/src/config/options.rs
+++ b/src/config/options.rs
@@ -39,6 +39,8 @@ pub struct ConfigOptsConsul {
 pub url: Option<String>,
 /// Consul's CA certificate [default: None]
 pub ca_cert: Option<String>,
+ /// Skip TLS verification for Consul server
+ pub tls_skip_verify: bool,
 /// Consul's client certificate [default: None]
 pub client_cert: Option<String>,
 /// Consul's client key [default: None]
diff --git a/src/config/runtime.rs b/src/config/runtime.rs
index cc80b0d..2e7b573 100644
--- a/src/config/runtime.rs
+++ b/src/config/runtime.rs
@@ -20,7 +20,7 @@ pub struct RuntimeConfigAcme {
 pub struct RuntimeConfigConsul {
 pub node_name: String,
 pub url: String,
- pub tls: Option<(reqwest::Certificate, reqwest::Identity)>,
+ pub tls: Option<(Option<reqwest::Certificate>, bool, reqwest::Identity)>,
 }
 #[derive(Debug)]
@@ -80,11 +80,16 @@ impl RuntimeConfigConsul {
 .expect("'DIPLONAT_CONSUL_NODE_NAME' environment variable is required");
 let url = opts.url.unwrap_or(super::CONSUL_URL.to_string());
- let tls = match (&opts.ca_cert, &opts.client_cert, &opts.client_key) {
- (Some(ca_cert), Some(client_cert), Some(client_key)) => {
- let mut ca_cert_buf = vec![];
- File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
- let cert = reqwest::Certificate::from_pem(&ca_cert_buf[..])?;
+ let tls = match (&opts.client_cert, &opts.client_key) {
+ (Some(client_cert), Some(client_key)) => {
+ let cert = match &opts.ca_cert {
+ Some(ca_cert) => {
+ let mut ca_cert_buf = vec![];
+ File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?;
+ Some(reqwest::Certificate::from_pem(&ca_cert_buf[..])?)
+ }
+ None => None,
+ };
 let mut client_cert_buf = vec![];
 File::open(client_cert)?.read_to_end(&mut client_cert_buf)?;
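Review bot: The doc comment on the new `tls_skip_verify` field says neither what the flag does nor its default, while every neighbouring field carries a `[default: …]` tag. Enabling it removes certificate validation of the Consul server, and this help text is the one place an operator reads before setting it; suggest `/// Skip TLS verification of the Consul server certificate (insecure, intended for testing only) [default: false]`. The struct `ConfigOptsConsul` continues outside the hunk.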
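Review bot: `tls` is now a three-element tuple whose middle element is an anonymous `bool`, so each destructuring site — `Some((cert, opts.tls_skip_verify, ident))` in the second hunk of this file and `if let Some((ca, skip_verify, ident))` in src/consul.rs — has to remember the position and meaning of every field. A small named struct, e.g. `pub struct ConsulTls { pub ca_cert: Option<reqwest::Certificate>, pub skip_verify: bool, pub identity: reqwest::Identity }` with the same derives as the surrounding config types, would make the optional-CA/skip-verify combination self-describing and give a natural home for a doc comment stating that `skip_verify` takes precedence over `ca_cert`.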
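Review bot: The new `Some(ca_cert)` arm keeps the manual `vec![]` plus `File::open(..)?.read_to_end(..)?` pattern to load the PEM file, which `std::fs::read` does in one call: `Some(ca_cert) => Some(reqwest::Certificate::from_pem(&std::fs::read(ca_cert)?)?),`. The same shortening applies to the `client_cert_buf` read in this hunk and, outside it, to `client_key_buf`. The enclosing function starts and ends outside the hunk.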
@@ -95,9 +100,9 @@ impl RuntimeConfigConsul {
 let ident = reqwest::Identity::from_pem(&[&client_cert_buf[..], &client_key_buf[..]].concat()[..])?;
- Some((cert, ident))
+ Some((cert, opts.tls_skip_verify, ident))
 }
- (None, None, None) => None,
+ (None, None) => None,
 _ => bail!("Incomplete TLS configuration parameters"),
 };
diff --git a/src/consul.rs b/src/consul.rs
index 4677931..c7ac2b6 100644
--- a/src/consul.rs
+++ b/src/consul.rs
@@ -23,13 +23,28 @@ pub struct Consul {
 impl Consul {
 pub fn new(config: &RuntimeConfigConsul) -> Self {
- let client = if let Some((ca, ident)) = config.tls.clone() {
- reqwest::Client::builder()
- .use_rustls_tls()
- .add_root_certificate(ca)
- .identity(ident)
- .build()
- .expect("Unable to build reqwest client")
+ let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
+ if skip_verify {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .danger_accept_invalid_certs(true)
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ } else if let Some(ca) = ca {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .add_root_certificate(ca)
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ } else {
+ reqwest::Client::builder()
+ .use_rustls_tls()
+ .identity(ident)
+ .build()
+ .expect("Unable to build reqwest client")
+ }
 } else {
 reqwest::Client::new()
 };
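Review bot: The `(None, None) => None` arm now swallows two settings that the previous three-tuple match did not: `ca_cert` was dropped from the match in the preceding hunk, so a CA-only configuration that used to hit `bail!("Incomplete TLS configuration parameters")` is now accepted and ignored, and `tls_skip_verify` set without a client certificate is likewise discarded, leaving the operator with a plain `reqwest::Client::new()` and no message. Since the match already rejects half-configured TLS with `bail!`, the same treatment fits here: `(None, None) if opts.tls_skip_verify || opts.ca_cert.is_some() => bail!("'ca_cert' and 'tls_skip_verify' require a client certificate and key"),` inserted before the existing `(None, None) => None,` arm. The enclosing function continues outside the hunk.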
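Review bot: When `skip_verify` is set the first branch calls `danger_accept_invalid_certs(true)` and discards `ca`, so the configured client identity is presented to whatever terminates TLS at the Consul URL, and a `ca_cert` the operator also supplied is ignored without any message. Because the flag removes the only check that the peer is the intended server, the branch should at least be visible at startup, e.g. a `log::warn!` (or whatever logger the crate uses) stating that Consul server certificate verification is disabled. Separately, the three builder chains differ in a single call each; building the shared part once and adding the conditional call keeps the behaviour and leaves one `expect` instead of three, as sketched below. `new` continues outside the hunk.
```rust
        let client = if let Some((ca, skip_verify, ident)) = config.tls.clone() {
            let mut builder = reqwest::Client::builder().use_rustls_tls().identity(ident);
            if skip_verify {
                // Disables server certificate validation entirely; the client
                // identity is then sent to any server answering at the URL.
                builder = builder.danger_accept_invalid_certs(true);
            } else if let Some(ca) = ca {
                builder = builder.add_root_certificate(ca);
            }
            builder.build().expect("Unable to build reqwest client")
        } else {
            reqwest::Client::new()
        };
```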