diff options
author | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:53:33 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-08-24 17:53:33 +0200 |
commit | 5007077f1dcb0778e4433d7b43900072e3f0ca4b (patch) | |
tree | 136f63e93e801e64c1295b2f13f5c28288e4c976 | |
parent | 698236cdb4ed6e0280f87da4006bd53dce8b3dc1 (diff) | |
download | tricot-5007077f1dcb0778e4433d7b43900072e3f0ca4b.tar.gz tricot-5007077f1dcb0778e4433d7b43900072e3f0ca4b.zip |
Add possibility to skip TLS server certificate verification
-rw-r--r-- | src/consul.rs | 42 | ||||
-rw-r--r-- | src/main.rs | 5 |
2 files changed, 34 insertions, 13 deletions
diff --git a/src/consul.rs b/src/consul.rs index cba435a..13b99d8 100644 --- a/src/consul.rs +++ b/src/consul.rs @@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize}; pub struct ConsulConfig { pub addr: String, pub ca_cert: Option<String>, + pub tls_skip_verify: bool, pub client_cert: Option<String>, pub client_key: Option<String>, } @@ -88,26 +89,41 @@ pub struct Consul { impl Consul { pub fn new(config: ConsulConfig, kv_prefix: &str, local_node: &str) -> Result<Self> { - let client = match (&config.ca_cert, &config.client_cert, &config.client_key) { - (Some(ca_cert), Some(client_cert), Some(client_key)) => { - let mut ca_cert_buf = vec![]; - File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?; - + let client = match (&config.client_cert, &config.client_key) { + (Some(client_cert), Some(client_key)) => { let mut client_cert_buf = vec![]; File::open(client_cert)?.read_to_end(&mut client_cert_buf)?; let mut client_key_buf = vec![]; File::open(client_key)?.read_to_end(&mut client_key_buf)?; - reqwest::Client::builder() - .use_rustls_tls() - .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?) - .identity(reqwest::Identity::from_pem( - &[&client_cert_buf[..], &client_key_buf[..]].concat()[..], - )?) - .build()? + let identity = reqwest::Identity::from_pem( + &[&client_cert_buf[..], &client_key_buf[..]].concat()[..], + )?; + + if config.tls_skip_verify { + reqwest::Client::builder() + .use_rustls_tls() + .danger_accept_invalid_certs(true) + .identity(identity) + .build()? + } else if let Some(ca_cert) = &config.ca_cert { + let mut ca_cert_buf = vec![]; + File::open(ca_cert)?.read_to_end(&mut ca_cert_buf)?; + + reqwest::Client::builder() + .use_rustls_tls() + .add_root_certificate(reqwest::Certificate::from_pem(&ca_cert_buf[..])?) + .identity(identity) + .build()? + } else { + reqwest::Client::builder() + .use_rustls_tls() + .identity(identity) + .build()? + } } - (None, None, None) => reqwest::Client::new(), + (None, None) => reqwest::Client::new(), _ => bail!("Incomplete Consul TLS configuration parameters"), }; diff --git a/src/main.rs b/src/main.rs index dada7e7..edc79b4 100644 --- a/src/main.rs +++ b/src/main.rs @@ -40,6 +40,10 @@ struct Opt { #[structopt(long = "consul-ca-cert", env = "TRICOT_CONSUL_CA_CERT")] pub consul_ca_cert: Option<String>, + /// Skip TLS verification for Consul + #[structopt(long = "consul-tls-skip-verify", env = "TRICOT_CONSUL_TLS_SKIP_VERIFY")] + pub consul_tls_skip_verify: bool, + /// Client certificate for Consul server with TLS #[structopt(long = "consul-client-cert", env = "TRICOT_CONSUL_CLIENT_CERT")] pub consul_client_cert: Option<String>, @@ -122,6 +126,7 @@ async fn main() { let consul_config = consul::ConsulConfig { addr: opt.consul_addr.clone(), ca_cert: opt.consul_ca_cert.clone(), + tls_skip_verify: opt.consul_tls_skip_verify, client_cert: opt.consul_client_cert.clone(), client_key: opt.consul_client_key.clone(), }; |