fix: add --insecure to skip TLS certificate verification #1769

Merged
merged 3 commits into from
Jun 13, 2024
7 changes: 6 additions & 1 deletion cmd/ftl/main.go
Expand Up @@ -30,6 +30,7 @@ type CLI struct {
ConfigFlag string `name:"config" short:"C" help:"Path to FTL project configuration file." env:"FTL_CONFIG" placeholder:"FILE"`

Authenticators map[string]string `help:"Authenticators to use for FTL endpoints." mapsep:"," env:"FTL_AUTHENTICATORS" placeholder:"HOST=EXE,…"`
Insecure bool `help:"Skip TLS certificate verification. Caution: susceptible to machine-in-the-middle attacks."`

Ping pingCmd `cmd:"" help:"Ping the FTL cluster."`
Status statusCmd `cmd:"" help:"Show FTL status."`
Expand Down Expand Up @@ -74,7 +75,7 @@ func main() {
},
)

rpc.InitialiseClients(cli.Authenticators)
rpc.InitialiseClients(cli.Authenticators, cli.Insecure)

// Set some envars for child processes.
os.Setenv("LOG_LEVEL", cli.LogConfig.Level.String())
Expand All @@ -84,6 +85,10 @@ func main() {
logger := log.Configure(os.Stderr, cli.LogConfig)
ctx = log.ContextWithLogger(ctx, logger)

if cli.Insecure {
logger.Warnf("--insecure skips TLS certificate verification")
}

configPath := cli.ConfigFlag
if configPath == "" {
var ok bool
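Review bot: The new `Insecure` field in the CLI struct carries no `env:` tag, unlike the neighbouring `ConfigFlag` and `Authenticators` fields, and nothing records whether that omission is deliberate. Because the flag disables certificate verification for every RPC client, requiring it to be spelled out on each invocation rather than inherited silently from the environment is the safer choice, so the field should say so: `// No env tag on purpose: disabling verification must be an explicit per-invocation flag.` The warning added to main() fires only when cli.Insecure is set, which is consistent with that reading, though note it is logged after rpc.InitialiseClients has already been called with the flag. The CLI struct and main() both extend outside the hunks shown.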
12 changes: 10 additions & 2 deletions internal/rpc/rpc.go
Expand Up @@ -23,12 +23,17 @@ import (
//
// "authenticators" are authenticator executables to use for each endpoint. The key is the URL of the endpoint, the
// value is the path to the authenticator executable.
func InitialiseClients(authenticators map[string]string) {
//
// "allowInsecure" skips certificate verification, making TLS susceptible to machine-in-the-middle attacks.
func InitialiseClients(authenticators map[string]string, allowInsecure bool) {
// We can't have a client-wide timeout because it also applies to
// streaming RPCs, timing them out.
h2cClient = &http.Client{
Transport: authn.Transport(&http2.Transport{
AllowHTTP: true,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: allowInsecure, // #nosec G402
},
DialTLSContext: func(ctx context.Context, network, addr string, _ *tls.Config) (net.Conn, error) {
conn, err := dialer.Dial(network, addr)
return conn, err
Expand All @@ -37,6 +42,9 @@ func InitialiseClients(authenticators map[string]string) {
}
tlsClient = &http.Client{
Transport: authn.Transport(&http2.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: allowInsecure, // #nosec G402
},
DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
tlsDialer := tls.Dialer{Config: config, NetDialer: dialer}
conn, err := tlsDialer.DialContext(ctx, network, addr)
Expand All @@ -47,7 +55,7 @@ func InitialiseClients(authenticators map[string]string) {
}

func init() {
InitialiseClients(map[string]string{})
InitialiseClients(map[string]string{}, false)
}

var (
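Review bot: The `TLSClientConfig` added to the h2c transport in the first hunk (the `InsecureSkipVerify: allowInsecure` block under `AllowHTTP: true`) appears to have no effect, because that transport's `DialTLSContext` discards its `*tls.Config` argument (`_ *tls.Config`) and dials with the plain `dialer.Dial`, so no TLS handshake happens on that client at all. Only `tlsClient` in the second hunk, whose `DialTLSContext` feeds `config` into `tls.Dialer`, can honour the flag, presumably via the config http2 derives from `TLSClientConfig`. A config that is never consulted, sitting next to a `#nosec G402` suppression, invites a later reader to assume the h2c client verifies or skips certificates; either drop the three `TLSClientConfig` lines from the h2c transport or mark them: `// Unused: DialTLSContext below dials plaintext and ignores this config; kept only for symmetry with tlsClient.` The doc comment on `allowInsecure` could also state that it affects only connections that actually negotiate TLS. InitialiseClients spans all three hunks of this section and its body between them is not shown.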