Native SSL support

Add two new flags for atlantis server: --ssl-key-file for the key --ssl-cert-file for the server and CA certs You either need to use both or neither. You'll get an error if you accidentally use only one. Currently defaults to non-SSL mode. I think you could make a good argument for SSL by default but since that would be a breaking change I left it for the maintainers to decide. Removed docs for setting up an NGINX frontend.
hootsuite · Jan 16, 2018 · bd682bf · bd682bf
1 parent 5abc367
commit bd682bf
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 69 deletions.
diff --git a/README.md b/README.md
@@ -481,7 +481,7 @@ However, if you were to lose the data, all you would need to do is run `atlantis
 
 **Q: How to add SSL to Atlantis server?**
 
-A: Atlantis currently only supports HTTP. In order to add SSL you will need to front Atlantis server with NGINX or HAProxy. Follow the document [here](./docs/nginx-ssl-proxy.md) to use configure NGINX with SSL as a reverse proxy.
+A: Pass the `--ssl` option to enable SSL for incoming connections.  You will need to get a trusted certificate and pass it into Atlantis server with the `--ssl-key-file` and `--ssl-cert-file` options.
 
 
 ## Contributing

diff --git a/cmd/server.go b/cmd/server.go
@@ -31,6 +31,8 @@ const (
 	LogLevelFlag        = "log-level"
 	PortFlag            = "port"
 	RequireApprovalFlag = "require-approval"
+	SSLCertFileFlag     = "ssl-cert-file"
+	SSLKeyFileFlag      = "ssl-key-file"
 )
 
 var stringFlags = []stringFlag{
@@ -94,6 +96,14 @@ var stringFlags = []stringFlag{
 		description: "Log level. Either debug, info, warn, or error.",
 		value:       "info",
 	},
+	{
+		name:        SSLCertFileFlag,
+		description: "File containing x509 Certificate used for serving HTTPS. If the cert is signed by a CA, the file should be the concatenation of the server's certificate, any intermediates, and the CA's certificate.",
+	},
+	{
+		name:        SSLKeyFileFlag,
+		description: fmt.Sprintf("File containing x509 private key matching --%s.", SSLCertFileFlag),
+	},
 }
 var boolFlags = []boolFlag{
 	{
@@ -248,13 +258,17 @@ func (s *ServerCmd) validate(config server.Config) error {
 	if logLevel != "debug" && logLevel != "info" && logLevel != "warn" && logLevel != "error" {
 		return errors.New("invalid log level: not one of debug, info, warn, error")
 	}
-	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GitlabUserFlag, GitlabTokenFlag)
+
+	if (config.SSLKeyFile == "") != (config.SSLCertFile == "") {
+		return fmt.Errorf("%s and %s are required for ssl", SSLKeyFileFlag, SSLCertFileFlag)
+	}
 
 	// The following combinations are valid.
 	// 1. github user and token
 	// 2. gitlab user and token
 	// 3. all 4 set
 	// We validate using contradiction (I think).
+	vcsErr := fmt.Errorf("--%s/--%s or --%s/--%s must be set", GHUserFlag, GHTokenFlag, GitlabUserFlag, GitlabTokenFlag)
 	if config.GithubUser != "" && config.GithubToken == "" || config.GithubToken != "" && config.GithubUser == "" {
 		return vcsErr
 	}

diff --git a/docs/nginx-ssl-proxy.md b/docs/nginx-ssl-proxy.md
diff --git a/server/server.go b/server/server.go
@@ -45,6 +45,8 @@ type Server struct {
 	EventsController   *EventsController
 	IndexTemplate      TemplateWriter
 	LockDetailTemplate TemplateWriter
+	SSLCertFile        string
+	SSLKeyFile         string
 }
 
 // Config configures Server.
@@ -67,6 +69,8 @@ type Config struct {
 	// allowing terraform apply's to be run.
 	RequireApproval bool            `mapstructure:"require-approval"`
 	SlackToken      string          `mapstructure:"slack-token"`
+	SSLCertFile     string          `mapstructure:"ssl-cert-file"`
+	SSLKeyFile      string          `mapstructure:"ssl-key-file"`
 	Webhooks        []WebhookConfig `mapstructure:"webhooks"`
 }
 
@@ -214,6 +218,8 @@ func NewServer(config Config) (*Server, error) {
 		EventsController:   eventsController,
 		IndexTemplate:      indexTemplate,
 		LockDetailTemplate: lockTemplate,
+		SSLKeyFile:         config.SSLKeyFile,
+		SSLCertFile:        config.SSLCertFile,
 	}, nil
 }
 
@@ -249,7 +255,15 @@ func (s *Server) Start() error {
 	server := &http.Server{Addr: fmt.Sprintf(":%d", s.Port), Handler: n}
 	go func() {
 		s.Logger.Warn("Atlantis started - listening on port %v", s.Port)
-		if err := server.ListenAndServe(); err != nil {
+
+		var err error
+		if s.SSLCertFile != "" && s.SSLKeyFile != "" {
+			err = server.ListenAndServeTLS(s.SSLCertFile, s.SSLKeyFile)
+		} else {
+			err = server.ListenAndServe()
+		}
+
+		if err != nil {
 			// When shutdown safely, there will be no error.
 			s.Logger.Err(err.Error())
 		}