TC-1781 collectsub TLS cert management (guacsec#123)

Signed-off-by: mrizzi <[email protected]>
mrizzi · Sep 17, 2024 · 882ab4a · 882ab4a
1 parent f7096ec
commit 882ab4a
Showing 1 changed file with 26 additions and 10 deletions.
diff --git a/pkg/collectsub/client/client.go b/pkg/collectsub/client/client.go
@@ -21,8 +21,10 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
+	"os"
 
 	pb "github.com/guacsec/guac/pkg/collectsub/collectsub"
+	"github.com/spf13/viper"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
@@ -56,17 +58,31 @@ func ValidateCsubClientFlags(addr string, tls bool, tlsSkipVerify bool) (CsubCli
 func NewClient(opts CsubClientOptions) (Client, error) {
 
 	var creds credentials.TransportCredentials
-	if !opts.Tls {
-		// Set up a connection to the server.
-		creds = insecure.NewCredentials()
-	} else {
-		// Get the system certificates.
-		sysPool, err := x509.SystemCertPool()
-		if err != nil {
-			return nil, fmt.Errorf("failed to get system cert: %w", err)
+	certFile := viper.GetString("csub-tls-root-ca")
+	tlsSkipVerify := opts.TlsSkipVerify
+	systemTls := opts.Tls
+
+	if certFile != "" || systemTls == true {
+		var caCertPool *x509.CertPool
+		if certFile != "" {
+			caCert, err := os.ReadFile(certFile)
+			if err != nil {
+				return nil, fmt.Errorf("unable to read root certificate: %v", err)
+			}
+			caCertPool = x509.NewCertPool()
+			caCertPool.AppendCertsFromPEM(caCert)
+		} else {
+			sysPool, err := x509.SystemCertPool()
+			if err != nil {
+				return nil, fmt.Errorf("failed to get system cert: %w", err)
+			}
+			caCertPool = sysPool
 		}
+
 		// Connect to the service using TLS.
-		creds = credentials.NewTLS(&tls.Config{RootCAs: sysPool, InsecureSkipVerify: opts.TlsSkipVerify})
+		creds = credentials.NewTLS(&tls.Config{RootCAs: caCertPool, InsecureSkipVerify: tlsSkipVerify})
+	} else {
+		creds = insecure.NewCredentials()
 	}
 
 	conn, err := grpc.Dial(opts.Addr, grpc.WithTransportCredentials(creds))
@@ -93,7 +109,7 @@ func (c *client) AddCollectEntries(ctx context.Context, entries []*pb.CollectEnt
 		return err
 	}
 	if !res.Success {
-		return fmt.Errorf("add collect entries unsuccessful")
+		return fmt.Errorf("add collect entry unsuccessful")
 	}
 	return nil
 }