feat: Extended Root CA for upstream connections (ory#181)

wraix · christian-roggia · commit 818510ec12cb · 2021-06-20T16:59:15.000+02:00
This allows for appending a certificate file to the Root CA without altering the system Root CA. This is useful for allowing self-signed certificates on the upstream connections
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -22,6 +22,8 @@ package proxy
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"io/ioutil"
 	"net/http"
 	"net/url"
@@ -88,7 +90,28 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 			Header:     rw.header,
 		}, nil
 	} else if err == nil {
-		res, err := http.DefaultTransport.RoundTrip(r)
+
+		transport := http.DefaultTransport
+
+		// FIXME: Test config settings for extended Root CA cert file
+		if true {
+			d.r.Logger().
+				WithFields(fields).
+				WithField("insecure-skip-verify", false).
+				Warn("Using extended Root CA")
+
+			transport, err = useTransportWithExtendedRootCa("./config/certs/hydra/private.crt") // FIXME: Read from a config somehow...
+			if err != nil {
+				d.r.Logger().
+					WithError(errors.WithStack(err)).
+					WithField("granted", false).
+					WithFields(fields).
+					Warn("Access request denied because extended Root CA failed")
+				return nil, err
+			}
+		}
+
+		res, err := transport.RoundTrip(r)
 		if err != nil {
 			d.r.Logger().
 				WithError(errors.WithStack(err)).
@@ -194,3 +217,33 @@ func ConfigureBackendURL(r *http.Request, rl *rule.Rule) error {
 
 	return nil
 }
+
+// Allow for extending the Root CA chain
+// Use to avoid the error: "http: proxy error: x509: certificate signed by unknown authority" for self-signed
+// certificates upstream.
+func useTransportWithExtendedRootCa(certFile string) (transport *http.Transport, err error) {
+	transport = &(*http.DefaultTransport.(*http.Transport)) // shallow copy
+
+	// Get the SystemCertPool or continue with an empty pool on error
+	rootCAs, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+
+	certs, err := ioutil.ReadFile(certFile)
+	if err != nil {
+		return nil, err
+	}
+
+	// Append our cert to the system pool
+	if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+		return nil, errors.New("No certs appended, only system certs present, did you specifi the correct cert file?")
+	}
+
+	transport.TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: false,
+		RootCAs:            rootCAs,
+	}
+
+	return transport, nil
+}
