6 changes: 5 additions & 1 deletion gateway/src/apicast/cli/command/start.lua
@@ -13,6 +13,7 @@ local exec = require('resty.execvp')
local resty_env = require('resty.env')
local re = require('ngx.re')
local resty_url = require('resty.url')
local system = require('resty.system')

local Template = require('apicast.cli.template')
local Environment = require('apicast.cli.environment')
@@ -146,7 +147,10 @@ local function build_context(options, config)


context.prefix = apicast_root()
context.ca_bundle = pl.path.abspath(tostring(context.ca_bundle) or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))

context.ca_bundle = pl.path.abspath(tostring(context.ca_bundle)
or system.get_system_trusted_certs_filepath()
or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))

context.access_log_file = options.access_log_file

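Review bot: The `or` fallbacks on the new `context.ca_bundle` assignment may be unreachable, because `tostring()` of a plain value always returns a truthy string and `tostring(nil)` is the string `"nil"`; the system bundle and the bundled `conf/ca-bundle.crt` would then be consulted only if `context.ca_bundle` is an object whose `__tostring` can return nil, which is not visible in this hunk. If that is the intent, a comment saying so would help; otherwise resolve the value first, e.g. `local configured = context.ca_bundle and tostring(context.ca_bundle)` followed by `pl.path.abspath(configured or system.get_system_trusted_certs_filepath() or pl.path.join(context.prefix, 'conf', 'ca-bundle.crt'))`. Because this value selects the CA trust store, a silent resolution to a nonexistent file named `nil` is worth ruling out explicitly. build_context starts and ends outside the hunk.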
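--- a/gateway/src/resty/system.lua
+++ b/gateway/src/resty/system.lua
@@ -0,0 +1,33 @@
+local pl_path = require 'pl.path'
+
+local _M = {}
+
+do
+-- Possible certificate files; stop after finding one.
+-- copied from https://github.com/golang/go/blob/master/src/crypto/x509/root_linux.go#L9
+local trusted_cert_files = {
+"/etc/ssl/certs/ca-certificates.crt", -- Debian/Ubuntu/Gentoo etc.
+"/etc/pki/tls/certs/ca-bundle.crt", -- Fedora/RHEL 6
+"/etc/ssl/ca-bundle.pem", -- OpenSUSE
+"/etc/pki/tls/cacert.pem", -- OpenELEC
+"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", -- CentOS/RHEL 7
+"/etc/ssl/cert.pem", -- Alpine Linux
+}
+
+-- Load CA certs in order, the first one found will be used.
+-- from context
+-- from default system location
+-- local APIcast ca-bundle (for backward compatible)
+--
+function _M.get_system_trusted_certs_filepath()
+for _, path in ipairs(trusted_cert_files) do
+if pl_path.exists(path) then
+return path
+end
+end
+
+return nil
+end
+end
+
+return _M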
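Review bot: `pl_path.exists(path)` in `get_system_trusted_certs_filepath` accepts anything that exists, including a directory, so an unusable first candidate would be returned as the trust store and the problem would presumably surface only later when the bundle is loaded. Consider `if pl_path.isfile(path) then` instead; the spec stubs `pl_path.exists` and would need the matching change. The comment block directly above the function lists the context / system / bundled order, which is the caller's precedence in `start.lua` rather than what this function does; a doc line such as `--- Returns the first existing system CA bundle path from trusted_cert_files, or nil.` would describe it accurately.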
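--- a/spec/resty/system_spec.lua
+++ b/spec/resty/system_spec.lua
@@ -0,0 +1,37 @@
+local system = require "resty.system"
+local pl_path = require "pl.path"
+
+describe("resty.system", function()
+describe("get_system_trusted_certs_filepath", function ()
+local old_exists = pl_path.exists
+after_each(function()
+pl_path.exists = old_exists
+end)
+
+it("retrieves the default filepath", function()
+local tests = {
+"/etc/ssl/certs/ca-certificates.crt",
+"/etc/pki/tls/certs/ca-bundle.crt",
+"/etc/ssl/ca-bundle.pem",
+"/etc/pki/tls/cacert.pem",
+"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+"/etc/ssl/cert.pem",
+}
+for _, test_path in pairs(tests) do
+pl_path.exists = function(path)
+return path == test_path
+end
+assert.same(test_path, system.get_system_trusted_certs_filepath())
+end
+end)
+
+it("return nil if nothing found", function()
+pl_path.exists = function(path)
+return false
+end
+
+local ok = system.get_system_trusted_certs_filepath()
+assert.is_nil(ok)
+end)
+end)
+end)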
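Review bot: The precedence between candidate bundles is never asserted, because the first case stubs `pl_path.exists` so that exactly one path exists at a time; a reordering of the list in `resty.system` would still pass. Add a case where two candidates exist, e.g. stub `return path == "/etc/ssl/cert.pem" or path == "/etc/pki/tls/certs/ca-bundle.crt"` and assert the result is `"/etc/pki/tls/certs/ca-bundle.crt"`. Which trust store wins on a host with several bundles is the behaviour operators will rely on, so it is worth pinning.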