Commit 9d536536 by Carl Bergquist Committed by GitHub

Merge pull request #9378 from mattbostock/verify_tls

Bugfix: Always verify TLS unless explicitly told otherwise
parents 45704d45 83f1ae4e
......@@ -11,25 +11,28 @@ import (
"github.com/grafana/grafana/pkg/middleware"
m "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
macaron "gopkg.in/macaron.v1"
)
var pluginProxyTransport = &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
Renegotiation: tls.RenegotiateFreelyAsClient,
},
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
}
var pluginProxyTransport *http.Transport
func InitAppPluginRoutes(r *macaron.Macaron) {
pluginProxyTransport = &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.PluginAppsSkipVerifyTLS,
Renegotiation: tls.RenegotiateFreelyAsClient,
},
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
DualStack: true,
}).Dial,
TLSHandshakeTimeout: 10 * time.Second,
}
for _, plugin := range plugins.Apps {
for _, route := range plugin.Routes {
url := util.JoinUrlFragments("/api/plugin-proxy/"+plugin.Id, route.Path)
......
package api
import (
"crypto/tls"
"net"
"net/http"
"net/http/httputil"
......@@ -14,8 +13,7 @@ import (
)
var grafanaComProxyTransport = &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
Proxy: http.ProxyFromEnvironment,
Proxy: http.ProxyFromEnvironment,
Dial: (&net.Dialer{
Timeout: 30 * time.Second,
KeepAlive: 30 * time.Second,
......
......@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) {
}
// handle call back
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
},
}
oauthClient := &http.Client{
Transport: tr,
}
// initialize oauth2 context
oauthCtx := oauth2.NoContext
if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" {
if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" {
cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey)
if err != nil {
log.Fatal(err)
}
// Load CA cert
tr.TLSClientConfig.Certificates = append(tr.TLSClientConfig.Certificates, cert)
}
if setting.OAuthService.OAuthInfos[name].TlsClientCa != "" {
caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa)
if err != nil {
log.Fatal(err)
......@@ -95,19 +104,11 @@ func OAuthLogin(ctx *middleware.Context) {
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
},
}
sslcli := &http.Client{Transport: tr}
oauthCtx = context.Background()
oauthCtx = context.WithValue(oauthCtx, oauth2.HTTPClient, sslcli)
tr.TLSClientConfig.RootCAs = caCertPool
}
oauthCtx := context.WithValue(context.Background(), oauth2.HTTPClient, oauthClient)
// get token from provider
token, err := connect.Exchange(oauthCtx, code)
if err != nil {
......
......@@ -17,8 +17,6 @@ var version = "master"
func main() {
setupLogging()
services.Init(version)
app := cli.NewApp()
app.Name = "Grafana cli"
app.Usage = ""
......@@ -45,11 +43,19 @@ func main() {
EnvVar: "GF_PLUGIN_URL",
},
cli.BoolFlag{
Name: "insecure",
Usage: "Skip TLS verification (insecure)",
},
cli.BoolFlag{
Name: "debug, d",
Usage: "enable debug logging",
},
}
app.Before = func(c *cli.Context) error {
services.Init(version, c.GlobalBool("insecure"))
return nil
}
app.Commands = commands.Commands
app.CommandNotFound = cmdNotFound
......
......@@ -22,7 +22,7 @@ var (
grafanaVersion string
)
func Init(version string) {
func Init(version string, skipTLSVerify bool) {
grafanaVersion = version
tr := &http.Transport{
......@@ -36,8 +36,9 @@ func Init(version string) {
IdleConnTimeout: 90 * time.Second,
TLSHandshakeTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
TLSClientConfig: &tls.Config{
InsecureSkipVerify: skipTLSVerify,
},
}
HttpClient = http.Client{
......
......@@ -122,6 +122,9 @@ var (
// Basic Auth
BasicAuthEnabled bool
// Plugin settings
PluginAppsSkipVerifyTLS bool
// Session settings.
SessionOptions session.Options
......@@ -560,6 +563,9 @@ func NewConfigContext(args *CommandLineArgs) error {
authBasic := Cfg.Section("auth.basic")
BasicAuthEnabled = authBasic.Key("enabled").MustBool(true)
// global plugin settings
PluginAppsSkipVerifyTLS = Cfg.Section("plugins").Key("app_tls_skip_verify_insecure").MustBool(false)
// PhantomJS rendering
ImagesDir = filepath.Join(DataPath, "png")
PhantomDir = filepath.Join(HomePath, "vendor/phantomjs")
......
......@@ -13,6 +13,7 @@ type OAuthInfo struct {
TlsClientCert string
TlsClientKey string
TlsClientCa string
TlsSkipVerify bool
}
type OAuther struct {
......
......@@ -66,6 +66,7 @@ func NewOAuthService() {
TlsClientCert: sec.Key("tls_client_cert").String(),
TlsClientKey: sec.Key("tls_client_key").String(),
TlsClientCa: sec.Key("tls_client_ca").String(),
TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),
}
if !info.Enabled {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment