Skip to content

N
nexpie-grafana-theme
Commit ccf093da by Matt Bostock
Options

OAuth: Separate TLS client auth and CA config 

It should be specify to either use TLS client authentication or use a
user-supplied CA; previously you had to enable client authentication to
use a custom CA.
parent f2f8ca52
Showing with 14 additions and 13 deletions
pkg/api/login_oauth.go
...@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) { ...@@ -78,16 +78,25 @@ func OAuthLogin(ctx *middleware.Context) {
} }
// handle call back // handle call back
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
},
}
sslcli := &http.Client{
Transport: tr,
}
// initialize oauth2 context
oauthCtx := oauth2.NoContext
if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" { if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" {
cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey) cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
// Load CA cert tr.TLSClientConfig.Certificates = append(tr.TLSClientConfig.Certificates, cert)
}
if setting.OAuthService.OAuthInfos[name].TlsClientCa != "" {
caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa) caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
...@@ -95,18 +104,10 @@ func OAuthLogin(ctx *middleware.Context) { ...@@ -95,18 +104,10 @@ func OAuthLogin(ctx *middleware.Context) {
caCertPool := x509.NewCertPool() caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert) caCertPool.AppendCertsFromPEM(caCert)
tr := &http.Transport{ tr.TLSClientConfig.RootCAs = caCertPool
TLSClientConfig: &tls.Config{
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
Certificates: []tls.Certificate{cert},
RootCAs: caCertPool,
},
} }
sslcli := &http.Client{Transport: tr}
oauthCtx = context.Background() oauthCtx := context.WithValue(context.Background(), oauth2.HTTPClient, sslcli)
oauthCtx = context.WithValue(oauthCtx, oauth2.HTTPClient, sslcli)
}
// get token from provider // get token from provider
token, err := connect.Exchange(oauthCtx, code) token, err := connect.Exchange(oauthCtx, code)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment