tenants: add web certificate field, make authentik's core certificate configurable based on keypair
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
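--- /dev/null
+++ b/internal/web/tenant_tls/tenant_tls.go
@@ -0,0 +1,81 @@
+package tenant_tls
+
+import (
+	"crypto/tls"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"goauthentik.io/api"
+	"goauthentik.io/internal/crypto"
+	"goauthentik.io/internal/outpost/ak"
+)
+
+type Watcher struct {
+	client *api.APIClient
+	log *log.Entry
+	cs *ak.CryptoStore
+	fallback *tls.Certificate
+	tenants []api.Tenant
+}
+
+func NewWatcher(client *api.APIClient) *Watcher {
+	cs := ak.NewCryptoStore(client.CryptoApi)
+	l := log.WithField("logger", "authentik.router.tenant_tls")
+	cert, err := crypto.GenerateSelfSignedCert()
+	if err != nil {
+		l.WithError(err).Error("failed to generate default cert")
+	}
+
+	return &Watcher{
+		client: client,
+		log: l,
+		cs: cs,
+		fallback: &cert,
+	}
+}
+
+func (w *Watcher) Start() {
+	ticker := time.NewTicker(time.Minute * 3)
+	w.log.Info("Starting Tenant TLS Checker")
+	for ; true; <-ticker.C {
+		w.Check()
+	}
+}
+
+func (w *Watcher) Check() {
+	tenants, _, err := w.client.CoreApi.CoreTenantsListExecute(api.ApiCoreTenantsListRequest{})
+	if err != nil {
+		w.log.WithError(err).Warning("failed to get tenants")
+		return
+	}
+	for _, t := range tenants.Results {
+		if t.WebCertificate.IsSet() {
+			err := w.cs.AddKeypair(*t.WebCertificate.Get())
+			if err != nil {
+				w.log.WithError(err).Warning("failed to add certificate")
+			}
+		}
+	}
+	w.tenants = tenants.Results
+}
+
+func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	var bestSelection *api.Tenant
+	for _, t := range w.tenants {
+		if !t.WebCertificate.IsSet() {
+			continue
+		}
+		if *t.Default {
+			bestSelection = &t
+		}
+		if strings.HasSuffix(ch.ServerName, t.Domain) {
+			bestSelection = &t
+		}
+	}
+	if bestSelection == nil {
+		return w.fallback, nil
+	}
+	cert := w.cs.Get(*bestSelection.WebCertificate.Get())
+	return cert, nil
+}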
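Review bot: `w.tenants` is assigned at the end of `Check` from the ticker loop in `Start` and read by `GetCertificate` on every TLS handshake with no synchronization, so handshake goroutines can observe a torn slice header (this is the kind of race `go test -race` reports). In `GetCertificate`, `bestSelection = &t` stores the address of the range variable, which under a pre-1.22 `go` directive in go.mod is one variable reused across iterations, so the pointer ends up on the last tenant visited rather than the one that matched; the per-iteration order also lets a later default tenant overwrite an earlier domain match, and `*t.Default` is dereferenced without a nil check, which presumably can be nil for an optional field of the generated client — worth confirming. Also, when `w.cs.Get` yields nil the function returns a nil certificate with a nil error, which fails the handshake instead of using `w.fallback`, and `strings.HasSuffix(ch.ServerName, t.Domain)` has no dot boundary, so a tenant domain `example.com` also captures an SNI like `notexample.com`. Guarding the field with a `sync.RWMutex` (needs `"sync"` imported), selecting by index and falling back on a nil lookup covers the first three points; the suffix check is a separate decision. The same unguarded `GenerateSelfSignedCert` failure in `NewWatcher` leaves a zero-value `tls.Certificate` as `fallback`, so every fallback handshake would fail later with a less obvious error — returning the error from `NewWatcher` would surface it at startup.
```go
type Watcher struct {
	// … unchanged: client, log, cs, fallback …
	mu      sync.RWMutex
	tenants []api.Tenant
}

// … unchanged: NewWatcher, Start …

func (w *Watcher) Check() {
	// … unchanged: tenant listing and AddKeypair loop …
	w.mu.Lock()
	w.tenants = tenants.Results
	w.mu.Unlock()
}

func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
	w.mu.RLock()
	defer w.mu.RUnlock()
	var bestSelection *api.Tenant
	for i := range w.tenants {
		t := &w.tenants[i]
		if !t.WebCertificate.IsSet() {
			continue
		}
		// A domain match always wins over the default tenant, regardless of list order.
		if strings.HasSuffix(ch.ServerName, t.Domain) {
			bestSelection = t
			break
		}
		if bestSelection == nil && t.Default != nil && *t.Default {
			bestSelection = t
		}
	}
	if bestSelection == nil {
		return w.fallback, nil
	}
	if cert := w.cs.Get(*bestSelection.WebCertificate.Get()); cert != nil {
		return cert, nil
	}
	// Keypair not (yet) loaded into the store: serve the self-signed fallback
	// rather than a nil certificate, which would abort the handshake.
	return w.fallback, nil
}
```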