
Commit 3495480

feat: accept other certificates (#889)
env var P_TRUSTED_CA_CERTS_DIR accepts a directory path where user can keep all the certificates intended to be accepted by the server
1 parent 5487f54 commit 3495480

5 files changed

+39
-2
lines changed


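--- a/server/src/cli.rs
+++ b/server/src/cli.rs
@@ -34,6 +34,9 @@ pub struct Cli {
 /// The location of TLS Private Key file
 pub tls_key_path: Option<PathBuf>,
 
+/// The location of other certificates to accept
+pub trusted_ca_certs_path: Option<PathBuf>,
+
 /// The address on which the http server will listen.
 pub address: String,
 
@@ -122,6 +125,7 @@ impl Cli {
 // identifiers for arguments
 pub const TLS_CERT: &'static str = "tls-cert-path";
 pub const TLS_KEY: &'static str = "tls-key-path";
+pub const TRUSTED_CA_CERTS_PATH: &'static str = "trusted-ca-certs-path";
 pub const ADDRESS: &'static str = "address";
 pub const DOMAIN_URI: &'static str = "origin";
 pub const STAGING: &'static str = "local-staging-path";
@@ -224,6 +228,14 @@ impl Cli {
 .value_parser(validation::file_path)
 .help("Local path on this device where private key file is located. Required to enable TLS"),
 )
+.arg(
+Arg::new(Self::TRUSTED_CA_CERTS_PATH)
+.long(Self::TRUSTED_CA_CERTS_PATH)
+.env("P_TRUSTED_CA_CERTS_DIR")
+.value_name("DIR")
+.value_parser(validation::canonicalize_path)
+.help("Local path on this device where all trusted certificates are located.")
+)
 .arg(
 Arg::new(Self::ADDRESS)
 .long(Self::ADDRESS)
@@ -509,6 +521,7 @@ impl FromArgMatches for Cli {
 self.query_cache_path = m.get_one::<PathBuf>(Self::QUERY_CACHE).cloned();
 self.tls_cert_path = m.get_one::<PathBuf>(Self::TLS_CERT).cloned();
 self.tls_key_path = m.get_one::<PathBuf>(Self::TLS_KEY).cloned();
+self.trusted_ca_certs_path = m.get_one::<PathBuf>(Self::TRUSTED_CA_CERTS_PATH).cloned();
 self.domain_address = m.get_one::<Url>(Self::DOMAIN_URI).cloned();
 
 self.address = m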
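Review bot: The doc comment on the new `trusted_ca_certs_path` field (new line 37) and the `.help(...)` text (new line 237) call the directory's contents certificates "to accept" / "trusted", but neither says the files must be PEM nor how the server uses them, and the only consumer in this commit (`get_ssl_acceptor` in ssl_acceptor.rs) merges them into the certificate list read from `tls-cert-path` and silently does nothing when the path is not a directory. Suggest `/// Directory of additional PEM certificates merged with the TLS certificate; ignored unless tls-cert-path and tls-key-path are also set` for the field and the same wording in the help string. Also note the argument uses `validation::canonicalize_path` while the sibling TLS arguments use `validation::file_path`; if `canonicalize_path` does not check for a directory (its body is not on this page), a mistyped file path is accepted here and skipped later without any message.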

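--- a/server/src/handlers/http/modal/ingest_server.rs
+++ b/server/src/handlers/http/modal/ingest_server.rs
@@ -83,6 +83,7 @@ impl ParseableServer for IngestServer {
 let ssl = get_ssl_acceptor(
 &CONFIG.parseable.tls_cert_path,
 &CONFIG.parseable.tls_key_path,
+&CONFIG.parseable.trusted_ca_certs_path,
 )?;
 
 // fn that creates the app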

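--- a/server/src/handlers/http/modal/query_server.rs
+++ b/server/src/handlers/http/modal/query_server.rs
@@ -65,6 +65,7 @@ impl ParseableServer for QueryServer {
 let ssl = get_ssl_acceptor(
 &CONFIG.parseable.tls_cert_path,
 &CONFIG.parseable.tls_key_path,
+&CONFIG.parseable.trusted_ca_certs_path,
 )?;
 
 let create_app_fn = move || {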

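--- a/server/src/handlers/http/modal/server.rs
+++ b/server/src/handlers/http/modal/server.rs
@@ -96,6 +96,7 @@ impl ParseableServer for Server {
 let ssl = get_ssl_acceptor(
 &CONFIG.parseable.tls_cert_path,
 &CONFIG.parseable.tls_key_path,
+&CONFIG.parseable.trusted_ca_certs_path,
 )?;
 
 // Create a channel to trigger server shutdown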

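--- a/server/src/handlers/http/modal/ssl_acceptor.rs
+++ b/server/src/handlers/http/modal/ssl_acceptor.rs
@@ -16,21 +16,42 @@
 *
 */
 
-use std::{fs::File, io::BufReader, path::PathBuf};
+use std::{
+fs::{self, File},
+io::BufReader,
+path::PathBuf,
+};
 
 use rustls::ServerConfig;
 
 pub fn get_ssl_acceptor(
 tls_cert: &Option<PathBuf>,
 tls_key: &Option<PathBuf>,
+other_certs: &Option<PathBuf>,
 ) -> anyhow::Result<Option<ServerConfig>> {
 match (tls_cert, tls_key) {
 (Some(cert), Some(key)) => {
 let server_config = ServerConfig::builder().with_no_client_auth();
 
 let cert_file = &mut BufReader::new(File::open(cert)?);
 let key_file = &mut BufReader::new(File::open(key)?);
-let certs = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>()?;
+
+let mut certs = rustls_pemfile::certs(cert_file).collect::<Result<Vec<_>, _>>()?;
+// Load CA certificates from the directory
+if let Some(other_cert_dir) = other_certs {
+if other_cert_dir.is_dir() {
+for entry in fs::read_dir(other_cert_dir)? {
+let path = entry.unwrap().path();
+
+if path.is_file() {
+let other_cert_file = &mut BufReader::new(File::open(&path)?);
+let mut other_certs = rustls_pemfile::certs(other_cert_file)
+.collect::<Result<Vec<_>, _>>()?;
+certs.append(&mut other_certs);
+}
+}
+}
+}
 let private_key = rustls_pemfile::private_key(key_file)?
 .ok_or(anyhow::anyhow!("Could not parse private key."))?;
 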
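Review bot: `entry.unwrap()` at new line 44 panics the whole server if a single `read_dir` entry fails (a permission problem mid-listing, a file removed during startup); every other I/O step in this function propagates through the `anyhow::Result`, so it should be `let path = entry?.path();`. More importantly, the directory's certificates are appended to the same `certs` vector as the server's own certificate while `with_no_client_auth()` at new line 34 is unchanged and no `RootCertStore` is built, so — assuming `certs` is later handed to rustls as the server chain (the rest of `get_ssl_acceptor` lies outside the hunk) — these files are presented to connecting clients rather than used as trust anchors for accepting anything, which is not what the commit title and the `P_TRUSTED_CA_CERTS_DIR` name suggest; either wire a client-certificate verifier or replace the `// Load CA certificates from the directory` comment with one stating that the directory only extends the presented certificate chain. Since `fs::read_dir` yields entries in no defined order and every regular file is parsed regardless of extension, the resulting chain order is unpredictable and a non-PEM file in the directory contributes nothing or fails parsing without any log line; a `// NOTE: order of files is filesystem-dependent; only PEM is parsed` on the loop would at least make that explicit. Finally, the loop-local `let mut other_certs` at new line 48 shadows the `other_certs` parameter; `let mut dir_certs` reads better.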
