From c65e3d175174e01ed4207e88cedaad5642a74510 Mon Sep 17 00:00:00 2001
From: Antoine Grondin
Date: Tue, 15 Sep 2020 21:39:03 +0900
Subject: [PATCH] pass config.Option to every func

---
 v2/spiffetls/tlsconfig/config.go | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/v2/spiffetls/tlsconfig/config.go b/v2/spiffetls/tlsconfig/config.go
index 31afb8f6..f9194b39 100644
--- a/v2/spiffetls/tlsconfig/config.go
+++ b/v2/spiffetls/tlsconfig/config.go
@@ -10,9 +10,9 @@ import (
 
 // TLSClientConfig returns a TLS configuration which verifies and authorizes
 // the server X509-SVID.
-func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookTLSClientConfig(config, bundle, authorizer)
+	HookTLSClientConfig(config, bundle, authorizer, opts...)
 	return config
 }
 
@@ -20,10 +20,10 @@ func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer) *tls.Confi
 // the server X509-SVID. If there is an existing callback set for
 // VerifyPeerCertificate it will be wrapped by by this package and invoked
 // after SPIFFE authentication has completed.
-func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer) {
+func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // A Option changes the defaults used to by mTLS ClientConfig functions.
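Review bot: The new `opts ...Option` parameter on TLSClientConfig is not described in its doc comment, and the same omission recurs on HookTLSClientConfig in the next hunk and on the server-side functions in the hunks starting `@@ -124` and `@@ -141`. Since the visible bodies only pass the options on to WrapVerifyPeerCertificate, a sentence such as `// Any opts are forwarded to the VerifyPeerCertificate callback.` on each function would tell callers what the options reach. The Option type's own comment, visible as the last context line of the second hunk, still says it changes defaults for the `mTLS ClientConfig functions`, which is no longer accurate now that the plain TLS client and the server-side functions accept it; `// An Option changes the defaults used by the TLS and mTLS config functions in this package.` would fit. The context comment `wrapped by by this package` (repeated in the hunk at `@@ -141`) has a doubled word that could be fixed in passing.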
@@ -71,7 +71,7 @@ func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509b
 	resetAuthFields(config)
 	config.GetClientCertificate = GetClientCertificate(svid, opts...)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID
@@ -124,15 +124,15 @@ func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509b
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
 	config.GetCertificate = GetCertificate(svid, opts...)
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebServerConfig returns a TLS configuration which presents a web
 // server certificate to the client and requires, verifies, and authorizes
 // client X509-SVIDs.
-func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSWebServerConfig(config, cert, bundle, authorizer)
+	HookMTLSWebServerConfig(config, cert, bundle, authorizer, opts...)
 	return config
 }
 
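Review bot: In HookMTLSClientConfig the same opts slice is now consumed twice, by GetClientCertificate when choosing the SVID to present and by WrapVerifyPeerCertificate when checking the peer; HookMTLSServerConfig in the next hunk does the same with GetCertificate. Option is documented only as changing defaults for the config functions, and nothing in this patch shows which options act on which of the two paths, so a caller cannot tell from the API whether an option chosen for certificate selection also alters how peers are verified. Stating that on the Option type or on each option constructor, e.g. `// Applies to SVID selection only; ignored by the peer-verification callback.`, would make the boundary explicit and keep verification behaviour from changing unnoticed. Both enclosing functions begin outside their hunks, so the Option definition itself is not visible here.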
@@ -141,11 +141,11 @@ func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, author
 // X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate
 // it will be wrapped by by this package and invoked after SPIFFE
 // authentication has completed.
-func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) {
+func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
 	config.Certificates = []tls.Certificate{*cert}
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // GetCertificate returns a GetCertificate callback for tls.Config. It uses the
@@ -170,7 +170,7 @@ func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.Certif
 // VerifyPeerCertificate returns a VerifyPeerCertificate callback for
 // tls.Config. It uses the given bundle source and authorizer to verify and
 // authorize X509-SVIDs provided by peers during the TLS handshake.
-func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {
 		id, certs, err := x509svid.ParseAndVerify(raw, bundle)
 		if err != nil {
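Review bot: VerifyPeerCertificate now accepts opts, but nothing in the visible part of the function reads it: the returned callback still calls `x509svid.ParseAndVerify(raw, bundle)` with only the bundle, so unless the rest of the body (which continues outside this hunk) applies the options, everything forwarded here by the other hunks, including the options from HookMTLSWebServerConfig at the start of this line, is silently dropped. If the options are meant to influence parsing or authorization they need to be applied before or alongside the ParseAndVerify call; if they are reserved for later use, a line such as `// opts is accepted for API symmetry and is not yet consulted during verification.` would stop readers from assuming an effect that does not exist. go vet does not report an unused function parameter, so this is easy to miss in review.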
@@ -185,9 +185,9 @@ func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func
 // SPIFFE authentication against the peer certificates using the given bundle and
 // authorizer. The wrapped callback will be passed the verified chains.
 // Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.
-func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	if wrapped == nil {
-		return VerifyPeerCertificate(bundle, authorizer)
+		return VerifyPeerCertificate(bundle, authorizer, opts...)
 	}
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {