From 77d6880036a7fa665171e6cbe11918737875a434 Mon Sep 17 00:00:00 2001
From: Sander Ginn
Date: Mon, 17 Feb 2020 18:13:03 +0100
Subject: [PATCH] Adds option to provide a CA root certificate for x509 validation
---
 keycloak/keycloak_client.go | 14 +++++++++++++-
 keycloak/keycloak_client_test.go | 2 +-
 provider/provider.go | 9 ++++++++-
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/keycloak/keycloak_client.go b/keycloak/keycloak_client.go
index 9a5bd3d75..a1013c2cb 100644
--- a/keycloak/keycloak_client.go
+++ b/keycloak/keycloak_client.go
@@ -2,6 +2,8 @@ package keycloak
 import (
 "bytes"
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "fmt"
 "golang.org/x/net/publicsuffix"
@@ -40,7 +42,7 @@ const (
 tokenUrl = "%s/auth/realms/%s/protocol/openid-connect/token"
 )
-func NewKeycloakClient(baseUrl, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int) (*KeycloakClient, error) {
+func NewKeycloakClient(baseUrl, clientId, clientSecret, realm, username, password string, initialLogin bool, clientTimeout int, caCert string) (*KeycloakClient, error) {
 cookieJar, err := cookiejar.New(&cookiejar.Options{
 PublicSuffixList: publicsuffix.List,
 })
@@ -53,6 +55,16 @@ func NewKeycloakClient(baseUrl, clientId, clientSecret, realm, username, passwor
 Timeout: time.Second * time.Duration(clientTimeout),
 Jar: cookieJar,
 }
+
+ if caCert != "" {
+ caCertPool := x509.NewCertPool()
+ caCertPool.AppendCertsFromPEM([]byte(caCert))
+ httpClient.Transport = &http.Transport{
+ TLSClientConfig: &tls.Config{
+ RootCAs: caCertPool,
+ },
+ }
+ }
 clientCredentials := &ClientCredentials{
 ClientId: clientId,
 ClientSecret: clientSecret,
diff --git a/keycloak/keycloak_client_test.go b/keycloak/keycloak_client_test.go
index 347f498a3..f640f49ed 100644
--- a/keycloak/keycloak_client_test.go
+++ b/keycloak/keycloak_client_test.go
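Review bot: The boolean returned by `caCertPool.AppendCertsFromPEM([]byte(caCert))` in the third hunk is discarded, so a malformed or non-PEM value silently leaves the pool empty and every later request fails with an opaque x509 "unknown authority" error instead of a clear configuration error at construction time. The bare `&http.Transport{...}` that replaces `httpClient.Transport` also drops everything `http.DefaultTransport` configures (proxy from the environment, dial and TLS-handshake timeouts, idle-connection limits), so behaviour diverges between the CA-configured and default cases; cloning the default transport and setting only `TLSClientConfig` keeps them aligned. Since `RootCAs` replaces rather than extends the system trust store, a short comment stating that would spare the next reader a surprise. NewKeycloakClient continues outside the hunk.
```go
	if caCert != "" {
		caCertPool := x509.NewCertPool()
		// RootCAs replaces the system trust store: only this pool is trusted.
		if !caCertPool.AppendCertsFromPEM([]byte(caCert)) {
			return nil, fmt.Errorf("parsing root CA certificate: no PEM certificates found")
		}
		transport := http.DefaultTransport.(*http.Transport).Clone()
		transport.TLSClientConfig = &tls.Config{RootCAs: caCertPool}
		httpClient.Transport = transport
	}
	// … unchanged: clientCredentials construction …
```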
@@ -51,7 +51,7 @@ func TestAccKeycloakApiClientRefresh(t *testing.T) {
 t.Fatal("KEYCLOAK_CLIENT_TIMEOUT must be an integer")
 }
- keycloakClient, err := NewKeycloakClient(os.Getenv("KEYCLOAK_URL"), os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout)
+ keycloakClient, err := NewKeycloakClient(os.Getenv("KEYCLOAK_URL"), os.Getenv("KEYCLOAK_CLIENT_ID"), os.Getenv("KEYCLOAK_CLIENT_SECRET"), os.Getenv("KEYCLOAK_REALM"), os.Getenv("KEYCLOAK_USER"), os.Getenv("KEYCLOAK_PASSWORD"), true, clientTimeout, "")
 if err != nil {
 t.Fatalf("%s", err)
 }
diff --git a/provider/provider.go b/provider/provider.go
index d46efe8cf..6857e0f6b 100644
--- a/provider/provider.go
+++ b/provider/provider.go
@@ -106,6 +106,12 @@ func KeycloakProvider() *schema.Provider {
 Description: "Timeout (in seconds) of the Keycloak client",
 DefaultFunc: schema.EnvDefaultFunc("KEYCLOAK_CLIENT_TIMEOUT", 5),
 },
+ "root_ca_certificate": {
+ Optional: true,
+ Type: schema.TypeString,
+ Description: "Allows x509 calls using an unknown CA certificate (for development purposes)",
+ Default: "",
+ },
 },
 ConfigureFunc: configureKeycloakProvider,
 }
@@ -120,6 +126,7 @@ func configureKeycloakProvider(data *schema.ResourceData) (interface{}, error) {
 realm := data.Get("realm").(string)
 initialLogin := data.Get("initial_login").(bool)
 clientTimeout := data.Get("client_timeout").(int)
+ rootCaCertificate := data.Get("root_ca_certificate").(string)
- return keycloak.NewKeycloakClient(url, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout)
+ return keycloak.NewKeycloakClient(url, clientId, clientSecret, realm, username, password, initialLogin, clientTimeout, rootCaCertificate)
 }
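Review bot: The `Description` of `root_ca_certificate` in the provider.go schema hunk is misleading: with the client-side change the supplied certificate becomes the trust root used for TLS verification in place of the system store, it does not disable verification, so the option is the correct tool for a Keycloak server behind a private CA rather than a development-only shortcut. A clearer wording is `Description: "PEM-encoded root CA certificate used in place of the system trust store when verifying the Keycloak server's TLS certificate"`. The sibling fields take their default from the environment via `DefaultFunc: schema.EnvDefaultFunc(...)`, whereas this one hard-codes `Default: ""`; following the same pattern (an environment variable such as `KEYCLOAK_ROOT_CA_CERTIFICATE`, name constructed) would keep provider configuration consistent. The enclosing KeycloakProvider function starts before the hunk.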