Add support for Redis with custom CA.

2025-01-04 03:49:06 +02:00 · 2019-11-07 11:04:40 +01:00 · 2019-11-07 11:04:40 +01:00 · 3f7ed36e46
commit 3f7ed36e46
parent fef940da9a
3 changed files with 29 additions and 0 deletions
--- a/main.go
+++ b/main.go
@ -91,6 +91,8 @@ func main() {
 	flagSet.String("redis-connection-url", "", "URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
 	flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
 	flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjunction with --redis-use-sentinel")
+	flagSet.String("redis-ca-path", "", "Redis custom CA path")
+	flagSet.Bool("redis-insecure-tls", false, "Use insecure TLS connection to redis")
 	flagSet.Var(&redisSentinelConnectionURLs, "redis-sentinel-connection-urls", "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")

 	flagSet.String("logging-filename", "", "File to log requests to, empty for stdout")
--- a/pkg/apis/options/sessions.go
+++ b/pkg/apis/options/sessions.go
@ -27,4 +27,6 @@ type RedisStoreOptions struct {
 	UseSentinel            bool     `flag:"redis-use-sentinel" cfg:"redis_use_sentinel" env:"OAUTH2_PROXY_REDIS_USE_SENTINEL"`
 	SentinelMasterName     string   `flag:"redis-sentinel-master-name" cfg:"redis_sentinel_master_name" env:"OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME"`
 	SentinelConnectionURLs []string `flag:"redis-sentinel-connection-urls" cfg:"redis_sentinel_connection_urls" env:"OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS"`
+	RedisCAPath            string   `flag:"redis-ca-path" cfg:"redis_ca_path" env:"OAUTH2_PROXY_REDIS_CA_PATH"`
+	RedisInsecureTLS       bool     `flag:"redis-insecure-tls" cfg:"redis_insecure_tls" env:"OAUTH2_PROXY_REDIS_INSECURE_TLS"`
 }
--- a/pkg/sessions/redis/redis_store.go
+++ b/pkg/sessions/redis/redis_store.go
@ -4,10 +4,13 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@ -64,6 +67,28 @@ func newRedisClient(opts options.RedisStoreOptions) (*redis.Client, error) {
 		return nil, fmt.Errorf("unable to parse redis url: %s", err)
 	}

+	if opts.RedisInsecureTLS != false {
+		opt.TLSConfig.InsecureSkipVerify = true
+	}
+
+	if opts.RedisCAPath != "" {
+		rootCAs, _ := x509.SystemCertPool()
+		if rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+		certs, err := ioutil.ReadFile(opts.RedisCAPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to load %q, %v", opts.RedisCAPath, err)
+		}
+
+		// Append our cert to the system pool
+		if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
+			logger.Printf("no certs appended, using system certs only")
+		}
+
+		opt.TLSConfig.RootCAs = rootCAs
+	}
+
 	client := redis.NewClient(opt)
 	return client, nil
 }