Fix #635: Support specifying alternative provider TLS trust source(s) (#645)

* Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2025-08-10 22:51:31 +02:00 · 2020-07-03 16:09:17 +01:00
parent 390d479d28
commit b0375e85fa
7 changed files with 163 additions and 18 deletions
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -21,21 +21,34 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/pkg/ip"
 	"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"
 	"github.com/oauth2-proxy/oauth2-proxy/pkg/requests"
+	"github.com/oauth2-proxy/oauth2-proxy/pkg/util"
 	"github.com/oauth2-proxy/oauth2-proxy/providers"
 )

 // Validate checks that required options are set and validates those that they
 // are of the correct format
 func Validate(o *options.Options) error {
+	msgs := make([]string, 0)
 	if o.SSLInsecureSkipVerify {
-		// TODO: Accept a certificate bundle.
 		insecureTransport := &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
 		http.DefaultClient = &http.Client{Transport: insecureTransport}
+	} else if len(o.ProviderCAFiles) > 0 {
+		pool, err := util.GetCertPool(o.ProviderCAFiles)
+		if err == nil {
+			transport := &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs: pool,
+				},
+			}
+
+			http.DefaultClient = &http.Client{Transport: transport}
+		} else {
+			msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
+		}
 	}

-	msgs := make([]string, 0)
 	if o.Cookie.Secret == "" {
 		msgs = append(msgs, "missing setting: cookie-secret")
 	} else {