feat(auth-callout): Add support for custom certificates for HTTS requ…

…ests Signed-off-by: Rodney Osodo <[email protected]>
absmach · Feb 28, 2025 · 0afc8d2 · 0afc8d2
1 parent 0b784cd
commit 0afc8d2
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 3 deletions.
diff --git a/auth/README.md b/auth/README.md
@@ -97,6 +97,9 @@ The service is configured using the environment variables presented in the follo
 | SMQ_AUTH_CALLOUT_METHOD           | Callout method                                                          | POST                           |
 | SMQ_AUTH_CALLOUT_TLS_VERIFICATION | Enable TLS verification for callouts                                    | true                           |
 | SMQ_AUTH_CALLOUT_TIMEOUT          | Callout timeout                                                         | 10s                            |
+| SMQ_AUTH_CALLOUT_CA_CERT          | Path to CA certificate file                                             | ""                             |
+| SMQ_AUTH_CALLOUT_CERT             | Path to client certificate file                                         | ""                             |
+| SMQ_AUTH_CALLOUT_KEY              | Path to client key file                                                 | ""                             |
 
 ## Deployment
 

diff --git a/cmd/auth/main.go b/cmd/auth/main.go
@@ -6,6 +6,8 @@ package main
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
 	"log"
 	"log/slog"
@@ -83,6 +85,9 @@ type config struct {
 	AuthCalloutMethod          string        `env:"SMQ_AUTH_CALLOUT_METHOD"           envDefault:"POST"`
 	AuthCalloutTLSVerification bool          `env:"SMQ_AUTH_CALLOUT_TLS_VERIFICATION" envDefault:"true"`
 	AuthCalloutTimeout         time.Duration `env:"SMQ_AUTH_CALLOUT_TIMEOUT"          envDefault:"10s"`
+	AuthCalloutCACert          string        `env:"SMQ_AUTH_CALLOUT_CA_CERT"          envDefault:""`
+	AuthCalloutCert            string        `env:"SMQ_AUTH_CALLOUT_CERT"             envDefault:""`
+	AuthCalloutKey             string        `env:"SMQ_AUTH_CALLOUT_KEY"              envDefault:""`
 }
 
 func main() {
@@ -251,11 +256,32 @@ func newService(db *sqlx.DB, tracer trace.Tracer, cfg config, dbConfig pgclient.
 
 	t := jwt.New([]byte(cfg.SecretKey))
 
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: !cfg.AuthCalloutTLSVerification,
+	}
+	if cfg.AuthCalloutCert != "" || cfg.AuthCalloutKey != "" {
+		clientTLSCert, err := tls.LoadX509KeyPair(cfg.AuthCalloutCert, cfg.AuthCalloutKey)
+		if err != nil {
+			return nil, err
+		}
+		certPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		caCert, err := os.ReadFile(cfg.AuthCalloutCACert)
+		if err != nil {
+			return nil, err
+		}
+		if !certPool.AppendCertsFromPEM(caCert) {
+			return nil, errors.New("failed to append CA certificate")
+		}
+		tlsConfig.RootCAs = certPool
+		tlsConfig.Certificates = []tls.Certificate{clientTLSCert}
+	}
+
 	httpClient := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: !cfg.AuthCalloutTLSVerification,
-			},
+			TLSClientConfig: tlsConfig,
 		},
 		Timeout: cfg.AuthCalloutTimeout,
 	}

diff --git a/docker/.env b/docker/.env
@@ -105,6 +105,9 @@ SMQ_AUTH_CALLOUT_URLS=""
 SMQ_AUTH_CALLOUT_METHOD="POST"
 SMQ_AUTH_CALLOUT_TLS_VERIFICATION="false"
 SMQ_AUTH_CALLOUT_TIMEOUT="10s"
+SMQ_AUTH_CALLOUT_CA_CERT=""
+SMQ_AUTH_CALLOUT_CERT=""
+SMQ_AUTH_CALLOUT_KEY=""
 
 #### Auth Client Config
 SMQ_AUTH_URL=auth:9001

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -146,6 +146,9 @@ services:
       SMQ_AUTH_CALLOUT_METHOD: ${SMQ_AUTH_CALLOUT_METHOD}
       SMQ_AUTH_CALLOUT_TLS_VERIFICATION: ${SMQ_AUTH_CALLOUT_TLS_VERIFICATION}
       SMQ_AUTH_CALLOUT_TIMEOUT: ${SMQ_AUTH_CALLOUT_TIMEOUT}
+      SMQ_AUTH_CALLOUT_CA_CERT: ${SMQ_AUTH_CALLOUT_CA_CERT}
+      SMQ_AUTH_CALLOUT_CERT: ${SMQ_AUTH_CALLOUT_CERT}
+      SMQ_AUTH_CALLOUT_KEY: ${SMQ_AUTH_CALLOUT_KEY}
     ports:
       - ${SMQ_AUTH_HTTP_PORT}:${SMQ_AUTH_HTTP_PORT}
       - ${SMQ_AUTH_GRPC_PORT}:${SMQ_AUTH_GRPC_PORT}
@@ -175,6 +178,22 @@ services:
         target: /auth-grpc-client-ca${SMQ_AUTH_GRPC_CLIENT_CA_CERTS:+.crt}
         bind:
           create_host_path: true
+      # Auth Callout Client Certificates
+      - type: bind
+        source: ${SMQ_AUTH_CALLOUT_CLIENT_CERT:-ssl/certs/dummy/client_cert}
+        target: /auth-callout-client${SMQ_AUTH_CALLOUT_CLIENT_CERT:+.crt}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_AUTH_CALLOUT_CLIENT_KEY:-ssl/certs/dummy/client_key}
+        target: /auth-callout-client${SMQ_AUTH_CALLOUT_CLIENT_KEY:+.key}
+        bind:
+          create_host_path: true
+      - type: bind
+        source: ${SMQ_AUTH_CALLOUT_CLIENT_CA_CERTS:-ssl/certs/dummy/client_ca_certs}
+        target: /auth-callout-client-ca${SMQ_AUTH_CALLOUT_CLIENT_CA_CERTS:+.crt}
+        bind:
+          create_host_path: true
 
   domains-db:
     image: postgres:16.2-alpine