Added support for http client configuration via command arguments

2025-05-11 02:28:22 +00:00 · 2024-11-29 10:16:33 +01:00 · 2024-11-29 10:16:33 +01:00 · d5e2df49db
commit d5e2df49db
parent d9703ff6fd
4 changed files with 62 additions and 2 deletions
--- a/cmd/root.go
+++ b/cmd/root.go
@ -60,6 +60,10 @@ func init() {
 	rootCmd.PersistentFlags().Uint("mfaRetrys", 3, "How often to retry TOTP Auth, only used in nointeractive modes")
 	rootCmd.PersistentFlags().Duration("mfaDelay", time.Second*10, "Delay between MFA Attempts, only used in noninteractive modes")

+	rootCmd.PersistentFlags().Bool("tlsSkipVerify", false, "Allow servers with self-signed certificates")
+	rootCmd.PersistentFlags().String("tlsClientPrivateKey", "", "Client private key for mtls")
+	rootCmd.PersistentFlags().String("tlsClientCert", "", "Client certificate for mtls")
+
 	viper.BindPFlag("debug", rootCmd.PersistentFlags().Lookup("debug"))
 	viper.BindPFlag("timeout", rootCmd.PersistentFlags().Lookup("timeout"))
 	viper.BindPFlag("serverAddress", rootCmd.PersistentFlags().Lookup("serverAddress"))
@ -72,6 +76,10 @@ func init() {
 	viper.BindPFlag("mfaTotpOffset", rootCmd.PersistentFlags().Lookup("mfaTotpOffset"))
 	viper.BindPFlag("mfaRetrys", rootCmd.PersistentFlags().Lookup("mfaRetrys"))
 	viper.BindPFlag("mfaDelay", rootCmd.PersistentFlags().Lookup("mfaDelay"))
+
+	viper.BindPFlag("tlsSkipVerify", rootCmd.PersistentFlags().Lookup("tlsSkipVerify"))
+	viper.BindPFlag("tlsClientCert", rootCmd.PersistentFlags().Lookup("tlsClientCert"))
+	viper.BindPFlag("tlsClientPrivateKey", rootCmd.PersistentFlags().Lookup("tlsClientPrivateKey"))
 }

 // initConfig reads in config file and ENV variables if set.
--- a/cmd/verify.go
+++ b/cmd/verify.go
@ -41,7 +41,11 @@ var verifyCMD = &cobra.Command{
 			fmt.Println()
 		}

-		client, err := api.NewClient(nil, "", serverAddress, userPrivateKey, userPassword)
+		httpClient, err := util.GetHttpClient()
+		if err != nil {
+			return err
+		}
+		client, err := api.NewClient(httpClient, "", serverAddress, userPrivateKey, userPassword)
 		if err != nil {
 			return fmt.Errorf("Creating Client: %w", err)
 		}
--- a/util/client.go
+++ b/util/client.go
@ -65,7 +65,11 @@ func GetClient(ctx context.Context) (*api.Client, error) {
 		fmt.Println()
 	}

-	client, err := api.NewClient(nil, "", serverAddress, userPrivateKey, userPassword)
+	httpClient, err := GetHttpClient()
+	if err != nil {
+		return nil, err
+	}
+	client, err := api.NewClient(httpClient, "", serverAddress, userPrivateKey, userPassword)
 	if err != nil {
 		return nil, fmt.Errorf("Creating Client: %w", err)
 	}
--- a/util/http.go
+++ b/util/http.go
@ -0,0 +1,44 @@
+package util
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/http"
+
+	"github.com/spf13/viper"
+)
+
+func GetClientCertificate() (tls.Certificate, error) {
+	cert := viper.GetString("tlsClientCert")
+	certExists := cert != ""
+	key := viper.GetString("tlsClientPrivateKey")
+	keyExists := key != ""
+	if !certExists && !keyExists {
+		return tls.Certificate{}, nil
+	}
+	if certExists && !keyExists {
+		return tls.Certificate{}, fmt.Errorf("Client TLS private key is empty, but client TLS cert was sent.")
+	}
+	if !certExists && keyExists {
+		return tls.Certificate{}, fmt.Errorf("Client TLS cert is empty, but client TLS private key was sent.")
+	}
+	return tls.LoadX509KeyPair("client.cert", "client-key.pem")
+}
+
+func GetHttpClient() (*http.Client, error) {
+	tlsSkipVerify := viper.GetBool("tlsSkipVerify")
+	cert, err := GetClientCertificate()
+	if err != nil {
+		return nil, err
+	}
+	httpClient := http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				Certificates:       []tls.Certificate{cert},
+				InsecureSkipVerify: tlsSkipVerify,
+			},
+		},
+	}
+
+	return &httpClient, nil
+}