Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add client cert support #70

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

britcey
Copy link

@britcey britcey commented Sep 22, 2020

Signed-off-by: Ben Ritcey [email protected]

This adds the ability to specify client certificates to use when talking to Jira - depending on the config, that may be sufficient to identify the account creating the Jira issues.

I left user/password as required - in the case where the client cert is used for authentication, they'll often just be ignored (depends on server config).

  • I didn't see a clean way to unset user_cert/user_key in the individual receivers if set in the default, so I made the value of 'none' magical. I'm open to any better suggestions.

  • what's the correct way to set insecure_skip_verify boolean based on the default? As-is, you'd have to specify it per receiver.

Signed-off-by: Ben Ritcey <[email protected]>
@britcey
Copy link
Author

britcey commented Sep 22, 2020

Looks like it's the use of the deprecated client.Authentication.SetBasicAuth that's causing tests to fail:

cmd/jiralert/main.go:118:4: SA1019: client.Authentication.SetBasicAuth is deprecated: Use BasicAuthTransport instead (staticcheck)

but AFAICT you can't use BasicAuthTransport with TLSConfig, etc.

I will, however, confirm that with the go-jira project.

Copy link
Member

@bwplotka bwplotka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, some comments only (:

cmd/jiralert/main.go Outdated Show resolved Hide resolved
cmd/jiralert/main.go Outdated Show resolved Hide resolved
cmd/jiralert/main.go Outdated Show resolved Hide resolved
cmd/jiralert/main.go Outdated Show resolved Hide resolved
cmd/jiralert/main.go Outdated Show resolved Hide resolved
examples/jiralert.yml Outdated Show resolved Hide resolved
# optional client cert
# cert_file: /path/to/cert.crt
# key_file: /path/to/cert.key
# insecure_skip_verify: false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be default, so let's remove it

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to indicate that insecure_skip_verify is an option in the config, e.g.,

# insecure_skip_verify: true

?

pkg/config/config.go Outdated Show resolved Hide resolved
pkg/config/config.go Outdated Show resolved Hide resolved
// want to be able to override CAFile/KeyFile/CertFile in each receiver
// while still having a default value - use "none" to indicate no value
// set
if rc.CAFile == "none" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

none? hmmm, don't get this, why we need this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is what I was referring to in the first bullet point of the PR comment -

if you set a CAFile (or KeyFile/CertFile) in the defaults but didn't want it set in one of the specific receivers, you can't just set it to blank in the receiver config - the current config logic is that "if it's blank in the receiver config, use the default".

So I went with a "magic" value of "none" - I don't love that sort of magic, but I'm not sure what else to do short of totally rewriting the config logic. AFAICT, you can't set 'nil' in YAML - setting it to 'null' or '~' just results in an empty string.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect the following to work:

Marshal the default config
Then marshal the receiver config into the initialized default struct - all fields that are missing in the receiver's YAML will not override the defaults. All fields that are present in the receiver's config will override the default config.

Example receiver uses the defaults:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = file
		APIURL = url2

Example receiver overrides the defaults:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  cert_file: file2
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = file2
		APIURL = url2

Example receiver overrides the defaults and doesn't use cert:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  cert_file: ""
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = ""
		APIURL = url2

In other words, when the field doesn't exist in the receiver config use the default and in all other cases use the field value from the receiver config.

Also, let's add a test for this to make it clear and make sure we don't break this logic in the feature

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(apologies for the big gap in responding - other work got in the way)

This may be my Go inexperience showing, but I believe that won't work as-is, since unmarshaling YAML with missing fields just initializes those fields to the empty string - it doesn't differentiate between "not specified" and "blank".

https://play.golang.org/p/_4ih2Xomnit

However, if I make them string pointers, the pointers will get initialized to nil if not set, which I can use to detect "not specified" vs. "blank". This appears to be one of the cases when using string pointers vs. strings makes sense: https://dhdersch.github.io/golang/2016/01/23/golang-when-to-use-string-pointers.html

Let me know if that sounds like a reasonable approach.

cmd/jiralert/main.go Outdated Show resolved Hide resolved
// want to be able to override CAFile/KeyFile/CertFile in each receiver
// while still having a default value - use "none" to indicate no value
// set
if rc.CAFile == "none" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect the following to work:

Marshal the default config
Then marshal the receiver config into the initialized default struct - all fields that are missing in the receiver's YAML will not override the defaults. All fields that are present in the receiver's config will override the default config.

Example receiver uses the defaults:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = file
		APIURL = url2

Example receiver overrides the defaults:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  cert_file: file2
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = file2
		APIURL = url2

Example receiver overrides the defaults and doesn't use cert:
	defaults:
	  api_url: url
	  cert_file: file
	receivers:
	  cert_file: ""
	  api_url: url2
	
	Receiver Parsed:
	Receiver{
		CAFile = ""
		APIURL = url2

In other words, when the field doesn't exist in the receiver config use the default and in all other cases use the field value from the receiver config.

Also, let's add a test for this to make it clear and make sure we don't break this logic in the feature

@britcey britcey force-pushed the feature/client_certs branch 2 times, most recently from c721010 to 721d928 Compare October 15, 2020 20:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants