Merge pull request #67 from freakhill/master

support for client certificate
2024-09-19 20:46:33 +00:00 · 2015-10-04 20:43:55 -07:00 · 2015-10-04 20:43:55 -07:00 · 57923e98c4
commit 57923e98c4
parent 36dfe5deac 7e11f664d9
1 changed files with 74 additions and 33 deletions
--- a/app/app.go
+++ b/app/app.go
@ -2,6 +2,8 @@ package app

 import (
 	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"errors"
 	"io/ioutil"
@ -46,6 +48,8 @@ type Options struct {
 	EnableTLS        bool                   `hcl:"enable_tls"`
 	TLSCrtFile       string                 `hcl:"tls_crt_file"`
 	TLSKeyFile       string                 `hcl:"tls_key_file"`
+	VerifyClientCert bool                   `hcl:"verify_client_cert"`
+	ClientCAs        []string               `hcl:"client_cas"`
 	TitleFormat      string                 `hcl:"title_format"`
 	EnableReconnect  bool                   `hcl:"enable_reconnect"`
 	ReconnectTime    int                    `hcl:"reconnect_time"`
@ -67,6 +71,8 @@ var DefaultOptions = Options{
 	EnableTLS:        false,
 	TLSCrtFile:       "~/.gotty.crt",
 	TLSKeyFile:       "~/.gotty.key",
+	VerifyClientCert: false,
+	ClientCAs:        []string{},
 	TitleFormat:      "GoTTY - {{ .Command }} ({{ .Hostname }})",
 	EnableReconnect:  false,
 	ReconnectTime:    10,
@ -191,9 +197,44 @@ func (app *App) Run() error {
 		}
 	}

+	serverMaker := func() *http.Server {
+		return &http.Server{
+			Addr:    endpoint,
+			Handler: siteHandler}
+	}
+	if app.options.VerifyClientCert && app.options.EnableTLS {
+		serverMaker = func() *http.Server {
+			clientCaPool := x509.NewCertPool()
+			for _, path := range app.options.ClientCAs {
+				pem, err := ioutil.ReadFile(path)
+				if err != nil {
+					log.Printf("Could not read pem file at: " + path)
+					return nil
+				}
+				if clientCaPool.AppendCertsFromPEM(pem) {
+					log.Printf("Could not parse pem file at: " + path)
+					return nil
+				}
+			}
+			return &http.Server{
+				Addr:    endpoint,
+				Handler: siteHandler,
+				TLSConfig: &tls.Config{
+					ClientAuth:               tls.RequireAndVerifyClientCert,
+					ClientCAs:                clientCaPool,
+					PreferServerCipherSuites: true}}
+		}
+	}
+
+	server := serverMaker()
+	if server == nil {
+		log.Printf("Failed to build server.")
+		return errors.New("Failed to build server.")
+	}
+
 	var err error
 	app.server = manners.NewWithServer(
-		&http.Server{Addr: endpoint, Handler: siteHandler},
+		server,
 	)
 	if app.options.EnableTLS {
 		crtFile := ExpandHomeDir(app.options.TLSCrtFile)