scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 02:57:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Use tls_skip_verify in vault-ssh-helper

Browse Source
This commit is contained in:
vishalnayak
2016-02-23 17:32:49 -05:00
parent bcdf66369c
commit 26cdd93088
1 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
api/ssh_agent.go
View File

@@ -16,14 +16,14 @@ const (
// Default path at which SSH backend will be mounted in Vault server // Default path at which SSH backend will be mounted in Vault server
SSHHelperDefaultMountPoint = "ssh" SSHHelperDefaultMountPoint = "ssh"
// Echo request message sent as OTP by the ssh-helper // Echo request message sent as OTP by the vault-ssh-helper
VerifyEchoRequest = "verify-echo-request" VerifyEchoRequest = "verify-echo-request"
// Echo response message sent as a response to OTP matching echo request // Echo response message sent as a response to OTP matching echo request
VerifyEchoResponse = "verify-echo-response" VerifyEchoResponse = "verify-echo-response"
) )
// SSHHelper is a structure representing a ssh-helper which can talk to vault server // SSHHelper is a structure representing a vault-ssh-helper which can talk to vault server
// in order to verify the OTP entered by the user. It contains the path at which // in order to verify the OTP entered by the user. It contains the path at which
// SSH backend is mounted at the server. // SSH backend is mounted at the server.
type SSHHelper struct { type SSHHelper struct {
@@ -45,20 +45,21 @@ type SSHVerifyResponse struct {
IP string `mapstructure:"ip"` IP string `mapstructure:"ip"`
} }
// SSHHelperConfig is a structure which represents the entries from the ssh-helper's configuration file. // SSHHelperConfig is a structure which represents the entries from the vault-ssh-helper's configuration file.
type SSHHelperConfig struct { type SSHHelperConfig struct {
VaultAddr string `hcl:"vault_addr"` VaultAddr string `hcl:"vault_addr"`
SSHMountPoint string `hcl:"ssh_mount_point"` SSHMountPoint string `hcl:"ssh_mount_point"`
CACert string `hcl:"ca_cert"` CACert string `hcl:"ca_cert"`
CAPath string `hcl:"ca_path"` CAPath string `hcl:"ca_path"`
AllowedCidrList string `hcl:"allowed_cidr_list"` AllowedCidrList string `hcl:"allowed_cidr_list"`
TLSSkipVerify bool `hcl:"tls_skip_verify"`
} }
// TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given // TLSClient returns a HTTP client that uses TLS verification (TLS 1.2) for a given
// certificate pool. // certificate pool.
func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) { func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.CertPool) {
tlsConfig := &tls.Config{ tlsConfig := &tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: c.TLSSkipVerify,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
RootCAs: certPool, RootCAs: certPool,
} }
@@ -69,7 +70,7 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.
} }
// NewClient returns a new client for the configuration. This client will be used by the // NewClient returns a new client for the configuration. This client will be used by the
// ssh-helper to communicate with Vault server and verify the OTP entered by user. // vault-ssh-helper to communicate with Vault server and verify the OTP entered by user.
// If the configuration supplies Vault SSL certificates, then the client will // If the configuration supplies Vault SSL certificates, then the client will
// have TLS configured in its transport. // have TLS configured in its transport.
func (c *SSHHelperConfig) NewClient() (*Client, error) { func (c *SSHHelperConfig) NewClient() (*Client, error) {
@@ -80,7 +81,7 @@ func (c *SSHHelperConfig) NewClient() (*Client, error) {
clientConfig.Address = c.VaultAddr clientConfig.Address = c.VaultAddr
// Check if certificates are provided via config file. // Check if certificates are provided via config file.
if c.CACert != "" || c.CAPath != "" { if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
var certPool *x509.CertPool var certPool *x509.CertPool
var err error var err error
if c.CACert != "" { if c.CACert != "" {