feat(assets): Add support for mutual TLS to allow the assets service to fetch files behind authentication walls (#1034)

2023-03-13 16:58:39 +00:00 · 2023-03-13 16:58:39 +00:00 · 0fe47eee48
commit 0fe47eee48
parent 6e76074fe9
2 changed files with 36 additions and 2 deletions
--- a/backend/internal/assets/cacher/cacher.go
+++ b/backend/internal/assets/cacher/cacher.go
@ -2,9 +2,11 @@ package cacher

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"mime"
 	"net/http"
 	metrics "openreplay/backend/pkg/metrics/assets"
@ -38,14 +40,43 @@ func (c *cacher) CanCache() bool {

 func NewCacher(cfg *config.Config) *cacher {
 	rewriter := assets.NewRewriter(cfg.AssetsOrigin)
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+
+	if cfg.ClientCertFilePath != "" && cfg.ClientKeyFilePath != "" && cfg.CaCertFilePath != "" {
+
+		var cert tls.Certificate
+		var err error
+
+		cert, err = tls.LoadX509KeyPair(cfg.ClientCertFilePath, cfg.ClientKeyFilePath)
+		if err != nil {
+			log.Fatalf("Error creating x509 keypair from the client cert file %s and client key file %s , Error: %s", err, cfg.ClientCertFilePath, cfg.ClientKeyFilePath)
+		}
+
+		caCert, err := ioutil.ReadFile(cfg.CaCertFilePath)
+		if err != nil {
+			log.Fatalf("Error opening cert file %s, Error: %s", cfg.CaCertFilePath, err)
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig = &tls.Config{
+				InsecureSkipVerify: true,
+				Certificates:       []tls.Certificate{cert},
+				RootCAs:            caCertPool,
+			}
+		
+	}
+
 	c := &cacher{
 		timeoutMap: newTimeoutMap(),
 		s3:         storage.NewS3(cfg.AWSRegion, cfg.S3BucketAssets),
 		httpClient: &http.Client{
 			Timeout: time.Duration(6) * time.Second,
 			Transport: &http.Transport{
-				Proxy:           http.ProxyFromEnvironment,
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				Proxy: http.ProxyFromEnvironment,
+				TLSClientConfig: tlsConfig,
 			},
 		},
 		rewriter:       rewriter,
--- a/backend/internal/config/assets/config.go
+++ b/backend/internal/config/assets/config.go
@ -15,6 +15,9 @@ type Config struct {
 	AssetsSizeLimit      int               `env:"ASSETS_SIZE_LIMIT,required"`
 	AssetsRequestHeaders map[string]string `env:"ASSETS_REQUEST_HEADERS"`
 	UseProfiler          bool              `env:"PROFILER_ENABLED,default=false"`
+	ClientKeyFilePath    string            `env:"CLIENT_KEY_FILE_PATH"`
+	CaCertFilePath       string            `env:"CA_CERT_FILE_PATH"`
+	ClientCertFilePath   string            `env:"CLIENT_CERT_FILE_PATH"`
 }

 func New() *Config {