feat: allow using custom trust anchors

desmax74 · Apr 11, 2024 · e1f7b42 · e1f7b42
1 parent 51ba5c3
commit e1f7b42
Show file tree

Hide file tree

Showing 37 changed files with 541 additions and 79 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -113,8 +113,11 @@ guac = { git = "https://github.com/trustification/guac-rs.git", rev="561931b314e
 # walker-common = { path = "../csaf-walker/common" }
 #cpe = { git = "https://github.com/trustification/cpe-rs", rev = "dc2c5661d436410cc9562596ab16a2e771261eb2" }
 csaf = { git = "https://github.com/ctron/csaf-rs", rev = "183326beac525d58962f78be8eca973017702753" } # FIXME: waiting for release #16 #28
-#walker-common = { git = "https://github.com/ctron/csaf-walker", rev = "08884c1b3db9d717fc0365b0df50cd4dd114a5fd" } # FIXME: waiting for release
-#sbom-walker = { git = "https://github.com/ctron/csaf-walker", rev = "08884c1b3db9d717fc0365b0df50cd4dd114a5fd" } # FIXME: waiting for release
+
+walker-common = { git = "https://github.com/ctron/csaf-walker", rev = "38e76054b756325069f02caa8e6d029029a68a75" } # FIXME: waiting for release
+walker-extras = { git = "https://github.com/ctron/csaf-walker", rev = "38e76054b756325069f02caa8e6d029029a68a75" } # FIXME: waiting for release
+csaf-walker = { git = "https://github.com/ctron/csaf-walker", rev = "38e76054b756325069f02caa8e6d029029a68a75" } # FIXME: waiting for release
+sbom-walker = { git = "https://github.com/ctron/csaf-walker", rev = "38e76054b756325069f02caa8e6d029029a68a75" } # FIXME: waiting for release
 
 # also check: spog/ui/Cargo.toml
 # TODO Switch to the official repository once https://github.com/CycloneDX/cyclonedx-rust-cargo/issues/615 is fixed

diff --git a/auth/src/authenticator/mod.rs b/auth/src/authenticator/mod.rs
@@ -150,9 +150,7 @@ async fn create_client(config: AuthenticatorClientConfig) -> anyhow::Result<Auth
         client = client.make_insecure();
     }
 
-    for ca in config.tls_ca_certificates {
-        client = client.add_ca_cert(ca);
-    }
+    client = client.add_ca_certs(config.tls_ca_certificates);
 
     let client = Client::<Discovered>::discover_with_client(
         client.build()?,

diff --git a/auth/src/client/provider/openid.rs b/auth/src/client/provider/openid.rs
@@ -4,10 +4,13 @@ use super::{
 };
 use crate::devmode;
 use anyhow::Context;
+use clap::ArgAction;
 use core::fmt::{self, Debug, Formatter};
+use std::path::PathBuf;
 use std::time::Duration;
 use std::{ops::Deref, sync::Arc};
 use tokio::sync::RwLock;
+use trustification_common::reqwest::ClientFactory;
 use url::Url;
 
 #[derive(Clone, Debug, PartialEq, Eq, clap::Args)]
@@ -49,6 +52,14 @@ pub struct OpenIdTokenProviderConfigArguments {
         default_value = "false"
     )]
     pub tls_insecure: bool,
+    /// Enable additional TLS certificates for communication with the SSO server
+    #[arg(
+        id = "oidc_tls_certificate",
+        long = "oidc-tls-certificate",
+        env = "OIDC_PROVIDER_TLS_CA_CERTIFICATES",
+        action = ArgAction::Append
+    )]
+    pub tls_ca_certificates: Vec<PathBuf>,
 }
 
 impl OpenIdTokenProviderConfigArguments {
@@ -59,6 +70,7 @@ impl OpenIdTokenProviderConfigArguments {
             client_secret: Some(devmode::SSO_CLIENT_SECRET.to_string()),
             refresh_before: Duration::from_secs(30).into(),
             tls_insecure: false,
+            tls_ca_certificates: vec![],
         }
     }
 }
@@ -85,6 +97,7 @@ pub struct OpenIdTokenProviderConfig {
     pub issuer_url: String,
     pub refresh_before: humantime::Duration,
     pub tls_insecure: bool,
+    pub tls_ca_certificates: Vec<PathBuf>,
 }
 
 impl OpenIdTokenProviderConfig {
@@ -95,6 +108,7 @@ impl OpenIdTokenProviderConfig {
             client_secret: devmode::SSO_CLIENT_SECRET.to_string(),
             refresh_before: Duration::from_secs(30).into(),
             tls_insecure: false,
+            tls_ca_certificates: vec![],
         }
     }
 
@@ -120,6 +134,7 @@ impl OpenIdTokenProviderConfig {
                 issuer_url,
                 refresh_before: arguments.refresh_before,
                 tls_insecure: arguments.tls_insecure,
+                tls_ca_certificates: arguments.tls_ca_certificates,
             }),
             _ => None,
         }
@@ -164,15 +179,15 @@ impl OpenIdTokenProvider {
 
     pub async fn with_config(config: OpenIdTokenProviderConfig) -> anyhow::Result<Self> {
         let issuer = Url::parse(&config.issuer_url).context("Parse issuer URL")?;
-        let mut client = reqwest::ClientBuilder::new();
+        let mut client = ClientFactory::new();
 
         if config.tls_insecure {
             log::warn!("Using insecure TLS when contacting the OIDC issuer");
-            client = client
-                .danger_accept_invalid_certs(true)
-                .danger_accept_invalid_hostnames(true);
+            client = client.make_insecure();
         }
 
+        client = client.add_ca_certs(config.tls_ca_certificates);
+
         let client =
             openid::Client::discover_with_client(client.build()?, config.client_id, config.client_secret, None, issuer)
                 .await

diff --git a/auth/src/swagger_ui.rs b/auth/src/swagger_ui.rs
@@ -2,6 +2,7 @@ use crate::devmode::{self, SWAGGER_UI_CLIENT_ID};
 use actix_web::dev::HttpServiceFactory;
 use openid::{Client, Discovered, Provider, StandardClaims};
 use std::sync::Arc;
+use trustification_common::tls::ClientConfig;
 use url::Url;
 use utoipa::openapi::{
     security::{AuthorizationCode, Flow, OAuth2, Scopes, SecurityScheme},
@@ -12,17 +13,36 @@ use utoipa_swagger_ui::{oauth, SwaggerUi};
 #[derive(Clone, Debug, Default, clap::Args)]
 #[command(rename_all_env = "SCREAMING_SNAKE_CASE", next_help_heading = "Swagger UI OIDC")]
 pub struct SwaggerUiOidcConfig {
+    /// Make the TLS client insecure, disabling all validation (DANGER!).
+    #[arg(
+        id = "swagger-ui-tls-insecure",
+        long,
+        env = "SWAGGER_UI_OIDC_TLS_INSECURE",
+        default_value_t = false
+    )]
+    pub tls_insecure: bool,
+
+    /// Additional certificates which will be added as trust anchors.
+    #[arg(
+        id = "swagger-ui-tls-ca-certificates",
+        long,
+        env = "SWAGGER_UI_OIDC_TLS_CA_CERTIFICATES"
+    )]
+    pub ca_certificates: Vec<String>,
+
     /// The issuer URL used by the Swagger UI, disabled if none.
-    #[arg(long, env)]
+    #[arg(long, env = "SWAGGER_UI_OIDC_ISSUER_URL")]
     pub swagger_ui_oidc_issuer_url: Option<String>,
     /// The client ID use by the swagger UI frontend
-    #[arg(long, env, default_value = "frontend")]
+    #[arg(long, env = "SWAGGER_UI_OIDC_CLIENT_ID", default_value = "frontend")]
     pub swagger_ui_oidc_client_id: String,
 }
 
 impl SwaggerUiOidcConfig {
     pub fn devmode() -> Self {
         Self {
+            tls_insecure: false,
+            ca_certificates: vec![],
             swagger_ui_oidc_issuer_url: Some(devmode::issuer_url()),
             swagger_ui_oidc_client_id: SWAGGER_UI_CLIENT_ID.to_string(),
         }
@@ -37,13 +57,27 @@ pub struct SwaggerUiOidc {
 
 impl SwaggerUiOidc {
     pub async fn new(config: SwaggerUiOidcConfig) -> anyhow::Result<Option<Self>> {
-        let issuer_url = match config.swagger_ui_oidc_issuer_url {
+        let SwaggerUiOidcConfig {
+            tls_insecure,
+            ca_certificates,
+            swagger_ui_oidc_issuer_url,
+            swagger_ui_oidc_client_id,
+        } = config;
+
+        let client = ClientConfig {
+            tls_insecure,
+            ca_certificates,
+        }
+        .build_client()?;
+
+        let issuer_url = match swagger_ui_oidc_issuer_url {
             None => return Ok(None),
             Some(issuer_url) => issuer_url,
         };
 
-        let client: Client<Discovered, StandardClaims> = openid::Client::discover(
-            config.swagger_ui_oidc_client_id.clone(),
+        let client: Client<Discovered, StandardClaims> = Client::discover_with_client(
+            client,
+            swagger_ui_oidc_client_id.clone(),
             None,
             None,
             Url::parse(&issuer_url)?,

diff --git a/bombastic/walker/src/lib.rs b/bombastic/walker/src/lib.rs
@@ -128,14 +128,16 @@ impl Run {
                             client_id,
                             client_secret,
                             refresh_before,
-                            tls_insecure: insecure_tls,
+                            tls_insecure,
+                            tls_ca_certificates,
                         }) => {
                             let config = walker_common::sender::provider::OpenIdTokenProviderConfig {
                                 issuer_url,
                                 client_id,
                                 client_secret,
                                 refresh_before,
-                                tls_insecure: insecure_tls,
+                                tls_insecure,
+                                tls_ca_certificates,
                             };
                             Arc::new(walker_common::sender::provider::OpenIdTokenProvider::with_config(config).await?)
                                 as Arc<dyn TokenProvider>

diff --git a/bombastic/walker/src/scanner.rs b/bombastic/walker/src/scanner.rs
@@ -1,11 +1,8 @@
 use crate::{processing::ProcessVisitor, report::SbomReportVisitor};
 use parking_lot::Mutex;
 use sbom_walker::{
-    model::metadata::Key,
-    retrieve::RetrievingVisitor,
-    source::{DispatchSource, FileSource, HttpSource},
-    validation::ValidationVisitor,
-    walker::Walker,
+    discover::DiscoverConfig, model::metadata::Key, retrieve::RetrievingVisitor, source::new_source,
+    validation::ValidationVisitor, walker::Walker,
 };
 use std::path::PathBuf;
 use std::sync::Arc;
@@ -15,7 +12,7 @@ use tracing::{instrument, log};
 use trustification_common_walker::report::{Report, ReportBuilder, ReportVisitor, ScannerError};
 use url::Url;
 use walker_common::{
-    fetcher::{Fetcher, FetcherOptions},
+    fetcher::FetcherOptions,
     sender::{self, provider::TokenProvider, HttpSenderOptions},
     since::Since,
     validate::ValidationOptions,
@@ -61,17 +58,15 @@ impl Scanner {
 
         let since = Since::new(None::<SystemTime>, self.options.since_file.clone(), Default::default())?;
 
-        let source: DispatchSource = match Url::parse(&self.options.source) {
-            Ok(url) => HttpSource::new(
-                url,
-                Fetcher::new(FetcherOptions::default()).await?,
-                sbom_walker::source::HttpOptions::new()
-                    .since(*since)
-                    .keys(self.options.keys.clone()),
-            )
-            .into(),
-            Err(_) => FileSource::new(&self.options.source, None)?.into(),
-        };
+        let source = new_source(
+            DiscoverConfig {
+                source: self.options.source.clone(),
+                since: *since,
+                keys: self.options.keys.clone(),
+            },
+            FetcherOptions::default(),
+        )
+        .await?;
 
         let sender = sender::HttpSender::new(
             self.options.provider.clone(),

diff --git a/deploy/k8s/DEPLOYING.md b/deploy/k8s/DEPLOYING.md
@@ -113,6 +113,36 @@ helm upgrade --install --dependency-update -n $NAMESPACE infrastructure charts/t
 helm upgrade --install -n $NAMESPACE trustification charts/trustification --values values-ocp-no-aws.yaml --set-string appDomain=$APP_DOMAIN
 ```
 
+## CRC
+
+**NOTE:** You might need to set up CRC first. This step is not part of this documentation.
+
+Start `crc`:
+
+```bash
+crc start --cpus 8 --memory 32768 --disk-size 80
+```
+
+Create a namespace:
+
+```shell
+oc new-project trustification
+```
+
+Then deploy the application:
+
+```bash
+NAMESPACE=trustification
+APP_DOMAIN=-$NAMESPACE.$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}')
+
+oc get secret -n openshift-ingress  router-certs-default -o go-template='{{index .data "tls.crt"}}' | base64 -d > tls.crt
+oc create configmap crc-trust-anchor --from-file=tls.crt -n $NAMESPACE
+rm tls.crt
+
+helm upgrade --install --dependency-update -n $NAMESPACE infrastructure charts/trustification-infrastructure --values values-ocp-no-aws.yaml --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN
+helm upgrade --install -n $NAMESPACE trustification charts/trustification --values values-ocp-no-aws.yaml --set-string appDomain=$APP_DOMAIN --values values-crc.yaml
+```
+
 ## Branding
 
 Install the branding Helm chart using:

diff --git a/deploy/k8s/charts/trustification/templates/helpers/_auth.tpl b/deploy/k8s/charts/trustification/templates/helpers/_auth.tpl
@@ -91,6 +91,11 @@ authentication:
     - clientId: {{ include "trustification.oidc.clientId" (dict "root" .root "clientId" "frontend" ) }}
       issuerUrl: {{ include "trustification.oidc.issuerUrlForClient" (dict "root" .root "clientId" "frontend" ) }}
 
+      {{- with .root.Values.tls.additionalTrustAnchor }}
+      tlsCaCertificates:
+        - {{ . | quote }}
+      {{- end }}
+
       additionalPermissions:
         - "read.sbom"
         - "read.vex"
@@ -110,6 +115,11 @@ authentication:
     - clientId: {{ include "trustification.oidc.clientId" (dict "root" .root "clientId" "walker" ) }}
       issuerUrl: {{ include "trustification.oidc.issuerUrlForClient" (dict "root" .root "clientId" "walker" ) }}
 
+      {{- with .root.Values.tls.additionalTrustAnchor }}
+      tlsCaCertificates:
+        - {{ . | quote }}
+      {{- end }}
+
       scopeMappings:
         "trustification/bombastic":
           - "create.sbom"
@@ -127,16 +137,26 @@ authentication:
 {{- else -}}{{/* Keycloak is the default */}}
 authentication:
   clients:
+
     - clientId: {{ include "trustification.oidc.clientId" (dict "root" .root "clientId" "frontend" ) }}
       issuerUrl: {{ include "trustification.oidc.issuerUrlForClient" (dict "root" .root "clientId" "frontend" ) }}
       scopeMappings: &keycloakScopeMappings
         "create:document": [ "create.sbom", "create.vex" ]
         "read:document": [ "read.sbom", "read.vex" ]
         "update:document": [ "update.sbom", "update.vex" ]
         "delete:document": [ "delete.sbom", "delete.vex" ]
+      {{- with .root.Values.tls.additionalTrustAnchor }}
+      tlsCaCertificates:
+        - {{ . | quote }}
+      {{- end }}
+
     - clientId: {{ include "trustification.oidc.clientId" (dict "root" .root "clientId" "walker" ) }}
       issuerUrl: {{ include "trustification.oidc.issuerUrlForClient" (dict "root" .root "clientId" "walker" ) }}
       scopeMappings: *keycloakScopeMappings
+      {{- with .root.Values.tls.additionalTrustAnchor }}
+      tlsCaCertificates:
+        - {{ . | quote }}
+      {{- end }}
 
 {{- end }}
 {{- end }}
diff --git a/deploy/k8s/charts/trustification/templates/helpers/_deployment.tpl b/deploy/k8s/charts/trustification/templates/helpers/_deployment.tpl
@@ -54,4 +54,4 @@ resources:
   {{- . | toYaml | nindent 2 }}
 {{ end }}
 
-{{- end }}
+{{- end }}
diff --git a/deploy/k8s/charts/trustification/templates/helpers/_extra.tpl b/deploy/k8s/charts/trustification/templates/helpers/_extra.tpl
@@ -0,0 +1,23 @@
+{{/*
+Additional volumes
+
+Arguments (dict):
+  * root - .
+*/}}
+{{- define "trustification.application.extraVolumes" }}
+{{- with .root.Values.extraVolumes }}
+{{- . | toYaml }}
+{{- end }}
+{{- end }}
+
+{{/*
+Additional volume mounts
+
+Arguments (dict):
+  * root - .
+*/}}
+{{- define "trustification.application.extraVolumeMounts" }}
+{{- with .root.Values.extraVolumeMounts }}
+{{- . | toYaml }}
+{{- end }}
+{{- end }}