package brand_tls
import (
"crypto/tls"
"strings"
"time"
log "github.com/sirupsen/logrus"
"goauthentik.io/api/v3"
"goauthentik.io/internal/crypto"
"goauthentik.io/internal/outpost/ak"
)
// Watcher keeps the web certificates of all brands loaded in memory and
// hands the matching one to crypto/tls through GetCertificate.
type Watcher struct {
	client *api.APIClient
	log    *log.Entry
	// cs caches the keypairs referenced by the brands' WebCertificate fields.
	cs *ak.CryptoStore
	// fallback is a self-signed certificate generated in NewWatcher; it is
	// served whenever no brand certificate can be selected or loaded.
	fallback *tls.Certificate
	// brands is replaced wholesale by Check (ticker goroutine) and read by
	// GetCertificate (TLS handshake goroutines). Nothing in this file
	// synchronizes that access — NOTE(review): consider a sync.RWMutex.
	brands []api.Brand
}
// NewWatcher builds a Watcher backed by the given API client and prepares the
// crypto store it will load brand keypairs into.
//
// A self-signed certificate is generated up front so GetCertificate always
// has something to present. If generation fails the error is only logged and
// the zero-valued certificate is kept as the fallback; handshakes that end up
// on it will fail until a brand certificate is available.
func NewWatcher(client *api.APIClient) *Watcher {
	store := ak.NewCryptoStore(client.CryptoApi)
	logger := log.WithField("logger", "authentik.router.brand_tls")

	selfSigned, genErr := crypto.GenerateSelfSignedCert()
	if genErr != nil {
		logger.WithError(genErr).Error("failed to generate default cert")
	}

	w := &Watcher{
		client:   client,
		log:      logger,
		cs:       store,
		fallback: &selfSigned,
	}
	return w
}
// Start runs Check immediately and then once every three minutes.
//
// It blocks the calling goroutine forever: there is no context or stop
// channel, and the ticker is never stopped. Callers that need a bounded
// lifetime must run it in a goroutine they are prepared to abandon.
func (w *Watcher) Start() {
	const interval = 3 * time.Minute

	w.log.Info("Starting Brand TLS Checker")
	tick := time.NewTicker(interval)
	for {
		w.Check()
		<-tick.C
	}
}
// Check refreshes the brand list from the API, loads every referenced web
// certificate into the crypto store, and then publishes the new list for
// GetCertificate.
//
// On an API error the previously published list is left untouched, so a
// transient outage does not degrade certificate selection. A keypair that
// fails to load is logged and skipped; its brand still ends up in the list,
// and GetCertificate falls back to the default certificate for it because
// the store will have no entry.
func (w *Watcher) Check() {
	w.log.Info("updating brand certificates")

	resp, _, err := w.client.CoreApi.CoreBrandsListExecute(api.ApiCoreBrandsListRequest{})
	if err != nil {
		w.log.WithError(err).Warning("failed to get brands")
		return
	}

	fetched := resp.Results
	for i := range fetched {
		keypair := fetched[i].WebCertificate.Get()
		if keypair == nil {
			continue
		}
		if addErr := w.cs.AddKeypair(*keypair); addErr != nil {
			w.log.WithError(addErr).Warning("failed to add certificate")
		}
	}

	// NOTE(review): only one page of results is consumed here; if the API
	// paginates the brand list, brands beyond the first page are never seen —
	// confirm against the client. This store is also not synchronized with
	// the readers in GetCertificate.
	w.brands = fetched
}
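// GetCertificate selects the certificate to present for a TLS handshake and
// is intended to be installed as tls.Config.GetCertificate.
//
// Selection, in order of precedence:
//  1. the last brand (in API order) whose Domain is a suffix of the requested
//     SNI name and that has a web certificate configured;
//  2. otherwise the last brand flagged Default that has a web certificate;
//  3. otherwise the self-signed fallback.
//
// If the chosen brand's keypair is not in the crypto store — e.g. because
// Check could not load it — the fallback is returned as well. The method
// therefore never fails a handshake on its own and always returns a nil error.
//
// The domain comparison is a plain string suffix, not anchored at a label
// boundary: SNI "evilexample.com" matches Domain "example.com". Only the
// choice of (public) certificate is affected, but when two brands share a
// suffix the later one in API order wins.
func (w *Watcher) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
	var (
		byDomain  *api.Brand
		byDefault *api.Brand
	)

	// Index into the slice instead of taking the address of the range
	// variable: on Go < 1.22 a single loop variable is reused per iteration,
	// so `&t` would always end up pointing at the last brand.
	for i := range w.brands {
		b := &w.brands[i]
		if b.WebCertificate.Get() == nil {
			continue
		}
		// Default is an optional pointer in the generated client; a nil value
		// must not panic inside a TLS handshake goroutine.
		if b.Default != nil && *b.Default {
			byDefault = b
		}
		if strings.HasSuffix(ch.ServerName, b.Domain) {
			byDomain = b
		}
	}

	// A domain match always beats the default brand. The previous form
	// overwrote the selection per iteration, so a default brand listed after
	// the matching one silently won.
	chosen := byDomain
	if chosen == nil {
		chosen = byDefault
	}
	if chosen == nil {
		return w.fallback, nil
	}

	if cert := w.cs.Get(*chosen.WebCertificate.Get()); cert != nil {
		return cert, nil
	}
	return w.fallback, nil
}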