feat(auth): allow additional CA certs for OAuth2

Allow specifying additional TLS CA certificates for OAuth2
authenticator.

This is useful when the cert for the OAuth2 services is not installed in
the system and needs to be specified explicitly.

Signed-off-by: Sergei Trofimov <[email protected]>

Author: setrofim

auth/oauth2.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"strings"
 	"time"
@@ -20,6 +21,7 @@ type Oauth2Authenticator struct {
 	ClientSecret string
 	Username     string
 	Password     string
+	CertPaths    []string
 
 	Token *oauth2.Token
 }
@@ -31,6 +33,7 @@ func (o *Oauth2Authenticator) Configure(cfg map[string]interface{}) error {
 		ClientSecret string                 `mapstructure:"client_secret"`
 		Username     string                 `mapstructure:"username"`
 		Password     string                 `mapstructure:"password"`
+		CertPaths    []string               `mapstructure:"ca_cert"`
 		Rest         map[string]interface{} `mapstructure:",remain"`
 	}{}
 
@@ -43,6 +46,7 @@ func (o *Oauth2Authenticator) Configure(cfg map[string]interface{}) error {
 	o.TokenURL = decoded.TokenURL
 	o.Username = decoded.Username
 	o.Password = decoded.Password
+	o.CertPaths = decoded.CertPaths
 
 	if err := o.validate(); err != nil {
 		return err
@@ -90,6 +94,15 @@ func (o *Oauth2Authenticator) obtainToken() (*oauth2.Token, error) {
 		},
 	}
 
+	if len(o.CertPaths) > 0 {
+		transport, err := NewTLSTransport(o.CertPaths)
+		if err != nil {
+			return nil, err
+		}
+		client := &http.Client{Transport: transport}
+		ctx = context.WithValue(ctx, oauth2.HTTPClient, client)
+	}
+
 	return conf.PasswordCredentialsToken(ctx, o.Username, o.Password)
 }
 

auth/tls.go

@@ -0,0 +1,38 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package auth
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"os"
+)
+
+// NewTLSTransport returns a pointer to a new http.Transport with TLS config
+// initilaized with system certs as well as specified certPaths.
+func NewTLSTransport(certPaths []string) (*http.Transport, error) {
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, certPath := range certPaths {
+		rawCert, err := os.ReadFile(certPath)
+		if err != nil {
+			return nil, fmt.Errorf("could not read cert: %w", err)
+		}
+
+		if ok := certPool.AppendCertsFromPEM(rawCert); !ok {
+			return nil, fmt.Errorf("invalid cert in %s", certPath)
+		}
+	}
+
+	return &http.Transport{
+		TLSClientConfig: &tls.Config{
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12,
+		},
+	}, nil
+}

common/client.go

@@ -6,11 +6,9 @@ package common
 import (
 	"bytes"
 	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"io"
 	"net/http"
-	"os"
 	"time"
 
 	"github.com/veraison/apiclient/auth"
@@ -50,30 +48,12 @@ func NewInsecureTLSClient(a auth.IAuthenticator) *Client {
 // The client will use the provided IAuthenticator for requests, if it is not
 // nil.
 func NewTLSClient(a auth.IAuthenticator, certPaths []string) (*Client, error) {
-	certPool, err := x509.SystemCertPool()
+	transport, err := auth.NewTLSTransport(certPaths)
 	if err != nil {
 		return nil, err
 	}
 
-	for _, certPath := range certPaths {
-		rawCert, err := os.ReadFile(certPath)
-		if err != nil {
-			return nil, fmt.Errorf("could not read cert: %w", err)
-		}
-
-		if ok := certPool.AppendCertsFromPEM(rawCert); !ok {
-			return nil, fmt.Errorf("invalid cert in %s", certPath)
-		}
-	}
-
-	transport := http.Transport{
-		TLSClientConfig: &tls.Config{
-			RootCAs:    certPool,
-			MinVersion: tls.VersionTLS12,
-		},
-	}
-
-	return NewClientWithTransport(a, &transport), nil
+	return NewClientWithTransport(a, transport), nil
 }
 
 // NewClientWithTransport instantiates a new Client with the specified transport and a fixed