feat: WithPort, WithInsecureSkipVerifyTLS

zitadel · Nov 11, 2024 · eec761e · eec761e
1 parent b392fea
commit eec761e
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 10 deletions.
diff --git a/pkg/client/client.go b/pkg/client/client.go
@@ -96,7 +96,7 @@ func newConnection(
 	tokenSource oauth2.TokenSource,
 	opts ...grpc.DialOption,
 ) (*grpc.ClientConn, error) {
-	transportCreds, err := transportCredentials(zitadel.Domain(), zitadel.IsTLS())
+	transportCreds, err := transportCredentials(zitadel.Domain(), zitadel.IsTLS(), zitadel.IsInsecureSkipVerifyTLS())
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/client/credentials.go b/pkg/client/credentials.go
@@ -2,6 +2,7 @@ package client
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 
 	"golang.org/x/oauth2"
@@ -55,16 +56,24 @@ func requestMetadataFromToken(token *oauth2.Token) map[string]string {
 	}
 }
 
-func transportCredentials(domain string, tls bool) (credentials.TransportCredentials, error) {
-	if !tls {
+func transportCredentials(domain string, withTLS bool, insecureSkipVerifyTLS bool) (credentials.TransportCredentials, error) {
+	if !withTLS {
 		return insecure.NewCredentials(), nil
 	}
+	tlsConfig := &tls.Config{
+		ServerName:         domain,
+		InsecureSkipVerify: insecureSkipVerifyTLS,
+	}
+	if insecureSkipVerifyTLS {
+		return credentials.NewTLS(tlsConfig), nil
+	}
 	ca, err := x509.SystemCertPool()
 	if err != nil {
 		return nil, err
 	}
 	if ca == nil {
 		ca = x509.NewCertPool()
 	}
-	return credentials.NewClientTLSFromCert(ca, domain), nil
+	tlsConfig.RootCAs = ca
+	return credentials.NewTLS(tlsConfig), nil
 }
diff --git a/pkg/zitadel/zitadel.go b/pkg/zitadel/zitadel.go
@@ -9,16 +9,18 @@ import (
 // This includes authentication, authorization as well as explicit API interaction
 // and is dependent of the provided information and initialization of such.
 type Zitadel struct {
-	domain string
-	port   string
-	tls    bool
+	domain                string
+	port                  string
+	tls                   bool
+	insecureSkipVerifyTLS bool
 }
 
 func New(domain string, options ...Option) *Zitadel {
 	zitadel := &Zitadel{
-		domain: domain,
-		port:   "443",
-		tls:    true,
+		domain:                domain,
+		port:                  "443",
+		tls:                   true,
+		insecureSkipVerifyTLS: false,
 	}
 	for _, option := range options {
 		option(zitadel)
@@ -30,13 +32,22 @@ func New(domain string, options ...Option) *Zitadel {
 type Option func(*Zitadel)
 
 // WithInsecure allows to connect to a ZITADEL instance running without TLS
+// Do not use in production
 func WithInsecure(port string) Option {
 	return func(z *Zitadel) {
 		z.port = port
 		z.tls = false
 	}
 }
 
+// WithInsecureSkipVerifyTLS allows to connect to a ZITADEL instance running with TLS but has an untrusted certificate
+// Do not use in production
+func WithInsecureSkipVerifyTLS() Option {
+	return func(z *Zitadel) {
+		z.insecureSkipVerifyTLS = true
+	}
+}
+
 // WithPort allows to connect to a ZITADEL instance running on a different port
 func WithPort(port uint16) Option {
 	return func(z *Zitadel) {
@@ -61,6 +72,10 @@ func (z *Zitadel) IsTLS() bool {
 	return z.tls
 }
 
+func (z *Zitadel) IsInsecureSkipVerifyTLS() bool {
+	return z.insecureSkipVerifyTLS
+}
+
 func (z *Zitadel) Domain() string {
 	return z.domain
 }