feat: tls config for server (#37)

* feat: tls config for server
hasura · Oct 12, 2024 · 506a035 · 506a035
1 parent 3112447
commit 506a035
Show file tree

Hide file tree

Showing 5 changed files with 568 additions and 55 deletions.
diff --git a/jsonschema/ndc-rest-schema.jsonschema b/jsonschema/ndc-rest-schema.jsonschema
@@ -132,6 +132,16 @@
       "type": "object",
       "description": "EncodingObject represents the Encoding Object that contains serialization strategy for application/x-www-form-urlencoded\n\n[Encoding Object]: https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.1.0.md#encoding-object"
     },
+    "EnvBoolean": {
+      "oneOf": [
+        {
+          "type": "boolean"
+        },
+        {
+          "type": "string"
+        }
+      ]
+    },
     "EnvInt": {
       "oneOf": [
         {
@@ -158,6 +168,19 @@
     "EnvString": {
       "type": "string"
     },
+    "EnvStrings": {
+      "oneOf": [
+        {
+          "type": "string"
+        },
+        {
+          "items": {
+            "type": "string"
+          },
+          "type": "array"
+        }
+      ]
+    },
     "ForeignKeyConstraint": {
       "properties": {
         "column_mapping": {
@@ -750,6 +773,9 @@
         },
         "security": {
           "$ref": "#/$defs/AuthSecurities"
+        },
+        "tls": {
+          "$ref": "#/$defs/TLSConfig"
         }
       },
       "additionalProperties": false,
@@ -759,6 +785,61 @@
       ],
       "description": "ServerConfig contains server configurations"
     },
+    "TLSConfig": {
+      "properties": {
+        "certFile": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Path to the TLS cert to use for TLS required connections."
+        },
+        "certPem": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Alternative to cert_file. Provide the certificate contents as a string instead of a filepath."
+        },
+        "keyFile": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Path to the TLS key to use for TLS required connections."
+        },
+        "keyPem": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Alternative to key_file. Provide the key contents as a string instead of a filepath."
+        },
+        "caFile": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Path to the CA cert. For a client this verifies the server certificate. For a server this verifies client certificates.\nIf empty uses system root CA."
+        },
+        "caPem": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Alternative to ca_file. Provide the CA cert contents as a string instead of a filepath."
+        },
+        "insecureSkipVerify": {
+          "$ref": "#/$defs/EnvBoolean",
+          "description": "Additionally you can configure TLS to be enabled but skip verifying the server's certificate chain."
+        },
+        "includeSystemCACertsPool": {
+          "$ref": "#/$defs/EnvBoolean",
+          "description": "Whether to load the system certificate authorities pool alongside the certificate authority."
+        },
+        "minVersion": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Minimum acceptable TLS version."
+        },
+        "maxVersion": {
+          "$ref": "#/$defs/EnvString",
+          "description": "Maximum acceptable TLS version."
+        },
+        "cipherSuites": {
+          "$ref": "#/$defs/EnvStrings",
+          "description": "Explicit cipher suites can be set. If left blank, a safe default list is used.\nSee https://go.dev/src/crypto/tls/cipher_suites.go for a list of supported cipher suites."
+        },
+        "reloadInterval": {
+          "$ref": "#/$defs/EnvInt",
+          "description": "Specifies the duration after which the certificate will be reloaded. If not set, it will never be reloaded.\nThe interval unit is minute"
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "description": "TLSConfig represents the transport layer security (LTS) configuration for the mutualTLS authentication"
+    },
     "Type": {
       "type": "object"
     },

diff --git a/schema/auth.go b/schema/auth.go
@@ -18,13 +18,15 @@ const (
 	HTTPAuthScheme      SecuritySchemeType = "http"
 	OAuth2Scheme        SecuritySchemeType = "oauth2"
 	OpenIDConnectScheme SecuritySchemeType = "openIdConnect"
+	MutualTLSScheme     SecuritySchemeType = "mutualTLS"
 )
 
 var securityScheme_enums = []SecuritySchemeType{
 	APIKeyScheme,
 	HTTPAuthScheme,
 	OAuth2Scheme,
 	OpenIDConnectScheme,
+	MutualTLSScheme,
 }
 
 // JSONSchema is used to generate a custom jsonschema
@@ -218,22 +220,22 @@ func (ss SecurityScheme) Validate() error {
 	switch ss.Type {
 	case APIKeyScheme:
 		if ss.APIKeyAuthConfig == nil {
-			return (APIKeyAuthConfig{}).Validate()
+			ss.APIKeyAuthConfig = &APIKeyAuthConfig{}
 		}
 		return ss.APIKeyAuthConfig.Validate()
 	case HTTPAuthScheme:
 		if ss.HTTPAuthConfig == nil {
-			return (HTTPAuthConfig{}).Validate()
+			ss.HTTPAuthConfig = &HTTPAuthConfig{}
 		}
 		return ss.HTTPAuthConfig.Validate()
 	case OAuth2Scheme:
 		if ss.OAuth2Config == nil {
-			return (OAuth2Config{}).Validate()
+			ss.OAuth2Config = &OAuth2Config{}
 		}
 		return ss.OAuth2Config.Validate()
 	case OpenIDConnectScheme:
 		if ss.OpenIDConfig == nil {
-			return (OpenIDConfig{}).Validate()
+			ss.OpenIDConfig = &OpenIDConfig{}
 		}
 		return ss.OpenIDConfig.Validate()
 	}