From 772cbacbcadfab0a137efaf247916904ac41671e Mon Sep 17 00:00:00 2001 From: Jesse Geens Date: Mon, 30 Sep 2024 11:49:04 +0200 Subject: [PATCH] Only load X509 key pair if the scheme is set to https; otherwise, omit TLSClientConfig --- changelog/unreleased/eos-http-client-tls.md | 3 +++ pkg/eosclient/eosgrpc/eoshttp.go | 27 ++++++++++++++------- 2 files changed, 21 insertions(+), 9 deletions(-) create mode 100644 changelog/unreleased/eos-http-client-tls.md diff --git a/changelog/unreleased/eos-http-client-tls.md b/changelog/unreleased/eos-http-client-tls.md new file mode 100644 index 00000000000..d2df281353e --- /dev/null +++ b/changelog/unreleased/eos-http-client-tls.md @@ -0,0 +1,3 @@ +Enhancement: Omit loading X509 key pair in EOS HTTP Client if the scheme is not https + +https://github.com/cs3org/reva/pull/4870 \ No newline at end of file diff --git a/pkg/eosclient/eosgrpc/eoshttp.go b/pkg/eosclient/eosgrpc/eoshttp.go index ee1aa3aacf4..49663553355 100644 --- a/pkg/eosclient/eosgrpc/eoshttp.go +++ b/pkg/eosclient/eosgrpc/eoshttp.go @@ -22,6 +22,7 @@ import ( "bytes" "context" "crypto/tls" + "errors" "fmt" "io" "net/http" @@ -147,19 +148,12 @@ func NewEOSHTTPClient(opt *HTTPOptions) (*EOSHTTPClient, error) { } opt.init() - cert, err := tls.LoadX509KeyPair(opt.ClientCertFile, opt.ClientKeyFile) + baseUrl, err := url.Parse(opt.BaseURL) if err != nil { - return nil, err + return nil, errors.New("Failed to parse BaseURL") } - // TODO: the error reporting of http.transport is insufficient - // we may want to check manually at least the existence of the certfiles - // The point is that also the error reporting of the context that calls this function - // is weak t := &http.Transport{ - TLSClientConfig: &tls.Config{ - Certificates: []tls.Certificate{cert}, - }, MaxIdleConns: opt.MaxIdleConns, MaxConnsPerHost: opt.MaxConnsPerHost, MaxIdleConnsPerHost: opt.MaxIdleConnsPerHost, @@ -167,6 +161,21 @@ func NewEOSHTTPClient(opt *HTTPOptions) (*EOSHTTPClient, error) { DisableCompression: true, } + if baseUrl.Scheme == "https" { + cert, err := tls.LoadX509KeyPair(opt.ClientCertFile, opt.ClientKeyFile) + if err != nil { + return nil, err + } + t.TLSClientConfig = &tls.Config{ + Certificates: []tls.Certificate{cert}, + } + } + + // TODO: the error reporting of http.transport is insufficient + // we may want to check manually at least the existence of the certfiles + // The point is that also the error reporting of the context that calls this function + // is weak + cl := &http.Client{ Transport: t, CheckRedirect: func(req *http.Request, via []*http.Request) error {