Use MitmTLSConfig in the config instead of MitmCa

stripe · Sep 12, 2024 · f4ef674 · f4ef674
1 parent 6563aa7
commit f4ef674
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 5 deletions.
diff --git a/pkg/smokescreen/config.go b/pkg/smokescreen/config.go
@@ -19,6 +19,7 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
+	"github.com/stripe/goproxy"
 	acl "github.com/stripe/smokescreen/pkg/smokescreen/acl/v1"
 	"github.com/stripe/smokescreen/pkg/smokescreen/conntrack"
 	"github.com/stripe/smokescreen/pkg/smokescreen/metrics"
@@ -100,7 +101,7 @@ type Config struct {
 	// If the handler returns an error, smokescreen will deny the request.
 	PostDecisionRequestHandler func(*http.Request) error
 	// MitmCa is used to provide a custom CA for MITM
-	MitmCa *tls.Certificate
+	MitmTLSConfig func(host string, ctx *goproxy.ProxyCtx) (*tls.Config, error)
 }
 
 type missingRoleError struct {

diff --git a/pkg/smokescreen/config_loader.go b/pkg/smokescreen/config_loader.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/stripe/goproxy"
 	"gopkg.in/yaml.v2"
 )
 
@@ -169,7 +170,7 @@ func (c *Config) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		if mitmCa.Leaf, err = x509.ParseCertificate(mitmCa.Certificate[0]); err != nil {
 			return fmt.Errorf("could not populate x509 Leaf value: %v", err)
 		}
-		c.MitmCa = &mitmCa
+		c.MitmTLSConfig = goproxy.TLSConfigFromCA(&mitmCa)
 	}
 
 	return nil

diff --git a/pkg/smokescreen/smokescreen.go b/pkg/smokescreen/smokescreen.go
@@ -695,7 +695,7 @@ func handleConnect(config *Config, pctx *goproxy.ProxyCtx) (*goproxy.ConnectActi
 	connectAction := goproxy.OkConnect
 	// If the ACLDecision matched a MITM rule
 	if sctx.Decision.MitmConfig != nil {
-		if config.MitmCa == nil {
+		if config.MitmTLSConfig == nil {
 			deny := denyError{errors.New("ACLDecision specified MITM but Smokescreen doesn't have MITM enabled")}
 			sctx.Decision.allow = false
 			sctx.Decision.MitmConfig = nil
@@ -716,7 +716,7 @@ func handleConnect(config *Config, pctx *goproxy.ProxyCtx) (*goproxy.ConnectActi
 
 		connectAction = &goproxy.ConnectAction{
 			Action:            goproxy.ConnectMitm,
-			TLSConfig:         goproxy.TLSConfigFromCA(config.MitmCa),
+			TLSConfig:         config.MitmTLSConfig,
 			MitmMutateRequest: mitmMutateRequest,
 		}
 	}

diff --git a/pkg/smokescreen/smokescreen_test.go b/pkg/smokescreen/smokescreen_test.go
@@ -1403,7 +1403,7 @@ func TestMitm(t *testing.T) {
 		r.NoError(err)
 		mitmCa.Leaf, err = x509.ParseCertificate(mitmCa.Certificate[0])
 		r.NoError(err)
-		cfg.MitmCa = &mitmCa
+		cfg.MitmTLSConfig = goproxy.TLSConfigFromCA(&mitmCa)
 		r.NoError(err)
 		err = cfg.SetAllowAddresses([]string{"127.0.0.1"})
 		r.NoError(err)