Merge pull request #23 from OpenCHAMI/add-cacerts

Changed cert flags and added cert for gofish
2025-12-20 11:37:01 -07:00 · 2024-05-06 14:02:49 -06:00 · 2024-05-06 14:02:49 -06:00 · e1abff671d
commit e1abff671d
parent b58167a322 b5c0d9ce2a
4 changed files with 74 additions and 49 deletions
--- a/cmd/collect.go
+++ b/cmd/collect.go
@ -49,7 +49,7 @@ var collectCmd = &cobra.Command{
 			Timeout:     timeout,
 			Threads:     threads,
 			Verbose:     verbose,
-			WithSecureTLS: withSecureTLS,
+			CaCertPath:  cacertPath,
 			OutputPath:  outputPath,
 			ForceUpdate: forceUpdate,
 		}
@ -74,7 +74,6 @@ func init() {
 	collectCmd.PersistentFlags().BoolVar(&forceUpdate, "force-update", false, "set flag to force update data sent to SMD ")
 	collectCmd.PersistentFlags().StringVar(&preferredDriver, "preferred-driver", "ipmi", "set the preferred driver to use")
 	collectCmd.PersistentFlags().StringVar(&ipmitoolPath, "ipmitool.path", "/usr/bin/ipmitool", "set the path for ipmitool")
-	collectCmd.PersistentFlags().BoolVar(&withSecureTLS, "secure-tls", false, "enable secure TLS")
-	collectCmd.PersistentFlags().StringVar(&certPoolFile, "cert-pool", "", "path to CA cert. (defaults to system CAs; used with --secure-tls=true)")
+	collectCmd.PersistentFlags().StringVar(&cacertPath, "ca-cert", "", "path to CA cert. (defaults to system CAs; used with --secure-tls=true)")
 	rootCmd.AddCommand(collectCmd)
 }
--- a/cmd/root.go
+++ b/cmd/root.go
@ -14,8 +14,7 @@ var (
 	ports           []int
 	hosts           []string
 	protocol        string
-	withSecureTLS   bool
-	certPoolFile    string
+	cacertPath      string
 	user            string
 	pass            string
 	dbpath          string
--- a/cmd/update.go
+++ b/cmd/update.go
@ -36,7 +36,6 @@ var updateCmd = &cobra.Command{
 				Pass:      pass,
 				Timeout:   timeout,
 				Port:      port,
-				WithSecureTLS: withSecureTLS,
 			},
 		}

@ -76,7 +75,6 @@ func init() {
 	updateCmd.Flags().StringVar(&firmwareUrl, "firmware-url", "", "set the path to the firmware")
 	updateCmd.Flags().StringVar(&firmwareVersion, "firmware-version", "", "set the version of firmware to be installed")
 	updateCmd.Flags().StringVar(&component, "component", "", "set the component to upgrade")
-	updateCmd.Flags().BoolVar(&withSecureTLS, "secure-tls", false, "enable secure TLS")
 	updateCmd.Flags().BoolVar(&status, "status", false, "get the status of the update")
 	rootCmd.AddCommand(updateCmd)
 }
--- a/internal/collect.go
+++ b/internal/collect.go
@ -44,8 +44,7 @@ type QueryParams struct {
 	Threads      int
 	Preferred    string
 	Timeout      int
-	WithSecureTLS bool
-	CertPoolFile  string
+	CaCertPath   string
 	Verbose      bool
 	IpmitoolPath string
 	OutputPath   string
@ -54,6 +53,7 @@ type QueryParams struct {
 }

 func NewClient(l *log.Logger, q *QueryParams) (*bmclib.Client, error) {
+
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
@ -75,9 +75,9 @@ func NewClient(l *log.Logger, q *QueryParams) (*bmclib.Client, error) {
 	}

 	// only work if valid cert is provided
-	if q.WithSecureTLS && q.CertPoolFile != "" {
+	if q.CaCertPath != "" {
 		pool := x509.NewCertPool()
-		data, err := os.ReadFile(q.CertPoolFile)
+		data, err := os.ReadFile(q.CaCertPath)
 		if err != nil {
 			return nil, fmt.Errorf("could not read cert pool file: %v", err)
 		}
@ -557,10 +557,12 @@ func CollectProcessors(q *QueryParams) ([]byte, error) {
 }

 func connectGofish(q *QueryParams) (*gofish.APIClient, error) {
-	config := makeGofishConfig(q)
+	config, err := makeGofishConfig(q)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make gofish config: %v", err)
+	}
 	c, err := gofish.Connect(config)
 	if err != nil {
-
 		return nil, fmt.Errorf("could not connect to redfish endpoint: %v", err)
 	}
 	if c != nil {
@ -574,15 +576,42 @@ func connectGofish(q *QueryParams) (*gofish.APIClient, error) {
 	return c, err
 }

-func makeGofishConfig(q *QueryParams) gofish.ClientConfig {
-	url := baseRedfishUrl(q)
+func makeGofishConfig(q *QueryParams) (gofish.ClientConfig, error) {
+	var (
+		client = &http.Client{}
+		url    = baseRedfishUrl(q)
+		config = gofish.ClientConfig{
+			Endpoint:            url,
+			Username:            q.User,
+			Password:            q.Pass,
+			Insecure:            q.CaCertPath == "",
+			TLSHandshakeTimeout: q.Timeout,
+			HTTPClient:          client,
+			// MaxConcurrentRequests: int64(q.Threads),  // NOTE: this was added in latest gofish
+		}
+	)
+	if q.CaCertPath != "" {
+		cacert, err := os.ReadFile(q.CaCertPath)
+		if err != nil {
+			return config, fmt.Errorf("failed to read CA cert file: %v", err)
+		}
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM(cacert)
+		client.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: certPool,
+			},
+		}
+	}
 	return gofish.ClientConfig{
 		Endpoint:            url,
 		Username:            q.User,
 		Password:            q.Pass,
-		Insecure:            !q.WithSecureTLS,
+		Insecure:            q.CaCertPath == "",
 		TLSHandshakeTimeout: q.Timeout,
-	}
+		HTTPClient:          client,
+		// MaxConcurrentRequests: int64(q.Threads),  // NOTE: this was added in latest gofish
+	}, nil
 }

 func makeRequest[T any](client *bmclib.Client, fn func(context.Context) (T, error), timeout int) ([]byte, error) {