Merge pull request #23 from OpenCHAMI/add-cacerts

Changed cert flags and added cert for gofish
2025-12-20 11:37:01 -07:00 · 2024-05-06 14:02:49 -06:00 · 2024-05-06 14:02:49 -06:00 · e1abff671d
commit e1abff671d
parent b58167a322 b5c0d9ce2a
4 changed files with 74 additions and 49 deletions
--- a/cmd/collect.go
+++ b/cmd/collect.go
@ -41,17 +41,17 @@ var collectCmd = &cobra.Command{
 			threads = mathutil.Clamp(len(probeStates), 1, 255)
 		}
 		q := &magellan.QueryParams{
-			User:          user,
-			Pass:          pass,
-			Protocol:      protocol,
-			Drivers:       drivers,
-			Preferred:     preferredDriver,
-			Timeout:       timeout,
-			Threads:       threads,
-			Verbose:       verbose,
-			WithSecureTLS: withSecureTLS,
-			OutputPath:    outputPath,
-			ForceUpdate:   forceUpdate,
+			User:        user,
+			Pass:        pass,
+			Protocol:    protocol,
+			Drivers:     drivers,
+			Preferred:   preferredDriver,
+			Timeout:     timeout,
+			Threads:     threads,
+			Verbose:     verbose,
+			CaCertPath:  cacertPath,
+			OutputPath:  outputPath,
+			ForceUpdate: forceUpdate,
 		}
 		magellan.CollectAll(&probeStates, l, q)

@ -74,7 +74,6 @@ func init() {
 	collectCmd.PersistentFlags().BoolVar(&forceUpdate, "force-update", false, "set flag to force update data sent to SMD ")
 	collectCmd.PersistentFlags().StringVar(&preferredDriver, "preferred-driver", "ipmi", "set the preferred driver to use")
 	collectCmd.PersistentFlags().StringVar(&ipmitoolPath, "ipmitool.path", "/usr/bin/ipmitool", "set the path for ipmitool")
-	collectCmd.PersistentFlags().BoolVar(&withSecureTLS, "secure-tls", false, "enable secure TLS")
-	collectCmd.PersistentFlags().StringVar(&certPoolFile, "cert-pool", "", "path to CA cert. (defaults to system CAs; used with --secure-tls=true)")
+	collectCmd.PersistentFlags().StringVar(&cacertPath, "ca-cert", "", "path to CA cert. (defaults to system CAs; used with --secure-tls=true)")
 	rootCmd.AddCommand(collectCmd)
 }
--- a/cmd/root.go
+++ b/cmd/root.go
@ -14,8 +14,7 @@ var (
 	ports           []int
 	hosts           []string
 	protocol        string
-	withSecureTLS   bool
-	certPoolFile    string
+	cacertPath      string
 	user            string
 	pass            string
 	dbpath          string
--- a/cmd/update.go
+++ b/cmd/update.go
@ -28,15 +28,14 @@ var updateCmd = &cobra.Command{
 			Component:        component,
 			TransferProtocol: transferProtocol,
 			QueryParams: magellan.QueryParams{
-				Drivers:       []string{"redfish"},
-				Preferred:     "redfish",
-				Protocol:      protocol,
-				Host:          host,
-				User:          user,
-				Pass:          pass,
-				Timeout:       timeout,
-				Port:          port,
-				WithSecureTLS: withSecureTLS,
+				Drivers:   []string{"redfish"},
+				Preferred: "redfish",
+				Protocol:  protocol,
+				Host:      host,
+				User:      user,
+				Pass:      pass,
+				Timeout:   timeout,
+				Port:      port,
 			},
 		}

@ -76,7 +75,6 @@ func init() {
 	updateCmd.Flags().StringVar(&firmwareUrl, "firmware-url", "", "set the path to the firmware")
 	updateCmd.Flags().StringVar(&firmwareVersion, "firmware-version", "", "set the version of firmware to be installed")
 	updateCmd.Flags().StringVar(&component, "component", "", "set the component to upgrade")
-	updateCmd.Flags().BoolVar(&withSecureTLS, "secure-tls", false, "enable secure TLS")
 	updateCmd.Flags().BoolVar(&status, "status", false, "get the status of the update")
 	rootCmd.AddCommand(updateCmd)
 }
--- a/internal/collect.go
+++ b/internal/collect.go
@ -35,25 +35,25 @@ const (

 // NOTE: ...params were getting too long...
 type QueryParams struct {
-	Host          string
-	Port          int
-	Protocol      string
-	User          string
-	Pass          string
-	Drivers       []string
-	Threads       int
-	Preferred     string
-	Timeout       int
-	WithSecureTLS bool
-	CertPoolFile  string
-	Verbose       bool
-	IpmitoolPath  string
-	OutputPath    string
-	ForceUpdate   bool
-	AccessToken   string
+	Host         string
+	Port         int
+	Protocol     string
+	User         string
+	Pass         string
+	Drivers      []string
+	Threads      int
+	Preferred    string
+	Timeout      int
+	CaCertPath   string
+	Verbose      bool
+	IpmitoolPath string
+	OutputPath   string
+	ForceUpdate  bool
+	AccessToken  string
 }

 func NewClient(l *log.Logger, q *QueryParams) (*bmclib.Client, error) {
+
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
@ -75,9 +75,9 @@ func NewClient(l *log.Logger, q *QueryParams) (*bmclib.Client, error) {
 	}

 	// only work if valid cert is provided
-	if q.WithSecureTLS && q.CertPoolFile != "" {
+	if q.CaCertPath != "" {
 		pool := x509.NewCertPool()
-		data, err := os.ReadFile(q.CertPoolFile)
+		data, err := os.ReadFile(q.CaCertPath)
 		if err != nil {
 			return nil, fmt.Errorf("could not read cert pool file: %v", err)
 		}
@ -557,10 +557,12 @@ func CollectProcessors(q *QueryParams) ([]byte, error) {
 }

 func connectGofish(q *QueryParams) (*gofish.APIClient, error) {
-	config := makeGofishConfig(q)
+	config, err := makeGofishConfig(q)
+	if err != nil {
+		return nil, fmt.Errorf("failed to make gofish config: %v", err)
+	}
 	c, err := gofish.Connect(config)
 	if err != nil {
-
 		return nil, fmt.Errorf("could not connect to redfish endpoint: %v", err)
 	}
 	if c != nil {
@ -574,15 +576,42 @@ func connectGofish(q *QueryParams) (*gofish.APIClient, error) {
 	return c, err
 }

-func makeGofishConfig(q *QueryParams) gofish.ClientConfig {
-	url := baseRedfishUrl(q)
+func makeGofishConfig(q *QueryParams) (gofish.ClientConfig, error) {
+	var (
+		client = &http.Client{}
+		url    = baseRedfishUrl(q)
+		config = gofish.ClientConfig{
+			Endpoint:            url,
+			Username:            q.User,
+			Password:            q.Pass,
+			Insecure:            q.CaCertPath == "",
+			TLSHandshakeTimeout: q.Timeout,
+			HTTPClient:          client,
+			// MaxConcurrentRequests: int64(q.Threads),  // NOTE: this was added in latest gofish
+		}
+	)
+	if q.CaCertPath != "" {
+		cacert, err := os.ReadFile(q.CaCertPath)
+		if err != nil {
+			return config, fmt.Errorf("failed to read CA cert file: %v", err)
+		}
+		certPool := x509.NewCertPool()
+		certPool.AppendCertsFromPEM(cacert)
+		client.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{
+				RootCAs: certPool,
+			},
+		}
+	}
 	return gofish.ClientConfig{
 		Endpoint:            url,
 		Username:            q.User,
 		Password:            q.Pass,
-		Insecure:            !q.WithSecureTLS,
+		Insecure:            q.CaCertPath == "",
 		TLSHandshakeTimeout: q.Timeout,
-	}
+		HTTPClient:          client,
+		// MaxConcurrentRequests: int64(q.Threads),  // NOTE: this was added in latest gofish
+	}, nil
 }

 func makeRequest[T any](client *bmclib.Client, fn func(context.Context) (T, error), timeout int) ([]byte, error) {