[lxc-devel] [lxd/master] lxc/config: More TLS optimizations

stgraber on Github lxc-bot at linuxcontainers.org
Sun Oct 7 18:52:17 UTC 2018


From a76df1eadc1187520c2cf8ee98b3b368b4c06a24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Sun, 7 Oct 2018 14:51:53 -0400
Subject: [PATCH] lxc/config: More TLS optimizations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxc/config/remote.go | 50 +++++++++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/lxc/config/remote.go b/lxc/config/remote.go
index 02b7660729..4954159ec7 100644
--- a/lxc/config/remote.go
+++ b/lxc/config/remote.go
@@ -70,7 +70,7 @@ func (c *Config) GetContainerServer(name string) (lxd.ContainerServer, error) {
 	}
 
 	// HTTPs
-	if args.TLSClientCert == "" || args.TLSClientKey == "" {
+	if remote.AuthType != "candid" && (args.TLSClientCert == "" || args.TLSClientKey == "") {
 		return nil, fmt.Errorf("Missing TLS client certificate and key")
 	}
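Review bot: The candid exemption on the changed `if` line compares `remote.AuthType` against the bare literal "candid", and the second hunk repeats the same literal at its early return; a single package-level constant such as `const authTypeCandid = "candid"` used in both places would keep the two checks from drifting apart. The `// HTTPs` comment above the check no longer explains why the cert-and-key requirement is skipped; `// HTTPs: a TLS client cert/key pair is mandatory unless the remote authenticates with candid` would. GetContainerServer's body starts and ends outside the hunk.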
 
@@ -147,7 +147,23 @@ func (c *Config) getConnectionArgs(name string) (*lxd.ConnectionArgs, error) {
 		args.CookieJar = c.cookiejar
 	}
 
-	if strings.HasPrefix(remote.Addr, "unix:") || remote.Protocol == "simplestreams" {
+	// Stop here if no TLS involved
+	if strings.HasPrefix(remote.Addr, "unix:") {
+		return &args, nil
+	}
+
+	// Server certificate
+	if shared.PathExists(c.ServerCertPath(name)) {
+		content, err := ioutil.ReadFile(c.ServerCertPath(name))
+		if err != nil {
+			return nil, err
+		}
+
+		args.TLSServerCert = string(content)
+	}
+
+	// Stop here if no client certificate involved
+	if remote.Protocol == "simplestreams" || remote.AuthType == "candid" {
 		return &args, nil
 	}
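Review bot: A stale or unreadable file at `c.ServerCertPath(name)` now fails simplestreams and candid remotes, which the removed early return used to skip before the server-certificate read; neither the commit message ("More TLS optimizations") nor the `// Server certificate` comment says that those remotes are now pinned to the stored server cert, and that is the security-relevant part of the reorder. `c.ServerCertPath(name)` is also evaluated twice in that block, once for the existence check and once for the read; a single `serverCert := c.ServerCertPath(name)` above the `if` avoids recomputing the path between the two calls. The `// Stop here if no TLS involved` comment would be more precise as `// Stop here if no TLS involved (unix socket)`, since simplestreams remotes over HTTPS do use TLS and now fall through to the server-certificate block. getConnectionArgs's body starts and ends outside the hunk.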
 
@@ -161,6 +177,16 @@ func (c *Config) getConnectionArgs(name string) (*lxd.ConnectionArgs, error) {
 		args.TLSClientCert = string(content)
 	}
 
+	// Client CA
+	if shared.PathExists(c.ConfigPath("client.ca")) {
+		content, err := ioutil.ReadFile(c.ConfigPath("client.ca"))
+		if err != nil {
+			return nil, err
+		}
+
+		args.TLSCA = string(content)
+	}
+
 	// Client key
 	if shared.PathExists(c.ConfigPath("client.key")) {
 		content, err := ioutil.ReadFile(c.ConfigPath("client.key"))
@@ -190,25 +216,5 @@ func (c *Config) getConnectionArgs(name string) (*lxd.ConnectionArgs, error) {
 		args.TLSClientKey = string(content)
 	}
 
-	// Client CA
-	if shared.PathExists(c.ConfigPath("client.ca")) {
-		content, err := ioutil.ReadFile(c.ConfigPath("client.ca"))
-		if err != nil {
-			return nil, err
-		}
-
-		args.TLSCA = string(content)
-	}
-
-	// Server certificate
-	if shared.PathExists(c.ServerCertPath(name)) {
-		content, err := ioutil.ReadFile(c.ServerCertPath(name))
-		if err != nil {
-			return nil, err
-		}
-
-		args.TLSServerCert = string(content)
-	}
-
 	return &args, nil
 }

