Skip to content
This repository was archived by the owner on Sep 30, 2024. It is now read-only.

gitserver: include system certificates for git#41253

Merged
keegancsmith merged 6 commits into
mainfrom
k/tls-git
Sep 9, 2022
Merged

gitserver: include system certificates for git#41253
keegancsmith merged 6 commits into
mainfrom
k/tls-git

Conversation

@keegancsmith

@keegancsmith keegancsmith commented Sep 2, 2022

Copy link
Copy Markdown
Member

When specifying certificates for tls.external site configuration we adjust the TLS configuration for go and git. In the case of go we would respect both the certificates specified as well as the system certificate authorities. For git we would only respect the custom certificates. This lead to customers either including system certificates in the site configuration, or baking in the custom certificates into our docker images.

We now will include system certificates for git if running on linux. Given we deploy on Linux this is fine. It isn't possible to support all operating systems, since not all OSs expose certificates. For example darwin does not. This is also why the x509 package in go doesn't expose system certificates, since it can't do it cross platform.

As such we introduce the cacert package which is a modification the x509 to expose the system certificates on Linux.

Test Plan: modified unit tests to output the certificate, validated the certificate included the system certifications. Additionally validated the code did not error on non-linux systems.

Fixes https://github.com/sourcegraph/sourcegraph/issues/38128
Fixes https://github.com/sourcegraph/customer/issues/1136

@keegancsmith
cacert: initial import from stdlib without patch
542ff13 
This is to make it possible to review what we have changed as a commit.
@keegancsmith
cacert: patch and expose loadSystemRoots on linux
1c2311b
@keegancsmith
gitserver: include system certificates for git
c199919 
When specifying certificates for tls.external site configuration we
adjust the TLS configuration for go and git. In the case of go we would
respect both the certificates specified as well as the system
certificate authorities. For git we would only respect the custom
certificates. This lead to customers either including system
certificates in the site configuration, or baking in the custom
certificates into our docker images.

We now will include system certificates for git if running on linux.
Given we deploy on Linux this is fine. It isn't possible to support all
operating systems, since not all OSs expose certificates. For example
darwin does not. This is also why the x509 package in go doesn't expose
system certificates, since it can't do it cross platform.

As such we introduce the cacert package which is a modification the x509
to expose the system certificates on Linux.

Test Plan: modified unit tests to output the certificate, validated the
certificate included the system certifications. Additionally validated
the code did not error on non-linux systems.
@keegancsmith keegancsmith requested a review from a team September 2, 2022 12:01
@cla-bot cla-bot Bot added the cla-signed label Sep 2, 2022
@sourcegraph-bot

sourcegraph-bot commented Sep 2, 2022
edited
Loading

Copy link
Copy Markdown
Contributor

Codenotify: Notifying subscribers in CODENOTIFY files for diff 25cda22...53ca808.

Notify File(s)
@indradhanush cmd/gitserver/server/serverutil.go
cmd/gitserver/server/serverutil_test.go
@ryanslade cmd/gitserver/server/serverutil.go
cmd/gitserver/server/serverutil_test.go
@sashaostrikov cmd/gitserver/server/serverutil.go
cmd/gitserver/server/serverutil_test.go

@keegancsmith keegancsmith mentioned this pull request Sep 2, 2022
Closed
sfllaw
sfllaw reviewed Sep 2, 2022
View reviewed changes
Comment thread cmd/gitserver/server/serverutil.go Outdated
sfllaw
sfllaw reviewed Sep 2, 2022
View reviewed changes
Comment thread cmd/gitserver/server/internal/cacert/root_other.go
@keegancsmith

keegancsmith commented Sep 6, 2022

Copy link
Copy Markdown
Member Author

@sourcegraph/repo-management ping

LawnGnome
LawnGnome approved these changes Sep 8, 2022
View reviewed changes

@LawnGnome LawnGnome left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, after reviewing in conjunction with the relevant bits of the upstream crypto/x509 code.

@keegancsmith keegancsmith enabled auto-merge (squash) September 9, 2022 09:00
@keegancsmith keegancsmith merged commit 510115a into main Sep 9, 2022
@keegancsmith keegancsmith deleted the k/tls-git branch September 9, 2022 09:09
ryanslade
ryanslade reviewed Sep 9, 2022
View reviewed changes

@ryanslade ryanslade left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

unknwon
unknwon reviewed Sep 27, 2022
View reviewed changes

@unknwon unknwon left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

4 more reviewers

@ryanslade ryanslade ryanslade left review comments

@sfllaw sfllaw sfllaw left review comments

@unknwon unknwon unknwon left review comments

@LawnGnome LawnGnome LawnGnome approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cla-signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

gitserver: Setting tls.external.certificates clobbers system Certificate Authorities

6 participants

@keegancsmith @sourcegraph-bot @ryanslade @sfllaw @LawnGnome @unknwon