openwhisk-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jeremiaswer...@apache.org
Subject [incubator-openwhisk] branch master updated: Support client certificate on cli and nginx (#2427)
Date Wed, 19 Jul 2017 12:01:25 GMT
This is an automated email from the ASF dual-hosted git repository.

jeremiaswerner pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git


The following commit(s) were added to refs/heads/master by this push:
     new 8e6b959  Support client certificate on cli and nginx (#2427)
8e6b959 is described below

commit 8e6b95900086a9cd039dd7c48caabc8163e4369b
Author: ningyougang <415622920@qq.com>
AuthorDate: Wed Jul 19 20:01:23 2017 +0800

    Support client certificate on cli and nginx (#2427)
    
    In order to increase the security of auth, it is necessary to add client
    certificate on cli and nginx. So user can use wsk -i property set --cert
    openwhisk-client-cert.pem --key openwhisk-client-key.pem to pass client
    certificate to nginx. If you don't want to use default client certificate
    which system provides, you can create your own client certificate instead
    of them.
---
 ansible/group_vars/all                             |  6 +-
 ansible/roles/nginx/files/genssl.sh                | 75 ++++++++++++++++++----
 ...{openwhisk-key.pem => openwhisk-server-key.pem} |  0
 ansible/roles/nginx/tasks/deploy.yml               |  1 +
 ansible/roles/nginx/templates/nginx.conf.j2        |  3 +-
 ansible/setup.yml                                  |  9 ++-
 ansible/templates/whisk.properties.j2              |  1 +
 docs/cli.md                                        |  8 +++
 tests/src/test/scala/common/Wsk.scala              |  2 +
 .../whisk/core/cli/test/WskBasicUsageTests.scala   | 47 +++++++++++++-
 tools/cli/go-whisk-cli/commands/commands.go        |  5 +-
 tools/cli/go-whisk-cli/commands/flags.go           |  4 ++
 tools/cli/go-whisk-cli/commands/property.go        | 74 ++++++++++++++++++++-
 tools/cli/go-whisk-cli/commands/wsk.go             |  2 +
 .../go-whisk-cli/wski18n/resources/en_US.all.json  | 24 +++++++
 tools/cli/go-whisk/whisk/client.go                 | 17 ++++-
 16 files changed, 252 insertions(+), 26 deletions(-)

diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 18512b1..7f2f269 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -166,10 +166,12 @@ nginx:
     adminportal: 8443
   ssl:
     path: "{{ openwhisk_home }}/ansible/roles/nginx/files"
-    cert: "openwhisk-cert.pem"
-    key: "openwhisk-key.pem"
+    cert: "openwhisk-server-cert.pem"
+    key: "openwhisk-server-key.pem"
     password_enabled: false
     password_file: "ssl.pass"
+    client_ca_cert: "{{ openwhisk_client_ca_cert | default('openwhisk-client-ca-cert.pem')
}}"
+    verify_client: "{{ nginx_ssl_verify_client | default('off') }}"
 
 # These are the variables to define all database relevant settings.
 # The authKeys are the users, that are initially created to use OpenWhisk.
diff --git a/ansible/roles/nginx/files/genssl.sh b/ansible/roles/nginx/files/genssl.sh
index f5dd89f..d78400d 100755
--- a/ansible/roles/nginx/files/genssl.sh
+++ b/ansible/roles/nginx/files/genssl.sh
@@ -8,22 +8,71 @@ if [ "$#" -ne 1 ]; then
     echo "usage: $0 [common name: host or ip]"
 fi
 CN=$1
+TYPE=$2
+PASSWORD="openwhisk"
 
 ## generates a (self-signed) certificate
 
 ## uncomment to regenerate the key
-#openssl genrsa -out "$SCRIPTDIR/openwhisk-key.pem" 2048
+#openssl genrsa -out "$SCRIPTDIR/openwhisk-server-key.pem" 2048
 
-echo generating certificate request
-openssl req -new \
-    -key "$SCRIPTDIR/openwhisk-key.pem" \
-    -nodes \
+if [ "$TYPE" == "server" ]; then
+    echo generating server certificate request
+    openssl req -new \
+        -key "$SCRIPTDIR/openwhisk-server-key.pem" \
+        -nodes \
+        -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
+        -out "$SCRIPTDIR/openwhisk-server-request.csr"
+
+    echo generating self-signed password-less server certificate
+    openssl x509 -req \
+        -in "$SCRIPTDIR/openwhisk-server-request.csr" \
+        -signkey "$SCRIPTDIR/openwhisk-server-key.pem" \
+        -out "$SCRIPTDIR/openwhisk-server-cert.pem" \
+        -days 365
+else
+    echo generating client ca key
+    openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-ca-key.pem"
2048
+
+    echo generating client ca request
+    openssl req -new \
+    -key "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
+    -passin pass:$PASSWORD \
     -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=$CN" \
-    -out "$SCRIPTDIR/openwhisk-request.csr"
-
-echo generating self-signed password-less certificate
-openssl x509 -req \
-    -in "$SCRIPTDIR/openwhisk-request.csr" \
-    -signkey "$SCRIPTDIR/openwhisk-key.pem" \
-    -out "$SCRIPTDIR/openwhisk-cert.pem" \
-    -days 365
+    -out "$SCRIPTDIR/openwhisk-client-ca.csr"
+
+    echo generating client ca pem
+    openssl x509 -req \
+    -in "$SCRIPTDIR/openwhisk-client-ca.csr" \
+    -signkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
+    -passin pass:$PASSWORD \
+    -out "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
+    -days 365 -sha1 -extensions v3_ca
+
+    echo generating client key
+    openssl genrsa -aes256 -passout pass:$PASSWORD -out "$SCRIPTDIR/openwhisk-client-key.pem"
2048
+
+    echo generating client certificate csr file
+    openssl req -new \
+    -key "$SCRIPTDIR/openwhisk-client-key.pem" \
+    -passin pass:$PASSWORD \
+    -subj "/C=US/ST=NY/L=Yorktown/O=OpenWhisk/CN=guest" \
+    -out "$SCRIPTDIR/openwhisk-client-certificate-request.csr"
+
+    echo generating self-signed client certificate
+    echo 01 > $SCRIPTDIR/openwhisk-client-ca-cert.srl
+    openssl x509 -req \
+    -in "$SCRIPTDIR/openwhisk-client-certificate-request.csr" \
+    -CA "$SCRIPTDIR/openwhisk-client-ca-cert.pem" \
+    -CAkey "$SCRIPTDIR/openwhisk-client-ca-key.pem" \
+    -CAserial "$SCRIPTDIR/openwhisk-client-ca-cert.srl" \
+    -passin pass:$PASSWORD \
+    -out "$SCRIPTDIR/openwhisk-client-cert.pem" \
+    -days 365 -sha1 -extensions v3_req
+
+    echo remove client key\'s password
+    openssl rsa \
+    -in "$SCRIPTDIR/openwhisk-client-key.pem" \
+    -passin pass:$PASSWORD \
+    -out "$SCRIPTDIR/openwhisk-client-key.pem"
+fi
diff --git a/ansible/roles/nginx/files/openwhisk-key.pem b/ansible/roles/nginx/files/openwhisk-server-key.pem
similarity index 100%
rename from ansible/roles/nginx/files/openwhisk-key.pem
rename to ansible/roles/nginx/files/openwhisk-server-key.pem
diff --git a/ansible/roles/nginx/tasks/deploy.yml b/ansible/roles/nginx/tasks/deploy.yml
index 8fafa24..c5b48f3 100644
--- a/ansible/roles/nginx/tasks/deploy.yml
+++ b/ansible/roles/nginx/tasks/deploy.yml
@@ -18,6 +18,7 @@
   with_items:
         - "{{ nginx.ssl.cert }}"
         - "{{ nginx.ssl.key }}"
+        - "{{ nginx.ssl.client_ca_cert }}"
 
 - name: copy password files for cert from local to remote in nginx config directory
   copy:
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2
index 4795746..d8526d7 100644
--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@@ -45,7 +45,8 @@ http {
         {% if nginx.ssl.password_enabled %}
         ssl_password_file   "/etc/nginx/{{ nginx.ssl.password_file }}";
         {% endif %}
-        ssl_verify_client off;
+        ssl_client_certificate /etc/nginx/{{ nginx.ssl.client_ca_cert }};
+        ssl_verify_client {{ nginx.ssl.verify_client }};
         ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers RC4:HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers on;
diff --git a/ansible/setup.yml b/ansible/setup.yml
index 78e187a..28d02c5 100644
--- a/ansible/setup.yml
+++ b/ansible/setup.yml
@@ -30,7 +30,10 @@
     local_action: template src="db_local.ini.j2" dest="{{ playbook_dir }}/db_local.ini"
     when: not db.stat.exists
 
-  - name: gen untrusted certificate for host
-    local_action: shell "{{ playbook_dir }}/roles/nginx/files/genssl.sh" "*.{{ whisk_api_localhost_name
| default(whisk_api_host_name) | default(whisk_api_localhost_name_default) }}"
-    when: nginx.ssl.cert == "openwhisk-cert.pem"
+  - name: gen untrusted server certificate for host
+    local_action: shell "{{ playbook_dir }}/roles/nginx/files/genssl.sh" "*.{{ whisk_api_localhost_name
| default(whisk_api_host_name) | default(whisk_api_localhost_name_default) }}" "server"
+    when: nginx.ssl.cert == "openwhisk-server-cert.pem"
     
+  - name: gen untrusted client certificate for host
+    local_action: shell "{{ playbook_dir }}/roles/nginx/files/genssl.sh" "*.{{ whisk_api_localhost_name
| default(whisk_api_host_name) | default(whisk_api_localhost_name_default) }}" "client"
+    when: nginx.ssl.client_ca_cert == "openwhisk-client-ca-cert.pem"
diff --git a/ansible/templates/whisk.properties.j2 b/ansible/templates/whisk.properties.j2
index ac65f3a..728bff6 100644
--- a/ansible/templates/whisk.properties.j2
+++ b/ansible/templates/whisk.properties.j2
@@ -10,6 +10,7 @@ whisk.logs.dir={{ whisk_logs_dir }}
 whisk.version.name={{ whisk_version_name }}
 whisk.version.date={{ whisk.version.date }}
 whisk.version.buildno={{ docker.image.tag }}
+whisk.ssl.client.verification={{ nginx.ssl.verify_client }}
 whisk.ssl.cert={{ nginx.ssl.path }}/{{ nginx.ssl.cert }}
 whisk.ssl.key={{ nginx.ssl.path }}/{{ nginx.ssl.key }}
 whisk.ssl.challenge=openwhisk
diff --git a/docs/cli.md b/docs/cli.md
index 76ea5a6..fc8890e 100644
--- a/docs/cli.md
+++ b/docs/cli.md
@@ -52,3 +52,11 @@ After you have configured your environment, you can begin using the OpenWhisk
CL
 The CLI can be setup to use an HTTPS proxy. To setup an HTTPS proxy, an environment variable
called `HTTPS_PROXY` must be created. The variable must be set to the address of the HTTPS
proxy, and its port using the following format:
 `{PROXY IP}:{PROXY PORT}`.
 
+## Configure the CLI to use client certificate
+The CLI has an extra level of security from client to apihost, system provides default client
certificate configuration which deployment process generated, then you can refer to below
steps to use client certificate:
+* The client certificate verification is off default, you can configure `nginx_ssl_verify_client`
to `on` or `optional` to open it for your corresponding environment configuration.
+* Create your own client certificate instead of system provides if you want, after created,
you can configure `openwhisk_client_ca_cert` to your own ca cert path for your corresponding
environment configuration.
+* Run the follwing command to pass client certificate:
+```
+./bin/wsk property set --cert <client_cert_path> --key <client_key_path>
+```
diff --git a/tests/src/test/scala/common/Wsk.scala b/tests/src/test/scala/common/Wsk.scala
index 32a7482..5b9e403 100644
--- a/tests/src/test/scala/common/Wsk.scala
+++ b/tests/src/test/scala/common/Wsk.scala
@@ -71,6 +71,8 @@ import whisk.utils.retry
 
 case class WskProps(
     authKey: String = WhiskProperties.readAuthKey(WhiskProperties.getAuthFileForTesting),
+    cert: String = WhiskProperties.getFileRelativeToWhiskHome("ansible/roles/nginx/files/openwhisk-client-cert.pem").getAbsolutePath,
+    key: String = WhiskProperties.getFileRelativeToWhiskHome("ansible/roles/nginx/files/openwhisk-client-key.pem").getAbsolutePath
,
     namespace: String = "_",
     apiversion: String = "v1",
     apihost: String = WhiskProperties.getEdgeHost) {
diff --git a/tests/src/test/scala/whisk/core/cli/test/WskBasicUsageTests.scala b/tests/src/test/scala/whisk/core/cli/test/WskBasicUsageTests.scala
index e16285e..4a1be09 100644
--- a/tests/src/test/scala/whisk/core/cli/test/WskBasicUsageTests.scala
+++ b/tests/src/test/scala/whisk/core/cli/test/WskBasicUsageTests.scala
@@ -112,6 +112,41 @@ class WskBasicUsageTests
         }
     }
 
+    // If client certificate verification is off, should ingore run below tests.
+    if (!WhiskProperties.getProperty("whisk.ssl.client.verification").equals("off")){
+        it should "set valid cert key to get expected success result for client certificate
verification" in {
+            val tmpwskprops = File.createTempFile("wskprops", ".tmp")
+            try {
+                val namespace = wsk.namespace.list().stdout.trim.split("\n").last
+                val env = Map("WSK_CONFIG_FILE" -> tmpwskprops.getAbsolutePath())
+                // Send request to https://<apihost>/api/v1/namespaces, wsk client
passes client certificate to nginx, nginx will
+                // verify it by client ca's openwhisk-client-ca-cert.pem
+                val stdout = wsk.cli(Seq("property", "set", "-i", "--apihost", wskprops.apihost,
"--auth", wskprops.authKey,
+                    "--cert", wskprops.cert, "--key", wskprops.key, "--namespace", namespace),
env = env).stdout
+                stdout should include(s"ok: client cert set")
+                stdout should include(s"ok: client key set")
+                stdout should include(s"ok: whisk auth set")
+                stdout should include(s"ok: whisk API host set to ${wskprops.apihost}")
+                stdout should include(s"ok: whisk namespace set to ${namespace}")
+            } finally {
+                tmpwskprops.delete()
+            }
+        }
+
+        it should "set invalid cert key to get expected exception result for client certificate
verification" in {
+            val tmpwskprops = File.createTempFile("wskprops", ".tmp")
+            try {
+                val namespace = wsk.namespace.list().stdout.trim.split("\n").last
+                val env = Map("WSK_CONFIG_FILE" -> tmpwskprops.getAbsolutePath())
+                val thrown = the [Exception] thrownBy wsk.cli(Seq("property", "set", "-i",
"--apihost", wskprops.apihost, "--auth", wskprops.authKey,
+                    "--cert", "invalid-cert.pem", "--key", "invalid-key.pem", "--namespace",
namespace), env = env)
+                thrown.getMessage should include ("cannot validate certificate")
+            } finally {
+                tmpwskprops.delete()
+            }
+        }
+    }
+
     it should "ensure default namespace is used when a blank namespace is set" in {
         val tmpwskprops = File.createTempFile("wskprops", ".tmp")
         try {
@@ -169,15 +204,21 @@ class WskBasicUsageTests
     it should "validate default property values" in {
         val tmpwskprops = File.createTempFile("wskprops", ".tmp")
         val env = Map("WSK_CONFIG_FILE" -> tmpwskprops.getAbsolutePath())
-        val stdout = wsk.cli(Seq("property", "unset", "--auth", "--apihost", "--apiversion",
"--namespace"), env = env).stdout
+        val stdout = wsk.cli(Seq("property", "unset", "--auth", "--cert", "--key", "--apihost",
"--apiversion", "--namespace"), env = env).stdout
         try {
             stdout should include regex ("ok: whisk auth unset")
+            stdout should include regex ("ok: client cert unset")
+            stdout should include regex ("ok: client key unset")
             stdout should include regex ("ok: whisk API host unset")
             stdout should include regex ("ok: whisk API version unset")
             stdout should include regex ("ok: whisk namespace unset")
 
             wsk.cli(Seq("property", "get", "--auth"), env = env).
                 stdout should include regex ("""(?i)whisk auth\s*$""") // default = empty
string
+            wsk.cli(Seq("property", "get", "--cert"), env = env).
+              stdout should include regex ("""(?i)client cert\s*$""") // default = empty
string
+            wsk.cli(Seq("property", "get", "--key"), env = env).
+              stdout should include regex ("""(?i)client key\s*$""") // default = empty string
             wsk.cli(Seq("property", "get", "--apihost"), env = env).
                 stdout should include regex ("""(?i)whisk API host\s*$""") // default = empty
string
             wsk.cli(Seq("property", "get", "--namespace"), env = env).
@@ -202,9 +243,11 @@ class WskBasicUsageTests
     it should "set multiple property values with single command" in {
         val tmpwskprops = File.createTempFile("wskprops", ".tmp")
         val env = Map("WSK_CONFIG_FILE" -> tmpwskprops.getAbsolutePath())
-        val stdout = wsk.cli(Seq("property", "set", "--auth", "testKey", "--apihost", "openwhisk.ng.bluemix.net",
"--apiversion", "v1"), env = env).stdout
+        val stdout = wsk.cli(Seq("property", "set", "--auth", "testKey", "--cert", "cert.pem",
"--key", "key.pem", "--apihost", "openwhisk.ng.bluemix.net", "--apiversion", "v1"), env =
env).stdout
         try {
             stdout should include regex ("ok: whisk auth set")
+            stdout should include regex ("ok: client cert set")
+            stdout should include regex ("ok: client key set")
             stdout should include regex ("ok: whisk API host set")
             stdout should include regex ("ok: whisk API version set")
             val fileContent = FileUtils.readFileToString(tmpwskprops)
diff --git a/tools/cli/go-whisk-cli/commands/commands.go b/tools/cli/go-whisk-cli/commands/commands.go
index 3041c53..aed1660 100644
--- a/tools/cli/go-whisk-cli/commands/commands.go
+++ b/tools/cli/go-whisk-cli/commands/commands.go
@@ -36,7 +36,8 @@ func setupClientConfig(cmd *cobra.Command, args []string) (error){
 
     // Determine if the parent command will require the API host to be set
     apiHostRequired := (cmd.Parent().Name() == "property" && cmd.Name() == "get"
&& (flags.property.auth ||
-      flags.property.apihost || flags.property.namespace || flags.property.apiversion ||
flags.property.cliversion)) ||
+      flags.property.cert || flags.property.key || flags.property.apihost || flags.property.namespace
||
+      flags.property.apiversion || flags.property.cliversion)) ||
       (cmd.Parent().Name() == "property" && cmd.Name() == "set" && (len(flags.property.apihostSet)
> 0 ||
         len(flags.property.apiversionSet) > 0 || len(flags.global.auth) > 0)) ||
       (cmd.Parent().Name() == "sdk" && cmd.Name() == "install" && len(args)
> 0 && args[0] == "bashauto")
@@ -51,6 +52,8 @@ func setupClientConfig(cmd *cobra.Command, args []string) (error){
     }
 
     clientConfig := &whisk.Config{
+        Cert: Properties.Cert,
+        Key: Properties.Key,
         AuthToken:  Properties.Auth,
         Namespace:  Properties.Namespace,
         BaseURL:    baseURL,
diff --git a/tools/cli/go-whisk-cli/commands/flags.go b/tools/cli/go-whisk-cli/commands/flags.go
index a4fc3c0..d506109 100644
--- a/tools/cli/go-whisk-cli/commands/flags.go
+++ b/tools/cli/go-whisk-cli/commands/flags.go
@@ -39,6 +39,8 @@ type Flags struct {
     global struct {
         verbose     bool
         debug       bool
+        cert        string
+        key         string
         auth        string
         apihost     string
         apiversion  string
@@ -62,6 +64,8 @@ type Flags struct {
     }
 
     property struct {
+        cert            bool
+        key             bool
         auth            bool
         apihost         bool
         apiversion      bool
diff --git a/tools/cli/go-whisk-cli/commands/property.go b/tools/cli/go-whisk-cli/commands/property.go
index 7078cf6..0aba5f4 100644
--- a/tools/cli/go-whisk-cli/commands/property.go
+++ b/tools/cli/go-whisk-cli/commands/property.go
@@ -31,6 +31,8 @@ import (
 )
 
 var Properties struct {
+    Cert       string
+    Key        string
     Auth       string
     APIHost    string
     APIVersion string
@@ -41,6 +43,8 @@ var Properties struct {
     PropsFile  string
 }
 
+const DefaultCert       string = ""
+const DefaultKey        string = ""
 const DefaultAuth       string = ""
 const DefaultAPIHost    string = ""
 const DefaultAPIVersion string = "v1"
@@ -77,6 +81,21 @@ var propertySetCmd = &cobra.Command{
         }
 
         // read in each flag, update if necessary
+        if cert := flags.global.cert; len(cert) > 0 {
+            props["CERT"] = cert
+            client.Config.Cert = cert
+            okMsg += fmt.Sprintf(
+                wski18n.T("{{.ok}} client cert set. Run 'wsk property get --cert' to see
the new value.\n",
+                    map[string]interface{}{"ok": color.GreenString("ok:")}))
+        }
+
+        if key := flags.global.key; len(key) > 0 {
+            props["KEY"] = key
+            client.Config.Key = key
+            okMsg += fmt.Sprintf(
+                wski18n.T("{{.ok}} client key set. Run 'wsk property get --key' to see the
new value.\n",
+                    map[string]interface{}{"ok": color.GreenString("ok:")}))
+        }
 
         if auth := flags.global.auth; len(auth) > 0 {
             props["AUTH"] = auth
@@ -184,6 +203,20 @@ var propertyUnsetCmd = &cobra.Command{
 
         // read in each flag, update if necessary
 
+        if flags.property.cert {
+            delete(props, "CERT")
+            okMsg += fmt.Sprintf(
+                wski18n.T("{{.ok}} client cert unset.\n",
+                    map[string]interface{}{"ok": color.GreenString("ok:")}))
+        }
+
+        if flags.property.key {
+            delete(props, "KEY")
+            okMsg += fmt.Sprintf(
+                wski18n.T("{{.ok}} client key unset.\n",
+                    map[string]interface{}{"ok": color.GreenString("ok:")}))
+        }
+
         if flags.property.auth {
             delete(props, "AUTH")
             okMsg += fmt.Sprintf(
@@ -255,13 +288,22 @@ var propertyGetCmd = &cobra.Command{
     RunE: func(cmd *cobra.Command, args []string) error {
 
         // If no property is explicitly specified, default to all properties
-        if !(flags.property.all || flags.property.auth ||
+        if !(flags.property.all || flags.property.cert ||
+             flags.property.key || flags.property.auth ||
              flags.property.apiversion || flags.property.cliversion ||
              flags.property.namespace || flags.property.apibuild ||
              flags.property.apihost || flags.property.apibuildno) {
             flags.property.all = true
         }
 
+        if flags.property.all || flags.property.cert {
+            fmt.Fprintf(color.Output, "%s\t\t%s\n", wski18n.T("client cert"), boldString(Properties.Cert))
+        }
+
+        if flags.property.all || flags.property.key {
+            fmt.Fprintf(color.Output, "%s\t\t%s\n", wski18n.T("client key"), boldString(Properties.Key))
+        }
+
         if flags.property.all || flags.property.auth {
             fmt.Fprintf(color.Output, "%s\t\t%s\n", wski18n.T("whisk auth"), boldString(Properties.Auth))
         }
@@ -317,6 +359,8 @@ func init() {
     )
 
     // need to set property flags as booleans instead of strings... perhaps with boolApihost...
+    propertyGetCmd.Flags().BoolVar(&flags.property.cert, "cert", false, wski18n.T("client
cert"))
+    propertyGetCmd.Flags().BoolVar(&flags.property.key, "key", false, wski18n.T("client
key"))
     propertyGetCmd.Flags().BoolVar(&flags.property.auth, "auth", false, wski18n.T("authorization
key"))
     propertyGetCmd.Flags().BoolVar(&flags.property.apihost, "apihost", false, wski18n.T("whisk
API host"))
     propertyGetCmd.Flags().BoolVar(&flags.property.apiversion, "apiversion", false, wski18n.T("whisk
API version"))
@@ -327,10 +371,14 @@ func init() {
     propertyGetCmd.Flags().BoolVar(&flags.property.all, "all", false, wski18n.T("all
properties"))
 
     propertySetCmd.Flags().StringVarP(&flags.global.auth, "auth", "u", "", wski18n.T("authorization
`KEY`"))
+    propertySetCmd.Flags().StringVar(&flags.global.cert, "cert", "", wski18n.T("client
cert"))
+    propertySetCmd.Flags().StringVar(&flags.global.key, "key", "", wski18n.T("client
key"))
     propertySetCmd.Flags().StringVar(&flags.property.apihostSet, "apihost", "", wski18n.T("whisk
API `HOST`"))
     propertySetCmd.Flags().StringVar(&flags.property.apiversionSet, "apiversion", "",
wski18n.T("whisk API `VERSION`"))
     propertySetCmd.Flags().StringVar(&flags.property.namespaceSet, "namespace", "", wski18n.T("whisk
`NAMESPACE`"))
 
+    propertyUnsetCmd.Flags().BoolVar(&flags.property.cert, "cert", false, wski18n.T("client
cert"))
+    propertyUnsetCmd.Flags().BoolVar(&flags.property.key, "key", false, wski18n.T("client
key"))
     propertyUnsetCmd.Flags().BoolVar(&flags.property.auth, "auth", false, wski18n.T("authorization
key"))
     propertyUnsetCmd.Flags().BoolVar(&flags.property.apihost, "apihost", false, wski18n.T("whisk
API host"))
     propertyUnsetCmd.Flags().BoolVar(&flags.property.apiversion, "apiversion", false,
wski18n.T("whisk API version"))
@@ -339,6 +387,8 @@ func init() {
 }
 
 func SetDefaultProperties() {
+    Properties.Key = DefaultCert
+    Properties.Cert = DefaultKey
     Properties.Auth = DefaultAuth
     Properties.Namespace = DefaultNamespace
     Properties.APIHost = DefaultAPIHost
@@ -399,6 +449,14 @@ func loadProperties() error {
         return werr
     }
 
+    if cert, hasProp := props["CERT"]; hasProp {
+        Properties.Cert = cert
+    }
+
+    if key, hasProp := props["KEY"]; hasProp {
+        Properties.Key = key
+    }
+
     if authToken, hasProp := props["AUTH"]; hasProp {
         Properties.Auth = authToken
     }
@@ -436,6 +494,20 @@ func loadProperties() error {
 
 func parseConfigFlags(cmd *cobra.Command, args []string) error {
 
+    if cert := flags.global.cert; len(cert) > 0 {
+        Properties.Cert = cert
+        if client != nil {
+            client.Config.Cert = cert
+        }
+    }
+
+    if key := flags.global.key; len(key) > 0 {
+        Properties.Key = key
+        if client != nil {
+            client.Config.Key = key
+        }
+    }
+
     if auth := flags.global.auth; len(auth) > 0 {
         Properties.Auth = auth
         if client != nil {
diff --git a/tools/cli/go-whisk-cli/commands/wsk.go b/tools/cli/go-whisk-cli/commands/wsk.go
index f8eab5c..e18b978 100644
--- a/tools/cli/go-whisk-cli/commands/wsk.go
+++ b/tools/cli/go-whisk-cli/commands/wsk.go
@@ -60,6 +60,8 @@ func init() {
 
     WskCmd.PersistentFlags().BoolVarP(&flags.global.verbose, "verbose", "v", false, wski18n.T("verbose
output"))
     WskCmd.PersistentFlags().BoolVarP(&flags.global.debug, "debug", "d", false, wski18n.T("debug
level output"))
+    WskCmd.PersistentFlags().StringVar(&flags.global.cert, "cert", "", wski18n.T("client
cert"))
+    WskCmd.PersistentFlags().StringVar(&flags.global.key, "key", "", wski18n.T("client
key"))
     WskCmd.PersistentFlags().StringVarP(&flags.global.auth, "auth", "u", "", wski18n.T("authorization
`KEY`"))
     WskCmd.PersistentFlags().StringVar(&flags.global.apihost, "apihost", "", wski18n.T("whisk
API `HOST`"))
     WskCmd.PersistentFlags().StringVar(&flags.global.apiversion, "apiversion", "", wski18n.T("whisk
API `VERSION`"))
diff --git a/tools/cli/go-whisk-cli/wski18n/resources/en_US.all.json b/tools/cli/go-whisk-cli/wski18n/resources/en_US.all.json
index 7d3929e..9b513a3 100644
--- a/tools/cli/go-whisk-cli/wski18n/resources/en_US.all.json
+++ b/tools/cli/go-whisk-cli/wski18n/resources/en_US.all.json
@@ -253,6 +253,14 @@
     "translation": "Unable to set the property value: {{.err}}"
   },
   {
+    "id": "{{.ok}} client cert set. Run 'wsk property get --cert' to see the new value.\n",
+    "translation": "{{.ok}} client cert set. Run 'wsk property get --cert' to see the new
value.\n"
+  },
+  {
+    "id": "{{.ok}} client key set. Run 'wsk property get --key' to see the new value.\n",
+    "translation": "{{.ok}} client key set. Run 'wsk property get --key' to see the new value.\n"
+  },
+  {
     "id": "{{.ok}} whisk auth set. Run 'wsk property get --auth' to see the new value.\n",
     "translation": "{{.ok}} whisk auth set. Run 'wsk property get --auth' to see the new
value.\n"
   },
@@ -293,6 +301,14 @@
     "translation": "Unable to unset the property value: {{.err}}"
   },
   {
+    "id": "{{.ok}} client cert unset.\n",
+    "translation": "{{.ok}} client cert unset.\n"
+  },
+  {
+    "id": "{{.ok}} client key unset.\n",
+    "translation": "{{.ok}} client key unset.\n"
+  },
+  {
     "id": "{{.ok}} whisk auth unset.\n",
     "translation": "{{.ok}} whisk auth unset.\n"
   },
@@ -321,6 +337,14 @@
     "translation": "get property"
   },
   {
+    "id": "client cert",
+    "translation": "client cert"
+  },
+  {
+    "id": "client key",
+    "translation": "client key"
+  },
+  {
     "id": "whisk auth",
     "translation": "whisk auth"
   },
diff --git a/tools/cli/go-whisk/whisk/client.go b/tools/cli/go-whisk/whisk/client.go
index ab50696..dbe8dd3 100644
--- a/tools/cli/go-whisk/whisk/client.go
+++ b/tools/cli/go-whisk/whisk/client.go
@@ -67,6 +67,8 @@ type Client struct {
 
 type Config struct {
     Namespace 	string // NOTE :: Default is "_"
+    Cert        string
+    Key         string
     AuthToken 	string
     Host		string
     BaseURL   	*url.URL // NOTE :: Default is "openwhisk.ng.bluemix.net"
@@ -81,9 +83,18 @@ func NewClient(httpClient *http.Client, config *Config) (*Client, error)
{
     // Disable certificate checking in the dev environment if in insecure mode
     if config.Insecure {
         Debug(DbgInfo, "Disabling certificate checking.\n")
-
-        tlsConfig := &tls.Config{
-            InsecureSkipVerify: true,
+        var tlsConfig *tls.Config
+        if config.Cert != "" && config.Key != "" {
+            if cert, err := tls.LoadX509KeyPair(config.Cert, config.Key); err == nil {
+                tlsConfig = &tls.Config{
+                    Certificates: []tls.Certificate{cert},
+                    InsecureSkipVerify: true,
+                }
+            }
+        }else{
+            tlsConfig = &tls.Config{
+                InsecureSkipVerify: true,
+            }
         }
 
         http.DefaultClient.Transport = &http.Transport{

-- 
To stop receiving notification emails like this one, please contact
['"commits@openwhisk.apache.org" <commits@openwhisk.apache.org>'].

Mime
View raw message