api: expand client cert search capabilities (#395)

Add API support for the newly-expanded client cert search capabilities. Update the API proto definitions and implementation logic. Remove the previous (unreleased) client_cert_issuer_cn API field.
pomerium · Jan 22, 2024 · 3ebce1c · 3ebce1c
1 parent 012055f
commit 3ebce1c
Show file tree

Hide file tree

Showing 3 changed files with 223 additions and 120 deletions.
diff --git a/api/tunnel.go b/api/tunnel.go
@@ -16,6 +16,7 @@ import (
  "google.golang.org/protobuf/proto"
  "google.golang.org/protobuf/types/known/timestamppb"
 
+ "github.com/pomerium/cli/certstore"
  pb "github.com/pomerium/cli/proto"
  "github.com/pomerium/cli/tcptunnel"
 )
@@ -102,7 +103,13 @@ func getTLSConfig(conn *pb.Connection) (*tls.Config, error) {
  }
  cfg.Certificates = append(cfg.Certificates, cert)
  }
- // TODO: add option corresponding to --client-cert-from-store
+ if c := conn.ClientCertFromStore; c != nil {
+ f, err := certstore.GetClientCertificateFunc(c.GetIssuerFilter(), c.GetSubjectFilter())
+ if err != nil {
+ return nil, fmt.Errorf("client cert from store: %w", err)
+ }
+ cfg.GetClientCertificate = f
+ }
 
  if len(conn.GetCaCert()) == 0 {
  return cfg, nil