fix: allow TLS with remote docker when using public CA

This provides a small fix that allows you to define docker hosts that you can connect with in three different ways: 1. Mutual TLS, docker host uses non-standard CA 2. Mutual TLS, docker host uses standard CA 3. No Authentication, docker host uses non-standard CA 4. No authentication, docker host uses standard CA In the previous implementation only condition 1 and 4 were allowed. This makes condition 2 and 3 possible. The logic is a little messy, but it works. DCO-1.1 Signed-off-by: Patrick Wagstrom <160672+pridkett@users.noreply.github.com>
2024-11-23 14:54:05 +00:00 · 2024-09-21 18:01:42 -04:00 · 2024-09-21 18:01:42 -04:00 · 495bf51ac8
commit 495bf51ac8
parent dd75890364
1 changed files with 28 additions and 9 deletions
--- a/server/docker.js
+++ b/server/docker.js
@ -156,15 +156,34 @@ class DockerHost {
        let certPath = path.join(Database.dockerTLSDir, dirName, DockerHost.CertificateFileNameCert);
        let keyPath = path.join(Database.dockerTLSDir, dirName, DockerHost.CertificateFileNameKey);

-        if (dockerType === "tcp" && fs.existsSync(caPath) && fs.existsSync(certPath) && fs.existsSync(keyPath)) {
-            let ca = fs.readFileSync(caPath);
-            let key = fs.readFileSync(keyPath);
-            let cert = fs.readFileSync(certPath);
-            certOptions = {
-                ca,
-                key,
-                cert
-            };
+        if (dockerType === "tcp") {
+            if (fs.existsSync(keyPath) && fs.existsSync(certPath)) {
+                // Load the key and cert
+                key = fs.readFileSync(keyPath);
+                cert = fs.readFileSync(certPath);
+
+                if (fs.existsSync(caPath)) {
+                    // Condition 1: Mutual TLS with self-signed certificate
+                    ca = fs.readFileSync(caPath);
+                    certOptions = {
+                        ca,
+                        key,
+                        cert
+                    };
+                } else {
+                    // Condition 2: Mutual TLS with certificate in the standard trust store
+                    certOptions = {
+                        key,
+                        cert
+                    };
+                }
+            } else if (fs.existsSync(caPath)) {
+                // Condition 3: TLS using self-signed certificate (without mutual TLS)
+                ca = fs.readFileSync(caPath);
+                certOptions = {
+                    ca
+                };
+            }
        }

        return {