From 878101cda5f969ce1ae86ed13a532219723afe39 Mon Sep 17 00:00:00 2001
From: Asa Yeamans
Date: Fri, 12 May 2023 10:44:28 -0500
Subject: [PATCH] Pass cert validation CA and peer verification flag to JwksResolver via its config like with OidcFilter

Signed-off-by: Asa Yeamans
---
 config/oidc/config.proto          | 5 +++++
 src/filters/oidc/jwks_resolver.cc | 5 +++--
 src/filters/oidc/jwks_resolver.h  | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/config/oidc/config.proto b/config/oidc/config.proto
index 9e814cec..a71fe932 100644
--- a/config/oidc/config.proto
+++ b/config/oidc/config.proto
@@ -93,6 +93,11 @@ message OIDCConfig {
     // true in any other cases.
     // Optional.
     bool skip_verify_peer_cert = 3;
+
+    // When specified, the Authservice will trust the specified Certificate Authority when performing HTTPS calls to
+    // the Token Endpoint of the OIDC Identity Provider.
+    // Optional.
+    string trusted_certificate_authority = 4;
   }
 
   oneof jwks_config {
diff --git a/src/filters/oidc/jwks_resolver.cc b/src/filters/oidc/jwks_resolver.cc
index 598b4490..3830b948 100644
--- a/src/filters/oidc/jwks_resolver.cc
+++ b/src/filters/oidc/jwks_resolver.cc
@@ -24,7 +24,7 @@ DynamicJwksResolverImpl::JwksFetcher::JwksFetcher(
               ? config.periodic_fetch_interval_sec()
               : kJwksPeriodicFetchIntervalSec)),
       timer_(ioc_, periodic_fetch_interval_sec_),
-      verify_peer_cert_(!config.skip_verify_peer_cert()) {
+      config_(config) {
   // Extract initial JWKs.
   // After timer callback sucessful, next timer invocation will be scheduled.
   timer_.expires_at(std::chrono::steady_clock::now() +
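Review bot: The comment on the new `trusted_certificate_authority` field says the CA is trusted for HTTPS calls to the Token Endpoint, but the field sits next to `skip_verify_peer_cert = 3` in the nested message the header change names `OIDCConfig::JwksFetcherConfig`, and jwks_resolver.cc applies it to the JWKS fetch, not to the token exchange. The text looks copied from the top-level OIDCConfig field and should describe its own scope, e.g. `// When specified, the Authservice will trust the specified Certificate Authority when fetching the JWKS from the jwks_uri over HTTPS.` It would also help to say whether the value is a file path or the PEM contents, and what an empty value means (system trust store or no trust), since neither is recoverable from this patch.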
@@ -37,7 +37,8 @@ void DynamicJwksResolverImpl::JwksFetcher::request(
     const boost::system::error_code&) {
   boost::asio::spawn(ioc_, [this](boost::asio::yield_context yield) {
     common::http::TransportSocketOptions opt;
-    opt.verify_peer_ = verify_peer_cert_;
+    opt.ca_cert_ = config_.trusted_certificate_authority();
+    opt.verify_peer_ = ! config_.skip_verify_peer_cert();
     auto resp = http_ptr_->Get(jwks_uri_, {}, "", opt, "", ioc_, yield);
 
     auto next_schedule_interval = periodic_fetch_interval_sec_;
diff --git a/src/filters/oidc/jwks_resolver.h b/src/filters/oidc/jwks_resolver.h
index 38c19e95..00c2e25f 100644
--- a/src/filters/oidc/jwks_resolver.h
+++ b/src/filters/oidc/jwks_resolver.h
@@ -77,7 +77,7 @@ class DynamicJwksResolverImpl : public JwksResolver {
     boost::asio::io_context& ioc_;
     std::chrono::seconds periodic_fetch_interval_sec_;
     boost::asio::steady_timer timer_;
-    bool verify_peer_cert_ = false;
+    const config::oidc::OIDCConfig::JwksFetcherConfig config_;
   };
 
   explicit DynamicJwksResolverImpl(
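Review bot: `opt.verify_peer_ = ! config_.skip_verify_peer_cert();` puts a space after `!`, unlike the `!config.skip_verify_peer_cert()` form the removed constructor line used; write `opt.verify_peer_ = !config_.skip_verify_peer_cert();`. The two options are also set independently: when `skip_verify_peer_cert` is true a configured CA is silently ignored, and when it is false with an empty `trusted_certificate_authority`, whether an empty `ca_cert_` falls back to the system trust store or fails the handshake is decided inside TransportSocketOptions and not visible here. A one-line comment at the `opt.ca_cert_` assignment stating which of those applies would save the next reader a trip into the transport code, and a configuration-time warning for the CA-set-but-verification-skipped combination seems worth considering. The `request` body continues outside the hunk.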