pass config.Option to every func

spiffe · Sep 15, 2020 · c65e3d1 · c65e3d1
1 parent c6b9a8f
commit c65e3d1
Showing 1 changed file with 13 additions and 13 deletions.
diff --git a/v2/spiffetls/tlsconfig/config.go b/v2/spiffetls/tlsconfig/config.go
@@ -10,20 +10,20 @@ import (
 
 // TLSClientConfig returns a TLS configuration which verifies and authorizes
 // the server X509-SVID.
-func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookTLSClientConfig(config, bundle, authorizer)
+	HookTLSClientConfig(config, bundle, authorizer, opts...)
 	return config
 }
 
 // HookTLSClientConfig sets up the TLS configuration to verify and authorize
 // the server X509-SVID. If there is an existing callback set for
 // VerifyPeerCertificate it will be wrapped by by this package and invoked
 // after SPIFFE authentication has completed.
-func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer) {
+func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // A Option changes the defaults used to by mTLS ClientConfig functions.
@@ -71,7 +71,7 @@ func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509b
 	resetAuthFields(config)
 	config.GetClientCertificate = GetClientCertificate(svid, opts...)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID
@@ -124,15 +124,15 @@ func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509b
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
 	config.GetCertificate = GetCertificate(svid, opts...)
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebServerConfig returns a TLS configuration which presents a web
 // server certificate to the client and requires, verifies, and authorizes
 // client X509-SVIDs.
-func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSWebServerConfig(config, cert, bundle, authorizer)
+	HookMTLSWebServerConfig(config, cert, bundle, authorizer, opts...)
 	return config
 }
 
@@ -141,11 +141,11 @@ func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, author
 // X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate
 // it will be wrapped by by this package and invoked after SPIFFE
 // authentication has completed.
-func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) {
+func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
 	config.Certificates = []tls.Certificate{*cert}
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // GetCertificate returns a GetCertificate callback for tls.Config. It uses the
@@ -170,7 +170,7 @@ func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.Certif
 // VerifyPeerCertificate returns a VerifyPeerCertificate callback for
 // tls.Config. It uses the given bundle source and authorizer to verify and
 // authorize X509-SVIDs provided by peers during the TLS handshake.
-func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {
 		id, certs, err := x509svid.ParseAndVerify(raw, bundle)
 		if err != nil {
@@ -185,9 +185,9 @@ func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func
 // SPIFFE authentication against the peer certificates using the given bundle and
 // authorizer. The wrapped callback will be passed the verified chains.
 // Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.
-func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	if wrapped == nil {
-		return VerifyPeerCertificate(bundle, authorizer)
+		return VerifyPeerCertificate(bundle, authorizer, opts...)
 	}
 
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {