Step 23: TLS transport for sgardd and sgard client.

Server: --tls-cert/--tls-key flags enable TLS (min TLS 1.2). Client: --tls enables TLS transport, --tls-ca for custom CA certs. Two integration tests: push/pull over TLS, reject untrusted client. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-24 11:57:03 -07:00
parent c00d9c65c3
commit 3fabd86150
7 changed files with 329 additions and 19 deletions
--- a/cmd/sgard/main.go
+++ b/cmd/sgard/main.go
@@ -2,6 +2,8 @@ package main

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -10,6 +12,7 @@ import (
 	"github.com/kisom/sgard/client"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )

@@ -17,6 +20,8 @@ var (
 	repoFlag   string
 	remoteFlag string
 	sshKeyFlag string
+	tlsFlag    bool
+	tlsCAFlag  string
 )

 var rootCmd = &cobra.Command{
@@ -66,8 +71,27 @@ func dialRemote(ctx context.Context) (*client.Client, func(), error) {
 	cachedToken := client.LoadCachedToken()
 	creds := client.NewTokenCredentials(cachedToken)

+	var transportCreds grpc.DialOption
+	if tlsFlag {
+		tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
+		if tlsCAFlag != "" {
+			caPEM, err := os.ReadFile(tlsCAFlag)
+			if err != nil {
+				return nil, nil, fmt.Errorf("reading CA cert: %w", err)
+			}
+			pool := x509.NewCertPool()
+			if !pool.AppendCertsFromPEM(caPEM) {
+				return nil, nil, fmt.Errorf("failed to parse CA cert %s", tlsCAFlag)
+			}
+			tlsCfg.RootCAs = pool
+		}
+		transportCreds = grpc.WithTransportCredentials(credentials.NewTLS(tlsCfg))
+	} else {
+		transportCreds = grpc.WithTransportCredentials(insecure.NewCredentials())
+	}
+
 	conn, err := grpc.NewClient(addr,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		transportCreds,
 		grpc.WithPerRPCCredentials(creds),
 	)
 	if err != nil {
@@ -90,6 +114,8 @@ func main() {
 	rootCmd.PersistentFlags().StringVar(&repoFlag, "repo", defaultRepo(), "path to sgard repository")
 	rootCmd.PersistentFlags().StringVar(&remoteFlag, "remote", "", "gRPC server address (host:port)")
 	rootCmd.PersistentFlags().StringVar(&sshKeyFlag, "ssh-key", "", "path to SSH private key")
+	rootCmd.PersistentFlags().BoolVar(&tlsFlag, "tls", false, "use TLS for remote connection")
+	rootCmd.PersistentFlags().StringVar(&tlsCAFlag, "tls-ca", "", "path to CA certificate for TLS verification")

 	if err := rootCmd.Execute(); err != nil {
 		fmt.Fprintln(os.Stderr, err)