Include certificate pinning hashes in the service configuration

This change allows the SDKs to consume hashes used for certificate
pinning. This means that the end user does not have to configure
certificate pinning manually or using a IDE to have pinning with
their provisioned services.

Author: Aiden Keating

pkg/cmd/clientConfig.go

@@ -120,6 +120,10 @@ kubectl plugin mobile get clientconfig`,
 					}
 				}
 				if includedService {
+					err = appendCertificatePinningInfoToService(svcConfig)
+					if err != nil {
+						return errors.Wrap(err, "unable to append certificate pinning information to service config")
+					}
 					ret = append(ret, svcConfig)
 				}
 			}

pkg/cmd/convert.go

@@ -16,14 +16,40 @@ package cmd
 
 import (
 	"strings"
-
 	"k8s.io/client-go/pkg/api/v1"
+	"crypto/sha256"
+	"crypto/tls"
+	"encoding/base64"
+	"net/url"
 )
 
 func isClientConfigKey(key string) bool {
 	return key == "url" || key == "name" || key == "type" || key == "id"
 }
 
+func appendCertificatePinningInfoToService(s *ServiceConfig) error {
+	serviceURL, err := url.Parse(s.URL)
+	if err != nil {
+		return err
+	}
+	if serviceURL.Scheme != "https" {
+		return nil
+	}
+	// TODO: Make the InsecureSkipVerify here configurable. I think there will be times when we don't want to allow auto-pinning to unverified certificates.
+	// TODO: Allow for the Host variable to contain a port. So split it and then if there's a port use that, else use 443.
+	conn, err := tls.Dial("tcp", serviceURL.Host+":443", &tls.Config{
+		InsecureSkipVerify: true,
+	})
+	if err != nil {
+		return err
+	}
+	hasher := sha256.New()
+	// TODO: Do we want to loop through here? The command here https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning only returns what we are currently returning.
+	hasher.Write(conn.ConnectionState().PeerCertificates[0].RawSubjectPublicKeyInfo)
+	s.CertificatePinningHashes = []string{base64.StdEncoding.EncodeToString(hasher.Sum(nil))}
+	return nil
+}
+
 func convertSecretToMobileService(s v1.Secret) *Service {
 	params := map[string]string{}
 	for key, value := range s.Data {
@@ -32,6 +58,7 @@ func convertSecretToMobileService(s v1.Secret) *Service {
 		}
 	}
 	external := s.Labels["external"] == "true"
+
 	return &Service{
 		Namespace:    s.Labels["namespace"],
 		ID:           s.Name,

pkg/cmd/types.go

@@ -80,11 +80,12 @@ type ServiceConfigs struct {
 
 //ServiceConfig is the configuration for a specific service
 type ServiceConfig struct {
-	ID     string                 `json:"id"`
-	Name   string                 `json:"name"`
-	Type   string                 `json:"type"`
-	URL    string                 `json:"url"`
-	Config map[string]interface{} `json:"config"`
+	ID                       string                 `json:"id"`
+	Name                     string                 `json:"name"`
+	Type                     string                 `json:"type"`
+	URL                      string                 `json:"url"`
+	Config                   map[string]interface{} `json:"config"`
+	CertificatePinningHashes []string               `json:"certificatePinningHashes"`
 }
 
 // defaultSecretConvertor will provide a default secret to config conversion