From 74632a25c3f790e205e778c1e050b0fc81e1567d Mon Sep 17 00:00:00 2001
From: Karl Persson <23356117+kalleep@users.noreply.github.com>
Date: Mon, 24 Feb 2025 16:03:14 +0100
Subject: [PATCH] Authz: folder api tls settings (#101213)

* Skip certificate verification
* Add more settings for folder api
---
 pkg/services/authz/rbac.go | 10 +++++++---
 pkg/services/authz/rbac_settings.go | 13 +++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/pkg/services/authz/rbac.go b/pkg/services/authz/rbac.go
index f83a2b4d4a7..fcb398667ab 100644
--- a/pkg/services/authz/rbac.go
+++ b/pkg/services/authz/rbac.go
@@ -151,20 +151,24 @@ func RegisterRBACAuthZService(
 reg prometheus.Registerer,
 cache cache.Cache,
 exchangeClient authnlib.TokenExchanger,
- folderAPIURL string,
+ cfg RBACServerSettings,
 ) {
 var folderStore store.FolderStore
 // FIXME: for now we default to using database read proxy for folders if the api url is not configured.
 // we should remove this and the sql implementation once we have verified that is works correctly
- if folderAPIURL == "" {
+ if cfg.Folder.Host == "" {
 folderStore = store.NewSQLFolderStore(db, tracer)
 } else {
 folderStore = store.NewAPIFolderStore(tracer, func(ctx context.Context) (*rest.Config, error) {
 return &rest.Config{
- Host: folderAPIURL,
+ Host: cfg.Folder.Host,
 WrapTransport: func(rt http.RoundTripper) http.RoundTripper {
 return &tokenExhangeRoundTripper{te: exchangeClient, rt: rt}
 },
+ TLSClientConfig: rest.TLSClientConfig{
+ Insecure: cfg.Folder.Insecure,
+ CAFile: cfg.Folder.CAFile,
+ },
 QPS: 50,
 Burst: 100,
 }, nil
diff --git a/pkg/services/authz/rbac_settings.go b/pkg/services/authz/rbac_settings.go
index 0ee661c2b50..9d643e73af5 100644
--- a/pkg/services/authz/rbac_settings.go
+++ b/pkg/services/authz/rbac_settings.go
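Review bot: The new TLSClientConfig passes Insecure and CAFile through unchecked, so a configuration that sets both only surfaces when the lazy config func is first invoked by the folder store rather than at startup; as far as I recall, client-go's transport rejects a CA file combined with the insecure flag, so such a deployment would start failing on the first folder lookup. Validate the pair where cfg is read, or before the store is built here, e.g. `if cfg.Folder.Insecure && cfg.Folder.CAFile != "" { /* reject configuration */ }` — since RegisterRBACAuthZService has no error return in the visible signature, the settings reader is the likelier home for that check. Because Insecure disables server certificate verification on the connection the token-exchange round tripper wraps, a warn-level log line when it is enabled would help operators notice it outside test setups. RegisterRBACAuthZService starts before and continues past this hunk.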
@@ -57,3 +57,16 @@ func readAuthzClientSettings(cfg *setting.Cfg) (*authzClientSettings, error) {
 return s, nil
 }
+
+type RBACServerSettings struct {
+ Folder FolderAPISettings
+}
+
+type FolderAPISettings struct {
+ // Host is hostname for folder api
+ Host string
+ // Insecure will skip verification of ceritificates. Should only be used for testing
+ Insecure bool
+ // CAFile is a filepath to trusted root certificates for server
+ CAFile string
+}
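Review bot: The exported types RBACServerSettings and FolderAPISettings are added without doc comments, and the Insecure field comment misspells "certificates". I would add `// RBACServerSettings holds configuration for the RBAC authorization server.` and `// FolderAPISettings holds the connection settings for the folder API used by the RBAC server.`, and reword the field comment as `// Insecure skips verification of the server certificate. Should only be used for testing.` Stating on the fields that Insecure and CAFile are not meant to be set together would also guide whoever writes the reader for these settings, which this hunk does not include.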