auto_encrypt: add validations for auto_encrypt.{tls,allow_tls} (#7704)

Fixes https://github.com/hashicorp/consul/issues/7407.
This commit is contained in:
Hans Hasselberg 2020-04-24 15:51:38 +02:00 committed by GitHub
parent 3956cff60f
commit 1194fe441f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 78 additions and 14 deletions


@ -1219,6 +1219,13 @@ func (b *Builder) Validate(rt RuntimeConfig) error {
} }
} }
if rt.ServerMode && rt.AutoEncryptTLS {
return fmt.Errorf("auto_encrypt.tls can only be used on a client.")
}
if !rt.ServerMode && rt.AutoEncryptAllowTLS {
return fmt.Errorf("auto_encrypt.allow_tls can only be used on a server.")
}
// ---------------------------------------------------------------- // ----------------------------------------------------------------
// warnings // warnings
// //
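Review bot: The two new error strings end with a period and are built with `fmt.Errorf` although neither has a format verb; Go convention is lowercase with no trailing punctuation (so the message chains cleanly when wrapped) and `errors.New` for a constant message, e.g. `return errors.New("auto_encrypt.tls can only be used on a client")` and `return errors.New("auto_encrypt.allow_tls can only be used on a server")`, adding the `errors` import if the file lacks it. The test file pins the exact text in its `err:` fields, so both would change together. A short comment above the pair would also tell a reader why the TestFullConfig fixture had to flip `tls` to `false` in the same commit: `// auto_encrypt.tls is client-only and auto_encrypt.allow_tls is server-only, so a config that enables both can never pass validation.` Validate begins and ends outside this hunk.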


@ -2683,83 +2683,140 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
}, },
}, },
{ {
desc: "auto_encrypt.allow works implies connect", desc: "auto_encrypt.allow_tls works implies connect",
args: []string{ args: []string{
`-data-dir=` + dataDir, `-data-dir=` + dataDir,
}, },
json: []string{`{ json: []string{`{
"verify_incoming": true, "verify_incoming": true,
"auto_encrypt": { "allow_tls": true } "auto_encrypt": { "allow_tls": true },
"server": true
}`}, }`},
hcl: []string{` hcl: []string{`
verify_incoming = true verify_incoming = true
auto_encrypt { allow_tls = true } auto_encrypt { allow_tls = true }
server = true
`}, `},
patch: func(rt *RuntimeConfig) { patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir rt.DataDir = dataDir
rt.VerifyIncoming = true rt.VerifyIncoming = true
rt.AutoEncryptAllowTLS = true rt.AutoEncryptAllowTLS = true
rt.ConnectEnabled = true rt.ConnectEnabled = true
// server things
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
}, },
}, },
{ {
desc: "auto_encrypt.allow works with verify_incoming", desc: "auto_encrypt.allow_tls works with verify_incoming",
args: []string{ args: []string{
`-data-dir=` + dataDir, `-data-dir=` + dataDir,
}, },
json: []string{`{ json: []string{`{
"verify_incoming": true, "verify_incoming": true,
"auto_encrypt": { "allow_tls": true } "auto_encrypt": { "allow_tls": true },
"server": true
}`}, }`},
hcl: []string{` hcl: []string{`
verify_incoming = true verify_incoming = true
auto_encrypt { allow_tls = true } auto_encrypt { allow_tls = true }
server = true
`}, `},
patch: func(rt *RuntimeConfig) { patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir rt.DataDir = dataDir
rt.VerifyIncoming = true rt.VerifyIncoming = true
rt.AutoEncryptAllowTLS = true rt.AutoEncryptAllowTLS = true
rt.ConnectEnabled = true rt.ConnectEnabled = true
// server things
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
}, },
}, },
{ {
desc: "auto_encrypt.allow works with verify_incoming_rpc", desc: "auto_encrypt.allow_tls works with verify_incoming_rpc",
args: []string{ args: []string{
`-data-dir=` + dataDir, `-data-dir=` + dataDir,
}, },
json: []string{`{ json: []string{`{
"verify_incoming_rpc": true, "verify_incoming_rpc": true,
"auto_encrypt": { "allow_tls": true } "auto_encrypt": { "allow_tls": true },
"server": true
}`}, }`},
hcl: []string{` hcl: []string{`
verify_incoming_rpc = true verify_incoming_rpc = true
auto_encrypt { allow_tls = true } auto_encrypt { allow_tls = true }
server = true
`}, `},
patch: func(rt *RuntimeConfig) { patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir rt.DataDir = dataDir
rt.VerifyIncomingRPC = true rt.VerifyIncomingRPC = true
rt.AutoEncryptAllowTLS = true rt.AutoEncryptAllowTLS = true
rt.ConnectEnabled = true rt.ConnectEnabled = true
// server things
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
}, },
}, },
{ {
desc: "auto_encrypt.allow warns without verify_incoming or verify_incoming_rpc", desc: "auto_encrypt.allow_tls warns without verify_incoming or verify_incoming_rpc",
args: []string{ args: []string{
`-data-dir=` + dataDir, `-data-dir=` + dataDir,
}, },
json: []string{`{ json: []string{`{
"auto_encrypt": { "allow_tls": true } "auto_encrypt": { "allow_tls": true },
"server": true
}`}, }`},
hcl: []string{` hcl: []string{`
auto_encrypt { allow_tls = true } auto_encrypt { allow_tls = true }
server = true
`}, `},
warns: []string{"if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc should be enabled. It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards."}, warns: []string{"if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc should be enabled. It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards."},
patch: func(rt *RuntimeConfig) { patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir rt.DataDir = dataDir
rt.AutoEncryptAllowTLS = true rt.AutoEncryptAllowTLS = true
rt.ConnectEnabled = true rt.ConnectEnabled = true
// server things
rt.ServerMode = true
rt.LeaveOnTerm = false
rt.SkipLeaveOnInt = true
}, },
}, },
{
desc: "auto_encrypt.allow_tls errors in client mode",
args: []string{
`-data-dir=` + dataDir,
},
json: []string{`{
"auto_encrypt": { "allow_tls": true },
"server": false
}`},
hcl: []string{`
auto_encrypt { allow_tls = true }
server = false
`},
err: "auto_encrypt.allow_tls can only be used on a server.",
},
{
desc: "auto_encrypt.tls errors in server mode",
args: []string{
`-data-dir=` + dataDir,
},
json: []string{`{
"auto_encrypt": { "tls": true },
"server": true
}`},
hcl: []string{`
auto_encrypt { tls = true }
server = true
`},
err: "auto_encrypt.tls can only be used on a client.",
},
{ {
desc: "test connect vault provider configuration", desc: "test connect vault provider configuration",
args: []string{ args: []string{
@ -3992,7 +4049,7 @@ func TestFullConfig(t *testing.T) {
] ]
}, },
"auto_encrypt": { "auto_encrypt": {
"tls": true, "tls": false,
"dns_san": ["a.com", "b.com"], "dns_san": ["a.com", "b.com"],
"ip_san": ["192.168.4.139", "192.168.4.140"], "ip_san": ["192.168.4.139", "192.168.4.140"],
"allow_tls": true "allow_tls": true
@ -4076,7 +4133,7 @@ func TestFullConfig(t *testing.T) {
"key_file": "IEkkwgIA", "key_file": "IEkkwgIA",
"leave_on_terminate": true, "leave_on_terminate": true,
"limits": { "limits": {
"http_max_conns_per_client": 250, "http_max_conns_per_client": 100,
"https_handshake_timeout": "2391ms", "https_handshake_timeout": "2391ms",
"rpc_handshake_timeout": "1932ms", "rpc_handshake_timeout": "1932ms",
"rpc_rate": 12029.43, "rpc_rate": 12029.43,
@ -4622,7 +4679,7 @@ func TestFullConfig(t *testing.T) {
} }
} }
auto_encrypt = { auto_encrypt = {
tls = true tls = false
dns_san = ["a.com", "b.com"] dns_san = ["a.com", "b.com"]
ip_san = ["192.168.4.139", "192.168.4.140"] ip_san = ["192.168.4.139", "192.168.4.140"]
allow_tls = true allow_tls = true
@ -4709,7 +4766,7 @@ func TestFullConfig(t *testing.T) {
key_file = "IEkkwgIA" key_file = "IEkkwgIA"
leave_on_terminate = true leave_on_terminate = true
limits { limits {
http_max_conns_per_client = 250 http_max_conns_per_client = 100
https_handshake_timeout = "2391ms" https_handshake_timeout = "2391ms"
rpc_handshake_timeout = "1932ms" rpc_handshake_timeout = "1932ms"
rpc_rate = 12029.43 rpc_rate = 12029.43
@ -5348,7 +5405,7 @@ func TestFullConfig(t *testing.T) {
}, },
}, },
}, },
AutoEncryptTLS: true, AutoEncryptTLS: false,
AutoEncryptDNSSAN: []string{"a.com", "b.com"}, AutoEncryptDNSSAN: []string{"a.com", "b.com"},
AutoEncryptIPSAN: []net.IP{net.ParseIP("192.168.4.139"), net.ParseIP("192.168.4.140")}, AutoEncryptIPSAN: []net.IP{net.ParseIP("192.168.4.139"), net.ParseIP("192.168.4.140")},
AutoEncryptAllowTLS: true, AutoEncryptAllowTLS: true,
@ -5416,7 +5473,7 @@ func TestFullConfig(t *testing.T) {
HTTPPort: 7999, HTTPPort: 7999,
HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"}, HTTPResponseHeaders: map[string]string{"M6TKa9NP": "xjuxjOzQ", "JRCrHZed": "rl0mTx81"},
HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")}, HTTPSAddrs: []net.Addr{tcpAddr("95.17.17.19:15127")},
HTTPMaxConnsPerClient: 250, HTTPMaxConnsPerClient: 100,
HTTPSHandshakeTimeout: 2391 * time.Millisecond, HTTPSHandshakeTimeout: 2391 * time.Millisecond,
HTTPSPort: 15127, HTTPSPort: 15127,
KeyFile: "IEkkwgIA", KeyFile: "IEkkwgIA",
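Review bot: The cases added to TestConfigFlagsAndEdgecases (`auto_encrypt.allow_tls errors in client mode`, `auto_encrypt.tls errors in server mode`) pin only the two rejection paths; the accepting path for `auto_encrypt.tls = true` with `server = false` is not exercised there, and once the TestFullConfig hunks change `"tls": true` to `"tls": false` it is no longer covered by the full-config fixture either, unless a case outside this diff does so. A mirror case such as `desc: "auto_encrypt.tls works in client mode"` with the expected RuntimeConfig fields in its `patch` would keep the new validation from being tightened further without anyone noticing. The `http_max_conns_per_client` change from 250 to 100 in the same TestFullConfig hunks is unrelated to auto_encrypt and unexplained by the commit message; presumably some other check is reached now that the fixture passes validation, but a line in the description or a comment on the fixture would save the next reader the guess. The TestFullConfig fixture continues outside these hunks.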