mirror of https://github.com/status-im/consul.git
Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394)
Ensure that enabling AutoConfig sets the tls configurator properly This also refactors the TLS configurator a bit so the naming doesn’t imply only AutoEncrypt as the source of the automatically setup TLS cert info.
This commit is contained in:
parent
ab71058aa4
commit
4f98af0724
|
@ -149,7 +149,7 @@ func (m *CertMonitor) Update(certs *structs.SignedResponse) error {
|
|||
// that the recipient of the response who also has access to the private key will
|
||||
// have filled it in. The Cache definitely does this but auto-encrypt/auto-config
|
||||
// will need to ensure the original response is setup this way too.
|
||||
err := m.tlsConfigurator.UpdateAutoEncrypt(
|
||||
err := m.tlsConfigurator.UpdateAutoTLS(
|
||||
certs.ManualCARoots,
|
||||
connectCAPems,
|
||||
certs.IssuedCert.CertPEM,
|
||||
|
@ -311,7 +311,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
|
|||
pems = append(pems, root.RootCert)
|
||||
}
|
||||
|
||||
if err := m.tlsConfigurator.UpdateAutoEncryptCA(pems); err != nil {
|
||||
if err := m.tlsConfigurator.UpdateAutoTLSCA(pems); err != nil {
|
||||
return fmt.Errorf("failed to update Connect CA certificates: %w", err)
|
||||
}
|
||||
case leafWatchID:
|
||||
|
@ -324,7 +324,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
|
|||
if !ok {
|
||||
return fmt.Errorf("invalid type for agent leaf cert watch response: %T", u.Result)
|
||||
}
|
||||
if err := m.tlsConfigurator.UpdateAutoEncryptCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil {
|
||||
if err := m.tlsConfigurator.UpdateAutoTLSCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil {
|
||||
return fmt.Errorf("failed to update the agent leaf cert: %w", err)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -118,7 +118,7 @@ func waitForChans(timeout time.Duration, chans ...<-chan struct{}) bool {
|
|||
func testTLSConfigurator(t *testing.T) *tlsutil.Configurator {
|
||||
t.Helper()
|
||||
logger := testutil.Logger(t)
|
||||
cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoEncryptTLS: true}, logger)
|
||||
cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoTLS: true}, logger)
|
||||
require.NoError(t, err)
|
||||
return cfg
|
||||
}
|
||||
|
|
|
@ -1799,7 +1799,7 @@ func (c *RuntimeConfig) ToTLSUtilConfig() tlsutil.Config {
|
|||
CipherSuites: c.TLSCipherSuites,
|
||||
PreferServerCipherSuites: c.TLSPreferServerCipherSuites,
|
||||
EnableAgentTLSForChecks: c.EnableAgentTLSForChecks,
|
||||
AutoEncryptTLS: c.AutoEncryptTLS,
|
||||
AutoTLS: c.AutoEncryptTLS || c.AutoConfig.Enabled,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -7367,7 +7367,47 @@ func TestRuntime_ToTLSUtilConfig(t *testing.T) {
|
|||
require.True(t, r.VerifyIncomingHTTPS)
|
||||
require.True(t, r.VerifyOutgoing)
|
||||
require.True(t, r.EnableAgentTLSForChecks)
|
||||
require.True(t, r.AutoEncryptTLS)
|
||||
require.True(t, r.AutoTLS)
|
||||
require.True(t, r.VerifyServerHostname)
|
||||
require.True(t, r.PreferServerCipherSuites)
|
||||
require.Equal(t, "a", r.CAFile)
|
||||
require.Equal(t, "b", r.CAPath)
|
||||
require.Equal(t, "c", r.CertFile)
|
||||
require.Equal(t, "d", r.KeyFile)
|
||||
require.Equal(t, "e", r.NodeName)
|
||||
require.Equal(t, "f", r.ServerName)
|
||||
require.Equal(t, "g", r.Domain)
|
||||
require.Equal(t, "tls12", r.TLSMinVersion)
|
||||
require.Equal(t, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, r.CipherSuites)
|
||||
}
|
||||
|
||||
func TestRuntime_ToTLSUtilConfig_AutoConfig(t *testing.T) {
|
||||
c := &RuntimeConfig{
|
||||
VerifyIncoming: true,
|
||||
VerifyIncomingRPC: true,
|
||||
VerifyIncomingHTTPS: true,
|
||||
VerifyOutgoing: true,
|
||||
VerifyServerHostname: true,
|
||||
CAFile: "a",
|
||||
CAPath: "b",
|
||||
CertFile: "c",
|
||||
KeyFile: "d",
|
||||
NodeName: "e",
|
||||
ServerName: "f",
|
||||
DNSDomain: "g",
|
||||
TLSMinVersion: "tls12",
|
||||
TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
|
||||
TLSPreferServerCipherSuites: true,
|
||||
EnableAgentTLSForChecks: true,
|
||||
AutoConfig: AutoConfig{Enabled: true},
|
||||
}
|
||||
r := c.ToTLSUtilConfig()
|
||||
require.True(t, r.VerifyIncoming)
|
||||
require.True(t, r.VerifyIncomingRPC)
|
||||
require.True(t, r.VerifyIncomingHTTPS)
|
||||
require.True(t, r.VerifyOutgoing)
|
||||
require.True(t, r.EnableAgentTLSForChecks)
|
||||
require.True(t, r.AutoTLS)
|
||||
require.True(t, r.VerifyServerHostname)
|
||||
require.True(t, r.PreferServerCipherSuites)
|
||||
require.Equal(t, "a", r.CAFile)
|
||||
|
|
|
@ -89,7 +89,7 @@ func TestAutoEncryptSign(t *testing.T) {
|
|||
}
|
||||
|
||||
cfg := test.Config
|
||||
cfg.AutoEncryptTLS = true
|
||||
cfg.AutoTLS = true
|
||||
cfg.Domain = "consul"
|
||||
codec, err := insecureRPCClient(s, cfg)
|
||||
if test.ConnError {
|
||||
|
|
|
@ -647,7 +647,7 @@ func (s *Server) connectCARootsMonitor(ctx context.Context) {
|
|||
for _, ca := range cas {
|
||||
caPems = append(caPems, ca.RootCert)
|
||||
}
|
||||
if err := s.tlsConfigurator.UpdateAutoEncryptCA(caPems); err != nil {
|
||||
if err := s.tlsConfigurator.UpdateAutoTLSCA(caPems); err != nil {
|
||||
s.logger.Error("Failed to update AutoEncrypt CAPems", "error", err)
|
||||
}
|
||||
|
||||
|
|
|
@ -127,9 +127,9 @@ type Config struct {
|
|||
// and key).
|
||||
EnableAgentTLSForChecks bool
|
||||
|
||||
// AutoEncryptTLS opts the agent into provisioning agent
|
||||
// AutoTLS opts the agent into provisioning agent
|
||||
// TLS certificates.
|
||||
AutoEncryptTLS bool
|
||||
AutoTLS bool
|
||||
}
|
||||
|
||||
func tlsVersions() []string {
|
||||
|
@ -159,14 +159,14 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper {
|
|||
}
|
||||
}
|
||||
|
||||
type autoEncrypt struct {
|
||||
type autoTLS struct {
|
||||
manualCAPems []string
|
||||
connectCAPems []string
|
||||
cert *tls.Certificate
|
||||
verifyServerHostname bool
|
||||
}
|
||||
|
||||
func (a *autoEncrypt) caPems() []string {
|
||||
func (a *autoTLS) caPems() []string {
|
||||
return append(a.manualCAPems, a.connectCAPems...)
|
||||
}
|
||||
|
||||
|
@ -180,7 +180,7 @@ type manual struct {
|
|||
type Configurator struct {
|
||||
sync.RWMutex
|
||||
base *Config
|
||||
autoEncrypt *autoEncrypt
|
||||
autoTLS *autoTLS
|
||||
manual *manual
|
||||
peerDatacenterUseTLS map[string]bool
|
||||
|
||||
|
@ -201,7 +201,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
|
|||
c := &Configurator{
|
||||
logger: logger.Named(logging.TLSUtil),
|
||||
manual: &manual{},
|
||||
autoEncrypt: &autoEncrypt{},
|
||||
autoTLS: &autoTLS{},
|
||||
peerDatacenterUseTLS: map[string]bool{},
|
||||
}
|
||||
err := c.Update(config)
|
||||
|
@ -215,7 +215,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
|
|||
func (c *Configurator) CAPems() []string {
|
||||
c.RLock()
|
||||
defer c.RUnlock()
|
||||
return append(c.manual.caPems, c.autoEncrypt.caPems()...)
|
||||
return append(c.manual.caPems, c.autoTLS.caPems()...)
|
||||
}
|
||||
|
||||
// ManualCAPems returns the currently loaded CAs in PEM format.
|
||||
|
@ -242,7 +242,7 @@ func (c *Configurator) Update(config Config) error {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
pool, err := pool(append(pems, c.autoEncrypt.caPems()...))
|
||||
pool, err := pool(append(pems, c.autoTLS.caPems()...))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
@ -257,17 +257,17 @@ func (c *Configurator) Update(config Config) error {
|
|||
return nil
|
||||
}
|
||||
|
||||
// UpdateAutoEncryptCA updates the autoEncrypt.caPems. This is supposed to be called
|
||||
// UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called
|
||||
// from the server in order to be able to accept TLS connections with TLS
|
||||
// certificates.
|
||||
// Or it is being called on the client side when CA changes are detected.
|
||||
func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error {
|
||||
func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
|
||||
c.Lock()
|
||||
// order of defers matters because log acquires a RLock()
|
||||
defer c.log("UpdateAutoEncryptCA")
|
||||
defer c.Unlock()
|
||||
|
||||
pool, err := pool(append(c.manual.caPems, append(c.autoEncrypt.manualCAPems, connectCAPems...)...))
|
||||
pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...))
|
||||
if err != nil {
|
||||
c.RUnlock()
|
||||
return err
|
||||
|
@ -276,14 +276,14 @@ func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error {
|
|||
c.RUnlock()
|
||||
return err
|
||||
}
|
||||
c.autoEncrypt.connectCAPems = connectCAPems
|
||||
c.autoTLS.connectCAPems = connectCAPems
|
||||
c.caPool = pool
|
||||
c.version++
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateAutoEncryptCert
|
||||
func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error {
|
||||
// UpdateAutoTLSCert
|
||||
func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
|
||||
// order of defers matters because log acquires a RLock()
|
||||
defer c.log("UpdateAutoEncryptCert")
|
||||
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
|
||||
|
@ -294,14 +294,14 @@ func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error {
|
|||
c.Lock()
|
||||
defer c.Unlock()
|
||||
|
||||
c.autoEncrypt.cert = &cert
|
||||
c.autoTLS.cert = &cert
|
||||
c.version++
|
||||
return nil
|
||||
}
|
||||
|
||||
// UpdateAutoEncrypt sets everything under autoEncrypt. This is being called on the
|
||||
// client when it received its cert from AutoEncrypt endpoint.
|
||||
func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
|
||||
// UpdateAutoTLS sets everything under autoEncrypt. This is being called on the
|
||||
// client when it received its cert from AutoEncrypt/AutoConfig endpoints.
|
||||
func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
|
||||
// order of defers matters because log acquires a RLock()
|
||||
defer c.log("UpdateAutoEncrypt")
|
||||
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
|
||||
|
@ -316,11 +316,11 @@ func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, p
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
c.autoEncrypt.manualCAPems = manualCAPems
|
||||
c.autoEncrypt.connectCAPems = connectCAPems
|
||||
c.autoEncrypt.cert = &cert
|
||||
c.autoTLS.manualCAPems = manualCAPems
|
||||
c.autoTLS.connectCAPems = connectCAPems
|
||||
c.autoTLS.cert = &cert
|
||||
c.caPool = pool
|
||||
c.autoEncrypt.verifyServerHostname = verifyServerHostname
|
||||
c.autoTLS.verifyServerHostname = verifyServerHostname
|
||||
c.version++
|
||||
return nil
|
||||
}
|
||||
|
@ -375,20 +375,19 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
|
|||
|
||||
// Ensure we have a CA and cert if VerifyIncoming is set
|
||||
if config.anyVerifyIncoming() {
|
||||
autoEncryptMsg := " AutoEncrypt only secures the connection between client and server and doesn't affect incoming connections on the client."
|
||||
if pool == nil {
|
||||
errMsg := "VerifyIncoming set, and no CA certificate provided!"
|
||||
if config.AutoEncryptTLS {
|
||||
errMsg += autoEncryptMsg
|
||||
}
|
||||
return fmt.Errorf(errMsg)
|
||||
// both auto-config and auto-encrypt require verifying the connection from the client to the server for secure
|
||||
// operation. In order to be able to verify the servers certificate we must have some CA certs already provided.
|
||||
// Therefore, even though both of those features can push down extra CA certificates which could be used to
|
||||
// verify incoming connections, we still must consider it an error if none are provided in the initial configuration
|
||||
// as those features cannot be successfully enabled without providing CA certificates to use those features.
|
||||
return fmt.Errorf("VerifyIncoming set but no CA certificates were provided")
|
||||
}
|
||||
if cert == nil {
|
||||
errMsg := "VerifyIncoming set, and no Cert/Key pair provided!"
|
||||
if config.AutoEncryptTLS {
|
||||
errMsg += autoEncryptMsg
|
||||
}
|
||||
return fmt.Errorf(errMsg)
|
||||
|
||||
// We will use the auto_encrypt/auto_config cert for TLS in the incoming APIs when available. Therefore the check
|
||||
// here will ensure that either we enabled one of those two features or a certificate and key were provided manually
|
||||
if cert == nil && !config.AutoTLS {
|
||||
return fmt.Errorf("VerifyIncoming requires either a Cert and Key pair in the configuration file, or auto_encrypt/auto_config be enabled")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
|
@ -500,7 +499,7 @@ func (c *Configurator) commonTLSConfig(verifyIncoming bool) *tls.Config {
|
|||
// to a server requesting a certificate. Return the autoEncrypt certificate
|
||||
// if possible, otherwise default to the manually provisioned one.
|
||||
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
|
||||
cert := c.autoEncrypt.cert
|
||||
cert := c.autoTLS.cert
|
||||
if cert == nil {
|
||||
cert = c.manual.cert
|
||||
}
|
||||
|
@ -536,7 +535,7 @@ func (c *Configurator) Cert() *tls.Certificate {
|
|||
defer c.RUnlock()
|
||||
cert := c.manual.cert
|
||||
if cert == nil {
|
||||
cert = c.autoEncrypt.cert
|
||||
cert = c.autoTLS.cert
|
||||
}
|
||||
return cert
|
||||
}
|
||||
|
@ -554,7 +553,7 @@ func (c *Configurator) outgoingRPCTLSDisabled() bool {
|
|||
defer c.RUnlock()
|
||||
|
||||
// if AutoEncrypt enabled, always use TLS
|
||||
if c.base.AutoEncryptTLS {
|
||||
if c.base.AutoTLS {
|
||||
return false
|
||||
}
|
||||
|
||||
|
@ -574,7 +573,7 @@ func (c *Configurator) MutualTLSCapable() bool {
|
|||
func (c *Configurator) mutualTLSCapable() bool {
|
||||
c.RLock()
|
||||
defer c.RUnlock()
|
||||
return c.caPool != nil && (c.autoEncrypt.cert != nil || c.manual.cert != nil)
|
||||
return c.caPool != nil && (c.autoTLS.cert != nil || c.manual.cert != nil)
|
||||
}
|
||||
|
||||
// This function acquires a read lock because it reads from the config.
|
||||
|
@ -584,7 +583,7 @@ func (c *Configurator) verifyOutgoing() bool {
|
|||
|
||||
// If AutoEncryptTLS is enabled and there is a CA, then verify
|
||||
// outgoing.
|
||||
if c.base.AutoEncryptTLS && c.caPool != nil {
|
||||
if c.base.AutoTLS && c.caPool != nil {
|
||||
return true
|
||||
}
|
||||
|
||||
|
@ -644,7 +643,7 @@ func (c *Configurator) serverNameOrNodeName() string {
|
|||
func (c *Configurator) VerifyServerHostname() bool {
|
||||
c.RLock()
|
||||
defer c.RUnlock()
|
||||
return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname
|
||||
return c.base.VerifyServerHostname || c.autoTLS.verifyServerHostname
|
||||
}
|
||||
|
||||
// IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections.
|
||||
|
@ -798,7 +797,7 @@ func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper {
|
|||
func (c *Configurator) AutoEncryptCertNotAfter() time.Time {
|
||||
c.RLock()
|
||||
defer c.RUnlock()
|
||||
tlsCert := c.autoEncrypt.cert
|
||||
tlsCert := c.autoTLS.cert
|
||||
if tlsCert == nil || tlsCert.Certificate == nil {
|
||||
return time.Now().AddDate(0, 0, -1)
|
||||
}
|
||||
|
|
|
@ -500,15 +500,16 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
|
|||
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath}, true, false}, // 18
|
||||
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath,
|
||||
CertFile: certfile, KeyFile: keyfile}, false, false}, // 19
|
||||
{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
|
||||
{Config{CAFile: "bogus"}, true, true}, // 21
|
||||
{Config{CAPath: "bogus"}, true, true}, // 22
|
||||
{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
|
||||
{Config{CAFile: "bogus"}, true, true}, // 21
|
||||
{Config{CAPath: "bogus"}, true, true}, // 22
|
||||
{Config{VerifyIncoming: true, CAFile: cafile, AutoTLS: true}, false, false}, // 22
|
||||
}
|
||||
for _, v := range tlsVersions() {
|
||||
variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
|
||||
}
|
||||
|
||||
c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}}
|
||||
c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}}
|
||||
for i, v := range variants {
|
||||
info := fmt.Sprintf("case %d, config: %+v", i, v.config)
|
||||
_, err1 := NewConfigurator(v.config, nil)
|
||||
|
@ -661,10 +662,10 @@ func TestConfigurator_CommonTLSConfigGetClientCertificate(t *testing.T) {
|
|||
|
||||
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
|
||||
require.NoError(t, err)
|
||||
c.autoEncrypt.cert = c2
|
||||
c.autoTLS.cert = c2
|
||||
cert, err = c.commonTLSConfig(false).GetClientCertificate(nil)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, c.autoEncrypt.cert, cert)
|
||||
require.Equal(t, c.autoTLS.cert, cert)
|
||||
}
|
||||
|
||||
func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
|
||||
|
@ -678,10 +679,10 @@ func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
|
|||
// Setting a certificate as the auto-encrypt cert will return it as the regular server certificate
|
||||
c1, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
|
||||
require.NoError(t, err)
|
||||
c.autoEncrypt.cert = c1
|
||||
c.autoTLS.cert = c1
|
||||
cert, err = c.commonTLSConfig(false).GetCertificate(nil)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, c.autoEncrypt.cert, cert)
|
||||
require.Equal(t, c.autoTLS.cert, cert)
|
||||
|
||||
// Setting a different certificate as a manual cert will override the auto-encrypt cert and instead return the manual cert
|
||||
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
|
||||
|
@ -718,7 +719,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
type variant struct {
|
||||
verify bool
|
||||
expected tls.ClientAuthType
|
||||
|
@ -733,7 +734,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
type variant struct {
|
||||
verify bool
|
||||
autoEncryptTLS bool
|
||||
|
@ -755,7 +756,7 @@ func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
|
|||
info := fmt.Sprintf("case %d", i)
|
||||
c.caPool = v.pool
|
||||
c.base.VerifyOutgoing = v.verify
|
||||
c.base.AutoEncryptTLS = v.autoEncryptTLS
|
||||
c.base.AutoTLS = v.autoEncryptTLS
|
||||
require.Equal(t, v.expected, c.outgoingRPCTLSDisabled(), info)
|
||||
}
|
||||
}
|
||||
|
@ -809,7 +810,7 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
|
||||
caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
|
||||
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM}))
|
||||
require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
|
||||
|
||||
require.False(t, c.mutualTLSCapable())
|
||||
})
|
||||
|
@ -824,8 +825,8 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
|
|||
caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
|
||||
certPEM := loadFile(t, "../test/hostname/Bob.crt")
|
||||
keyPEM := loadFile(t, "../test/hostname/Bob.key")
|
||||
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM}))
|
||||
require.NoError(t, c.UpdateAutoEncryptCert(certPEM, keyPEM))
|
||||
require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
|
||||
require.NoError(t, c.UpdateAutoTLSCert(certPEM, keyPEM))
|
||||
|
||||
require.True(t, c.mutualTLSCapable())
|
||||
})
|
||||
|
@ -900,7 +901,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
|
||||
}
|
||||
|
||||
|
@ -908,7 +909,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
|
|||
c := Configurator{base: &Config{
|
||||
TLSMinVersion: "tls12",
|
||||
EnableAgentTLSForChecks: false,
|
||||
}, autoEncrypt: &autoEncrypt{}}
|
||||
}, autoTLS: &autoTLS{}}
|
||||
tlsConf := c.OutgoingTLSConfigForCheck(true)
|
||||
require.Equal(t, true, tlsConf.InsecureSkipVerify)
|
||||
require.Equal(t, uint16(0), tlsConf.MinVersion)
|
||||
|
@ -922,7 +923,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
|
||||
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
require.Nil(t, c.OutgoingRPCConfig())
|
||||
|
||||
c, err := NewConfigurator(Config{
|
||||
|
@ -940,7 +941,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
|
||||
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
require.Nil(t, c.OutgoingALPNRPCConfig())
|
||||
|
||||
c, err := NewConfigurator(Config{
|
||||
|
@ -960,7 +961,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
|
||||
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
wrapper := c.OutgoingRPCWrapper()
|
||||
require.NotNil(t, wrapper)
|
||||
conn := &net.TCPConn{}
|
||||
|
@ -980,7 +981,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) {
|
||||
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
wrapper := c.OutgoingRPCWrapper()
|
||||
require.NotNil(t, wrapper)
|
||||
conn := &net.TCPConn{}
|
||||
|
@ -1054,7 +1055,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_VerifyOutgoing(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
type variant struct {
|
||||
verify bool
|
||||
autoEncryptTLS bool
|
||||
|
@ -1076,7 +1077,7 @@ func TestConfigurator_VerifyOutgoing(t *testing.T) {
|
|||
info := fmt.Sprintf("case %d", i)
|
||||
c.caPool = v.pool
|
||||
c.base.VerifyOutgoing = v.verify
|
||||
c.base.AutoEncryptTLS = v.autoEncryptTLS
|
||||
c.base.AutoTLS = v.autoEncryptTLS
|
||||
require.Equal(t, v.expected, c.verifyOutgoing(), info)
|
||||
}
|
||||
}
|
||||
|
@ -1087,34 +1088,34 @@ func TestConfigurator_Domain(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestConfigurator_VerifyServerHostname(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
require.False(t, c.VerifyServerHostname())
|
||||
|
||||
c.base.VerifyServerHostname = true
|
||||
c.autoEncrypt.verifyServerHostname = false
|
||||
c.autoTLS.verifyServerHostname = false
|
||||
require.True(t, c.VerifyServerHostname())
|
||||
|
||||
c.base.VerifyServerHostname = false
|
||||
c.autoEncrypt.verifyServerHostname = true
|
||||
c.autoTLS.verifyServerHostname = true
|
||||
require.True(t, c.VerifyServerHostname())
|
||||
|
||||
c.base.VerifyServerHostname = true
|
||||
c.autoEncrypt.verifyServerHostname = true
|
||||
c.autoTLS.verifyServerHostname = true
|
||||
require.True(t, c.VerifyServerHostname())
|
||||
}
|
||||
|
||||
func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
|
||||
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
|
||||
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
|
||||
require.True(t, c.AutoEncryptCertExpired())
|
||||
|
||||
cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
|
||||
require.NoError(t, err)
|
||||
c.autoEncrypt.cert = cert
|
||||
c.autoTLS.cert = cert
|
||||
require.True(t, c.AutoEncryptCertExpired())
|
||||
|
||||
cert, err = loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
|
||||
require.NoError(t, err)
|
||||
c.autoEncrypt.cert = cert
|
||||
c.autoTLS.cert = cert
|
||||
require.False(t, c.AutoEncryptCertExpired())
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue