diff --git a/tlsutil/config.go b/tlsutil/config.go
index 10040735b2..9b93bcc104 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -150,6 +150,8 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper {
 }
 }
 
+// autoTLS stores configuration that is received from the auto-encrypt or
+// auto-config features.
 type autoTLS struct {
 manualCAPems []string
 connectCAPems []string
@@ -157,7 +159,7 @@ type autoTLS struct {
 verifyServerHostname bool
 }
 
-func (a *autoTLS) caPems() []string {
+func (a autoTLS) caPems() []string {
 return append(a.manualCAPems, a.connectCAPems...)
 }
 
@@ -172,7 +174,7 @@ type Configurator struct {
 // lock synchronizes access to all fields on this struct except for logger and version.
 lock sync.RWMutex
 base *Config
- autoTLS *autoTLS
+ autoTLS autoTLS
 manual *manual
 peerDatacenterUseTLS map[string]bool
 caPool *x509.CertPool
@@ -197,7 +199,6 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
 c := &Configurator{
 logger: logger.Named(logging.TLSUtil),
 manual: &manual{},
- autoTLS: &autoTLS{},
 peerDatacenterUseTLS: map[string]bool{},
 }
 err := c.Update(config)
@@ -274,7 +275,7 @@ func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
 return nil
 }
 
-// UpdateAutoTLSCert
+// UpdateAutoTLSCert receives the updated Auto-Encrypt certificate.
 func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
 cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
 if err != nil {
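Review bot: In caPems the new value receiver does not make `append(a.manualCAPems, a.connectCAPems...)` safe: only the slice header is copied, so when manualCAPems has spare capacity the connect CA PEMs are written into its backing array, and when connectCAPems is empty the caller receives manualCAPems itself rather than a copy. For a list of trust anchors that presumably feeds the caPool field visible in the Configurator hunk, that kind of aliasing is invisible at the call site. A full slice expression forces a fresh allocation whenever anything is appended: `return append(a.manualCAPems[:len(a.manualCAPems):len(a.manualCAPems)], a.connectCAPems...)`. Whether any caller mutates or retains the returned slice is not visible in this diff.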
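Review bot: The new doc comment on UpdateAutoTLSCert still says nothing about its arguments, although the `tls.X509KeyPair([]byte(pub), []byte(priv))` call directly below shows that `pub` and `priv` are PEM text and that the pair is parsed before anything else happens. Suggest `// UpdateAutoTLSCert receives the updated Auto-Encrypt certificate. pub and priv are the PEM-encoded certificate and private key; a pair that fails to parse is rejected before any stored state changes.` The body of UpdateAutoTLSCert continues past the end of the hunk, so the early return on a bad pair is inferred from the `if err != nil {` and should be confirmed before the comment promises it.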
@@ -290,8 +291,8 @@ func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
 return nil
 }
 
-// UpdateAutoTLS sets everything under autoEncrypt. This is being called on the
-// client when it received its cert from AutoEncrypt/AutoConfig endpoints.
+// UpdateAutoTLS receives updates from Auto-Config, only expected to be called on
+// client agents.
 func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
 cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
 if err != nil {
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index 17710bc14b..e681036dba 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
@@ -506,7 +506,7 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
 variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
 }
 
- c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}}
+ c := Configurator{manual: &manual{}}
 for i, v := range variants {
 info := fmt.Sprintf("case %d, config: %+v", i, v.config)
 _, err1 := NewConfigurator(v.config, nil)
@@ -716,7 +716,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
 }
 
 func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 type variant struct {
 verify bool
 expected tls.ClientAuthType
@@ -731,7 +731,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
 }
 
 func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 type variant struct {
 verify bool
 autoEncryptTLS bool
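Review bot: The rewritten comment on UpdateAutoTLS drops the trigger the old one named (the client receiving its cert from the AutoEncrypt/AutoConfig endpoints) and still leaves all five parameters undocumented, which matters for a setter that replaces trust anchors, a private key and the hostname-verification flag in one call. A short parameter list would carry more than either version: `manualCAPems` and `connectCAPems` as the two PEM CA sets that caPems concatenates, `pub`/`priv` as the PEM-encoded certificate and key that `tls.X509KeyPair` validates first, and `verifyServerHostname` as the value that presumably replaces the stored autoTLS.verifyServerHostname. "only expected to be called on client agents" is a convention rather than something the visible code checks, so the comment could say so plainly. The function body continues past the end of the hunk.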
@@ -909,7 +909,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) {
 }
 
 func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
 }
 
@@ -917,7 +917,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
 c := Configurator{base: &Config{
 TLSMinVersion: "tls12",
 EnableAgentTLSForChecks: false,
- }, autoTLS: &autoTLS{}}
+ }}
 tlsConf := c.OutgoingTLSConfigForCheck(true, "")
 require.Equal(t, true, tlsConf.InsecureSkipVerify)
 require.Equal(t, uint16(0), tlsConf.MinVersion)
@@ -936,7 +936,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
 }
 
 func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
- c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := &Configurator{base: &Config{}}
 require.Nil(t, c.OutgoingRPCConfig())
 
 c, err := NewConfigurator(Config{
@@ -954,7 +954,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
 }
 
 func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
- c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := &Configurator{base: &Config{}}
 require.Nil(t, c.OutgoingALPNRPCConfig())
 
 c, err := NewConfigurator(Config{
@@ -974,7 +974,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
 }
 
 func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
- c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := &Configurator{base: &Config{}}
 wrapper := c.OutgoingRPCWrapper()
 require.NotNil(t, wrapper)
 conn := &net.TCPConn{}
@@ -996,7 +996,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
 }
 
 func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) {
- c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := &Configurator{base: &Config{}}
 wrapper := c.OutgoingRPCWrapper()
 require.NotNil(t, wrapper)
 conn := &net.TCPConn{}
@@ -1071,7 +1071,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) {
 }
 
 func TestConfigurator_VerifyOutgoing(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 type variant struct {
 verify bool
 autoEncryptTLS bool
@@ -1104,7 +1104,7 @@ func TestConfigurator_Domain(t *testing.T) {
 }
 
 func TestConfigurator_VerifyServerHostname(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 require.False(t, c.VerifyServerHostname())
 
 c.base.VerifyServerHostname = true
@@ -1121,7 +1121,7 @@ func TestConfigurator_VerifyServerHostname(t *testing.T) {
 }
 
 func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
- c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
+ c := Configurator{base: &Config{}}
 require.True(t, c.AutoEncryptCertExpired())
 
 cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")