tlsutil: un-ptr and add godoc to autoTLs struct

the autoTLS field on Configurator is only set once. By making it a value receiver it
should be allocated as a single block of memory along with Configurator.

Also add godoc to document what it is used for.
This commit is contained in:
Daniel Nephin 2021-06-21 12:20:39 -04:00
parent 08cd772626
commit a4432bb0b4
2 changed files with 19 additions and 18 deletions

View File

@ -150,6 +150,8 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper {
} }
} }
// autoTLS stores configuration that is received from the auto-encrypt or
// auto-config features.
type autoTLS struct { type autoTLS struct {
manualCAPems []string manualCAPems []string
connectCAPems []string connectCAPems []string
@ -157,7 +159,7 @@ type autoTLS struct {
verifyServerHostname bool verifyServerHostname bool
} }
func (a *autoTLS) caPems() []string { func (a autoTLS) caPems() []string {
return append(a.manualCAPems, a.connectCAPems...) return append(a.manualCAPems, a.connectCAPems...)
} }
@ -172,7 +174,7 @@ type Configurator struct {
// lock synchronizes access to all fields on this struct except for logger and version. // lock synchronizes access to all fields on this struct except for logger and version.
lock sync.RWMutex lock sync.RWMutex
base *Config base *Config
autoTLS *autoTLS autoTLS autoTLS
manual *manual manual *manual
peerDatacenterUseTLS map[string]bool peerDatacenterUseTLS map[string]bool
caPool *x509.CertPool caPool *x509.CertPool
@ -197,7 +199,6 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
c := &Configurator{ c := &Configurator{
logger: logger.Named(logging.TLSUtil), logger: logger.Named(logging.TLSUtil),
manual: &manual{}, manual: &manual{},
autoTLS: &autoTLS{},
peerDatacenterUseTLS: map[string]bool{}, peerDatacenterUseTLS: map[string]bool{},
} }
err := c.Update(config) err := c.Update(config)
@ -274,7 +275,7 @@ func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
return nil return nil
} }
// UpdateAutoTLSCert // UpdateAutoTLSCert receives the updated Auto-Encrypt certificate.
func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error { func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
if err != nil { if err != nil {
@ -290,8 +291,8 @@ func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
return nil return nil
} }
// UpdateAutoTLS sets everything under autoEncrypt. This is being called on the // UpdateAutoTLS receives updates from Auto-Config, only expected to be called on
// client when it received its cert from AutoEncrypt/AutoConfig endpoints. // client agents.
func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error { func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
if err != nil { if err != nil {

View File

@ -506,7 +506,7 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
variants = append(variants, variant{Config{TLSMinVersion: v}, false, false}) variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
} }
c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}} c := Configurator{manual: &manual{}}
for i, v := range variants { for i, v := range variants {
info := fmt.Sprintf("case %d, config: %+v", i, v.config) info := fmt.Sprintf("case %d, config: %+v", i, v.config)
_, err1 := NewConfigurator(v.config, nil) _, err1 := NewConfigurator(v.config, nil)
@ -716,7 +716,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
} }
func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) { func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
type variant struct { type variant struct {
verify bool verify bool
expected tls.ClientAuthType expected tls.ClientAuthType
@ -731,7 +731,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) { func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
type variant struct { type variant struct {
verify bool verify bool
autoEncryptTLS bool autoEncryptTLS bool
@ -909,7 +909,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) {
} }
func TestConfigurator_IncomingHTTPSConfig(t *testing.T) { func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos) require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
} }
@ -917,7 +917,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
c := Configurator{base: &Config{ c := Configurator{base: &Config{
TLSMinVersion: "tls12", TLSMinVersion: "tls12",
EnableAgentTLSForChecks: false, EnableAgentTLSForChecks: false,
}, autoTLS: &autoTLS{}} }}
tlsConf := c.OutgoingTLSConfigForCheck(true, "") tlsConf := c.OutgoingTLSConfigForCheck(true, "")
require.Equal(t, true, tlsConf.InsecureSkipVerify) require.Equal(t, true, tlsConf.InsecureSkipVerify)
require.Equal(t, uint16(0), tlsConf.MinVersion) require.Equal(t, uint16(0), tlsConf.MinVersion)
@ -936,7 +936,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCConfig(t *testing.T) { func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := &Configurator{base: &Config{}}
require.Nil(t, c.OutgoingRPCConfig()) require.Nil(t, c.OutgoingRPCConfig())
c, err := NewConfigurator(Config{ c, err := NewConfigurator(Config{
@ -954,7 +954,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
} }
func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) { func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := &Configurator{base: &Config{}}
require.Nil(t, c.OutgoingALPNRPCConfig()) require.Nil(t, c.OutgoingALPNRPCConfig())
c, err := NewConfigurator(Config{ c, err := NewConfigurator(Config{
@ -974,7 +974,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCWrapper(t *testing.T) { func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := &Configurator{base: &Config{}}
wrapper := c.OutgoingRPCWrapper() wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper) require.NotNil(t, wrapper)
conn := &net.TCPConn{} conn := &net.TCPConn{}
@ -996,7 +996,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
} }
func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) { func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := &Configurator{base: &Config{}}
wrapper := c.OutgoingRPCWrapper() wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper) require.NotNil(t, wrapper)
conn := &net.TCPConn{} conn := &net.TCPConn{}
@ -1071,7 +1071,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) {
} }
func TestConfigurator_VerifyOutgoing(t *testing.T) { func TestConfigurator_VerifyOutgoing(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
type variant struct { type variant struct {
verify bool verify bool
autoEncryptTLS bool autoEncryptTLS bool
@ -1104,7 +1104,7 @@ func TestConfigurator_Domain(t *testing.T) {
} }
func TestConfigurator_VerifyServerHostname(t *testing.T) { func TestConfigurator_VerifyServerHostname(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
require.False(t, c.VerifyServerHostname()) require.False(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = true c.base.VerifyServerHostname = true
@ -1121,7 +1121,7 @@ func TestConfigurator_VerifyServerHostname(t *testing.T) {
} }
func TestConfigurator_AutoEncrytCertExpired(t *testing.T) { func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} c := Configurator{base: &Config{}}
require.True(t, c.AutoEncryptCertExpired()) require.True(t, c.AutoEncryptCertExpired())
cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key") cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")