Merge pull request #10490 from hashicorp/dnephin/fix-tls-for-health-check

tlsutil: fix ServerName used for health checks that use TLS

.changelog/10490.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+checks: fixes the default ServerName used with TLS health checks.
+```

tlsutil/config.go

@@ -720,10 +720,6 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config {
 func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config {
 	c.log("OutgoingTLSConfigForCheck")
 
-	if serverName == "" {
-		serverName = c.serverNameOrNodeName()
-	}
-
 	if !c.enableAgentTLSForChecks() {
 		return &tls.Config{
 			InsecureSkipVerify: skipVerify,
@@ -731,6 +727,9 @@ func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName str
 		}
 	}
 
+	if serverName == "" {
+		serverName = c.serverNameOrNodeName()
+	}
 	config := c.commonTLSConfig(false)
 	config.InsecureSkipVerify = skipVerify
 	config.ServerName = serverName

tlsutil/config_test.go

@@ -11,6 +11,8 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/yamux"
 	"github.com/stretchr/testify/require"
@@ -913,26 +915,137 @@ func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
 	require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
 }
 
-func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
+func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
-	c := Configurator{base: &Config{
+	type testCase struct {
+		name       string
+		conf       func() (*Configurator, error)
+		skipVerify bool
+		serverName string
+		expected   *tls.Config
+	}
+
+	cmpTLSConfig := cmp.Options{
+		cmpopts.IgnoreFields(tls.Config{}, "GetCertificate", "GetClientCertificate"),
+		cmpopts.IgnoreUnexported(tls.Config{}),
+	}
+
+	run := func(t *testing.T, tc testCase) {
+		configurator, err := tc.conf()
+		require.NoError(t, err)
+		c := configurator.OutgoingTLSConfigForCheck(tc.skipVerify, tc.serverName)
+		assertDeepEqual(t, tc.expected, c, cmpTLSConfig)
+	}
+
+	testCases := []testCase{
+		{
+			name: "default tls",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{}, nil)
+			},
+			expected: &tls.Config{},
+		},
+		{
+			name: "default tls, skip verify, no server name",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
 					TLSMinVersion:           "tls12",
 					EnableAgentTLSForChecks: false,
-	}}
+				}, nil)
-	tlsConf := c.OutgoingTLSConfigForCheck(true, "")
+			},
-	require.Equal(t, true, tlsConf.InsecureSkipVerify)
+			skipVerify: true,
-	require.Equal(t, uint16(0), tlsConf.MinVersion)
+			expected:   &tls.Config{InsecureSkipVerify: true},
+		},
+		{
+			name: "default tls, skip verify, default server name",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
+					TLSMinVersion:           "tls12",
+					EnableAgentTLSForChecks: false,
+					ServerName:              "servername",
+					NodeName:                "nodename",
+				}, nil)
+			},
+			skipVerify: true,
+			expected:   &tls.Config{InsecureSkipVerify: true},
+		},
+		{
+			name: "default tls, skip verify, check server name",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
+					TLSMinVersion:           "tls12",
+					EnableAgentTLSForChecks: false,
+					ServerName:              "servername",
+				}, nil)
+			},
+			skipVerify: true,
+			serverName: "check-server-name",
+			expected: &tls.Config{
+				InsecureSkipVerify: true,
+				ServerName:         "check-server-name",
+			},
+		},
+		{
+			name: "agent tls, default server name",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
+					TLSMinVersion:           "tls12",
+					EnableAgentTLSForChecks: true,
+					NodeName:                "nodename",
+					ServerName:              "servername",
+				}, nil)
+			},
+			expected: &tls.Config{
+				MinVersion: tls.VersionTLS12,
+				ServerName: "servername",
+			},
+		},
+		{
+			name: "agent tls, skip verify, node name for server name",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
+					TLSMinVersion:           "tls12",
+					EnableAgentTLSForChecks: true,
+					NodeName:                "nodename",
+				}, nil)
+			},
+			skipVerify: true,
+			expected: &tls.Config{
+				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS12,
+				ServerName:         "nodename",
+			},
+		},
+		{
+			name: "agent tls, skip verify, with server name override",
+			conf: func() (*Configurator, error) {
+				return NewConfigurator(Config{
+					TLSMinVersion:           "tls12",
+					EnableAgentTLSForChecks: true,
+					ServerName:              "servername",
+				}, nil)
+			},
+			skipVerify: true,
+			serverName: "override",
+			expected: &tls.Config{
+				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS12,
+				ServerName:         "override",
+			},
+		},
+	}
 
-	c.base.EnableAgentTLSForChecks = true
+	for _, tc := range testCases {
-	c.base.ServerName = "servername"
+		t.Run(tc.name, func(t *testing.T) {
-	tlsConf = c.OutgoingTLSConfigForCheck(true, "")
+			run(t, tc)
-	require.Equal(t, true, tlsConf.InsecureSkipVerify)
+		})
-	require.Equal(t, tlsLookup[c.base.TLSMinVersion], tlsConf.MinVersion)
+	}
-	require.Equal(t, c.base.ServerName, tlsConf.ServerName)
+}
 
-	tlsConf = c.OutgoingTLSConfigForCheck(true, "servername2")
+func assertDeepEqual(t *testing.T, x, y interface{}, opts ...cmp.Option) {
-	require.Equal(t, true, tlsConf.InsecureSkipVerify)
+	t.Helper()
-	require.Equal(t, tlsLookup[c.base.TLSMinVersion], tlsConf.MinVersion)
+	if diff := cmp.Diff(x, y, opts...); diff != "" {
-	require.Equal(t, "servername2", tlsConf.ServerName)
+		t.Fatalf("assertion failed: values are not equal\n--- expected\n+++ actual\n%v", diff)
+	}
 }
 
 func TestConfigurator_OutgoingRPCConfig(t *testing.T) {