auto_encrypt: verify_incoming_rpc is good enough for auto_encrypt.allow_tls (#6376)

Previously `verify_incoming` was required when turning on `auto_encrypt.allow_tls`, but that doesn't work together with HTTPS UI in some scenarios. Adding `verify_incoming_rpc` to the allowed configurations.
2019-08-27 14:36:36 +02:00 · 2019-08-27 14:36:36 +02:00 · faa54ab989
parent e7a5d80169
commit faa54ab989
2 changed files with 75 additions and 2 deletions
--- a/agent/config/builder.go
+++ b/agent/config/builder.go
@ -1103,8 +1103,8 @@ func (b *Builder) Validate(rt RuntimeConfig) error {
 	}

 	if rt.AutoEncryptAllowTLS {
-		if !rt.VerifyIncoming {
-			return fmt.Errorf("if auto_encrypt.allow_tls is turned on, TLS must be configured in order to work properly.")
+		if !rt.VerifyIncoming && !rt.VerifyIncomingRPC {
+			return fmt.Errorf("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.")
 		}
 	}

--- a/agent/config/runtime_test.go
+++ b/agent/config/runtime_test.go
@ -2527,6 +2527,79 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
 				rt.VerifyOutgoing = true
 			},
 		},
+		{
+			desc: "auto_encrypt.allow works implies connect",
+			args: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{`{
+			  "verify_incoming": true,
+			  "auto_encrypt": { "allow_tls": true }
+			}`},
+			hcl: []string{`
+			  verify_incoming = true
+			  auto_encrypt { allow_tls = true }
+			`},
+			patch: func(rt *RuntimeConfig) {
+				rt.DataDir = dataDir
+				rt.VerifyIncoming = true
+				rt.AutoEncryptAllowTLS = true
+				rt.ConnectEnabled = true
+			},
+		},
+		{
+			desc: "auto_encrypt.allow works with verify_incoming",
+			args: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{`{
+			  "verify_incoming": true,
+			  "auto_encrypt": { "allow_tls": true }
+			}`},
+			hcl: []string{`
+			  verify_incoming = true
+			  auto_encrypt { allow_tls = true }
+			`},
+			patch: func(rt *RuntimeConfig) {
+				rt.DataDir = dataDir
+				rt.VerifyIncoming = true
+				rt.AutoEncryptAllowTLS = true
+				rt.ConnectEnabled = true
+			},
+		},
+		{
+			desc: "auto_encrypt.allow works with verify_incoming_rpc",
+			args: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{`{
+			  "verify_incoming_rpc": true,
+			  "auto_encrypt": { "allow_tls": true }
+			}`},
+			hcl: []string{`
+			  verify_incoming_rpc = true
+			  auto_encrypt { allow_tls = true }
+			`},
+			patch: func(rt *RuntimeConfig) {
+				rt.DataDir = dataDir
+				rt.VerifyIncomingRPC = true
+				rt.AutoEncryptAllowTLS = true
+				rt.ConnectEnabled = true
+			},
+		},
+		{
+			desc: "auto_encrypt.allow fails without verify_incoming or verify_incoming_rpc",
+			args: []string{
+				`-data-dir=` + dataDir,
+			},
+			json: []string{`{
+			  "auto_encrypt": { "allow_tls": true }
+			}`},
+			hcl: []string{`
+			  auto_encrypt { allow_tls = true }
+			`},
+			err: "if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.",
+		},
 		{
 			desc: "test connect vault provider configuration",
 			args: []string{