mirror of
https://github.com/status-im/consul.git
synced 2025-01-10 13:55:55 +00:00
5fb9df1640
* Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
139 lines
4.5 KiB
Go
139 lines
4.5 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package autoconf
|
|
|
|
import (
|
|
"github.com/hashicorp/consul/agent/config"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
"github.com/hashicorp/consul/proto/private/pbautoconf"
|
|
"github.com/hashicorp/consul/proto/private/pbconfig"
|
|
"github.com/hashicorp/consul/proto/private/pbconnect"
|
|
"github.com/hashicorp/consul/types"
|
|
)
|
|
|
|
// translateAgentConfig is meant to take in a proto/pbconfig.Config type
|
|
// and craft the corresponding agent/config.Config type. The need for this function
|
|
// should eventually be removed with the protobuf and normal version converging.
|
|
// In the meantime, its not desirable to have the flatter Config struct in protobufs
|
|
// as in the long term we want a configuration with more nested groupings.
|
|
//
|
|
// Why is this function not in the proto/pbconfig package? The answer, that
|
|
// package cannot import the agent/config package without running into import cycles.
|
|
func translateConfig(c *pbconfig.Config) config.Config {
|
|
result := config.Config{
|
|
Datacenter: stringPtrOrNil(c.Datacenter),
|
|
PrimaryDatacenter: stringPtrOrNil(c.PrimaryDatacenter),
|
|
NodeName: stringPtrOrNil(c.NodeName),
|
|
// only output the SegmentName in the configuration if it's non-empty
|
|
// this will avoid a warning later when parsing the persisted configuration
|
|
SegmentName: stringPtrOrNil(c.SegmentName),
|
|
// only output the Partition in the configuration if it's non-empty
|
|
// this will avoid a warning later when parsing the persisted configuration
|
|
Partition: stringPtrOrNil(c.Partition),
|
|
}
|
|
|
|
if a := c.AutoEncrypt; a != nil {
|
|
result.AutoEncrypt = config.AutoEncrypt{
|
|
TLS: &a.TLS,
|
|
DNSSAN: a.DNSSAN,
|
|
IPSAN: a.IPSAN,
|
|
AllowTLS: &a.AllowTLS,
|
|
}
|
|
}
|
|
|
|
if a := c.ACL; a != nil {
|
|
result.ACL = config.ACL{
|
|
Enabled: &a.Enabled,
|
|
PolicyTTL: stringPtrOrNil(a.PolicyTTL),
|
|
RoleTTL: stringPtrOrNil(a.RoleTTL),
|
|
TokenTTL: stringPtrOrNil(a.TokenTTL),
|
|
DownPolicy: stringPtrOrNil(a.DownPolicy),
|
|
DefaultPolicy: stringPtrOrNil(a.DefaultPolicy),
|
|
EnableKeyListPolicy: &a.EnableKeyListPolicy,
|
|
EnableTokenPersistence: &a.EnableTokenPersistence,
|
|
}
|
|
|
|
if t := c.ACL.Tokens; t != nil {
|
|
tokens := make([]config.ServiceProviderToken, 0, len(t.ManagedServiceProvider))
|
|
for _, mspToken := range t.ManagedServiceProvider {
|
|
tokens = append(tokens, config.ServiceProviderToken{
|
|
AccessorID: &mspToken.AccessorID,
|
|
SecretID: &mspToken.SecretID,
|
|
})
|
|
}
|
|
|
|
result.ACL.Tokens = config.Tokens{
|
|
InitialManagement: stringPtrOrNil(t.InitialManagement),
|
|
AgentRecovery: stringPtrOrNil(t.AgentRecovery),
|
|
Replication: stringPtrOrNil(t.Replication),
|
|
Default: stringPtrOrNil(t.Default),
|
|
Agent: stringPtrOrNil(t.Agent),
|
|
ManagedServiceProvider: tokens,
|
|
}
|
|
}
|
|
}
|
|
|
|
if g := c.Gossip; g != nil {
|
|
result.RetryJoinLAN = g.RetryJoinLAN
|
|
|
|
if e := c.Gossip.Encryption; e != nil {
|
|
result.EncryptKey = stringPtrOrNil(e.Key)
|
|
result.EncryptVerifyIncoming = &e.VerifyIncoming
|
|
result.EncryptVerifyOutgoing = &e.VerifyOutgoing
|
|
}
|
|
}
|
|
|
|
if t := c.TLS; t != nil {
|
|
result.TLS.Defaults = config.TLSProtocolConfig{
|
|
VerifyOutgoing: &t.VerifyOutgoing,
|
|
TLSCipherSuites: stringPtrOrNil(t.CipherSuites),
|
|
}
|
|
|
|
// NOTE: This inner check for deprecated values should eventually be
|
|
// removed, and possibly replaced with a versioning scheme for autoconfig
|
|
// or a proper integration with the deprecated config handling in
|
|
// agent/config/deprecated.go
|
|
if v, ok := types.DeprecatedConsulAgentTLSVersions[t.MinVersion]; ok {
|
|
result.TLS.Defaults.TLSMinVersion = stringPtrOrNil(v.String())
|
|
} else {
|
|
result.TLS.Defaults.TLSMinVersion = stringPtrOrNil(t.MinVersion)
|
|
}
|
|
|
|
result.TLS.InternalRPC.VerifyServerHostname = &t.VerifyServerHostname
|
|
}
|
|
|
|
return result
|
|
}
|
|
|
|
func stringPtrOrNil(v string) *string {
|
|
if v == "" {
|
|
return nil
|
|
}
|
|
return &v
|
|
}
|
|
|
|
func extractSignedResponse(resp *pbautoconf.AutoConfigResponse) (*structs.SignedResponse, error) {
|
|
roots, err := pbconnect.CARootsToStructs(resp.CARoots)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
cert, err := pbconnect.IssuedCertToStructs(resp.Certificate)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
out := &structs.SignedResponse{
|
|
IssuedCert: *cert,
|
|
ConnectCARoots: *roots,
|
|
ManualCARoots: resp.ExtraCACertificates,
|
|
}
|
|
|
|
if resp.Config != nil && resp.Config.TLS != nil {
|
|
out.VerifyServerHostname = resp.Config.TLS.VerifyServerHostname
|
|
}
|
|
|
|
return out, err
|
|
}
|