You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
consul/agent/auto-config/config_translate_test.go

180 lines
5.6 KiB

package autoconf
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/agent/config"
"github.com/hashicorp/consul/agent/structs"
pbconfig "github.com/hashicorp/consul/proto/pbconfig"
"github.com/hashicorp/consul/proto/pbconnect"
)
func stringPointer(s string) *string {
return &s
}
func boolPointer(b bool) *bool {
return &b
}
func mustTranslateCARootToProtobuf(t *testing.T, in *structs.CARoot) *pbconnect.CARoot {
out, err := pbconnect.NewCARootFromStructs(in)
require.NoError(t, err)
return out
}
func mustTranslateCARootsToStructs(t *testing.T, in *pbconnect.CARoots) *structs.IndexedCARoots {
out, err := pbconnect.CARootsToStructs(in)
require.NoError(t, err)
return out
}
func mustTranslateCARootsToProtobuf(t *testing.T, in *structs.IndexedCARoots) *pbconnect.CARoots {
out, err := pbconnect.NewCARootsFromStructs(in)
require.NoError(t, err)
return out
}
func mustTranslateIssuedCertToProtobuf(t *testing.T, in *structs.IssuedCert) *pbconnect.IssuedCert {
var out, err = pbconnect.NewIssuedCertFromStructs(in)
require.NoError(t, err)
return out
}
func TestTranslateConfig(t *testing.T) {
original := pbconfig.Config{
Datacenter: "abc",
PrimaryDatacenter: "def",
NodeName: "ghi",
SegmentName: "jkl",
ACL: &pbconfig.ACL{
Enabled: true,
PolicyTTL: "1s",
RoleTTL: "2s",
TokenTTL: "3s",
DownPolicy: "deny",
DefaultPolicy: "deny",
EnableKeyListPolicy: true,
EnableTokenPersistence: true,
MSPDisableBootstrap: false,
Tokens: &pbconfig.ACLTokens{
InitialManagement: "99e7e490-6baf-43fc-9010-78b6aa9a6813",
Replication: "51308d40-465c-4ac6-a636-7c0747edec89",
AgentRecovery: "e012e1ea-78a2-41cc-bc8b-231a44196f39",
Default: "8781a3f5-de46-4b45-83e1-c92f4cfd0332",
Agent: "ddb8f1b0-8a99-4032-b601-87926bce244e",
ManagedServiceProvider: []*pbconfig.ACLServiceProviderToken{
{
AccessorID: "23f37987-7b9e-4e5b-acae-dbc9bc137bae",
SecretID: "e28b820a-438e-4e2b-ad24-fe59e6a4914f",
},
},
},
},
AutoEncrypt: &pbconfig.AutoEncrypt{
TLS: true,
DNSSAN: []string{"dns"},
IPSAN: []string{"198.18.0.1"},
AllowTLS: false,
},
Gossip: &pbconfig.Gossip{
RetryJoinLAN: []string{"10.0.0.1"},
Encryption: &pbconfig.GossipEncryption{
Key: "blarg",
VerifyOutgoing: true,
VerifyIncoming: true,
},
},
TLS: &pbconfig.TLS{
VerifyOutgoing: true,
VerifyServerHostname: true,
CipherSuites: "stuff",
MinVersion: "tls13",
},
}
expected := config.Config{
Datacenter: stringPointer("abc"),
PrimaryDatacenter: stringPointer("def"),
NodeName: stringPointer("ghi"),
SegmentName: stringPointer("jkl"),
RetryJoinLAN: []string{"10.0.0.1"},
EncryptKey: stringPointer("blarg"),
EncryptVerifyIncoming: boolPointer(true),
EncryptVerifyOutgoing: boolPointer(true),
TLS: config.TLS{
Defaults: config.TLSProtocolConfig{
VerifyOutgoing: boolPointer(true),
TLSCipherSuites: stringPointer("stuff"),
agent: convert listener config to TLS types (#12522) * tlsutil: initial implementation of types/TLSVersion tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types * website: update Consul agent tls_min_version values * agent: fixup TLS parsing and compilation errors * test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test * tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites * test: revert autoconfig tls min version fixtures to old format * types: add TLSVersions public function * agent: add warning for deprecated TLS version strings * agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder * tlsutil(BREAKING): change default TLS min version to TLS 1.2 * agent: move ParseCiphers logic from tlsutil into agent config builder * tlsutil: remove unused CipherString function * agent: fixup import for types package * Revert "tlsutil: remove unused CipherString function" This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c. * agent: fixup config builder and runtime tests * tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig * test: move TLS cipher suites parsing test from tlsutil into agent config builder tests * agent: remove parseCiphers helper from auto_config_endpoint_test * test: remove unused imports from tlsutil * agent: remove resolved FIXME comment * tlsutil: remove TODO and FIXME in cipher suite validation * agent: prevent setting inherited cipher suite config when TLS 1.3 is specified * changelog: add entry for converting agent config to TLS types * agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now * tlsutil: remove config tests for values checked at agent config builder boundary * tlsutil: remove tls version check from loadProtocolConfig * tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites * website: update search link for supported Consul agent cipher suites * website: apply review suggestions for tls_min_version description * website: attempt to clean up markdown list formatting for tls_min_version * website: moar linebreaks to fix tls_min_version formatting * Revert "website: moar linebreaks to fix tls_min_version formatting" This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c. * autoconfig: translate old values for TLSMinVersion * agent: rename var for translated value of deprecated TLS version value * Update agent/config/deprecated.go Co-authored-by: Dan Upton <daniel@floppy.co> * agent: fix lint issue * agent: fixup deprecated config test assertions for updated warning Co-authored-by: Dan Upton <daniel@floppy.co>
3 years ago
TLSMinVersion: stringPointer("TLSv1_3"),
},
InternalRPC: config.TLSProtocolConfig{
VerifyServerHostname: boolPointer(true),
},
},
ACL: config.ACL{
Enabled: boolPointer(true),
PolicyTTL: stringPointer("1s"),
RoleTTL: stringPointer("2s"),
TokenTTL: stringPointer("3s"),
DownPolicy: stringPointer("deny"),
DefaultPolicy: stringPointer("deny"),
EnableKeyListPolicy: boolPointer(true),
EnableTokenPersistence: boolPointer(true),
Tokens: config.Tokens{
InitialManagement: stringPointer("99e7e490-6baf-43fc-9010-78b6aa9a6813"),
AgentRecovery: stringPointer("e012e1ea-78a2-41cc-bc8b-231a44196f39"),
Replication: stringPointer("51308d40-465c-4ac6-a636-7c0747edec89"),
Default: stringPointer("8781a3f5-de46-4b45-83e1-c92f4cfd0332"),
Agent: stringPointer("ddb8f1b0-8a99-4032-b601-87926bce244e"),
ManagedServiceProvider: []config.ServiceProviderToken{
{
AccessorID: stringPointer("23f37987-7b9e-4e5b-acae-dbc9bc137bae"),
SecretID: stringPointer("e28b820a-438e-4e2b-ad24-fe59e6a4914f"),
},
},
},
},
AutoEncrypt: config.AutoEncrypt{
TLS: boolPointer(true),
DNSSAN: []string{"dns"},
IPSAN: []string{"198.18.0.1"},
AllowTLS: boolPointer(false),
},
}
translated := translateConfig(&original)
require.Equal(t, expected, translated)
}
func TestCArootsTranslation(t *testing.T) {
_, indexedRoots, _ := testCerts(t, "autoconf", "dc1")
protoRoots := mustTranslateCARootsToProtobuf(t, indexedRoots)
require.Equal(t, indexedRoots, mustTranslateCARootsToStructs(t, protoRoots))
}
func caRootRoundtrip(t *testing.T, s *structs.CARoot) *structs.CARoot {
pbRoot, err := pbconnect.NewCARootFromStructs(s)
require.NoError(t, err)
root, err := pbconnect.CARootToStructs(pbRoot)
require.NoError(t, err)
return root
}
func caRootsRoundtrip(t *testing.T, s *structs.IndexedCARoots) *structs.IndexedCARoots {
pbRoot, err := pbconnect.NewCARootsFromStructs(s)
require.NoError(t, err)
root, err := pbconnect.CARootsToStructs(pbRoot)
require.NoError(t, err)
return root
}
func issuedCertRoundtrip(t *testing.T, s *structs.IssuedCert) *structs.IssuedCert {
pbCert, err := pbconnect.NewIssuedCertFromStructs(s)
require.NoError(t, err)
cert, err := pbconnect.IssuedCertToStructs(pbCert)
require.NoError(t, err)
return cert
}