Backport of fix: add tls config to unix socket when https is used into release/1.15.x (#16336)

* backport of commit 49f7423ab8

* backport of commit d5408c8d01

---------

Co-authored-by: cskh <hui.kang@hashicorp.com>
pull/16344/head
hc-github-team-consul-core 2023-02-21 08:43:27 -05:00 committed by GitHub
parent a3a9b05e14
commit 84bc971334
3 changed files with 102 additions and 4 deletions

.changelog/16301.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
agent configuration: Fix issue of using unix socket when https is used.
```


@ -1051,7 +1051,8 @@ func (a *Agent) listenHTTP() ([]apiServer, error) {
for _, l := range listeners {
var tlscfg *tls.Config
_, isTCP := l.(*tcpKeepAliveListener)
if isTCP && proto == "https" {
isUnix := l.Addr().Network() == "unix"
if (isTCP || isUnix) && proto == "https" {
tlscfg = a.tlsConfigurator.IncomingHTTPSConfig()
l = tls.NewListener(l, tlscfg)
}
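Review bot: An https listener that is neither TCP nor unix still falls through this condition unwrapped, because tlscfg stays nil and l is only replaced inside the if, so such an address configured as https would be served in plaintext; whether a listener of another network type can reach this loop is not visible in the hunk, but the safer shape is to make `proto == "https"` the outer decision and reject anything unrecognised, e.g. `if proto == "https" && !isTCP && !isUnix { return nil, fmt.Errorf("https listener on %s: unsupported network %q", l.Addr(), l.Addr().Network()) }` placed before the existing branch. The two flags are also derived differently — a type assertion for TCP and `l.Addr().Network()` for unix; if tcpKeepAliveListener reports `"tcp"` from Addr(), using `l.Addr().Network() == "tcp"` for both would read consistently. listenHTTP continues outside the hunk.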


@ -11,6 +11,7 @@ import (
"net/http"
"net/http/httptest"
"net/netip"
"net/url"
"os"
"path/filepath"
"runtime"
@ -140,6 +141,95 @@ func TestHTTPServer_UnixSocket_FileExists(t *testing.T) {
}
}
func TestHTTPSServer_UnixSocket(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
if runtime.GOOS == "windows" {
t.SkipNow()
}
tempDir := testutil.TempDir(t, "consul")
socket := filepath.Join(tempDir, "test.sock")
a := StartTestAgent(t, TestAgent{
UseHTTPS: true,
HCL: `
addresses {
https = "unix://` + socket + `"
}
unix_sockets {
mode = "0777"
}
tls {
defaults {
ca_file = "../test/client_certs/rootca.crt"
cert_file = "../test/client_certs/server.crt"
key_file = "../test/client_certs/server.key"
}
}
`,
})
defer a.Shutdown()
// Ensure the socket was created
if _, err := os.Stat(socket); err != nil {
t.Fatalf("err: %s", err)
}
// Ensure the mode was set properly
fi, err := os.Stat(socket)
if err != nil {
t.Fatalf("err: %s", err)
}
if fi.Mode().String() != "Srwxrwxrwx" {
t.Fatalf("bad permissions: %s", fi.Mode())
}
// Make an HTTP/2-enabled client, using the API helpers to set
// up TLS to be as normal as possible for Consul.
tlscfg := &api.TLSConfig{
Address: "consul.test",
KeyFile: "../test/client_certs/client.key",
CertFile: "../test/client_certs/client.crt",
CAFile: "../test/client_certs/rootca.crt",
}
tlsccfg, err := api.SetupTLSConfig(tlscfg)
if err != nil {
t.Fatalf("err: %v", err)
}
transport := api.DefaultConfig().Transport
transport.TLSHandshakeTimeout = 30 * time.Second
transport.TLSClientConfig = tlsccfg
if err := http2.ConfigureTransport(transport); err != nil {
t.Fatalf("err: %v", err)
}
transport.DialContext = func(_ context.Context, _, _ string) (net.Conn, error) {
return net.Dial("unix", socket)
}
client := &http.Client{Transport: transport}
u, err := url.Parse("https://unix" + socket)
if err != nil {
t.Fatalf("err: %s", err)
}
u.Path = "/v1/agent/self"
u.Scheme = "https"
resp, err := client.Get(u.String())
if err != nil {
t.Fatalf("err: %s", err)
}
defer resp.Body.Close()
if body, err := io.ReadAll(resp.Body); err != nil || len(body) == 0 {
t.Fatalf("bad: %s %v", body, err)
} else if !strings.Contains(string(body), "NodeName") {
t.Fatalf("NodeName not found in results: %s", string(body))
}
}
func TestSetupHTTPServer_HTTP2(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
@ -151,9 +241,13 @@ func TestSetupHTTPServer_HTTP2(t *testing.T) {
a := StartTestAgent(t, TestAgent{
UseHTTPS: true,
HCL: `
key_file = "../test/client_certs/server.key"
cert_file = "../test/client_certs/server.crt"
ca_file = "../test/client_certs/rootca.crt"
tls {
defaults {
ca_file = "../test/client_certs/rootca.crt"
cert_file = "../test/client_certs/server.crt"
key_file = "../test/client_certs/server.key"
}
}
`,
})
defer a.Shutdown()
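Review bot: TestHTTPSServer_UnixSocket never asserts that the response actually arrived over TLS, which is the property the listener change exists to provide; after the `client.Get` call, `if resp.TLS == nil { t.Fatal("expected a TLS connection over the unix socket") }` pins it instead of relying on a handshake failure to surface a regression. The request URL is also built in a roundabout way: `url.Parse("https://unix" + socket)` splices a filesystem path into the URL and the next two lines overwrite most of it (the `u.Scheme = "https"` assignment is a no-op, the parsed scheme is already https), and since DialContext ignores the address, `u := &url.URL{Scheme: "https", Host: "unix", Path: "/v1/agent/self"}` says the same thing in one line. The socket is stat'ed twice as well — the "Ensure the socket was created" block duplicates the `os.Stat` in the mode check right after it — so the first block can be dropped. The import hunk and the HCL restructuring in TestSetupHTTPServer_HTTP2 raise nothing.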