From dbb461a5d353cf2e12a399c5a2abce0f03546b97 Mon Sep 17 00:00:00 2001 From: Matt Keeler Date: Thu, 30 Jul 2020 10:15:12 -0400 Subject: [PATCH] Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Ensure that enabling AutoConfig sets the tls configurator properly This also refactors the TLS configurator a bit so the naming doesn’t imply only AutoEncrypt as the source of the automatically setup TLS cert info. --- agent/cert-monitor/cert_monitor.go | 6 +- agent/cert-monitor/cert_monitor_test.go | 2 +- agent/config/runtime.go | 2 +- agent/config/runtime_test.go | 42 ++++++++++- agent/consul/auto_encrypt_endpoint_test.go | 2 +- agent/consul/server.go | 2 +- tlsutil/config.go | 81 +++++++++++----------- tlsutil/config_test.go | 59 ++++++++-------- 8 files changed, 118 insertions(+), 78 deletions(-) diff --git a/agent/cert-monitor/cert_monitor.go b/agent/cert-monitor/cert_monitor.go index b65a490d3c..c23f08a256 100644 --- a/agent/cert-monitor/cert_monitor.go +++ b/agent/cert-monitor/cert_monitor.go @@ -149,7 +149,7 @@ func (m *CertMonitor) Update(certs *structs.SignedResponse) error { // that the recipient of the response who also has access to the private key will // have filled it in. The Cache definitely does this but auto-encrypt/auto-config // will need to ensure the original response is setup this way too. - err := m.tlsConfigurator.UpdateAutoEncrypt( + err := m.tlsConfigurator.UpdateAutoTLS( certs.ManualCARoots, connectCAPems, certs.IssuedCert.CertPEM, @@ -311,7 +311,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error { pems = append(pems, root.RootCert) } - if err := m.tlsConfigurator.UpdateAutoEncryptCA(pems); err != nil { + if err := m.tlsConfigurator.UpdateAutoTLSCA(pems); err != nil { return fmt.Errorf("failed to update Connect CA certificates: %w", err) } case leafWatchID: @@ -324,7 +324,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error { if !ok { return fmt.Errorf("invalid type for agent leaf cert watch response: %T", u.Result) } - if err := m.tlsConfigurator.UpdateAutoEncryptCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil { + if err := m.tlsConfigurator.UpdateAutoTLSCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil { return fmt.Errorf("failed to update the agent leaf cert: %w", err) } } diff --git a/agent/cert-monitor/cert_monitor_test.go b/agent/cert-monitor/cert_monitor_test.go index 07a65b4a15..500de549ab 100644 --- a/agent/cert-monitor/cert_monitor_test.go +++ b/agent/cert-monitor/cert_monitor_test.go @@ -118,7 +118,7 @@ func waitForChans(timeout time.Duration, chans ...<-chan struct{}) bool { func testTLSConfigurator(t *testing.T) *tlsutil.Configurator { t.Helper() logger := testutil.Logger(t) - cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoEncryptTLS: true}, logger) + cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoTLS: true}, logger) require.NoError(t, err) return cfg } diff --git a/agent/config/runtime.go b/agent/config/runtime.go index 55055ffb35..88c2271773 100644 --- a/agent/config/runtime.go +++ b/agent/config/runtime.go @@ -1799,7 +1799,7 @@ func (c *RuntimeConfig) ToTLSUtilConfig() tlsutil.Config { CipherSuites: c.TLSCipherSuites, PreferServerCipherSuites: c.TLSPreferServerCipherSuites, EnableAgentTLSForChecks: c.EnableAgentTLSForChecks, - AutoEncryptTLS: c.AutoEncryptTLS, + AutoTLS: c.AutoEncryptTLS || c.AutoConfig.Enabled, } } diff --git a/agent/config/runtime_test.go b/agent/config/runtime_test.go index dc98c074d1..f1ffe9a2bc 100644 --- a/agent/config/runtime_test.go +++ b/agent/config/runtime_test.go @@ -7357,7 +7357,47 @@ func TestRuntime_ToTLSUtilConfig(t *testing.T) { require.True(t, r.VerifyIncomingHTTPS) require.True(t, r.VerifyOutgoing) require.True(t, r.EnableAgentTLSForChecks) - require.True(t, r.AutoEncryptTLS) + require.True(t, r.AutoTLS) + require.True(t, r.VerifyServerHostname) + require.True(t, r.PreferServerCipherSuites) + require.Equal(t, "a", r.CAFile) + require.Equal(t, "b", r.CAPath) + require.Equal(t, "c", r.CertFile) + require.Equal(t, "d", r.KeyFile) + require.Equal(t, "e", r.NodeName) + require.Equal(t, "f", r.ServerName) + require.Equal(t, "g", r.Domain) + require.Equal(t, "tls12", r.TLSMinVersion) + require.Equal(t, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, r.CipherSuites) +} + +func TestRuntime_ToTLSUtilConfig_AutoConfig(t *testing.T) { + c := &RuntimeConfig{ + VerifyIncoming: true, + VerifyIncomingRPC: true, + VerifyIncomingHTTPS: true, + VerifyOutgoing: true, + VerifyServerHostname: true, + CAFile: "a", + CAPath: "b", + CertFile: "c", + KeyFile: "d", + NodeName: "e", + ServerName: "f", + DNSDomain: "g", + TLSMinVersion: "tls12", + TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, + TLSPreferServerCipherSuites: true, + EnableAgentTLSForChecks: true, + AutoConfig: AutoConfig{Enabled: true}, + } + r := c.ToTLSUtilConfig() + require.True(t, r.VerifyIncoming) + require.True(t, r.VerifyIncomingRPC) + require.True(t, r.VerifyIncomingHTTPS) + require.True(t, r.VerifyOutgoing) + require.True(t, r.EnableAgentTLSForChecks) + require.True(t, r.AutoTLS) require.True(t, r.VerifyServerHostname) require.True(t, r.PreferServerCipherSuites) require.Equal(t, "a", r.CAFile) diff --git a/agent/consul/auto_encrypt_endpoint_test.go b/agent/consul/auto_encrypt_endpoint_test.go index b9098b21c5..9701d08910 100644 --- a/agent/consul/auto_encrypt_endpoint_test.go +++ b/agent/consul/auto_encrypt_endpoint_test.go @@ -89,7 +89,7 @@ func TestAutoEncryptSign(t *testing.T) { } cfg := test.Config - cfg.AutoEncryptTLS = true + cfg.AutoTLS = true cfg.Domain = "consul" codec, err := insecureRPCClient(s, cfg) if test.ConnError { diff --git a/agent/consul/server.go b/agent/consul/server.go index f6263a9ef2..9a7ca78eaf 100644 --- a/agent/consul/server.go +++ b/agent/consul/server.go @@ -647,7 +647,7 @@ func (s *Server) connectCARootsMonitor(ctx context.Context) { for _, ca := range cas { caPems = append(caPems, ca.RootCert) } - if err := s.tlsConfigurator.UpdateAutoEncryptCA(caPems); err != nil { + if err := s.tlsConfigurator.UpdateAutoTLSCA(caPems); err != nil { s.logger.Error("Failed to update AutoEncrypt CAPems", "error", err) } diff --git a/tlsutil/config.go b/tlsutil/config.go index 5d782d42ad..1875dcea6c 100644 --- a/tlsutil/config.go +++ b/tlsutil/config.go @@ -127,9 +127,9 @@ type Config struct { // and key). EnableAgentTLSForChecks bool - // AutoEncryptTLS opts the agent into provisioning agent + // AutoTLS opts the agent into provisioning agent // TLS certificates. - AutoEncryptTLS bool + AutoTLS bool } func tlsVersions() []string { @@ -159,14 +159,14 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper { } } -type autoEncrypt struct { +type autoTLS struct { manualCAPems []string connectCAPems []string cert *tls.Certificate verifyServerHostname bool } -func (a *autoEncrypt) caPems() []string { +func (a *autoTLS) caPems() []string { return append(a.manualCAPems, a.connectCAPems...) } @@ -180,7 +180,7 @@ type manual struct { type Configurator struct { sync.RWMutex base *Config - autoEncrypt *autoEncrypt + autoTLS *autoTLS manual *manual peerDatacenterUseTLS map[string]bool @@ -201,7 +201,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error) c := &Configurator{ logger: logger.Named(logging.TLSUtil), manual: &manual{}, - autoEncrypt: &autoEncrypt{}, + autoTLS: &autoTLS{}, peerDatacenterUseTLS: map[string]bool{}, } err := c.Update(config) @@ -215,7 +215,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error) func (c *Configurator) CAPems() []string { c.RLock() defer c.RUnlock() - return append(c.manual.caPems, c.autoEncrypt.caPems()...) + return append(c.manual.caPems, c.autoTLS.caPems()...) } // ManualCAPems returns the currently loaded CAs in PEM format. @@ -242,7 +242,7 @@ func (c *Configurator) Update(config Config) error { if err != nil { return err } - pool, err := pool(append(pems, c.autoEncrypt.caPems()...)) + pool, err := pool(append(pems, c.autoTLS.caPems()...)) if err != nil { return err } @@ -257,17 +257,17 @@ func (c *Configurator) Update(config Config) error { return nil } -// UpdateAutoEncryptCA updates the autoEncrypt.caPems. This is supposed to be called +// UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called // from the server in order to be able to accept TLS connections with TLS // certificates. // Or it is being called on the client side when CA changes are detected. -func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error { +func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error { c.Lock() // order of defers matters because log acquires a RLock() defer c.log("UpdateAutoEncryptCA") defer c.Unlock() - pool, err := pool(append(c.manual.caPems, append(c.autoEncrypt.manualCAPems, connectCAPems...)...)) + pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...)) if err != nil { c.RUnlock() return err @@ -276,14 +276,14 @@ func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error { c.RUnlock() return err } - c.autoEncrypt.connectCAPems = connectCAPems + c.autoTLS.connectCAPems = connectCAPems c.caPool = pool c.version++ return nil } -// UpdateAutoEncryptCert -func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error { +// UpdateAutoTLSCert +func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error { // order of defers matters because log acquires a RLock() defer c.log("UpdateAutoEncryptCert") cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) @@ -294,14 +294,14 @@ func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error { c.Lock() defer c.Unlock() - c.autoEncrypt.cert = &cert + c.autoTLS.cert = &cert c.version++ return nil } -// UpdateAutoEncrypt sets everything under autoEncrypt. This is being called on the -// client when it received its cert from AutoEncrypt endpoint. -func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error { +// UpdateAutoTLS sets everything under autoEncrypt. This is being called on the +// client when it received its cert from AutoEncrypt/AutoConfig endpoints. +func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error { // order of defers matters because log acquires a RLock() defer c.log("UpdateAutoEncrypt") cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) @@ -316,11 +316,11 @@ func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, p if err != nil { return err } - c.autoEncrypt.manualCAPems = manualCAPems - c.autoEncrypt.connectCAPems = connectCAPems - c.autoEncrypt.cert = &cert + c.autoTLS.manualCAPems = manualCAPems + c.autoTLS.connectCAPems = connectCAPems + c.autoTLS.cert = &cert c.caPool = pool - c.autoEncrypt.verifyServerHostname = verifyServerHostname + c.autoTLS.verifyServerHostname = verifyServerHostname c.version++ return nil } @@ -375,20 +375,19 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi // Ensure we have a CA and cert if VerifyIncoming is set if config.anyVerifyIncoming() { - autoEncryptMsg := " AutoEncrypt only secures the connection between client and server and doesn't affect incoming connections on the client." if pool == nil { - errMsg := "VerifyIncoming set, and no CA certificate provided!" - if config.AutoEncryptTLS { - errMsg += autoEncryptMsg - } - return fmt.Errorf(errMsg) + // both auto-config and auto-encrypt require verifying the connection from the client to the server for secure + // operation. In order to be able to verify the servers certificate we must have some CA certs already provided. + // Therefore, even though both of those features can push down extra CA certificates which could be used to + // verify incoming connections, we still must consider it an error if none are provided in the initial configuration + // as those features cannot be successfully enabled without providing CA certificates to use those features. + return fmt.Errorf("VerifyIncoming set but no CA certificates were provided") } - if cert == nil { - errMsg := "VerifyIncoming set, and no Cert/Key pair provided!" - if config.AutoEncryptTLS { - errMsg += autoEncryptMsg - } - return fmt.Errorf(errMsg) + + // We will use the auto_encrypt/auto_config cert for TLS in the incoming APIs when available. Therefore the check + // here will ensure that either we enabled one of those two features or a certificate and key were provided manually + if cert == nil && !config.AutoTLS { + return fmt.Errorf("VerifyIncoming requires either a Cert and Key pair in the configuration file, or auto_encrypt/auto_config be enabled") } } return nil @@ -500,7 +499,7 @@ func (c *Configurator) commonTLSConfig(verifyIncoming bool) *tls.Config { // to a server requesting a certificate. Return the autoEncrypt certificate // if possible, otherwise default to the manually provisioned one. tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { - cert := c.autoEncrypt.cert + cert := c.autoTLS.cert if cert == nil { cert = c.manual.cert } @@ -536,7 +535,7 @@ func (c *Configurator) Cert() *tls.Certificate { defer c.RUnlock() cert := c.manual.cert if cert == nil { - cert = c.autoEncrypt.cert + cert = c.autoTLS.cert } return cert } @@ -554,7 +553,7 @@ func (c *Configurator) outgoingRPCTLSDisabled() bool { defer c.RUnlock() // if AutoEncrypt enabled, always use TLS - if c.base.AutoEncryptTLS { + if c.base.AutoTLS { return false } @@ -574,7 +573,7 @@ func (c *Configurator) MutualTLSCapable() bool { func (c *Configurator) mutualTLSCapable() bool { c.RLock() defer c.RUnlock() - return c.caPool != nil && (c.autoEncrypt.cert != nil || c.manual.cert != nil) + return c.caPool != nil && (c.autoTLS.cert != nil || c.manual.cert != nil) } // This function acquires a read lock because it reads from the config. @@ -584,7 +583,7 @@ func (c *Configurator) verifyOutgoing() bool { // If AutoEncryptTLS is enabled and there is a CA, then verify // outgoing. - if c.base.AutoEncryptTLS && c.caPool != nil { + if c.base.AutoTLS && c.caPool != nil { return true } @@ -644,7 +643,7 @@ func (c *Configurator) serverNameOrNodeName() string { func (c *Configurator) VerifyServerHostname() bool { c.RLock() defer c.RUnlock() - return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname + return c.base.VerifyServerHostname || c.autoTLS.verifyServerHostname } // IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections. @@ -798,7 +797,7 @@ func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper { func (c *Configurator) AutoEncryptCertNotAfter() time.Time { c.RLock() defer c.RUnlock() - tlsCert := c.autoEncrypt.cert + tlsCert := c.autoTLS.cert if tlsCert == nil || tlsCert.Certificate == nil { return time.Now().AddDate(0, 0, -1) } diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go index fd8de28f57..2ef550999f 100644 --- a/tlsutil/config_test.go +++ b/tlsutil/config_test.go @@ -500,15 +500,16 @@ func TestConfigurator_ErrorPropagation(t *testing.T) { {Config{VerifyIncoming: true, CAFile: "", CAPath: capath}, true, false}, // 18 {Config{VerifyIncoming: true, CAFile: "", CAPath: capath, CertFile: certfile, KeyFile: keyfile}, false, false}, // 19 - {Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20 - {Config{CAFile: "bogus"}, true, true}, // 21 - {Config{CAPath: "bogus"}, true, true}, // 22 + {Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20 + {Config{CAFile: "bogus"}, true, true}, // 21 + {Config{CAPath: "bogus"}, true, true}, // 22 + {Config{VerifyIncoming: true, CAFile: cafile, AutoTLS: true}, false, false}, // 22 } for _, v := range tlsVersions() { variants = append(variants, variant{Config{TLSMinVersion: v}, false, false}) } - c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}} + c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}} for i, v := range variants { info := fmt.Sprintf("case %d, config: %+v", i, v.config) _, err1 := NewConfigurator(v.config, nil) @@ -661,10 +662,10 @@ func TestConfigurator_CommonTLSConfigGetClientCertificate(t *testing.T) { c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") require.NoError(t, err) - c.autoEncrypt.cert = c2 + c.autoTLS.cert = c2 cert, err = c.commonTLSConfig(false).GetClientCertificate(nil) require.NoError(t, err) - require.Equal(t, c.autoEncrypt.cert, cert) + require.Equal(t, c.autoTLS.cert, cert) } func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) { @@ -678,10 +679,10 @@ func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) { // Setting a certificate as the auto-encrypt cert will return it as the regular server certificate c1, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key") require.NoError(t, err) - c.autoEncrypt.cert = c1 + c.autoTLS.cert = c1 cert, err = c.commonTLSConfig(false).GetCertificate(nil) require.NoError(t, err) - require.Equal(t, c.autoEncrypt.cert, cert) + require.Equal(t, c.autoTLS.cert, cert) // Setting a different certificate as a manual cert will override the auto-encrypt cert and instead return the manual cert c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") @@ -718,7 +719,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) { } func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} type variant struct { verify bool expected tls.ClientAuthType @@ -733,7 +734,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) { } func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} type variant struct { verify bool autoEncryptTLS bool @@ -755,7 +756,7 @@ func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) { info := fmt.Sprintf("case %d", i) c.caPool = v.pool c.base.VerifyOutgoing = v.verify - c.base.AutoEncryptTLS = v.autoEncryptTLS + c.base.AutoTLS = v.autoEncryptTLS require.Equal(t, v.expected, c.outgoingRPCTLSDisabled(), info) } } @@ -809,7 +810,7 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) { require.NoError(t, err) caPEM := loadFile(t, "../test/hostname/CertAuth.crt") - require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM})) + require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM})) require.False(t, c.mutualTLSCapable()) }) @@ -824,8 +825,8 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) { caPEM := loadFile(t, "../test/hostname/CertAuth.crt") certPEM := loadFile(t, "../test/hostname/Bob.crt") keyPEM := loadFile(t, "../test/hostname/Bob.key") - require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM})) - require.NoError(t, c.UpdateAutoEncryptCert(certPEM, keyPEM)) + require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM})) + require.NoError(t, c.UpdateAutoTLSCert(certPEM, keyPEM)) require.True(t, c.mutualTLSCapable()) }) @@ -900,7 +901,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) { } func TestConfigurator_IncomingHTTPSConfig(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos) } @@ -908,7 +909,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) { c := Configurator{base: &Config{ TLSMinVersion: "tls12", EnableAgentTLSForChecks: false, - }, autoEncrypt: &autoEncrypt{}} + }, autoTLS: &autoTLS{}} tlsConf := c.OutgoingTLSConfigForCheck(true) require.Equal(t, true, tlsConf.InsecureSkipVerify) require.Equal(t, uint16(0), tlsConf.MinVersion) @@ -922,7 +923,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) { } func TestConfigurator_OutgoingRPCConfig(t *testing.T) { - c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} require.Nil(t, c.OutgoingRPCConfig()) c, err := NewConfigurator(Config{ @@ -940,7 +941,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) { } func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) { - c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} require.Nil(t, c.OutgoingALPNRPCConfig()) c, err := NewConfigurator(Config{ @@ -960,7 +961,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) { } func TestConfigurator_OutgoingRPCWrapper(t *testing.T) { - c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} wrapper := c.OutgoingRPCWrapper() require.NotNil(t, wrapper) conn := &net.TCPConn{} @@ -982,7 +983,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) { } func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) { - c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}} wrapper := c.OutgoingRPCWrapper() require.NotNil(t, wrapper) conn := &net.TCPConn{} @@ -1058,7 +1059,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) { } func TestConfigurator_VerifyOutgoing(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} type variant struct { verify bool autoEncryptTLS bool @@ -1080,7 +1081,7 @@ func TestConfigurator_VerifyOutgoing(t *testing.T) { info := fmt.Sprintf("case %d", i) c.caPool = v.pool c.base.VerifyOutgoing = v.verify - c.base.AutoEncryptTLS = v.autoEncryptTLS + c.base.AutoTLS = v.autoEncryptTLS require.Equal(t, v.expected, c.verifyOutgoing(), info) } } @@ -1091,34 +1092,34 @@ func TestConfigurator_Domain(t *testing.T) { } func TestConfigurator_VerifyServerHostname(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} require.False(t, c.VerifyServerHostname()) c.base.VerifyServerHostname = true - c.autoEncrypt.verifyServerHostname = false + c.autoTLS.verifyServerHostname = false require.True(t, c.VerifyServerHostname()) c.base.VerifyServerHostname = false - c.autoEncrypt.verifyServerHostname = true + c.autoTLS.verifyServerHostname = true require.True(t, c.VerifyServerHostname()) c.base.VerifyServerHostname = true - c.autoEncrypt.verifyServerHostname = true + c.autoTLS.verifyServerHostname = true require.True(t, c.VerifyServerHostname()) } func TestConfigurator_AutoEncrytCertExpired(t *testing.T) { - c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} + c := Configurator{base: &Config{}, autoTLS: &autoTLS{}} require.True(t, c.AutoEncryptCertExpired()) cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key") require.NoError(t, err) - c.autoEncrypt.cert = cert + c.autoTLS.cert = cert require.True(t, c.AutoEncryptCertExpired()) cert, err = loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") require.NoError(t, err) - c.autoEncrypt.cert = cert + c.autoTLS.cert = cert require.False(t, c.AutoEncryptCertExpired()) }