Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394)

Ensure that enabling AutoConfig sets the tls configurator properly

This also refactors the TLS configurator a bit so the naming doesn’t imply that AutoEncrypt is the only source of the automatically set-up TLS cert info.
Matt Keeler 2020-07-30 10:15:12 -04:00 committed by GitHub
parent c21c2fe494
commit dbb461a5d3
8 changed files with 118 additions and 78 deletions


@ -149,7 +149,7 @@ func (m *CertMonitor) Update(certs *structs.SignedResponse) error {
// that the recipient of the response who also has access to the private key will // that the recipient of the response who also has access to the private key will
// have filled it in. The Cache definitely does this but auto-encrypt/auto-config // have filled it in. The Cache definitely does this but auto-encrypt/auto-config
// will need to ensure the original response is setup this way too. // will need to ensure the original response is setup this way too.
err := m.tlsConfigurator.UpdateAutoEncrypt( err := m.tlsConfigurator.UpdateAutoTLS(
certs.ManualCARoots, certs.ManualCARoots,
connectCAPems, connectCAPems,
certs.IssuedCert.CertPEM, certs.IssuedCert.CertPEM,
@ -311,7 +311,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
pems = append(pems, root.RootCert) pems = append(pems, root.RootCert)
} }
if err := m.tlsConfigurator.UpdateAutoEncryptCA(pems); err != nil { if err := m.tlsConfigurator.UpdateAutoTLSCA(pems); err != nil {
return fmt.Errorf("failed to update Connect CA certificates: %w", err) return fmt.Errorf("failed to update Connect CA certificates: %w", err)
} }
case leafWatchID: case leafWatchID:
@ -324,7 +324,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
if !ok { if !ok {
return fmt.Errorf("invalid type for agent leaf cert watch response: %T", u.Result) return fmt.Errorf("invalid type for agent leaf cert watch response: %T", u.Result)
} }
if err := m.tlsConfigurator.UpdateAutoEncryptCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil { if err := m.tlsConfigurator.UpdateAutoTLSCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil {
return fmt.Errorf("failed to update the agent leaf cert: %w", err) return fmt.Errorf("failed to update the agent leaf cert: %w", err)
} }
} }


@ -118,7 +118,7 @@ func waitForChans(timeout time.Duration, chans ...<-chan struct{}) bool {
func testTLSConfigurator(t *testing.T) *tlsutil.Configurator { func testTLSConfigurator(t *testing.T) *tlsutil.Configurator {
t.Helper() t.Helper()
logger := testutil.Logger(t) logger := testutil.Logger(t)
cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoEncryptTLS: true}, logger) cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoTLS: true}, logger)
require.NoError(t, err) require.NoError(t, err)
return cfg return cfg
} }


@ -1799,7 +1799,7 @@ func (c *RuntimeConfig) ToTLSUtilConfig() tlsutil.Config {
CipherSuites: c.TLSCipherSuites, CipherSuites: c.TLSCipherSuites,
PreferServerCipherSuites: c.TLSPreferServerCipherSuites, PreferServerCipherSuites: c.TLSPreferServerCipherSuites,
EnableAgentTLSForChecks: c.EnableAgentTLSForChecks, EnableAgentTLSForChecks: c.EnableAgentTLSForChecks,
AutoEncryptTLS: c.AutoEncryptTLS, AutoTLS: c.AutoEncryptTLS || c.AutoConfig.Enabled,
} }
} }
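Review bot: The new `AutoTLS: c.AutoEncryptTLS || c.AutoConfig.Enabled,` line folds two features into one flag without saying why, and tlsutil now uses that flag to waive the VerifyIncoming cert/key requirement, so the consequence belongs next to the expression. Suggest `// AutoTLS covers every feature that can provision the agent's TLS cert at runtime (auto_encrypt, auto_config); tlsutil relies on it to accept verify_incoming without a static cert/key.` ToTLSUtilConfig's body begins outside the hunk.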


@ -7357,7 +7357,47 @@ func TestRuntime_ToTLSUtilConfig(t *testing.T) {
require.True(t, r.VerifyIncomingHTTPS) require.True(t, r.VerifyIncomingHTTPS)
require.True(t, r.VerifyOutgoing) require.True(t, r.VerifyOutgoing)
require.True(t, r.EnableAgentTLSForChecks) require.True(t, r.EnableAgentTLSForChecks)
require.True(t, r.AutoEncryptTLS) require.True(t, r.AutoTLS)
require.True(t, r.VerifyServerHostname)
require.True(t, r.PreferServerCipherSuites)
require.Equal(t, "a", r.CAFile)
require.Equal(t, "b", r.CAPath)
require.Equal(t, "c", r.CertFile)
require.Equal(t, "d", r.KeyFile)
require.Equal(t, "e", r.NodeName)
require.Equal(t, "f", r.ServerName)
require.Equal(t, "g", r.Domain)
require.Equal(t, "tls12", r.TLSMinVersion)
require.Equal(t, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, r.CipherSuites)
}
func TestRuntime_ToTLSUtilConfig_AutoConfig(t *testing.T) {
c := &RuntimeConfig{
VerifyIncoming: true,
VerifyIncomingRPC: true,
VerifyIncomingHTTPS: true,
VerifyOutgoing: true,
VerifyServerHostname: true,
CAFile: "a",
CAPath: "b",
CertFile: "c",
KeyFile: "d",
NodeName: "e",
ServerName: "f",
DNSDomain: "g",
TLSMinVersion: "tls12",
TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
TLSPreferServerCipherSuites: true,
EnableAgentTLSForChecks: true,
AutoConfig: AutoConfig{Enabled: true},
}
r := c.ToTLSUtilConfig()
require.True(t, r.VerifyIncoming)
require.True(t, r.VerifyIncomingRPC)
require.True(t, r.VerifyIncomingHTTPS)
require.True(t, r.VerifyOutgoing)
require.True(t, r.EnableAgentTLSForChecks)
require.True(t, r.AutoTLS)
require.True(t, r.VerifyServerHostname) require.True(t, r.VerifyServerHostname)
require.True(t, r.PreferServerCipherSuites) require.True(t, r.PreferServerCipherSuites)
require.Equal(t, "a", r.CAFile) require.Equal(t, "a", r.CAFile)
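Review bot: TestRuntime_ToTLSUtilConfig_AutoConfig only exercises the `AutoConfig: AutoConfig{Enabled: true}` path, so the `c.AutoEncryptTLS || c.AutoConfig.Enabled` derivation is never pinned from the negative side, and with both flags false `r.AutoTLS` must stay false or verify_incoming would be accepted without a cert/key under the relaxed tlsutil check. Add a variant such as `c.AutoConfig.Enabled = false` followed by `require.False(t, c.ToTLSUtilConfig().AutoTLS)`. The new test is otherwise a copy of TestRuntime_ToTLSUtilConfig with only the AutoConfig field differing, so a table over the two flags would cover all combinations and drop the duplication. The new function continues past the end of the hunk.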


@ -89,7 +89,7 @@ func TestAutoEncryptSign(t *testing.T) {
} }
cfg := test.Config cfg := test.Config
cfg.AutoEncryptTLS = true cfg.AutoTLS = true
cfg.Domain = "consul" cfg.Domain = "consul"
codec, err := insecureRPCClient(s, cfg) codec, err := insecureRPCClient(s, cfg)
if test.ConnError { if test.ConnError {


@ -647,7 +647,7 @@ func (s *Server) connectCARootsMonitor(ctx context.Context) {
for _, ca := range cas { for _, ca := range cas {
caPems = append(caPems, ca.RootCert) caPems = append(caPems, ca.RootCert)
} }
if err := s.tlsConfigurator.UpdateAutoEncryptCA(caPems); err != nil { if err := s.tlsConfigurator.UpdateAutoTLSCA(caPems); err != nil {
s.logger.Error("Failed to update AutoEncrypt CAPems", "error", err) s.logger.Error("Failed to update AutoEncrypt CAPems", "error", err)
} }


@ -127,9 +127,9 @@ type Config struct {
// and key). // and key).
EnableAgentTLSForChecks bool EnableAgentTLSForChecks bool
// AutoEncryptTLS opts the agent into provisioning agent // AutoTLS opts the agent into provisioning agent
// TLS certificates. // TLS certificates.
AutoEncryptTLS bool AutoTLS bool
} }
func tlsVersions() []string { func tlsVersions() []string {
@ -159,14 +159,14 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper {
} }
} }
type autoEncrypt struct { type autoTLS struct {
manualCAPems []string manualCAPems []string
connectCAPems []string connectCAPems []string
cert *tls.Certificate cert *tls.Certificate
verifyServerHostname bool verifyServerHostname bool
} }
func (a *autoEncrypt) caPems() []string { func (a *autoTLS) caPems() []string {
return append(a.manualCAPems, a.connectCAPems...) return append(a.manualCAPems, a.connectCAPems...)
} }
@ -180,7 +180,7 @@ type manual struct {
type Configurator struct { type Configurator struct {
sync.RWMutex sync.RWMutex
base *Config base *Config
autoEncrypt *autoEncrypt autoTLS *autoTLS
manual *manual manual *manual
peerDatacenterUseTLS map[string]bool peerDatacenterUseTLS map[string]bool
@ -201,7 +201,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
c := &Configurator{ c := &Configurator{
logger: logger.Named(logging.TLSUtil), logger: logger.Named(logging.TLSUtil),
manual: &manual{}, manual: &manual{},
autoEncrypt: &autoEncrypt{}, autoTLS: &autoTLS{},
peerDatacenterUseTLS: map[string]bool{}, peerDatacenterUseTLS: map[string]bool{},
} }
err := c.Update(config) err := c.Update(config)
@ -215,7 +215,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
func (c *Configurator) CAPems() []string { func (c *Configurator) CAPems() []string {
c.RLock() c.RLock()
defer c.RUnlock() defer c.RUnlock()
return append(c.manual.caPems, c.autoEncrypt.caPems()...) return append(c.manual.caPems, c.autoTLS.caPems()...)
} }
// ManualCAPems returns the currently loaded CAs in PEM format. // ManualCAPems returns the currently loaded CAs in PEM format.
@ -242,7 +242,7 @@ func (c *Configurator) Update(config Config) error {
if err != nil { if err != nil {
return err return err
} }
pool, err := pool(append(pems, c.autoEncrypt.caPems()...)) pool, err := pool(append(pems, c.autoTLS.caPems()...))
if err != nil { if err != nil {
return err return err
} }
@ -257,17 +257,17 @@ func (c *Configurator) Update(config Config) error {
return nil return nil
} }
// UpdateAutoEncryptCA updates the autoEncrypt.caPems. This is supposed to be called // UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called
// from the server in order to be able to accept TLS connections with TLS // from the server in order to be able to accept TLS connections with TLS
// certificates. // certificates.
// Or it is being called on the client side when CA changes are detected. // Or it is being called on the client side when CA changes are detected.
func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error { func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
c.Lock() c.Lock()
// order of defers matters because log acquires a RLock() // order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncryptCA") defer c.log("UpdateAutoEncryptCA")
defer c.Unlock() defer c.Unlock()
pool, err := pool(append(c.manual.caPems, append(c.autoEncrypt.manualCAPems, connectCAPems...)...)) pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...))
if err != nil { if err != nil {
c.RUnlock() c.RUnlock()
return err return err
@ -276,14 +276,14 @@ func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error {
c.RUnlock() c.RUnlock()
return err return err
} }
c.autoEncrypt.connectCAPems = connectCAPems c.autoTLS.connectCAPems = connectCAPems
c.caPool = pool c.caPool = pool
c.version++ c.version++
return nil return nil
} }
// UpdateAutoEncryptCert // UpdateAutoTLSCert
func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error { func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
// order of defers matters because log acquires a RLock() // order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncryptCert") defer c.log("UpdateAutoEncryptCert")
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
@ -294,14 +294,14 @@ func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error {
c.Lock() c.Lock()
defer c.Unlock() defer c.Unlock()
c.autoEncrypt.cert = &cert c.autoTLS.cert = &cert
c.version++ c.version++
return nil return nil
} }
// UpdateAutoEncrypt sets everything under autoEncrypt. This is being called on the // UpdateAutoTLS sets everything under autoEncrypt. This is being called on the
// client when it received its cert from AutoEncrypt endpoint. // client when it received its cert from AutoEncrypt/AutoConfig endpoints.
func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error { func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
// order of defers matters because log acquires a RLock() // order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncrypt") defer c.log("UpdateAutoEncrypt")
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv)) cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
@ -316,11 +316,11 @@ func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, p
if err != nil { if err != nil {
return err return err
} }
c.autoEncrypt.manualCAPems = manualCAPems c.autoTLS.manualCAPems = manualCAPems
c.autoEncrypt.connectCAPems = connectCAPems c.autoTLS.connectCAPems = connectCAPems
c.autoEncrypt.cert = &cert c.autoTLS.cert = &cert
c.caPool = pool c.caPool = pool
c.autoEncrypt.verifyServerHostname = verifyServerHostname c.autoTLS.verifyServerHostname = verifyServerHostname
c.version++ c.version++
return nil return nil
} }
@ -375,20 +375,19 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
// Ensure we have a CA and cert if VerifyIncoming is set // Ensure we have a CA and cert if VerifyIncoming is set
if config.anyVerifyIncoming() { if config.anyVerifyIncoming() {
autoEncryptMsg := " AutoEncrypt only secures the connection between client and server and doesn't affect incoming connections on the client."
if pool == nil { if pool == nil {
errMsg := "VerifyIncoming set, and no CA certificate provided!" // both auto-config and auto-encrypt require verifying the connection from the client to the server for secure
if config.AutoEncryptTLS { // operation. In order to be able to verify the servers certificate we must have some CA certs already provided.
errMsg += autoEncryptMsg // Therefore, even though both of those features can push down extra CA certificates which could be used to
} // verify incoming connections, we still must consider it an error if none are provided in the initial configuration
return fmt.Errorf(errMsg) // as those features cannot be successfully enabled without providing CA certificates to use those features.
return fmt.Errorf("VerifyIncoming set but no CA certificates were provided")
} }
if cert == nil {
errMsg := "VerifyIncoming set, and no Cert/Key pair provided!" // We will use the auto_encrypt/auto_config cert for TLS in the incoming APIs when available. Therefore the check
if config.AutoEncryptTLS { // here will ensure that either we enabled one of those two features or a certificate and key were provided manually
errMsg += autoEncryptMsg if cert == nil && !config.AutoTLS {
} return fmt.Errorf("VerifyIncoming requires either a Cert and Key pair in the configuration file, or auto_encrypt/auto_config be enabled")
return fmt.Errorf(errMsg)
} }
} }
return nil return nil
@ -500,7 +499,7 @@ func (c *Configurator) commonTLSConfig(verifyIncoming bool) *tls.Config {
// to a server requesting a certificate. Return the autoEncrypt certificate // to a server requesting a certificate. Return the autoEncrypt certificate
// if possible, otherwise default to the manually provisioned one. // if possible, otherwise default to the manually provisioned one.
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
cert := c.autoEncrypt.cert cert := c.autoTLS.cert
if cert == nil { if cert == nil {
cert = c.manual.cert cert = c.manual.cert
} }
@ -536,7 +535,7 @@ func (c *Configurator) Cert() *tls.Certificate {
defer c.RUnlock() defer c.RUnlock()
cert := c.manual.cert cert := c.manual.cert
if cert == nil { if cert == nil {
cert = c.autoEncrypt.cert cert = c.autoTLS.cert
} }
return cert return cert
} }
@ -554,7 +553,7 @@ func (c *Configurator) outgoingRPCTLSDisabled() bool {
defer c.RUnlock() defer c.RUnlock()
// if AutoEncrypt enabled, always use TLS // if AutoEncrypt enabled, always use TLS
if c.base.AutoEncryptTLS { if c.base.AutoTLS {
return false return false
} }
@ -574,7 +573,7 @@ func (c *Configurator) MutualTLSCapable() bool {
func (c *Configurator) mutualTLSCapable() bool { func (c *Configurator) mutualTLSCapable() bool {
c.RLock() c.RLock()
defer c.RUnlock() defer c.RUnlock()
return c.caPool != nil && (c.autoEncrypt.cert != nil || c.manual.cert != nil) return c.caPool != nil && (c.autoTLS.cert != nil || c.manual.cert != nil)
} }
// This function acquires a read lock because it reads from the config. // This function acquires a read lock because it reads from the config.
@ -584,7 +583,7 @@ func (c *Configurator) verifyOutgoing() bool {
// If AutoEncryptTLS is enabled and there is a CA, then verify // If AutoEncryptTLS is enabled and there is a CA, then verify
// outgoing. // outgoing.
if c.base.AutoEncryptTLS && c.caPool != nil { if c.base.AutoTLS && c.caPool != nil {
return true return true
} }
@ -644,7 +643,7 @@ func (c *Configurator) serverNameOrNodeName() string {
func (c *Configurator) VerifyServerHostname() bool { func (c *Configurator) VerifyServerHostname() bool {
c.RLock() c.RLock()
defer c.RUnlock() defer c.RUnlock()
return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname return c.base.VerifyServerHostname || c.autoTLS.verifyServerHostname
} }
// IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections. // IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections.
@ -798,7 +797,7 @@ func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper {
func (c *Configurator) AutoEncryptCertNotAfter() time.Time { func (c *Configurator) AutoEncryptCertNotAfter() time.Time {
c.RLock() c.RLock()
defer c.RUnlock() defer c.RUnlock()
tlsCert := c.autoEncrypt.cert tlsCert := c.autoTLS.cert
if tlsCert == nil || tlsCert.Certificate == nil { if tlsCert == nil || tlsCert.Certificate == nil {
return time.Now().AddDate(0, 0, -1) return time.Now().AddDate(0, 0, -1)
} }
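Review bot: The relaxed guard `if cert == nil && !config.AutoTLS {` in check() lets VerifyIncoming pass with no cert/key as soon as AutoTLS is set, but nothing in the hunk says what the incoming listeners present before auto_encrypt/auto_config has delivered a certificate; the `Cert()` hunk still returns nil when both `c.manual.cert` and `c.autoTLS.cert` are unset, so the comment above the guard should spell out that startup window, e.g. `// Until the auto TLS cert arrives, incoming listeners have no certificate to serve; callers must tolerate that window`, and a test for it is missing. The new doc comments still describe the old field: `// UpdateAutoTLSCA updates the autoEncrypt.caPems.` and `// UpdateAutoTLS sets everything under autoEncrypt.` should say `autoTLS`, `// UpdateAutoTLSCert` needs a real sentence, and the deferred `c.log("UpdateAutoEncryptCA")` / `c.log("UpdateAutoEncryptCert")` / `c.log("UpdateAutoEncrypt")` labels keep the old names. Separately, the error paths in UpdateAutoTLSCA call `c.RUnlock()` while the write lock from `c.Lock()` is held and `defer c.Unlock()` is already registered; sync.RWMutex treats an RUnlock without a matching RLock as a fatal error, so those two `c.RUnlock()` lines should simply be removed. check(), UpdateAutoTLSCA and UpdateAutoTLS all begin or end outside their hunks.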


@ -500,15 +500,16 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath}, true, false}, // 18 {Config{VerifyIncoming: true, CAFile: "", CAPath: capath}, true, false}, // 18
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath, {Config{VerifyIncoming: true, CAFile: "", CAPath: capath,
CertFile: certfile, KeyFile: keyfile}, false, false}, // 19 CertFile: certfile, KeyFile: keyfile}, false, false}, // 19
{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20 {Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
{Config{CAFile: "bogus"}, true, true}, // 21 {Config{CAFile: "bogus"}, true, true}, // 21
{Config{CAPath: "bogus"}, true, true}, // 22 {Config{CAPath: "bogus"}, true, true}, // 22
{Config{VerifyIncoming: true, CAFile: cafile, AutoTLS: true}, false, false}, // 22
} }
for _, v := range tlsVersions() { for _, v := range tlsVersions() {
variants = append(variants, variant{Config{TLSMinVersion: v}, false, false}) variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
} }
c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}} c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}}
for i, v := range variants { for i, v := range variants {
info := fmt.Sprintf("case %d, config: %+v", i, v.config) info := fmt.Sprintf("case %d, config: %+v", i, v.config)
_, err1 := NewConfigurator(v.config, nil) _, err1 := NewConfigurator(v.config, nil)
@ -661,10 +662,10 @@ func TestConfigurator_CommonTLSConfigGetClientCertificate(t *testing.T) {
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
require.NoError(t, err) require.NoError(t, err)
c.autoEncrypt.cert = c2 c.autoTLS.cert = c2
cert, err = c.commonTLSConfig(false).GetClientCertificate(nil) cert, err = c.commonTLSConfig(false).GetClientCertificate(nil)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, c.autoEncrypt.cert, cert) require.Equal(t, c.autoTLS.cert, cert)
} }
func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) { func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
@ -678,10 +679,10 @@ func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
// Setting a certificate as the auto-encrypt cert will return it as the regular server certificate // Setting a certificate as the auto-encrypt cert will return it as the regular server certificate
c1, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key") c1, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
require.NoError(t, err) require.NoError(t, err)
c.autoEncrypt.cert = c1 c.autoTLS.cert = c1
cert, err = c.commonTLSConfig(false).GetCertificate(nil) cert, err = c.commonTLSConfig(false).GetCertificate(nil)
require.NoError(t, err) require.NoError(t, err)
require.Equal(t, c.autoEncrypt.cert, cert) require.Equal(t, c.autoTLS.cert, cert)
// Setting a different certificate as a manual cert will override the auto-encrypt cert and instead return the manual cert // Setting a different certificate as a manual cert will override the auto-encrypt cert and instead return the manual cert
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
@ -718,7 +719,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
} }
func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) { func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct { type variant struct {
verify bool verify bool
expected tls.ClientAuthType expected tls.ClientAuthType
@ -733,7 +734,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) { func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct { type variant struct {
verify bool verify bool
autoEncryptTLS bool autoEncryptTLS bool
@ -755,7 +756,7 @@ func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
info := fmt.Sprintf("case %d", i) info := fmt.Sprintf("case %d", i)
c.caPool = v.pool c.caPool = v.pool
c.base.VerifyOutgoing = v.verify c.base.VerifyOutgoing = v.verify
c.base.AutoEncryptTLS = v.autoEncryptTLS c.base.AutoTLS = v.autoEncryptTLS
require.Equal(t, v.expected, c.outgoingRPCTLSDisabled(), info) require.Equal(t, v.expected, c.outgoingRPCTLSDisabled(), info)
} }
} }
@ -809,7 +810,7 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
caPEM := loadFile(t, "../test/hostname/CertAuth.crt") caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM})) require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
require.False(t, c.mutualTLSCapable()) require.False(t, c.mutualTLSCapable())
}) })
@ -824,8 +825,8 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
caPEM := loadFile(t, "../test/hostname/CertAuth.crt") caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
certPEM := loadFile(t, "../test/hostname/Bob.crt") certPEM := loadFile(t, "../test/hostname/Bob.crt")
keyPEM := loadFile(t, "../test/hostname/Bob.key") keyPEM := loadFile(t, "../test/hostname/Bob.key")
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM})) require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
require.NoError(t, c.UpdateAutoEncryptCert(certPEM, keyPEM)) require.NoError(t, c.UpdateAutoTLSCert(certPEM, keyPEM))
require.True(t, c.mutualTLSCapable()) require.True(t, c.mutualTLSCapable())
}) })
@ -900,7 +901,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) {
} }
func TestConfigurator_IncomingHTTPSConfig(t *testing.T) { func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos) require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
} }
@ -908,7 +909,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
c := Configurator{base: &Config{ c := Configurator{base: &Config{
TLSMinVersion: "tls12", TLSMinVersion: "tls12",
EnableAgentTLSForChecks: false, EnableAgentTLSForChecks: false,
}, autoEncrypt: &autoEncrypt{}} }, autoTLS: &autoTLS{}}
tlsConf := c.OutgoingTLSConfigForCheck(true) tlsConf := c.OutgoingTLSConfigForCheck(true)
require.Equal(t, true, tlsConf.InsecureSkipVerify) require.Equal(t, true, tlsConf.InsecureSkipVerify)
require.Equal(t, uint16(0), tlsConf.MinVersion) require.Equal(t, uint16(0), tlsConf.MinVersion)
@ -922,7 +923,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCConfig(t *testing.T) { func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Nil(t, c.OutgoingRPCConfig()) require.Nil(t, c.OutgoingRPCConfig())
c, err := NewConfigurator(Config{ c, err := NewConfigurator(Config{
@ -940,7 +941,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
} }
func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) { func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Nil(t, c.OutgoingALPNRPCConfig()) require.Nil(t, c.OutgoingALPNRPCConfig())
c, err := NewConfigurator(Config{ c, err := NewConfigurator(Config{
@ -960,7 +961,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
} }
func TestConfigurator_OutgoingRPCWrapper(t *testing.T) { func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
wrapper := c.OutgoingRPCWrapper() wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper) require.NotNil(t, wrapper)
conn := &net.TCPConn{} conn := &net.TCPConn{}
@ -982,7 +983,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
} }
func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) { func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
wrapper := c.OutgoingRPCWrapper() wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper) require.NotNil(t, wrapper)
conn := &net.TCPConn{} conn := &net.TCPConn{}
@ -1058,7 +1059,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) {
} }
func TestConfigurator_VerifyOutgoing(t *testing.T) { func TestConfigurator_VerifyOutgoing(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct { type variant struct {
verify bool verify bool
autoEncryptTLS bool autoEncryptTLS bool
@ -1080,7 +1081,7 @@ func TestConfigurator_VerifyOutgoing(t *testing.T) {
info := fmt.Sprintf("case %d", i) info := fmt.Sprintf("case %d", i)
c.caPool = v.pool c.caPool = v.pool
c.base.VerifyOutgoing = v.verify c.base.VerifyOutgoing = v.verify
c.base.AutoEncryptTLS = v.autoEncryptTLS c.base.AutoTLS = v.autoEncryptTLS
require.Equal(t, v.expected, c.verifyOutgoing(), info) require.Equal(t, v.expected, c.verifyOutgoing(), info)
} }
} }
@ -1091,34 +1092,34 @@ func TestConfigurator_Domain(t *testing.T) {
} }
func TestConfigurator_VerifyServerHostname(t *testing.T) { func TestConfigurator_VerifyServerHostname(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.False(t, c.VerifyServerHostname()) require.False(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = true c.base.VerifyServerHostname = true
c.autoEncrypt.verifyServerHostname = false c.autoTLS.verifyServerHostname = false
require.True(t, c.VerifyServerHostname()) require.True(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = false c.base.VerifyServerHostname = false
c.autoEncrypt.verifyServerHostname = true c.autoTLS.verifyServerHostname = true
require.True(t, c.VerifyServerHostname()) require.True(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = true c.base.VerifyServerHostname = true
c.autoEncrypt.verifyServerHostname = true c.autoTLS.verifyServerHostname = true
require.True(t, c.VerifyServerHostname()) require.True(t, c.VerifyServerHostname())
} }
func TestConfigurator_AutoEncrytCertExpired(t *testing.T) { func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}} c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.True(t, c.AutoEncryptCertExpired()) require.True(t, c.AutoEncryptCertExpired())
cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key") cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
require.NoError(t, err) require.NoError(t, err)
c.autoEncrypt.cert = cert c.autoTLS.cert = cert
require.True(t, c.AutoEncryptCertExpired()) require.True(t, c.AutoEncryptCertExpired())
cert, err = loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key") cert, err = loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
require.NoError(t, err) require.NoError(t, err)
c.autoEncrypt.cert = cert c.autoTLS.cert = cert
require.False(t, c.AutoEncryptCertExpired()) require.False(t, c.AutoEncryptCertExpired())
} }
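Review bot: The new variant `{Config{VerifyIncoming: true, CAFile: cafile, AutoTLS: true}, false, false}, // 22` reuses the index comment of the case before it; it should read `// 23` so the `case %d` message in the loop matches the comment. It also covers only the accepting side of the relaxed check; a companion case with VerifyIncoming and AutoTLS but no CA, e.g. `{Config{VerifyIncoming: true, AutoTLS: true}, true, false}, // 24` (mirroring case 18's expectations, assuming the second bool distinguishes file-loading errors from check errors), would pin that AutoTLS does not also waive the CA requirement. TestConfigurator_ErrorPropagation's body continues outside the hunk.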