set TLS checksum when parsing config
Refactor checksum comparison, always set checksum if it is empty
parent
dd5f627feb
commit
2d5af7ff4d
|
@ -414,7 +414,6 @@ func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
|
|||
// decide on what type of connections to accept
|
||||
c.configLock.Lock()
|
||||
c.config.TLSConfig = newConfig
|
||||
c.config.TLSConfig.SetChecksum()
|
||||
c.configLock.Unlock()
|
||||
|
||||
c.connPool.ReloadTLS(tlsWrap)
|
||||
|
|
|
@ -77,9 +77,6 @@ func NewAgent(config *Config, logOutput io.Writer, inmem *metrics.InmemSink) (*A
|
|||
InmemSink: inmem,
|
||||
}
|
||||
|
||||
// ensure that the TLS configuration is properly set up
|
||||
a.config.TLSConfig.SetChecksum()
|
||||
|
||||
if err := a.setupConsul(config.Consul); err != nil {
|
||||
return nil, fmt.Errorf("Failed to initialize Consul client: %v", err)
|
||||
}
|
||||
|
|
|
@ -321,6 +321,13 @@ func (c *Command) readConfig() *Config {
|
|||
c.Ui.Error("WARNING: Bootstrap mode enabled! Potentially unsafe operation.")
|
||||
}
|
||||
|
||||
// Set up the TLS configuration properly if we have one.
|
||||
// XXX chelseakomlo: set up a TLSConfig New method which would wrap
|
||||
// constructor-type actions like this.
|
||||
if !config.TLSConfig.IsEmpty() {
|
||||
config.TLSConfig.SetChecksum()
|
||||
}
|
||||
|
||||
return config
|
||||
}
|
||||
|
||||
|
|
|
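Review bot: The error returned by `config.TLSConfig.SetChecksum()` is dropped in the new block, so a TLS config whose CA, cert or key file cannot be read leaves `Checksum` empty and readConfig still returns a config that looks valid; the failure then only surfaces later, when CertificateInfoIsEqual retries the checksum and reports "unequal" (the SetChecksum hunk further down shows it does return an error). Check it at parse time instead, `if err := config.TLSConfig.SetChecksum(); err != nil {`, report it through `c.Ui.Error("Error computing TLS config checksum: " + err.Error())` and return nil the same way readConfig's other validation failures presumably do (its earlier body is outside the hunk, so confirm that convention). The XXX note about a TLSConfig constructor is a reasonable place to move this once it exists.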
@ -471,7 +471,6 @@ func (s *Server) reloadTLSConnections(newTLSConfig *config.TLSConfig) error {
|
|||
// access to config information, such as rpc.go, where we decide on what kind
|
||||
// of network connections to accept depending on the server configuration
|
||||
s.config.TLSConfig = newTLSConfig
|
||||
s.config.TLSConfig.SetChecksum()
|
||||
|
||||
s.rpcTLS = incomingTLS
|
||||
s.connPool.ReloadTLS(tlsWrap)
|
||||
|
|
|
@ -209,14 +209,27 @@ func (t *TLSConfig) CertificateInfoIsEqual(newConfig *TLSConfig) bool {
|
|||
|
||||
if t.IsEmpty() && newConfig.IsEmpty() {
|
||||
return true
|
||||
}
|
||||
|
||||
newCertChecksum, err := createChecksumOfFiles(newConfig.CAFile, newConfig.CertFile, newConfig.KeyFile)
|
||||
if err != nil {
|
||||
} else if t.IsEmpty() || newConfig.IsEmpty() {
|
||||
return false
|
||||
}
|
||||
|
||||
return t.Checksum == newCertChecksum
|
||||
// Set the checksum if it hasn't yet been set (this should happen when the
|
||||
// config is parsed but this provides safety in depth)
|
||||
if newConfig.Checksum == "" {
|
||||
err := newConfig.SetChecksum()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
if t.Checksum == "" {
|
||||
err := t.SetChecksum()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
return t.Checksum == newConfig.Checksum
|
||||
}
|
||||
|
||||
// SetChecksum generates and sets the checksum for a TLS configuration
|
||||
|
|
|
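Review bot: CertificateInfoIsEqual now mutates both operands (`newConfig.SetChecksum()` and `t.SetChecksum()`) and folds any checksum I/O error into `return false`, so a caller cannot tell "certificates changed" from "a certificate file could not be read", and it will treat the latter as a change worth reloading. The receiver `t` is typically the live server or client config, and this write happens without the configLock that the reload hunks take around assignment, so if the method is called outside that lock it races with the reload path (callers are not in the hunk, so this is inferred). At minimum the doc comment above the method (its signature is outside the hunk) should state the contract, e.g. `// CertificateInfoIsEqual reports whether both configs refer to the same CA, cert and key contents. It lazily computes and stores Checksum on either config, and returns false when a checksum cannot be computed.`; a cleaner fix is to surface the error to the caller so an unreadable file does not trigger a reload.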
@ -95,6 +95,18 @@ func TestTLS_CertificateInfoIsEqual_FalseWhenUnequal(t *testing.T) {
|
|||
}
|
||||
require.False(a.CertificateInfoIsEqual(b))
|
||||
}
|
||||
|
||||
// Assert that mismatching empty types are considered unequal
|
||||
{
|
||||
a := &TLSConfig{}
|
||||
|
||||
b := &TLSConfig{
|
||||
CAFile: cafile,
|
||||
CertFile: foocert,
|
||||
KeyFile: fookey2,
|
||||
}
|
||||
require.False(a.CertificateInfoIsEqual(b))
|
||||
}
|
||||
}
|
||||
|
||||
// Certificate info should be equal when the CA file, certificate file, and key
|
||||
|
|
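Review bot: The new "mismatching empty types" block only exercises the direction where the receiver is empty and the argument is populated; the symmetric case is the one the reload path hits (live populated config compared against a newly parsed empty one), and it goes through a different branch of the `t.IsEmpty() || newConfig.IsEmpty()` check. Add `require.False(b.CertificateInfoIsEqual(a))` next to the existing assertion so both orderings are pinned. The enclosing test function starts outside the hunk.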