Merge pull request #4328 from hashicorp/r-single-tls-config-constructor

Refactor to prefer using NewTLSConfiguration constructor
This commit is contained in:
Chelsea Komlo 2018-05-24 13:46:29 -04:00 committed by GitHub
commit af15dda45a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 45 additions and 45 deletions


@ -197,11 +197,14 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
// Create the tls wrapper // Create the tls wrapper
var tlsWrap tlsutil.RegionWrapper var tlsWrap tlsutil.RegionWrapper
if cfg.TLSConfig.EnableRPC { if cfg.TLSConfig.EnableRPC {
tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper() tw, err := tlsutil.NewTLSConfiguration(cfg.TLSConfig, true, true)
if err != nil {
return nil, err
}
tlsWrap, err = tw.OutgoingTLSWrapper()
if err != nil { if err != nil {
return nil, err return nil, err
} }
tlsWrap = tw
} }
// Create the client // Create the client
@ -399,7 +402,7 @@ func (c *Client) init() error {
func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error { func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
var tlsWrap tlsutil.RegionWrapper var tlsWrap tlsutil.RegionWrapper
if newConfig != nil && newConfig.EnableRPC { if newConfig != nil && newConfig.EnableRPC {
tw, err := tlsutil.NewTLSConfiguration(newConfig) tw, err := tlsutil.NewTLSConfiguration(newConfig, true, true)
if err != nil { if err != nil {
return err return err
} }
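Review bot: The two bare `true, true` literals passed to `tlsutil.NewTLSConfiguration` in NewClient and again in reloadTLSConnections decide whether peer certificates are verified, yet nothing at the call site says which position is incoming and which is outgoing, so a swapped or mistyped argument would silently weaken verification and no test here would notice. Label them where they are written, `tlsutil.NewTLSConfiguration(cfg.TLSConfig, true /* verifyIncoming */, true /* verifyOutgoing */)`, or add a short comment above the call noting that the client verifies both sides. Note also that, unlike the removed `cfg.TLSConfiguration()`, the constructor parses `TLSCipherSuites` and so can now fail at client startup on a bad cipher string; that appears intentional but is a behaviour change worth a line in the PR description. Both NewClient and reloadTLSConnections extend beyond this hunk.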


@ -9,7 +9,6 @@ import (
"time" "time"
"github.com/hashicorp/nomad/helper" "github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/tlsutil"
"github.com/hashicorp/nomad/nomad/structs" "github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config" "github.com/hashicorp/nomad/nomad/structs/config"
"github.com/hashicorp/nomad/version" "github.com/hashicorp/nomad/version"
@ -358,17 +357,3 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
} }
return list return list
} }
// TLSConfiguration returns a TLSUtil Config based on the existing client
// configuration
func (c *Config) TLSConfiguration() *tlsutil.Config {
return &tlsutil.Config{
VerifyIncoming: true,
VerifyOutgoing: true,
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
CAFile: c.TLSConfig.CAFile,
CertFile: c.TLSConfig.CertFile,
KeyFile: c.TLSConfig.KeyFile,
KeyLoader: c.TLSConfig.GetKeyLoader(),
}
}


@ -70,15 +70,11 @@ func NewHTTPServer(agent *Agent, config *Config) (*HTTPServer, error) {
// If TLS is enabled, wrap the listener with a TLS listener // If TLS is enabled, wrap the listener with a TLS listener
if config.TLSConfig.EnableHTTP { if config.TLSConfig.EnableHTTP {
tlsConf := &tlsutil.Config{ tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, config.TLSConfig.VerifyHTTPSClient, true)
VerifyIncoming: config.TLSConfig.VerifyHTTPSClient, if err != nil {
VerifyOutgoing: true, return nil, err
VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
CAFile: config.TLSConfig.CAFile,
CertFile: config.TLSConfig.CertFile,
KeyFile: config.TLSConfig.KeyFile,
KeyLoader: config.TLSConfig.GetKeyLoader(),
} }
tlsConfig, err := tlsConf.IncomingTLSConfig() tlsConfig, err := tlsConf.IncomingTLSConfig()
if err != nil { if err != nil {
return nil, err return nil, err
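Review bot: The error from `tlsutil.NewTLSConfiguration` on the HTTPS listener path is returned without context, so an invalid `tls_cipher_suites` or `tls_min_version` value — which, as far as this hunk shows, the HTTP listener starts honouring with this change — would surface from agent startup without indicating which listener rejected it. Wrap it before returning, e.g. `return nil, fmt.Errorf("configuring TLS for the HTTP listener: %v", err)`, assuming `fmt` is already imported in this file. Passing `config.TLSConfig.VerifyHTTPSClient` as verifyIncoming and a constant `true` as verifyOutgoing preserves the removed literal's behaviour; the `VerifyOutgoing` value is irrelevant for a listener-only config and could carry a comment saying so. NewHTTPServer continues outside the hunk.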


@ -109,7 +109,7 @@ type Config struct {
MinVersion uint16 MinVersion uint16
} }
func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) { func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoing bool) (*Config, error) {
ciphers, err := ParseCiphers(newConf.TLSCipherSuites) ciphers, err := ParseCiphers(newConf.TLSCipherSuites)
if err != nil { if err != nil {
return nil, err return nil, err
@ -121,8 +121,8 @@ func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
} }
return &Config{ return &Config{
VerifyIncoming: true, VerifyIncoming: verifyIncoming,
VerifyOutgoing: true, VerifyOutgoing: verifyOutgoing,
VerifyServerHostname: newConf.VerifyServerHostname, VerifyServerHostname: newConf.VerifyServerHostname,
CAFile: newConf.CAFile, CAFile: newConf.CAFile,
CertFile: newConf.CertFile, CertFile: newConf.CertFile,
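Review bot: `NewTLSConfiguration` is exported and now takes two security-relevant boolean parameters but has no doc comment explaining them, and nothing in the function rejects or even warns about `false, false`, which yields a Config with no peer verification at all. Add a doc comment along the lines of `// NewTLSConfiguration builds a tlsutil Config from the agent's TLSConfig. verifyIncoming controls whether peer (client) certificates are required and verified on listeners; verifyOutgoing controls whether the remote end's certificate is verified on outbound connections. Callers are expected to pass true for any side that carries authenticated traffic.` — the exact semantics of VerifyIncoming/VerifyOutgoing are not visible in this hunk, so confirm the wording against their definitions. Consider whether a small enum or options struct would be safer than two adjacent positional bools. The function body continues past the end of this hunk.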


@ -531,3 +531,22 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) {
require.Equal(uint16(0), parsedVersion) require.Equal(uint16(0), parsedVersion)
} }
} }
func TestConfig_NewTLSConfiguration(t *testing.T) {
require := require.New(t)
conf := &config.TLSConfig{
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
tlsConf, err := NewTLSConfiguration(conf, true, true)
require.Nil(err)
require.True(tlsConf.VerifyIncoming)
require.True(tlsConf.VerifyOutgoing)
expectedCiphers := []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
require.Equal(tlsConf.CipherSuites, expectedCiphers)
}
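Review bot: `require.Equal(tlsConf.CipherSuites, expectedCiphers)` has its arguments reversed — testify's signature is `Equal(expected, actual)`, so a failure message would label the real value as expected; change it to `require.Equal(expectedCiphers, tlsConf.CipherSuites)`. The test also only exercises `true, true`, so the new parameters are not actually proven to reach the struct: a second call such as `tlsConf, err = NewTLSConfiguration(conf, false, true)` followed by `require.False(tlsConf.VerifyIncoming)` would catch a swapped or ignored argument. `TLSMinVersion` is left empty here, so the min-version path of the constructor is not covered by this test either.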


@ -9,7 +9,6 @@ import (
"time" "time"
"github.com/hashicorp/memberlist" "github.com/hashicorp/memberlist"
"github.com/hashicorp/nomad/helper/tlsutil"
"github.com/hashicorp/nomad/helper/uuid" "github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs" "github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config" "github.com/hashicorp/nomad/nomad/structs/config"
@ -388,16 +387,3 @@ func DefaultConfig() *Config {
return c return c
} }
// tlsConfig returns a TLSUtil Config based on the server configuration
func (c *Config) tlsConfig() *tlsutil.Config {
return &tlsutil.Config{
VerifyIncoming: true,
VerifyOutgoing: true,
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
CAFile: c.TLSConfig.CAFile,
CertFile: c.TLSConfig.CertFile,
KeyFile: c.TLSConfig.KeyFile,
KeyLoader: c.TLSConfig.GetKeyLoader(),
}
}


@ -273,7 +273,10 @@ func NewServer(config *Config, consulCatalog consul.CatalogAPI, logger *log.Logg
} }
// Configure TLS // Configure TLS
tlsConf := config.tlsConfig() tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, true, true)
if err != nil {
return nil, err
}
incomingTLS, tlsWrap, err := getTLSConf(config.TLSConfig.EnableRPC, tlsConf) incomingTLS, tlsWrap, err := getTLSConf(config.TLSConfig.EnableRPC, tlsConf)
if err != nil { if err != nil {
return nil, err return nil, err
@ -450,7 +453,7 @@ func (s *Server) reloadTLSConnections(newTLSConfig *config.TLSConfig) error {
return fmt.Errorf("can't reload uninitialized RPC listener") return fmt.Errorf("can't reload uninitialized RPC listener")
} }
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig) tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig, true, true)
if err != nil { if err != nil {
s.logger.Printf("[ERR] nomad: unable to create TLS configuration %s", err) s.logger.Printf("[ERR] nomad: unable to create TLS configuration %s", err)
return err return err
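Review bot: In NewServer the replacement `tlsutil.NewTLSConfiguration(config.TLSConfig, true, true)` runs unconditionally before `getTLSConf(config.TLSConfig.EnableRPC, tlsConf)`, whereas the removed `config.tlsConfig()` could not fail; since the constructor parses `TLSCipherSuites` (and presumably `TLSMinVersion`), a server with RPC TLS disabled but a stale or mistyped cipher-suite string now refuses to start. The client-side change in this PR guards the same call with `if cfg.TLSConfig.EnableRPC`, so the two agents disagree. Either mirror that guard here, or keep the fail-fast and add a comment such as `// TLS settings are validated even when RPC TLS is disabled so that a bad cipher suite or min version is caught at startup.` NewServer and reloadTLSConnections both extend beyond this hunk.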


@ -205,6 +205,12 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
if b.RPCUpgradeMode { if b.RPCUpgradeMode {
result.RPCUpgradeMode = true result.RPCUpgradeMode = true
} }
if b.TLSCipherSuites != "" {
result.TLSCipherSuites = b.TLSCipherSuites
}
if b.TLSMinVersion != "" {
result.TLSMinVersion = b.TLSMinVersion
}
return result return result
} }
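Review bot: The new branches copy `TLSCipherSuites` and `TLSMinVersion` only when b's value is non-empty, so a reloaded configuration that omits `tls_min_version` keeps the previously merged value and cannot revert it to the default. That matches how the other string fields in Merge appear to behave, but because an operator may expect omitting the key to reset it, document the rule at the top of these branches: `// Non-empty values in b win; an omitted value keeps the existing setting and cannot reset it to the default.` Merge begins outside this hunk.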


@ -21,6 +21,8 @@ func TestTLSConfig_Merge(t *testing.T) {
CAFile: "test-ca-file-2", CAFile: "test-ca-file-2",
CertFile: "test-cert-file-2", CertFile: "test-cert-file-2",
RPCUpgradeMode: true, RPCUpgradeMode: true,
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
TLSMinVersion: "tls12",
} }
new := a.Merge(b) new := a.Merge(b)
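Review bot: The test now populates `TLSCipherSuites` and `TLSMinVersion` on b, but the assertions following `new := a.Merge(b)` lie outside this hunk, so it is not visible whether the merged values are actually checked; if they are not, add `require.Equal("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", new.TLSCipherSuites)` and `require.Equal("tls12", new.TLSMinVersion)` (or the file's equivalent assertion style). A case where b leaves these fields empty would also pin the "existing value is kept" behaviour of the Merge change. The rest of TestTLSConfig_Merge is outside the hunk.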