Merge pull request #4328 from hashicorp/r-single-tls-config-constructor

Refactor to prefer using NewTLSConfiguration constructor
This commit is contained in:
Chelsea Komlo 2018-05-24 13:46:29 -04:00 committed by GitHub
commit af15dda45a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 45 additions and 45 deletions

View File

@ -197,11 +197,14 @@ func NewClient(cfg *config.Config, consulCatalog consul.CatalogAPI, consulServic
// Create the tls wrapper
var tlsWrap tlsutil.RegionWrapper
if cfg.TLSConfig.EnableRPC {
tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
tw, err := tlsutil.NewTLSConfiguration(cfg.TLSConfig, true, true)
if err != nil {
return nil, err
}
tlsWrap, err = tw.OutgoingTLSWrapper()
if err != nil {
return nil, err
}
tlsWrap = tw
}
// Create the client
@ -399,7 +402,7 @@ func (c *Client) init() error {
func (c *Client) reloadTLSConnections(newConfig *nconfig.TLSConfig) error {
var tlsWrap tlsutil.RegionWrapper
if newConfig != nil && newConfig.EnableRPC {
tw, err := tlsutil.NewTLSConfiguration(newConfig)
tw, err := tlsutil.NewTLSConfiguration(newConfig, true, true)
if err != nil {
return err
}

View File

@ -9,7 +9,6 @@ import (
"time"
"github.com/hashicorp/nomad/helper"
"github.com/hashicorp/nomad/helper/tlsutil"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config"
"github.com/hashicorp/nomad/version"
@ -358,17 +357,3 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
}
return list
}
// TLSConfiguration returns a TLSUtil Config based on the existing client
// configuration
func (c *Config) TLSConfiguration() *tlsutil.Config {
return &tlsutil.Config{
VerifyIncoming: true,
VerifyOutgoing: true,
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
CAFile: c.TLSConfig.CAFile,
CertFile: c.TLSConfig.CertFile,
KeyFile: c.TLSConfig.KeyFile,
KeyLoader: c.TLSConfig.GetKeyLoader(),
}
}

View File

@ -70,15 +70,11 @@ func NewHTTPServer(agent *Agent, config *Config) (*HTTPServer, error) {
// If TLS is enabled, wrap the listener with a TLS listener
if config.TLSConfig.EnableHTTP {
tlsConf := &tlsutil.Config{
VerifyIncoming: config.TLSConfig.VerifyHTTPSClient,
VerifyOutgoing: true,
VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
CAFile: config.TLSConfig.CAFile,
CertFile: config.TLSConfig.CertFile,
KeyFile: config.TLSConfig.KeyFile,
KeyLoader: config.TLSConfig.GetKeyLoader(),
tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, config.TLSConfig.VerifyHTTPSClient, true)
if err != nil {
return nil, err
}
tlsConfig, err := tlsConf.IncomingTLSConfig()
if err != nil {
return nil, err

View File

@ -109,7 +109,7 @@ type Config struct {
MinVersion uint16
}
func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoing bool) (*Config, error) {
ciphers, err := ParseCiphers(newConf.TLSCipherSuites)
if err != nil {
return nil, err
@ -121,8 +121,8 @@ func NewTLSConfiguration(newConf *config.TLSConfig) (*Config, error) {
}
return &Config{
VerifyIncoming: true,
VerifyOutgoing: true,
VerifyIncoming: verifyIncoming,
VerifyOutgoing: verifyOutgoing,
VerifyServerHostname: newConf.VerifyServerHostname,
CAFile: newConf.CAFile,
CertFile: newConf.CertFile,

View File

@ -531,3 +531,22 @@ func TestConfig_ParseMinVersion_Invalid(t *testing.T) {
require.Equal(uint16(0), parsedVersion)
}
}
func TestConfig_NewTLSConfiguration(t *testing.T) {
require := require.New(t)
conf := &config.TLSConfig{
TLSCipherSuites: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
tlsConf, err := NewTLSConfiguration(conf, true, true)
require.Nil(err)
require.True(tlsConf.VerifyIncoming)
require.True(tlsConf.VerifyOutgoing)
expectedCiphers := []uint16{
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
require.Equal(tlsConf.CipherSuites, expectedCiphers)
}

View File

@ -9,7 +9,6 @@ import (
"time"
"github.com/hashicorp/memberlist"
"github.com/hashicorp/nomad/helper/tlsutil"
"github.com/hashicorp/nomad/helper/uuid"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config"
@ -388,16 +387,3 @@ func DefaultConfig() *Config {
return c
}
// tlsConfig returns a TLSUtil Config based on the server configuration
func (c *Config) tlsConfig() *tlsutil.Config {
return &tlsutil.Config{
VerifyIncoming: true,
VerifyOutgoing: true,
VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
CAFile: c.TLSConfig.CAFile,
CertFile: c.TLSConfig.CertFile,
KeyFile: c.TLSConfig.KeyFile,
KeyLoader: c.TLSConfig.GetKeyLoader(),
}
}

View File

@ -273,7 +273,10 @@ func NewServer(config *Config, consulCatalog consul.CatalogAPI, logger *log.Logg
}
// Configure TLS
tlsConf := config.tlsConfig()
tlsConf, err := tlsutil.NewTLSConfiguration(config.TLSConfig, true, true)
if err != nil {
return nil, err
}
incomingTLS, tlsWrap, err := getTLSConf(config.TLSConfig.EnableRPC, tlsConf)
if err != nil {
return nil, err
@ -450,7 +453,7 @@ func (s *Server) reloadTLSConnections(newTLSConfig *config.TLSConfig) error {
return fmt.Errorf("can't reload uninitialized RPC listener")
}
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig)
tlsConf, err := tlsutil.NewTLSConfiguration(newTLSConfig, true, true)
if err != nil {
s.logger.Printf("[ERR] nomad: unable to create TLS configuration %s", err)
return err

View File

@ -205,6 +205,12 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
if b.RPCUpgradeMode {
result.RPCUpgradeMode = true
}
if b.TLSCipherSuites != "" {
result.TLSCipherSuites = b.TLSCipherSuites
}
if b.TLSMinVersion != "" {
result.TLSMinVersion = b.TLSMinVersion
}
return result
}

View File

@ -21,6 +21,8 @@ func TestTLSConfig_Merge(t *testing.T) {
CAFile: "test-ca-file-2",
CertFile: "test-cert-file-2",
RPCUpgradeMode: true,
TLSCipherSuites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
TLSMinVersion: "tls12",
}
new := a.Merge(b)