From b92098fd085085bf1d7c60abcbf8746b89138bd4 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Mon, 6 Aug 2018 13:54:57 -0400
Subject: [PATCH] change function signature to take entire tls config object
---
 command/agent/config_parse.go | 2 +-
 helper/tlsutil/config.go | 8 +++---
 helper/tlsutil/config_test.go | 50 ++++++++++++++++++++---------------
 3 files changed, 33 insertions(+), 27 deletions(-)
diff --git a/command/agent/config_parse.go b/command/agent/config_parse.go
index 66f704f6c..28a189df5 100644
--- a/command/agent/config_parse.go
+++ b/command/agent/config_parse.go
@@ -844,7 +844,7 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 return err
 }
- if _, err := tlsutil.ParseCiphers(tlsConfig.TLSCipherSuites); err != nil {
+ if _, err := tlsutil.ParseCiphers(&tlsConfig); err != nil {
 return err
 }
diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
index 016ecbb1c..1d5813546 100644
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -125,7 +125,7 @@ type Config struct {
 }
 func NewTLSConfiguration(newConf *config.TLSConfig, verifyIncoming, verifyOutgoing bool) (*Config, error) {
- ciphers, err := ParseCiphers(newConf.TLSCipherSuites)
+ ciphers, err := ParseCiphers(newConf)
 if err != nil {
 return nil, err
 }
@@ -385,17 +385,17 @@ func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 // ParseCiphers parses ciphersuites from the comma-separated string into
 // recognized slice
-func ParseCiphers(cipherStr string) ([]uint16, error) {
+func ParseCiphers(tlsConfig *config.TLSConfig) ([]uint16, error) {
 suites := []uint16{}
- cipherStr = strings.TrimSpace(cipherStr)
+ cipherStr := strings.TrimSpace(tlsConfig.TLSCipherSuites)
 var ciphers []string
 if cipherStr == "" {
 ciphers = defaultTLSCiphers
 } else {
- ciphers = strings.Split(cipherStr, ",")
+ ciphers = strings.Split(tlsConfig.TLSCipherSuites, ",")
 }
 for _, cipher := range ciphers {
 c, ok := supportedTLSCiphers[cipher]
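Review bot: On the new side of the ParseCiphers hunk in helper/tlsutil/config.go, the non-empty branch splits the raw `tlsConfig.TLSCipherSuites` while the empty check reads the trimmed `cipherStr`, so a value with leading or trailing whitespace now passes the empty check but its first or last token keeps that whitespace, misses in `supportedTLSCiphers`, and is rejected as unsupported; the removed line split the trimmed value, so this is a regression rather than a deliberate fail-closed choice, and restoring `ciphers = strings.Split(cipherStr, ",")` keeps the old behavior. The new signature also dereferences `tlsConfig` unconditionally, so the exported function can now panic on a nil config; a guard such as `if tlsConfig == nil { return nil, fmt.Errorf("nil TLS config") }` before the first field access would fail explicitly instead (assuming fmt is already imported in this file, as the "unsupported TLS cipher %q" message checked in the tests suggests). The doc comment above the signature still says the function parses "the comma-separated string"; it should now say it reads the `TLSCipherSuites` field of the given config, and what happens when that field is empty. The body of ParseCiphers continues past the end of the hunk.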
diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go
index 8b408d763..61585acdf 100644
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@@ -647,25 +647,27 @@ func TestConfig_IncomingTLS_TLSCipherSuites(t *testing.T) {
 func TestConfig_ParseCiphers_Valid(t *testing.T) {
 require := require.New(t)
- validCiphers := strings.Join([]string{
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_128_CBC_SHA256",
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- }, ",")
+ tlsConfig := &config.TLSConfig{
+ TLSCipherSuites: strings.Join([]string{
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_CBC_SHA256",
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ }, ","),
+ }
 expectedCiphers := []uint16{
 tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
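Review bot: The updated TestConfig_ParseCiphers_Valid still feeds ParseCiphers only a tightly joined list, so the whitespace-trimming path on the new side of helper/tlsutil/config.go (TrimSpace on `TLSCipherSuites` before the empty check) remains untested, and any disagreement between the trimmed and untrimmed values in that function would not surface here. One additional case whose field carries surrounding spaces, e.g. `TLSCipherSuites: " TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ",` with the single expected suite, would pin that behavior. A nil `*config.TLSConfig` argument is also worth a case now that the function dereferences its parameter, asserting whichever outcome the package settles on rather than leaving it to a runtime panic. TestConfig_ParseCiphers_Valid continues in the next hunk.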
@@ -687,7 +689,7 @@ func TestConfig_ParseCiphers_Valid(t *testing.T) {
 tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 }
- parsedCiphers, err := ParseCiphers(validCiphers)
+ parsedCiphers, err := ParseCiphers(tlsConfig)
 require.Nil(err)
 require.Equal(parsedCiphers, expectedCiphers)
 }
@@ -708,7 +710,8 @@ func TestConfig_ParseCiphers_Default(t *testing.T) {
 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 }
- parsedCiphers, err := ParseCiphers("")
+ empty := &config.TLSConfig{}
+ parsedCiphers, err := ParseCiphers(empty)
 require.Nil(err)
 require.Equal(parsedCiphers, expectedCiphers)
 }
@@ -722,7 +725,10 @@ func TestConfig_ParseCiphers_Invalid(t *testing.T) {
 }
 for _, cipher := range invalidCiphers {
- parsedCiphers, err := ParseCiphers(cipher)
+ tlsConfig := &config.TLSConfig{
+ TLSCipherSuites: cipher,
+ }
+ parsedCiphers, err := ParseCiphers(tlsConfig)
 require.NotNil(err)
 require.Equal(fmt.Sprintf("unsupported TLS cipher %q", cipher), err.Error())
 require.Equal(0, len(parsedCiphers))