1
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-16 21:56:40 -05:00

caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)

* caddytls: verifier: caddyfile: re-add Caddyfile support

* appease the linter

* caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
This commit is contained in:
Mohammed Al Sahaf 2024-02-26 00:13:48 +03:00 committed by GitHub
parent 931656bd68
commit 03f703a00e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 139 additions and 4 deletions

View file

@ -0,0 +1,75 @@
localhost
respond "hello from localhost"
tls {
client_auth {
mode request
trusted_ca_cert_file ../caddy.ca.cer
verifier dummy
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"localhost"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"body": "hello from localhost",
"handler": "static_response"
}
]
}
]
}
],
"terminal": true
}
],
"tls_connection_policies": [
{
"match": {
"sni": [
"localhost"
]
},
"client_authentication": {
"ca": {
"provider": "inline",
"trusted_ca_certs": [
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
]
},
"verifiers": [
{
"verifier": "dummy"
}
],
"mode": "request"
}
},
{}
]
}
}
}
}
}

View file

@ -10,6 +10,8 @@ import (
"testing" "testing"
"github.com/caddyserver/caddy/v2/caddytest" "github.com/caddyserver/caddy/v2/caddytest"
_ "github.com/caddyserver/caddy/v2/internal/testmocks"
) )
func TestCaddyfileAdaptToJSON(t *testing.T) { func TestCaddyfileAdaptToJSON(t *testing.T) {

View file

@ -0,0 +1,41 @@
package testmocks
import (
"crypto/x509"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/modules/caddytls"
)
func init() {
caddy.RegisterModule(new(dummyVerifier))
}
type dummyVerifier struct{}
// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
func (dummyVerifier) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return nil
}
// CaddyModule implements caddy.Module.
func (dummyVerifier) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
ID: "tls.client_auth.verifier.dummy",
New: func() caddy.Module {
return new(dummyVerifier)
},
}
}
// VerifyClientCertificate implements ClientCertificateVerifier.
func (dummyVerifier) VerifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
return nil
}
var (
_ caddy.Module = dummyVerifier{}
_ caddytls.ClientCertificateVerifier = dummyVerifier{}
_ caddyfile.Unmarshaler = dummyVerifier{}
)

View file

@ -379,7 +379,7 @@ type ClientAuthentication struct {
// DEPRECATED: This field is deprecated and will be removed in // DEPRECATED: This field is deprecated and will be removed in
// a future version. Please use the `validators` field instead // a future version. Please use the `validators` field instead
// with the tls.client_auth.leaf module instead. // with the tls.client_auth.verifier.leaf module instead.
// //
// A list of base64 DER-encoded client leaf certs // A list of base64 DER-encoded client leaf certs
// to accept. If this list is not empty, client certs // to accept. If this list is not empty, client certs
@ -389,7 +389,7 @@ type ClientAuthentication struct {
// Client certificate verification modules. These can perform // Client certificate verification modules. These can perform
// custom client authentication checks, such as ensuring the // custom client authentication checks, such as ensuring the
// certificate is not revoked. // certificate is not revoked.
VerifiersRaw []json.RawMessage `json:"verifiers,omitempty" caddy:"namespace=tls.client_auth inline_key=verifier"` VerifiersRaw []json.RawMessage `json:"verifiers,omitempty" caddy:"namespace=tls.client_auth.verifier inline_key=verifier"`
verifiers []ClientCertificateVerifier verifiers []ClientCertificateVerifier
@ -494,6 +494,23 @@ func (ca *ClientAuthentication) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod) return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod)
} }
ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil) ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil)
case "verifier":
if !d.NextArg() {
return d.ArgErr()
}
vType := d.Val()
modID := "tls.client_auth.verifier." + vType
unm, err := caddyfile.UnmarshalModule(d, modID)
if err != nil {
return err
}
_, ok := unm.(ClientCertificateVerifier)
if !ok {
return d.Errf("module '%s' is not a caddytls.ClientCertificatVerifier", modID)
}
ca.VerifiersRaw = append(ca.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, nil))
default: default:
return d.Errf("unknown subdirective for client_auth: %s", subdir) return d.Errf("unknown subdirective for client_auth: %s", subdir)
} }
@ -566,7 +583,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
} }
ca, ok := caRaw.(CA) ca, ok := caRaw.(CA)
if !ok { if !ok {
return fmt.Errorf("CARaw module '%s' is not a certificate pool provider", ca) return fmt.Errorf("'ca' module '%s' is not a certificate pool provider", ca)
} }
clientauth.ca = ca clientauth.ca = ca
@ -704,7 +721,7 @@ type LeafCertClientAuth struct {
// CaddyModule returns the Caddy module information. // CaddyModule returns the Caddy module information.
func (LeafCertClientAuth) CaddyModule() caddy.ModuleInfo { func (LeafCertClientAuth) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{ return caddy.ModuleInfo{
ID: "tls.client_auth.leaf", ID: "tls.client_auth.verifier.leaf",
New: func() caddy.Module { return new(LeafCertClientAuth) }, New: func() caddy.Module { return new(LeafCertClientAuth) },
} }
} }