mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
tls: modularize trusted CA providers (#5784)
* tls: modularize client authentication trusted CA * add `omitempty` to `CARaw` * docs * initial caddyfile support * revert anything related to leaf cert validation The certs are used differently than the CA pool flow * complete caddyfile unmarshalling implementation * Caddyfile syntax documentation * enhance caddyfile parsing and documentation Apply suggestions from code review Co-authored-by: Francis Lavoie <lavofr@gmail.com> * add client_auth caddyfile tests * add caddyfile unmarshalling tests * fix and add missed adapt tests * fix rebase issue --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
This commit is contained in:
parent
b9c40e7111
commit
e965b111cd
10 changed files with 2409 additions and 108 deletions
|
@ -15,12 +15,9 @@
|
|||
package httpcaddyfile
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"html"
|
||||
"net/http"
|
||||
"os"
|
||||
"reflect"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
@ -215,83 +212,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
|||
|
||||
case "client_auth":
|
||||
cp.ClientAuthentication = &caddytls.ClientAuthentication{}
|
||||
for nesting := h.Nesting(); h.NextBlock(nesting); {
|
||||
subdir := h.Val()
|
||||
switch subdir {
|
||||
case "verifier":
|
||||
if !h.NextArg() {
|
||||
return nil, h.ArgErr()
|
||||
}
|
||||
|
||||
vType := h.Val()
|
||||
modID := "tls.client_auth." + vType
|
||||
unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
_, ok := unm.(caddytls.ClientCertificateVerifier)
|
||||
if !ok {
|
||||
return nil, h.Dispenser.Errf("module %s is not a caddytls.ClientCertificatVerifier", modID)
|
||||
}
|
||||
|
||||
cp.ClientAuthentication.VerifiersRaw = append(cp.ClientAuthentication.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, h.warnings))
|
||||
case "mode":
|
||||
if !h.Args(&cp.ClientAuthentication.Mode) {
|
||||
return nil, h.ArgErr()
|
||||
}
|
||||
if h.NextArg() {
|
||||
return nil, h.ArgErr()
|
||||
}
|
||||
|
||||
case "trusted_ca_cert",
|
||||
"trusted_leaf_cert":
|
||||
if !h.NextArg() {
|
||||
return nil, h.ArgErr()
|
||||
}
|
||||
if subdir == "trusted_ca_cert" {
|
||||
cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val())
|
||||
} else {
|
||||
cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val())
|
||||
}
|
||||
|
||||
case "trusted_ca_cert_file",
|
||||
"trusted_leaf_cert_file":
|
||||
if !h.NextArg() {
|
||||
return nil, h.ArgErr()
|
||||
}
|
||||
filename := h.Val()
|
||||
certDataPEM, err := os.ReadFile(filename)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// while block is not nil, we have more certificates in the file
|
||||
for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) {
|
||||
if block.Type != "CERTIFICATE" {
|
||||
return nil, h.Errf("no CERTIFICATE pem block found in %s", filename)
|
||||
}
|
||||
if subdir == "trusted_ca_cert_file" {
|
||||
cp.ClientAuthentication.TrustedCACerts = append(
|
||||
cp.ClientAuthentication.TrustedCACerts,
|
||||
base64.StdEncoding.EncodeToString(block.Bytes),
|
||||
)
|
||||
} else {
|
||||
cp.ClientAuthentication.TrustedLeafCerts = append(
|
||||
cp.ClientAuthentication.TrustedLeafCerts,
|
||||
base64.StdEncoding.EncodeToString(block.Bytes),
|
||||
)
|
||||
}
|
||||
}
|
||||
// if we decoded nothing, return an error
|
||||
if len(cp.ClientAuthentication.TrustedCACerts) == 0 && len(cp.ClientAuthentication.TrustedLeafCerts) == 0 {
|
||||
return nil, h.Errf("no CERTIFICATE pem block found in %s", filename)
|
||||
}
|
||||
|
||||
default:
|
||||
return nil, h.Errf("unknown subdirective for client_auth: %s", subdir)
|
||||
}
|
||||
if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
case "alpn":
|
||||
args := h.RemainingArgs()
|
||||
if len(args) == 0 {
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
localhost
|
||||
|
||||
respond "hello from localhost"
|
||||
tls {
|
||||
client_auth {
|
||||
mode request
|
||||
trusted_ca_cert_file ../caddy.ca.cer
|
||||
}
|
||||
}
|
||||
----------
|
||||
{
|
||||
"apps": {
|
||||
"http": {
|
||||
"servers": {
|
||||
"srv0": {
|
||||
"listen": [
|
||||
":443"
|
||||
],
|
||||
"routes": [
|
||||
{
|
||||
"match": [
|
||||
{
|
||||
"host": [
|
||||
"localhost"
|
||||
]
|
||||
}
|
||||
],
|
||||
"handle": [
|
||||
{
|
||||
"handler": "subroute",
|
||||
"routes": [
|
||||
{
|
||||
"handle": [
|
||||
{
|
||||
"body": "hello from localhost",
|
||||
"handler": "static_response"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"terminal": true
|
||||
}
|
||||
],
|
||||
"tls_connection_policies": [
|
||||
{
|
||||
"match": {
|
||||
"sni": [
|
||||
"localhost"
|
||||
]
|
||||
},
|
||||
"client_authentication": {
|
||||
"ca": {
|
||||
"provider": "inline",
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
]
|
||||
},
|
||||
"mode": "request"
|
||||
}
|
||||
},
|
||||
{}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -4,7 +4,9 @@ respond "hello from localhost"
|
|||
tls {
|
||||
client_auth {
|
||||
mode request
|
||||
trusted_ca_cert_file ../caddy.ca.cer
|
||||
trust_pool file {
|
||||
pem_file ../caddy.ca.cer
|
||||
}
|
||||
}
|
||||
}
|
||||
----------
|
||||
|
@ -51,9 +53,12 @@ tls {
|
|||
]
|
||||
},
|
||||
"client_authentication": {
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
],
|
||||
"ca": {
|
||||
"pem_files": [
|
||||
"../caddy.ca.cer"
|
||||
],
|
||||
"provider": "file"
|
||||
},
|
||||
"mode": "request"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -0,0 +1,69 @@
|
|||
localhost
|
||||
|
||||
respond "hello from localhost"
|
||||
tls {
|
||||
client_auth {
|
||||
mode request
|
||||
trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
}
|
||||
}
|
||||
----------
|
||||
{
|
||||
"apps": {
|
||||
"http": {
|
||||
"servers": {
|
||||
"srv0": {
|
||||
"listen": [
|
||||
":443"
|
||||
],
|
||||
"routes": [
|
||||
{
|
||||
"match": [
|
||||
{
|
||||
"host": [
|
||||
"localhost"
|
||||
]
|
||||
}
|
||||
],
|
||||
"handle": [
|
||||
{
|
||||
"handler": "subroute",
|
||||
"routes": [
|
||||
{
|
||||
"handle": [
|
||||
{
|
||||
"body": "hello from localhost",
|
||||
"handler": "static_response"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"terminal": true
|
||||
}
|
||||
],
|
||||
"tls_connection_policies": [
|
||||
{
|
||||
"match": {
|
||||
"sni": [
|
||||
"localhost"
|
||||
]
|
||||
},
|
||||
"client_authentication": {
|
||||
"ca": {
|
||||
"provider": "inline",
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
]
|
||||
},
|
||||
"mode": "request"
|
||||
}
|
||||
},
|
||||
{}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -4,7 +4,9 @@ respond "hello from localhost"
|
|||
tls {
|
||||
client_auth {
|
||||
mode request
|
||||
trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
trust_pool inline {
|
||||
trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
}
|
||||
}
|
||||
}
|
||||
----------
|
||||
|
@ -51,9 +53,12 @@ tls {
|
|||
]
|
||||
},
|
||||
"client_authentication": {
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
],
|
||||
"ca": {
|
||||
"provider": "inline",
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
]
|
||||
},
|
||||
"mode": "request"
|
||||
}
|
||||
},
|
||||
|
|
|
@ -0,0 +1,75 @@
|
|||
localhost
|
||||
|
||||
respond "hello from localhost"
|
||||
tls {
|
||||
client_auth {
|
||||
mode request
|
||||
trust_pool inline {
|
||||
trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
}
|
||||
trusted_leaf_cert_file ../caddy.ca.cer
|
||||
}
|
||||
}
|
||||
----------
|
||||
{
|
||||
"apps": {
|
||||
"http": {
|
||||
"servers": {
|
||||
"srv0": {
|
||||
"listen": [
|
||||
":443"
|
||||
],
|
||||
"routes": [
|
||||
{
|
||||
"match": [
|
||||
{
|
||||
"host": [
|
||||
"localhost"
|
||||
]
|
||||
}
|
||||
],
|
||||
"handle": [
|
||||
{
|
||||
"handler": "subroute",
|
||||
"routes": [
|
||||
{
|
||||
"handle": [
|
||||
{
|
||||
"body": "hello from localhost",
|
||||
"handler": "static_response"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"terminal": true
|
||||
}
|
||||
],
|
||||
"tls_connection_policies": [
|
||||
{
|
||||
"match": {
|
||||
"sni": [
|
||||
"localhost"
|
||||
]
|
||||
},
|
||||
"client_authentication": {
|
||||
"ca": {
|
||||
"provider": "inline",
|
||||
"trusted_ca_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
]
|
||||
},
|
||||
"trusted_leaf_certs": [
|
||||
"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
|
||||
],
|
||||
"mode": "request"
|
||||
}
|
||||
},
|
||||
{}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
820
modules/caddytls/capools.go
Normal file
820
modules/caddytls/capools.go
Normal file
|
@ -0,0 +1,820 @@
|
|||
package caddytls
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"reflect"
|
||||
|
||||
"github.com/caddyserver/certmagic"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||
"github.com/caddyserver/caddy/v2/modules/caddypki"
|
||||
)
|
||||
|
||||
func init() {
|
||||
caddy.RegisterModule(InlineCAPool{})
|
||||
caddy.RegisterModule(FileCAPool{})
|
||||
caddy.RegisterModule(PKIRootCAPool{})
|
||||
caddy.RegisterModule(PKIIntermediateCAPool{})
|
||||
caddy.RegisterModule(StoragePool{})
|
||||
caddy.RegisterModule(HTTPCertPool{})
|
||||
caddy.RegisterModule(LazyCertPool{})
|
||||
}
|
||||
|
||||
// The interface to be implemented by all guest modules part of
|
||||
// the namespace 'tls.ca_pool.source.'
|
||||
type CA interface {
|
||||
CertPool() *x509.CertPool
|
||||
}
|
||||
|
||||
// InlineCAPool is a certificate authority pool provider coming from
|
||||
// a DER-encoded certificates in the config
|
||||
type InlineCAPool struct {
|
||||
// A list of base64 DER-encoded CA certificates
|
||||
// against which to validate client certificates.
|
||||
// Client certs which are not signed by any of
|
||||
// these CAs will be rejected.
|
||||
TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
|
||||
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (icp InlineCAPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.inline",
|
||||
New: func() caddy.Module {
|
||||
return new(InlineCAPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Provision implements caddy.Provisioner.
|
||||
func (icp *InlineCAPool) Provision(ctx caddy.Context) error {
|
||||
caPool := x509.NewCertPool()
|
||||
for i, clientCAString := range icp.TrustedCACerts {
|
||||
clientCA, err := decodeBase64DERCert(clientCAString)
|
||||
if err != nil {
|
||||
return fmt.Errorf("parsing certificate at index %d: %v", i, err)
|
||||
}
|
||||
caPool.AddCert(clientCA)
|
||||
}
|
||||
icp.pool = caPool
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool inline {
|
||||
// trust_der <base64_der_cert>...
|
||||
// }
|
||||
//
|
||||
// The 'trust_der' directive can be specified multiple times.
|
||||
func (icp *InlineCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
if d.CountRemainingArgs() > 0 {
|
||||
return d.ArgErr()
|
||||
}
|
||||
for d.NextBlock(0) {
|
||||
switch d.Val() {
|
||||
case "trust_der":
|
||||
icp.TrustedCACerts = append(icp.TrustedCACerts, d.RemainingArgs()...)
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
if len(icp.TrustedCACerts) == 0 {
|
||||
return d.Err("no certificates specified")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CertPool implements CA.
|
||||
func (icp InlineCAPool) CertPool() *x509.CertPool {
|
||||
return icp.pool
|
||||
}
|
||||
|
||||
// FileCAPool generates trusted root certificates pool from the designated DER and PEM file
|
||||
type FileCAPool struct {
|
||||
// TrustedCACertPEMFiles is a list of PEM file names
|
||||
// from which to load certificates of trusted CAs.
|
||||
// Client certificates which are not signed by any of
|
||||
// these CA certificates will be rejected.
|
||||
TrustedCACertPEMFiles []string `json:"pem_files,omitempty"`
|
||||
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (FileCAPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.file",
|
||||
New: func() caddy.Module {
|
||||
return new(FileCAPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Loads and decodes the DER and pem files to generate the certificate pool
|
||||
func (f *FileCAPool) Provision(ctx caddy.Context) error {
|
||||
caPool := x509.NewCertPool()
|
||||
for _, pemFile := range f.TrustedCACertPEMFiles {
|
||||
pemContents, err := os.ReadFile(pemFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading %s: %v", pemFile, err)
|
||||
}
|
||||
caPool.AppendCertsFromPEM(pemContents)
|
||||
}
|
||||
f.pool = caPool
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool file [<pem_file>...] {
|
||||
// pem_file <pem_file>...
|
||||
// }
|
||||
//
|
||||
// The 'pem_file' directive can be specified multiple times.
|
||||
func (fcap *FileCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...)
|
||||
for d.NextBlock(0) {
|
||||
switch d.Val() {
|
||||
case "pem_file":
|
||||
fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...)
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
if len(fcap.TrustedCACertPEMFiles) == 0 {
|
||||
return d.Err("no certificates specified")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (f FileCAPool) CertPool() *x509.CertPool {
|
||||
return f.pool
|
||||
}
|
||||
|
||||
// PKIRootCAPool extracts the trusted root certificates from Caddy's native 'pki' app
|
||||
type PKIRootCAPool struct {
|
||||
// List of the Authority names that are configured in the `pki` app whose root certificates are trusted
|
||||
Authority []string `json:"authority,omitempty"`
|
||||
|
||||
ca []*caddypki.CA
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (PKIRootCAPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.pki_root",
|
||||
New: func() caddy.Module {
|
||||
return new(PKIRootCAPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Loads the PKI app and load the root certificates into the certificate pool
|
||||
func (p *PKIRootCAPool) Provision(ctx caddy.Context) error {
|
||||
pkiApp := ctx.AppIfConfigured("pki")
|
||||
if pkiApp == nil {
|
||||
return fmt.Errorf("PKI app not configured")
|
||||
}
|
||||
pki := pkiApp.(*caddypki.PKI)
|
||||
for _, caID := range p.Authority {
|
||||
c, err := pki.GetCA(ctx, caID)
|
||||
if err != nil || c == nil {
|
||||
return fmt.Errorf("getting CA %s: %v", caID, err)
|
||||
}
|
||||
p.ca = append(p.ca, c)
|
||||
}
|
||||
|
||||
caPool := x509.NewCertPool()
|
||||
for _, ca := range p.ca {
|
||||
caPool.AddCert(ca.RootCertificate())
|
||||
}
|
||||
p.pool = caPool
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool pki_root [<ca_name>...] {
|
||||
// authority <ca_name>...
|
||||
// }
|
||||
//
|
||||
// The 'authority' directive can be specified multiple times.
|
||||
func (pkir *PKIRootCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
pkir.Authority = append(pkir.Authority, d.RemainingArgs()...)
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "authority":
|
||||
pkir.Authority = append(pkir.Authority, d.RemainingArgs()...)
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
if len(pkir.Authority) == 0 {
|
||||
return d.Err("no authorities specified")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// return the certificate pool generated with root certificates from the PKI app
|
||||
func (p PKIRootCAPool) CertPool() *x509.CertPool {
|
||||
return p.pool
|
||||
}
|
||||
|
||||
// PKIIntermediateCAPool extracts the trusted intermediate certificates from Caddy's native 'pki' app
|
||||
type PKIIntermediateCAPool struct {
|
||||
// List of the Authority names that are configured in the `pki` app whose intermediate certificates are trusted
|
||||
Authority []string `json:"authority,omitempty"`
|
||||
|
||||
ca []*caddypki.CA
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (PKIIntermediateCAPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.pki_intermediate",
|
||||
New: func() caddy.Module {
|
||||
return new(PKIIntermediateCAPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Loads the PKI app and load the intermediate certificates into the certificate pool
|
||||
func (p *PKIIntermediateCAPool) Provision(ctx caddy.Context) error {
|
||||
pkiApp := ctx.AppIfConfigured("pki")
|
||||
if pkiApp == nil {
|
||||
return fmt.Errorf("PKI app not configured")
|
||||
}
|
||||
pki := pkiApp.(*caddypki.PKI)
|
||||
for _, caID := range p.Authority {
|
||||
c, err := pki.GetCA(ctx, caID)
|
||||
if err != nil || c == nil {
|
||||
return fmt.Errorf("getting CA %s: %v", caID, err)
|
||||
}
|
||||
p.ca = append(p.ca, c)
|
||||
}
|
||||
|
||||
caPool := x509.NewCertPool()
|
||||
for _, ca := range p.ca {
|
||||
caPool.AddCert(ca.IntermediateCertificate())
|
||||
}
|
||||
p.pool = caPool
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool pki_intermediate [<ca_name>...] {
|
||||
// authority <ca_name>...
|
||||
// }
|
||||
//
|
||||
// The 'authority' directive can be specified multiple times.
|
||||
func (pic *PKIIntermediateCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
pic.Authority = append(pic.Authority, d.RemainingArgs()...)
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "authority":
|
||||
pic.Authority = append(pic.Authority, d.RemainingArgs()...)
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
if len(pic.Authority) == 0 {
|
||||
return d.Err("no authorities specified")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// return the certificate pool generated with intermediate certificates from the PKI app
|
||||
func (p PKIIntermediateCAPool) CertPool() *x509.CertPool {
|
||||
return p.pool
|
||||
}
|
||||
|
||||
// StoragePool extracts the trusted certificates root from Caddy storage
|
||||
type StoragePool struct {
|
||||
// The storage module where the trusted root certificates are stored. Absent
|
||||
// explicit storage implies the use of Caddy default storage.
|
||||
StorageRaw json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
|
||||
|
||||
// The storage key/index to the location of the certificates
|
||||
PEMKeys []string `json:"pem_keys,omitempty"`
|
||||
|
||||
storage certmagic.Storage
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (StoragePool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.storage",
|
||||
New: func() caddy.Module {
|
||||
return new(StoragePool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Provision implements caddy.Provisioner.
|
||||
func (ca *StoragePool) Provision(ctx caddy.Context) error {
|
||||
if ca.StorageRaw != nil {
|
||||
val, err := ctx.LoadModule(ca, "StorageRaw")
|
||||
if err != nil {
|
||||
return fmt.Errorf("loading storage module: %v", err)
|
||||
}
|
||||
cmStorage, err := val.(caddy.StorageConverter).CertMagicStorage()
|
||||
if err != nil {
|
||||
return fmt.Errorf("creating storage configuration: %v", err)
|
||||
}
|
||||
ca.storage = cmStorage
|
||||
}
|
||||
if ca.storage == nil {
|
||||
ca.storage = ctx.Storage()
|
||||
}
|
||||
if len(ca.PEMKeys) == 0 {
|
||||
return fmt.Errorf("no PEM keys specified")
|
||||
}
|
||||
caPool := x509.NewCertPool()
|
||||
for _, caID := range ca.PEMKeys {
|
||||
bs, err := ca.storage.Load(ctx, caID)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error loading cert '%s' from storage: %s", caID, err)
|
||||
}
|
||||
if !caPool.AppendCertsFromPEM(bs) {
|
||||
return fmt.Errorf("failed to add certificate '%s' to pool", caID)
|
||||
}
|
||||
}
|
||||
ca.pool = caPool
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool storage [<storage_keys>...] {
|
||||
// storage <storage_module>
|
||||
// keys <storage_keys>...
|
||||
// }
|
||||
//
|
||||
// The 'keys' directive can be specified multiple times.
|
||||
// The'storage' directive is optional and defaults to the default storage module.
|
||||
func (sp *StoragePool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...)
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "storage":
|
||||
if sp.StorageRaw != nil {
|
||||
return d.Err("storage module already set")
|
||||
}
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
modStem := d.Val()
|
||||
modID := "caddy.storage." + modStem
|
||||
unm, err := caddyfile.UnmarshalModule(d, modID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
storage, ok := unm.(caddy.StorageConverter)
|
||||
if !ok {
|
||||
return d.Errf("module %s is not a caddy.StorageConverter", modID)
|
||||
}
|
||||
sp.StorageRaw = caddyconfig.JSONModuleObject(storage, "module", modStem, nil)
|
||||
case "keys":
|
||||
sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...)
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (p StoragePool) CertPool() *x509.CertPool {
|
||||
return p.pool
|
||||
}
|
||||
|
||||
// TLSConfig holds configuration related to the TLS configuration for the
|
||||
// transport/client.
|
||||
// copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
|
||||
type TLSConfig struct {
|
||||
// Provides the guest module that provides the trusted certificate authority (CA) certificates
|
||||
CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
|
||||
|
||||
// If true, TLS verification of server certificates will be disabled.
|
||||
// This is insecure and may be removed in the future. Do not use this
|
||||
// option except in testing or local development environments.
|
||||
InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
|
||||
|
||||
// The duration to allow a TLS handshake to a server. Default: No timeout.
|
||||
HandshakeTimeout caddy.Duration `json:"handshake_timeout,omitempty"`
|
||||
|
||||
// The server name used when verifying the certificate received in the TLS
|
||||
// handshake. By default, this will use the upstream address' host part.
|
||||
// You only need to override this if your upstream address does not match the
|
||||
// certificate the upstream is likely to use. For example if the upstream
|
||||
// address is an IP address, then you would need to configure this to the
|
||||
// hostname being served by the upstream server. Currently, this does not
|
||||
// support placeholders because the TLS config is not provisioned on each
|
||||
// connection, so a static value must be used.
|
||||
ServerName string `json:"server_name,omitempty"`
|
||||
|
||||
// TLS renegotiation level. TLS renegotiation is the act of performing
|
||||
// subsequent handshakes on a connection after the first.
|
||||
// The level can be:
|
||||
// - "never": (the default) disables renegotiation.
|
||||
// - "once": allows a remote server to request renegotiation once per connection.
|
||||
// - "freely": allows a remote server to repeatedly request renegotiation.
|
||||
Renegotiation string `json:"renegotiation,omitempty"`
|
||||
}
|
||||
|
||||
func (t *TLSConfig) unmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "ca":
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
modStem := d.Val()
|
||||
modID := "tls.ca_pool.source." + modStem
|
||||
unm, err := caddyfile.UnmarshalModule(d, modID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ca, ok := unm.(CA)
|
||||
if !ok {
|
||||
return d.Errf("module %s is not a caddytls.CA", modID)
|
||||
}
|
||||
t.CARaw = caddyconfig.JSONModuleObject(ca, "provider", modStem, nil)
|
||||
case "insecure_skip_verify":
|
||||
t.InsecureSkipVerify = true
|
||||
case "handshake_timeout":
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
dur, err := caddy.ParseDuration(d.Val())
|
||||
if err != nil {
|
||||
return d.Errf("bad timeout value '%s': %v", d.Val(), err)
|
||||
}
|
||||
t.HandshakeTimeout = caddy.Duration(dur)
|
||||
case "server_name":
|
||||
if !d.Args(&t.ServerName) {
|
||||
return d.ArgErr()
|
||||
}
|
||||
case "renegotiation":
|
||||
if !d.Args(&t.Renegotiation) {
|
||||
return d.ArgErr()
|
||||
}
|
||||
switch t.Renegotiation {
|
||||
case "never", "once", "freely":
|
||||
continue
|
||||
default:
|
||||
t.Renegotiation = ""
|
||||
return d.Errf("unrecognized renegotiation level: %s", t.Renegotiation)
|
||||
}
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
|
||||
// If there is no custom TLS configuration, a nil config may be returned.
|
||||
// copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
|
||||
func (t TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
|
||||
repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
|
||||
if repl == nil {
|
||||
repl = caddy.NewReplacer()
|
||||
}
|
||||
cfg := new(tls.Config)
|
||||
|
||||
if t.CARaw != nil {
|
||||
caRaw, err := ctx.LoadModule(t, "CARaw")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ca := caRaw.(CA)
|
||||
cfg.RootCAs = ca.CertPool()
|
||||
}
|
||||
|
||||
// Renegotiation
|
||||
switch t.Renegotiation {
|
||||
case "never", "":
|
||||
cfg.Renegotiation = tls.RenegotiateNever
|
||||
case "once":
|
||||
cfg.Renegotiation = tls.RenegotiateOnceAsClient
|
||||
case "freely":
|
||||
cfg.Renegotiation = tls.RenegotiateFreelyAsClient
|
||||
default:
|
||||
return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation)
|
||||
}
|
||||
|
||||
// override for the server name used verify the TLS handshake
|
||||
cfg.ServerName = repl.ReplaceKnown(cfg.ServerName, "")
|
||||
|
||||
// throw all security out the window
|
||||
cfg.InsecureSkipVerify = t.InsecureSkipVerify
|
||||
|
||||
// only return a config if it's not empty
|
||||
if reflect.DeepEqual(cfg, new(tls.Config)) {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// The HTTPCertPool fetches the trusted root certificates from HTTP(S)
|
||||
// endpoints. The TLS connection properties can be customized, including custom
|
||||
// trusted root certificate. One example usage of this module is to get the trusted
|
||||
// certificates from another Caddy instance that is running the PKI app and ACME server.
|
||||
type HTTPCertPool struct {
|
||||
// the list of URLs that respond with PEM-encoded certificates to trust.
|
||||
Endpoints []string `json:"endpoints,omitempty"`
|
||||
|
||||
// Customize the TLS connection knobs to used during the HTTP call
|
||||
TLS *TLSConfig `json:"tls,omitempty"`
|
||||
|
||||
pool *x509.CertPool
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (HTTPCertPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.http",
|
||||
New: func() caddy.Module {
|
||||
return new(HTTPCertPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Provision implements caddy.Provisioner.
|
||||
func (hcp *HTTPCertPool) Provision(ctx caddy.Context) error {
|
||||
caPool := x509.NewCertPool()
|
||||
|
||||
customTransport := http.DefaultTransport.(*http.Transport).Clone()
|
||||
if hcp.TLS != nil {
|
||||
tlsConfig, err := hcp.TLS.makeTLSClientConfig(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
customTransport.TLSClientConfig = tlsConfig
|
||||
}
|
||||
|
||||
var httpClient *http.Client
|
||||
*httpClient = *http.DefaultClient
|
||||
httpClient.Transport = customTransport
|
||||
|
||||
for _, uri := range hcp.Endpoints {
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
res, err := httpClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
pembs, err := io.ReadAll(res.Body)
|
||||
res.Body.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !caPool.AppendCertsFromPEM(pembs) {
|
||||
return fmt.Errorf("failed to add certs from URL: %s", uri)
|
||||
}
|
||||
}
|
||||
hcp.pool = caPool
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool http [<endpoints...>] {
|
||||
// endpoints <endpoints...>
|
||||
// tls <tls_config>
|
||||
// }
|
||||
//
|
||||
// tls_config:
|
||||
//
|
||||
// ca <ca_module>
|
||||
// insecure_skip_verify
|
||||
// handshake_timeout <duration>
|
||||
// server_name <name>
|
||||
// renegotiation <never|once|freely>
|
||||
//
|
||||
// <ca_module> is the name of the CA module to source the trust
|
||||
//
|
||||
// certificate pool and follows the syntax of the named CA module.
|
||||
func (hcp *HTTPCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...)
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "endpoints":
|
||||
if d.CountRemainingArgs() == 0 {
|
||||
return d.ArgErr()
|
||||
}
|
||||
hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...)
|
||||
case "tls":
|
||||
if hcp.TLS != nil {
|
||||
return d.Err("tls block already defined")
|
||||
}
|
||||
hcp.TLS = new(TLSConfig)
|
||||
if err := hcp.TLS.unmarshalCaddyfile(d); err != nil {
|
||||
return err
|
||||
}
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// report error if the endpoints are not valid URLs
|
||||
func (hcp HTTPCertPool) Validate() (err error) {
|
||||
for _, u := range hcp.Endpoints {
|
||||
_, e := url.Parse(u)
|
||||
if e != nil {
|
||||
err = errors.Join(err, e)
|
||||
}
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
// CertPool return the certificate pool generated from the HTTP responses
|
||||
func (hcp HTTPCertPool) CertPool() *x509.CertPool {
|
||||
return hcp.pool
|
||||
}
|
||||
|
||||
// LazyCertPool defers the generation of the certificate pool from the
|
||||
// guest module to demand-time rather than at provisionig time. The gain of the
|
||||
// lazy load adds a risk of failure to load the certificates at demand time
|
||||
// because the validation that's typically done at provisioning is deferred.
|
||||
// The validation can be enforced to run before runtime by setting
|
||||
// `EagerValidation`/`eager_validation` to `true`. It is the operator's responsibility
|
||||
// to ensure the resources are available if `EagerValidation`/`eager_validation`
|
||||
// is set to `true`. The module also incurs performance cost at every demand.
|
||||
type LazyCertPool struct {
|
||||
// Provides the guest module that provides the trusted certificate authority (CA) certificates
|
||||
CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
|
||||
|
||||
// Whether the validation step should try to load and provision the guest module to validate
|
||||
// the correctness of the configuration. Depeneding on the type of the guest module,
|
||||
// the resources may not be available at validation time. It is the
|
||||
// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
|
||||
// is set to `true`.
|
||||
EagerValidation bool `json:"eager_validation,omitempty"`
|
||||
|
||||
ctx caddy.Context
|
||||
}
|
||||
|
||||
// CaddyModule implements caddy.Module.
|
||||
func (LazyCertPool) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "tls.ca_pool.source.lazy",
|
||||
New: func() caddy.Module {
|
||||
return new(LazyCertPool)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Provision implements caddy.Provisioner.
|
||||
func (lcp *LazyCertPool) Provision(ctx caddy.Context) error {
|
||||
if len(lcp.CARaw) == 0 {
|
||||
return fmt.Errorf("missing backing CA source")
|
||||
}
|
||||
lcp.ctx = ctx
|
||||
return nil
|
||||
}
|
||||
|
||||
// Syntax:
|
||||
//
|
||||
// trust_pool lazy {
|
||||
// backend <ca_module>
|
||||
// eager_validation
|
||||
// }
|
||||
//
|
||||
// The `backend` directive specifies the CA module to use to provision the
|
||||
// certificate pool. The `eager_validation` directive specifies that the
|
||||
// validation step should try to load and provision the guest module to validate
|
||||
// the correctness of the configuration. Depeneding on the type of the guest module,
|
||||
// the resources may not be available at validation time. It is the
|
||||
// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
|
||||
// is set to `true`.
|
||||
//
|
||||
// The `backend` directive is required.
|
||||
func (lcp *LazyCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
d.Next() // consume module name
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
switch d.Val() {
|
||||
case "backend":
|
||||
if lcp.CARaw != nil {
|
||||
return d.Err("backend block already defined")
|
||||
}
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
modStem := d.Val()
|
||||
modID := "tls.ca_pool.source." + modStem
|
||||
unm, err := caddyfile.UnmarshalModule(d, modID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
backend, ok := unm.(CA)
|
||||
if !ok {
|
||||
return d.Errf("module %s is not a caddytls.CA", modID)
|
||||
}
|
||||
lcp.CARaw = caddyconfig.JSONModuleObject(backend, "provider", modStem, nil)
|
||||
case "eager_validation":
|
||||
lcp.EagerValidation = true
|
||||
default:
|
||||
return d.Errf("unrecognized directive: %s", d.Val())
|
||||
}
|
||||
}
|
||||
if lcp.CARaw == nil {
|
||||
return d.Err("backend block is required")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// If EagerValidation is `true`, it attempts to load and provision the guest module
|
||||
// to ensure the guesst module's configuration is correct. Depeneding on the type of the
|
||||
// guest module, the resources may not be available at validation time. It is the
|
||||
// operator's responsibility to ensure the resources are available if `EagerValidation` is
|
||||
// set to `true`.
|
||||
func (lcp LazyCertPool) Validate() error {
|
||||
if lcp.EagerValidation {
|
||||
_, err := lcp.ctx.LoadModule(lcp, "CARaw")
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// CertPool loads the guest module and returns the CertPool from there
|
||||
// TODO: Cache?
|
||||
func (lcp LazyCertPool) CertPool() *x509.CertPool {
|
||||
caRaw, err := lcp.ctx.LoadModule(lcp, "CARaw")
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
ca := caRaw.(CA)
|
||||
return ca.CertPool()
|
||||
}
|
||||
|
||||
var (
|
||||
_ caddy.Module = (*InlineCAPool)(nil)
|
||||
_ caddy.Provisioner = (*InlineCAPool)(nil)
|
||||
_ CA = (*InlineCAPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*InlineCAPool)(nil)
|
||||
|
||||
_ caddy.Module = (*FileCAPool)(nil)
|
||||
_ caddy.Provisioner = (*FileCAPool)(nil)
|
||||
_ CA = (*FileCAPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*FileCAPool)(nil)
|
||||
|
||||
_ caddy.Module = (*PKIRootCAPool)(nil)
|
||||
_ caddy.Provisioner = (*PKIRootCAPool)(nil)
|
||||
_ CA = (*PKIRootCAPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*PKIRootCAPool)(nil)
|
||||
|
||||
_ caddy.Module = (*PKIIntermediateCAPool)(nil)
|
||||
_ caddy.Provisioner = (*PKIIntermediateCAPool)(nil)
|
||||
_ CA = (*PKIIntermediateCAPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*PKIIntermediateCAPool)(nil)
|
||||
|
||||
_ caddy.Module = (*StoragePool)(nil)
|
||||
_ caddy.Provisioner = (*StoragePool)(nil)
|
||||
_ CA = (*StoragePool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*StoragePool)(nil)
|
||||
|
||||
_ caddy.Module = (*HTTPCertPool)(nil)
|
||||
_ caddy.Provisioner = (*HTTPCertPool)(nil)
|
||||
_ caddy.Validator = (*HTTPCertPool)(nil)
|
||||
_ CA = (*HTTPCertPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*HTTPCertPool)(nil)
|
||||
|
||||
_ caddy.Module = (*LazyCertPool)(nil)
|
||||
_ caddy.Provisioner = (*LazyCertPool)(nil)
|
||||
_ caddy.Validator = (*LazyCertPool)(nil)
|
||||
_ CA = (*LazyCertPool)(nil)
|
||||
_ caddyfile.Unmarshaler = (*LazyCertPool)(nil)
|
||||
)
|
892
modules/caddytls/capools_test.go
Normal file
892
modules/caddytls/capools_test.go
Normal file
|
@ -0,0 +1,892 @@
|
|||
package caddytls
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||
_ "github.com/caddyserver/caddy/v2/modules/filestorage"
|
||||
)
|
||||
|
||||
const (
|
||||
test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
|
||||
test_cert_file_1 = "../../caddytest/caddy.ca.cer"
|
||||
)
|
||||
|
||||
func TestInlineCAPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected InlineCAPool
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "configuring no certificatest produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
inline {
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "configuring certificates as arguments in-line produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
inline %s
|
||||
`, test_der_1)),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "single cert",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
inline {
|
||||
trust_der %s
|
||||
}
|
||||
`, test_der_1)),
|
||||
},
|
||||
expected: InlineCAPool{
|
||||
TrustedCACerts: []string{test_der_1},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple certs in one line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
inline {
|
||||
trust_der %s %s
|
||||
}
|
||||
`, test_der_1, test_der_1),
|
||||
),
|
||||
},
|
||||
expected: InlineCAPool{
|
||||
TrustedCACerts: []string{test_der_1, test_der_1},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple certs in multiple lines",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
inline {
|
||||
trust_der %s
|
||||
trust_der %s
|
||||
}
|
||||
`, test_der_1, test_der_1)),
|
||||
},
|
||||
expected: InlineCAPool{
|
||||
TrustedCACerts: []string{test_der_1, test_der_1},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
icp := &InlineCAPool{}
|
||||
if err := icp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("InlineCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, icp) {
|
||||
t.Errorf("InlineCAPool.UnmarshalCaddyfile() = %v, want %v", icp, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestFileCAPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
expected FileCAPool
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "configuring no certificatest produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
file {
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "configuring certificates as arguments in-line produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
file %s
|
||||
`, test_cert_file_1)),
|
||||
},
|
||||
expected: FileCAPool{
|
||||
TrustedCACertPEMFiles: []string{test_cert_file_1},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "single cert",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
file {
|
||||
pem_file %s
|
||||
}
|
||||
`, test_cert_file_1)),
|
||||
},
|
||||
expected: FileCAPool{
|
||||
TrustedCACertPEMFiles: []string{test_cert_file_1},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple certs inline and in-block are merged",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
file %s {
|
||||
pem_file %s
|
||||
}
|
||||
`, test_cert_file_1, test_cert_file_1)),
|
||||
},
|
||||
expected: FileCAPool{
|
||||
TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple certs in one line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
file {
|
||||
pem_file %s %s
|
||||
}
|
||||
`, test_der_1, test_der_1),
|
||||
),
|
||||
},
|
||||
expected: FileCAPool{
|
||||
TrustedCACertPEMFiles: []string{test_der_1, test_der_1},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple certs in multiple lines",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
file {
|
||||
pem_file %s
|
||||
pem_file %s
|
||||
}
|
||||
`, test_cert_file_1, test_cert_file_1)),
|
||||
},
|
||||
expected: FileCAPool{
|
||||
TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
fcap := &FileCAPool{}
|
||||
if err := fcap.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("FileCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, fcap) {
|
||||
t.Errorf("FileCAPool.UnmarshalCaddyfile() = %v, want %v", fcap, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestPKIRootCAPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
expected PKIRootCAPool
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "configuring no certificatest produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root {
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "single authority as arguments in-line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root ca_1
|
||||
`),
|
||||
},
|
||||
expected: PKIRootCAPool{
|
||||
Authority: []string{"ca_1"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple authorities as arguments in-line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root ca_1 ca_2
|
||||
`),
|
||||
},
|
||||
expected: PKIRootCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "single authority in block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root {
|
||||
authority ca_1
|
||||
}`),
|
||||
},
|
||||
expected: PKIRootCAPool{
|
||||
Authority: []string{"ca_1"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple authorities in one line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root {
|
||||
authority ca_1 ca_2
|
||||
}`),
|
||||
},
|
||||
expected: PKIRootCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple authorities in multiple lines",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_root {
|
||||
authority ca_1
|
||||
authority ca_2
|
||||
}`),
|
||||
},
|
||||
expected: PKIRootCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
pkir := &PKIRootCAPool{}
|
||||
if err := pkir.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pkir) {
|
||||
t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() = %v, want %v", pkir, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestPKIIntermediateCAPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
expected PKIIntermediateCAPool
|
||||
args args
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "configuring no certificatest produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_intermediate {
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "single authority as arguments in-line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`pki_intermediate ca_1`),
|
||||
},
|
||||
expected: PKIIntermediateCAPool{
|
||||
Authority: []string{"ca_1"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple authorities as arguments in-line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`pki_intermediate ca_1 ca_2`),
|
||||
},
|
||||
expected: PKIIntermediateCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "single authority in block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_intermediate {
|
||||
authority ca_1
|
||||
}`),
|
||||
},
|
||||
expected: PKIIntermediateCAPool{
|
||||
Authority: []string{"ca_1"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple authorities in one line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_intermediate {
|
||||
authority ca_1 ca_2
|
||||
}`),
|
||||
},
|
||||
expected: PKIIntermediateCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "multiple authorities in multiple lines",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
pki_intermediate {
|
||||
authority ca_1
|
||||
authority ca_2
|
||||
}`),
|
||||
},
|
||||
expected: PKIIntermediateCAPool{
|
||||
Authority: []string{"ca_1", "ca_2"},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
pic := &PKIIntermediateCAPool{}
|
||||
if err := pic.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pic) {
|
||||
t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() = %v, want %v", pic, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestStoragePoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected StoragePool
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "empty block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`storage {
|
||||
}`),
|
||||
},
|
||||
expected: StoragePool{},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "providing single storage key inline",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`storage key-1`),
|
||||
},
|
||||
expected: StoragePool{
|
||||
PEMKeys: []string{"key-1"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "providing multiple storage keys inline",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`storage key-1 key-2`),
|
||||
},
|
||||
expected: StoragePool{
|
||||
PEMKeys: []string{"key-1", "key-2"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "providing keys inside block without specifying storage type",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
storage {
|
||||
keys key-1 key-2
|
||||
}
|
||||
`),
|
||||
},
|
||||
expected: StoragePool{
|
||||
PEMKeys: []string{"key-1", "key-2"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "providing keys in-line and inside block merges them",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`storage key-1 key-2 key-3 {
|
||||
keys key-4 key-5
|
||||
}`),
|
||||
},
|
||||
expected: StoragePool{
|
||||
PEMKeys: []string{"key-1", "key-2", "key-3", "key-4", "key-5"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "specifying storage type in block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`storage {
|
||||
storage file_system /var/caddy/storage
|
||||
}`),
|
||||
},
|
||||
expected: StoragePool{
|
||||
StorageRaw: json.RawMessage(`{"module":"file_system","root":"/var/caddy/storage"}`),
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
sp := &StoragePool{}
|
||||
if err := sp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("StoragePool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, sp) {
|
||||
t.Errorf("StoragePool.UnmarshalCaddyfile() = %s, want %s", sp.StorageRaw, tt.expected.StorageRaw)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSConfig_unmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected TLSConfig
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "no arguments is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{},
|
||||
},
|
||||
{
|
||||
name: "setting 'renegotiation' to 'never' is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
renegotiation never
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
Renegotiation: "never",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'renegotiation' to 'once' is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
renegotiation once
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
Renegotiation: "once",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'renegotiation' to 'freely' is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
renegotiation freely
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
Renegotiation: "freely",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'renegotiation' to other than 'none', 'once, or 'freely' is invalid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
renegotiation foo
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'renegotiation' without argument is invalid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(` {
|
||||
renegotiation
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'ca' without arguemnt is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
ca
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'ca' to 'file' with in-line cert is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
ca file /var/caddy/ca.pem
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem"],"provider":"file"}`),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'ca' to 'lazy' with appropriate block is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
ca lazy {
|
||||
backend file {
|
||||
pem_file /var/caddy/ca.pem
|
||||
}
|
||||
}
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
CARaw: []byte(`{"ca":{"pem_files":["/var/caddy/ca.pem"],"provider":"file"},"provider":"lazy"}`),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'ca' to 'file' with appropriate block is valid",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
ca file /var/caddy/ca.pem {
|
||||
pem_file /var/caddy/ca.pem
|
||||
}
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem","/var/caddy/ca.pem"],"provider":"file"}`),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'ca' multiple times is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`{
|
||||
ca file /var/caddy/ca.pem {
|
||||
pem_file /var/caddy/ca.pem
|
||||
}
|
||||
ca inline %s
|
||||
}`, test_der_1)),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'handshake_timeout' without value is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
handshake_timeout
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'handshake_timeout' properly is successful",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
handshake_timeout 42m
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
HandshakeTimeout: caddy.Duration(42 * time.Minute),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'server_name' without value is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
server_name
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'server_name' properly is successful",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
server_name example.com
|
||||
}`),
|
||||
},
|
||||
expected: TLSConfig{
|
||||
ServerName: "example.com",
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "unsupported directives are errors",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`{
|
||||
foo
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
tr := &TLSConfig{}
|
||||
if err := tr.unmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("TLSConfig.unmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, tr) {
|
||||
t.Errorf("TLSConfig.UnmarshalCaddyfile() = %v, want %v", tr, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestHTTPCertPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected HTTPCertPool
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "no block, inline http endpoint",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://localhost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "no block, inline https endpoint",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http https://localhost/ca-certs`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"https://localhost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "no block, mixed http and https endpoints inline",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs https://localhost/ca-certs`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://localhost/ca-certs", "https://localhost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple endpoints in separate lines in block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
http {
|
||||
endpoints http://localhost/ca-certs
|
||||
endpoints http://remotehost/ca-certs
|
||||
}
|
||||
`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "endpoints defiend inline and in block are merged",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs {
|
||||
endpoints http://remotehost/ca-certs
|
||||
}`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "multiple endpoints defiend in block on the same line",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http {
|
||||
endpoints http://remotehost/ca-certs http://localhost/ca-certs
|
||||
}`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://remotehost/ca-certs", "http://localhost/ca-certs"},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "declaring 'endpoints' in block without argument is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`http {
|
||||
endpoints
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "multiple endpoints in separate lines in block",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
http {
|
||||
endpoints http://localhost/ca-certs
|
||||
endpoints http://remotehost/ca-certs
|
||||
tls {
|
||||
renegotiation freely
|
||||
}
|
||||
}
|
||||
`),
|
||||
},
|
||||
expected: HTTPCertPool{
|
||||
Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
|
||||
TLS: &TLSConfig{
|
||||
Renegotiation: "freely",
|
||||
},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
hcp := &HTTPCertPool{}
|
||||
if err := hcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("HTTPCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, hcp) {
|
||||
t.Errorf("HTTPCertPool.UnmarshalCaddyfile() = %v, want %v", hcp, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestLazyCertPoolUnmarshalCaddyfile(t *testing.T) {
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected LazyCertPool
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "no block results in error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "empty block results in error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "defining 'backend' multiple times results in error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
backend http {
|
||||
endpoints http://localhost/ca-certs
|
||||
}
|
||||
backend file {
|
||||
pem_file /var/caddy/certs
|
||||
}
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "defining 'backend' without argument results in error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
backend
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "using unrecognized directive results in error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
foo
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "defining single 'backend' is successful",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
backend http {
|
||||
endpoints http://localhost/ca-certs
|
||||
}
|
||||
}`),
|
||||
},
|
||||
expected: LazyCertPool{
|
||||
CARaw: []byte(`{"endpoints":["http://localhost/ca-certs"],"provider":"http"}`),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "defining single 'backend' with 'eager_validation' successful",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`lazy {
|
||||
backend file {
|
||||
pem_file /var/caddy/certs
|
||||
}
|
||||
eager_validation
|
||||
}`),
|
||||
},
|
||||
expected: LazyCertPool{
|
||||
CARaw: []byte(`{"pem_files":["/var/caddy/certs"],"provider":"file"}`),
|
||||
EagerValidation: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
lcp := &LazyCertPool{}
|
||||
if err := lcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("LazyCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, lcp) {
|
||||
t.Errorf("LazyCertPool.UnmarshalCaddyfile() = %v, want %v", lcp, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
|
@ -19,6 +19,7 @@ import (
|
|||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"io"
|
||||
"os"
|
||||
|
@ -29,6 +30,8 @@ import (
|
|||
"go.uber.org/zap"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig"
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
@ -301,8 +304,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
|
|||
|
||||
// client authentication
|
||||
if p.ClientAuthentication != nil {
|
||||
err := p.ClientAuthentication.ConfigureTLSConfig(cfg)
|
||||
if err != nil {
|
||||
if err := p.ClientAuthentication.provision(ctx); err != nil {
|
||||
return fmt.Errorf("provisioning client CA: %v", err)
|
||||
}
|
||||
if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
|
||||
return fmt.Errorf("configuring TLS client authentication: %v", err)
|
||||
}
|
||||
}
|
||||
|
@ -354,12 +359,18 @@ func (p ConnectionPolicy) SettingsEmpty() bool {
|
|||
|
||||
// ClientAuthentication configures TLS client auth.
|
||||
type ClientAuthentication struct {
|
||||
// Certificate authority module which provides the certificate pool of trusted certificates
|
||||
CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
|
||||
ca CA
|
||||
|
||||
// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
|
||||
// A list of base64 DER-encoded CA certificates
|
||||
// against which to validate client certificates.
|
||||
// Client certs which are not signed by any of
|
||||
// these CAs will be rejected.
|
||||
TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
|
||||
|
||||
// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
|
||||
// TrustedCACertPEMFiles is a list of PEM file names
|
||||
// from which to load certificates of trusted CAs.
|
||||
// Client certificates which are not signed by any of
|
||||
|
@ -399,13 +410,177 @@ type ClientAuthentication struct {
|
|||
existingVerifyPeerCert func([][]byte, [][]*x509.Certificate) error
|
||||
}
|
||||
|
||||
// UnmarshalCaddyfile parses the Caddyfile segment to set up the client authentication. Syntax:
|
||||
//
|
||||
// client_auth {
|
||||
// mode [request|require|verify_if_given|require_and_verify]
|
||||
// trust_pool <module> {
|
||||
// ...
|
||||
// }
|
||||
// trusted_leaf_cert <base64_der>
|
||||
// trusted_leaf_cert_file <filename>
|
||||
// }
|
||||
//
|
||||
// If `mode` is not provided, it defaults to `require_and_verify` if any of the following are provided:
|
||||
// - `trusted_leaf_certs`
|
||||
// - `trusted_leaf_cert_file`
|
||||
// - `trust_pool`
|
||||
//
|
||||
// Otherwise, it defaults to `require`.
|
||||
func (ca *ClientAuthentication) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||
for d.NextArg() {
|
||||
// consume any tokens on the same line, if any.
|
||||
}
|
||||
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
||||
subdir := d.Val()
|
||||
switch subdir {
|
||||
case "mode":
|
||||
if d.CountRemainingArgs() > 1 {
|
||||
return d.ArgErr()
|
||||
}
|
||||
if !d.Args(&ca.Mode) {
|
||||
return d.ArgErr()
|
||||
}
|
||||
case "trusted_ca_cert":
|
||||
if len(ca.CARaw) != 0 {
|
||||
return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
|
||||
}
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
ca.TrustedCACerts = append(ca.TrustedCACerts, d.Val())
|
||||
case "trusted_leaf_cert":
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, d.Val())
|
||||
case "trusted_ca_cert_file":
|
||||
if len(ca.CARaw) != 0 {
|
||||
return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
|
||||
}
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
filename := d.Val()
|
||||
ders, err := convertPEMFilesToDER(filename)
|
||||
if err != nil {
|
||||
return d.WrapErr(err)
|
||||
}
|
||||
ca.TrustedCACerts = append(ca.TrustedCACerts, ders...)
|
||||
case "trusted_leaf_cert_file":
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
filename := d.Val()
|
||||
ders, err := convertPEMFilesToDER(filename)
|
||||
if err != nil {
|
||||
return d.WrapErr(err)
|
||||
}
|
||||
ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, ders...)
|
||||
case "trust_pool":
|
||||
if len(ca.TrustedCACerts) != 0 {
|
||||
return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
|
||||
}
|
||||
if !d.NextArg() {
|
||||
return d.ArgErr()
|
||||
}
|
||||
modName := d.Val()
|
||||
mod, err := caddyfile.UnmarshalModule(d, "tls.ca_pool.source."+modName)
|
||||
if err != nil {
|
||||
return d.WrapErr(err)
|
||||
}
|
||||
caMod, ok := mod.(CA)
|
||||
if !ok {
|
||||
return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod)
|
||||
}
|
||||
ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil)
|
||||
default:
|
||||
return d.Errf("unknown subdirective for client_auth: %s", subdir)
|
||||
}
|
||||
}
|
||||
|
||||
// only trust_ca_cert or trust_ca_cert_file was specified
|
||||
if len(ca.TrustedCACerts) > 0 {
|
||||
fileMod := &InlineCAPool{}
|
||||
fileMod.TrustedCACerts = append(fileMod.TrustedCACerts, ca.TrustedCACerts...)
|
||||
ca.CARaw = caddyconfig.JSONModuleObject(fileMod, "provider", "inline", nil)
|
||||
ca.TrustedCACertPEMFiles, ca.TrustedCACerts = nil, nil
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func convertPEMFilesToDER(filename string) ([]string, error) {
|
||||
certDataPEM, err := os.ReadFile(filename)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var ders []string
|
||||
// while block is not nil, we have more certificates in the file
|
||||
for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) {
|
||||
if block.Type != "CERTIFICATE" {
|
||||
return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename)
|
||||
}
|
||||
ders = append(
|
||||
ders,
|
||||
base64.StdEncoding.EncodeToString(block.Bytes),
|
||||
)
|
||||
}
|
||||
// if we decoded nothing, return an error
|
||||
if len(ders) == 0 {
|
||||
return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename)
|
||||
}
|
||||
return ders, nil
|
||||
}
|
||||
|
||||
func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
|
||||
if len(clientauth.CARaw) > 0 && (len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0) {
|
||||
return fmt.Errorf("conflicting config for client authentication trust CA")
|
||||
}
|
||||
|
||||
// convert all named file paths to inline
|
||||
if len(clientauth.TrustedCACertPEMFiles) > 0 {
|
||||
for _, fpath := range clientauth.TrustedCACertPEMFiles {
|
||||
ders, err := convertPEMFilesToDER(fpath)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...)
|
||||
}
|
||||
}
|
||||
|
||||
// if we have TrustedCACerts explicitly set, create an 'inline' CA and return
|
||||
if len(clientauth.TrustedCACerts) > 0 {
|
||||
clientauth.ca = InlineCAPool{
|
||||
TrustedCACerts: clientauth.TrustedCACerts,
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// if we don't have any CARaw set, there's not much work to do
|
||||
if clientauth.CARaw == nil {
|
||||
return nil
|
||||
}
|
||||
caRaw, err := ctx.LoadModule(clientauth, "CARaw")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ca, ok := caRaw.(CA)
|
||||
if !ok {
|
||||
return fmt.Errorf("CARaw module '%s' is not a certificate pool provider", ca)
|
||||
}
|
||||
clientauth.ca = ca
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Active returns true if clientauth has an actionable configuration.
|
||||
func (clientauth ClientAuthentication) Active() bool {
|
||||
return len(clientauth.TrustedCACerts) > 0 ||
|
||||
len(clientauth.TrustedCACertPEMFiles) > 0 ||
|
||||
len(clientauth.TrustedLeafCerts) > 0 || // TODO: DEPRECATED
|
||||
len(clientauth.VerifiersRaw) > 0 ||
|
||||
len(clientauth.Mode) > 0
|
||||
len(clientauth.Mode) > 0 ||
|
||||
clientauth.CARaw != nil || clientauth.ca != nil
|
||||
}
|
||||
|
||||
// ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
|
||||
|
@ -434,7 +609,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
|
|||
// otherwise, set a safe default mode
|
||||
if len(clientauth.TrustedCACerts) > 0 ||
|
||||
len(clientauth.TrustedCACertPEMFiles) > 0 ||
|
||||
len(clientauth.TrustedLeafCerts) > 0 {
|
||||
len(clientauth.TrustedLeafCerts) > 0 ||
|
||||
clientauth.CARaw != nil {
|
||||
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
} else {
|
||||
cfg.ClientAuth = tls.RequireAnyClientCert
|
||||
|
@ -442,23 +618,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
|
|||
}
|
||||
|
||||
// enforce CA verification by adding CA certs to the ClientCAs pool
|
||||
if len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0 {
|
||||
caPool := x509.NewCertPool()
|
||||
for _, clientCAString := range clientauth.TrustedCACerts {
|
||||
clientCA, err := decodeBase64DERCert(clientCAString)
|
||||
if err != nil {
|
||||
return fmt.Errorf("parsing certificate: %v", err)
|
||||
}
|
||||
caPool.AddCert(clientCA)
|
||||
}
|
||||
for _, pemFile := range clientauth.TrustedCACertPEMFiles {
|
||||
pemContents, err := os.ReadFile(pemFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("reading %s: %v", pemFile, err)
|
||||
}
|
||||
caPool.AppendCertsFromPEM(pemContents)
|
||||
}
|
||||
cfg.ClientCAs = caPool
|
||||
if clientauth.ca != nil {
|
||||
cfg.ClientCAs = clientauth.ca.CertPool()
|
||||
}
|
||||
|
||||
// TODO: DEPRECATED: Only here for backwards compatibility.
|
||||
|
@ -600,3 +761,5 @@ type destructableWriter struct{ *os.File }
|
|||
func (d destructableWriter) Destruct() error { return d.Close() }
|
||||
|
||||
var secretsLogPool = caddy.NewUsagePool()
|
||||
|
||||
var _ caddyfile.Unmarshaler = (*ClientAuthentication)(nil)
|
||||
|
|
280
modules/caddytls/connpolicy_test.go
Normal file
280
modules/caddytls/connpolicy_test.go
Normal file
|
@ -0,0 +1,280 @@
|
|||
// Copyright 2015 Matthew Holt and The Caddy Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package caddytls
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"testing"
|
||||
|
||||
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||
)
|
||||
|
||||
func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
|
||||
const test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
|
||||
const test_cert_file_1 = "../../caddytest/caddy.ca.cer"
|
||||
type args struct {
|
||||
d *caddyfile.Dispenser
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
args args
|
||||
expected ClientAuthentication
|
||||
wantErr bool
|
||||
}{
|
||||
{
|
||||
name: "empty client_auth block does not error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(
|
||||
`client_auth {
|
||||
}`,
|
||||
),
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "providing both 'trust_pool' and 'trusted_ca_cert' returns an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(
|
||||
`client_auth {
|
||||
trust_pool inline MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "trust_pool without a module argument returns an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(
|
||||
`client_auth {
|
||||
trust_pool
|
||||
}`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "providing more than 1 mode produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
mode require request
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "not providing 'mode' argument produces an error",
|
||||
args: args{d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
mode
|
||||
}
|
||||
`)},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "providing a single 'mode' argument sets the mode",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
mode require
|
||||
}
|
||||
`),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
Mode: "require",
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "not providing an argument to 'trusted_ca_cert' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
trusted_ca_cert
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "not providing an argument to 'trusted_leaf_cert' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
trusted_leaf_cert
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "not providing an argument to 'trusted_ca_cert_file' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
trusted_ca_cert_file
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "not providing an argument to 'trusted_leaf_cert_file' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
trusted_leaf_cert_file
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "using 'trusted_ca_cert' adapts sucessfully",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trusted_ca_cert %s
|
||||
}`, test_der_1)),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "using 'inline' trust_pool loads the module successfully",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trust_pool inline {
|
||||
trust_der %s
|
||||
}
|
||||
}
|
||||
`, test_der_1)),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "setting 'trusted_ca_cert' and 'trust_pool' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trusted_ca_cert %s
|
||||
trust_pool inline {
|
||||
trust_der %s
|
||||
}
|
||||
}`, test_der_1, test_der_1)),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trust_pool inline {
|
||||
trust_der %s
|
||||
}
|
||||
trusted_ca_cert %s
|
||||
}`, test_der_1, test_der_1)),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trust_pool inline {
|
||||
trust_der %s
|
||||
}
|
||||
trusted_ca_cert_file %s
|
||||
}`, test_der_1, test_cert_file_1)),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "configuring 'trusted_ca_cert_file' without an argument is an error",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(`
|
||||
client_auth {
|
||||
trusted_ca_cert_file
|
||||
}
|
||||
`),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
{
|
||||
name: "configuring 'trusted_ca_cert_file' produces config with 'inline' provider",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trusted_ca_cert_file %s
|
||||
}`, test_cert_file_1),
|
||||
),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
{
|
||||
name: "configuring leaf certs does not conflict with 'trust_pool'",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trust_pool inline {
|
||||
trust_der %s
|
||||
}
|
||||
trusted_leaf_cert %s
|
||||
}`, test_der_1, test_der_1)),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
|
||||
TrustedLeafCerts: []string{test_der_1},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "providing trusted leaf certificate file loads the cert successfully",
|
||||
args: args{
|
||||
d: caddyfile.NewTestDispenser(fmt.Sprintf(`
|
||||
client_auth {
|
||||
trusted_leaf_cert_file %s
|
||||
}`, test_cert_file_1)),
|
||||
},
|
||||
expected: ClientAuthentication{
|
||||
TrustedLeafCerts: []string{test_der_1},
|
||||
},
|
||||
wantErr: false,
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
ca := &ClientAuthentication{}
|
||||
if err := ca.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
|
||||
t.Errorf("ClientAuthentication.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
|
||||
return
|
||||
}
|
||||
if !tt.wantErr && !reflect.DeepEqual(&tt.expected, ca) {
|
||||
t.Errorf("ClientAuthentication.UnmarshalCaddyfile() = %v, want %v", ca, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
Loading…
Reference in a new issue