config: move mTLS settings to new struct

Move downstream mTLS settings to a nested config file object, under the key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for these settings. Deprecate the existing ClientCA and ClientCAFile fields in the Options struct, but continue to honor them for now (log a warning if either is populated). Delete the ClientCRL and ClientCRLFile fields entirely (in current releases these cannot be set without causing an Envoy error, so this should not be a breaking change). Update the Settings proto to mirror this nested structure.
2025-07-23 03:29:51 +02:00 · 2023-08-04 15:03:13 -07:00 · 2023-08-04 15:03:13 -07:00 · d45a5d1bee
commit d45a5d1bee
parent a16bdd9cb0
14 changed files with 665 additions and 395 deletions
--- a/config/mtls_test.go
+++ b/config/mtls_test.go
@ -0,0 +1,100 @@
+package config
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDownstreamMTLSSettingsGetCA(t *testing.T) {
+	t.Parallel()
+
+	fakeCACert := []byte("--- FAKE CA CERT ---")
+	caFile := filepath.Join(t.TempDir(), "CA.pem")
+	os.WriteFile(caFile, fakeCACert, 0644)
+
+	cases := []struct {
+		label    string
+		settings DownstreamMTLSSettings
+		expected []byte
+	}{
+		{"not set", DownstreamMTLSSettings{}, nil},
+		{"CA", DownstreamMTLSSettings{CA: "LS0tIEZBS0UgQ0EgQ0VSVCAtLS0="}, fakeCACert},
+		{"CA file", DownstreamMTLSSettings{CAFile: caFile}, fakeCACert},
+	}
+
+	for i := range cases {
+		c := &cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			ca, err := c.settings.GetCA()
+			require.NoError(t, err)
+			assert.Equal(t, c.expected, ca)
+		})
+	}
+}
+
+func TestDownstreamMTLSSettingsGetCRL(t *testing.T) {
+	t.Parallel()
+
+	fakeCRL := []byte("--- FAKE CRL ---")
+	crlFile := filepath.Join(t.TempDir(), "CRL.pem")
+	os.WriteFile(crlFile, fakeCRL, 0644)
+
+	cases := []struct {
+		label    string
+		settings DownstreamMTLSSettings
+		expected []byte
+	}{
+		{"not set", DownstreamMTLSSettings{}, nil},
+		{"CRL", DownstreamMTLSSettings{CRL: "LS0tIEZBS0UgQ1JMIC0tLQ=="}, fakeCRL},
+		{"CRL file", DownstreamMTLSSettings{CRLFile: crlFile}, fakeCRL},
+	}
+
+	for i := range cases {
+		c := &cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			crl, err := c.settings.GetCRL()
+			require.NoError(t, err)
+			assert.Equal(t, c.expected, crl)
+		})
+	}
+}
+
+func TestDownstreamMTLSSettingsValidate(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		label    string
+		settings DownstreamMTLSSettings
+		errorMsg string
+	}{
+		{"not set", DownstreamMTLSSettings{}, ""},
+		{"bad CA", DownstreamMTLSSettings{CA: "not%valid%base64%data"},
+			"CA: illegal base64 data at input byte 3"},
+		{"bad CA file", DownstreamMTLSSettings{CAFile: "-"},
+			"CA file: open -: no such file or directory"},
+		{"bad CRL", DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="},
+			"CRL: cryptutil: invalid crl, no X509 CRL block found"},
+		{"bad CRL file", DownstreamMTLSSettings{CRLFile: "-"},
+			"CRL file: cryptutil: failed to read crl file (-): open -: no such file or directory"},
+		{"OK", DownstreamMTLSSettings{
+			CA:  "dGhpc2lzZmluZQo=",
+			CRL: "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNOVENCbmdJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTWhjTk1qTXdOekU1TWpFMQpNREUxV2hjTk16TXdOekUyTWpFMU1ERTFXcUF3TUM0d0h3WURWUjBqQkJnd0ZvQVVDeFEyY0JhNVl6cVZ6YW1wCmlOQ3g4S3dGRnlRd0N3WURWUjBVQkFRQ0FoQUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJnUUNZYW14OHBNK1IKQ2x5c2tjdTdvdWh1L1IxSnkxbldHeVd0S3BoWXEwWEZiT0xsbmsyWjdlRGZBWDhFZWoyRmF2cXh6YXBSMngyTwo0aUpORENtaXdZWVlVUzJYMkxKM3JSUkpYeVh2V2h0ZkhyeFVSZDZCaXRDMklYcHlrQnRWbGYzekFuWjhHWkZRClMxamRmeUxNdUVBaUR3SWFpM1l0OEhzRHAvcUcwODlvWGNvU3R5UWcvdVJwbVd5MDVBOXVDVk9mTkhTTFNadTgKbHI0cWF0bGV1MHdXYlYxYW1MOHRPOXg0Q1JrTzBvMVlhUXE0RG9PcnVQciszTmtUbVB2R2lkaDNGNzFWNklFQQpoK0t6ZGJSWHhGbUNDV0xXbXBKRGNyZ1I3S1VxWk9oVVV0K0RVcWFxaFY0NHFJMG5ycFIrUVpMb2hvRG9yOUx3CksrdWZqM24yOWVTUlgrM1B4K29WV1BUOFlaUDJ1S1BkaXppOTZtZTJqV1RyNTF4OUFqRW9KRHNUbllSbDkrdVkKU2hpVXhXblRkUXNvb2tuSWZjUy8wemZnWjg3R3ZVVnppbkNRekpwd1Z4ZDRBbHQ4QWxSK2ZYQXFOSW9PZ3V5dgpwL0N0UlZualZFN2w3SFcvaFFScTFKMGlqQ0NLd215Zi9LVGQ2RUs0VGRydmJYL1U5bXNWTThZPQotLS0tLUVORCBYNTA5IENSTC0tLS0tCg==",
+		}, ""},
+	}
+
+	for i := range cases {
+		c := &cases[i]
+		t.Run(c.label, func(t *testing.T) {
+			err := c.settings.validate()
+			if c.errorMsg == "" {
+				assert.NoError(t, err)
+			} else {
+				assert.Equal(t, c.errorMsg, err.Error())
+			}
+		})
+	}
+}