3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-19 09:38:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

config: move mTLS settings to new struct

Browse source 
Move downstream mTLS settings to a nested config file object, under the
key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for
these settings.

Deprecate the existing ClientCA and ClientCAFile fields in the Options
struct, but continue to honor them for now (log a warning if either is
populated).

Delete the ClientCRL and ClientCRLFile fields entirely (in current
releases these cannot be set without causing an Envoy error, so this
should not be a breaking change).

Update the Settings proto to mirror this nested structure.
This commit is contained in:
Kenneth Jenkins 2023-08-04 15:03:13 -07:00
parent a16bdd9cb0
commit d45a5d1bee
14 changed files with 665 additions and 395 deletions
Download patch file Download diff file Expand all files Collapse all files

26
config/options_test.go
View file

@ -1,6 +1,7 @@
package config
import (
"bytes"
"context"
"crypto/tls"
"crypto/x509"
@ -19,12 +20,14 @@ import (
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/rs/zerolog"
"github.com/spf13/viper"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/pomerium/csrf"
"github.com/pomerium/pomerium/internal/identity/oauth/apple"
"github.com/pomerium/pomerium/internal/testutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc/config"
)
@ -693,6 +696,29 @@ func TestCompareByteSliceSlice(t *testing.T) {
}
}
func TestDeprecatedClientCAOptions(t *testing.T) {
fakeCACert := []byte("--- FAKE CA CERT ---")
caFile := filepath.Join(t.TempDir(), "CA.pem")
os.WriteFile(caFile, fakeCACert, 0644)
var logOutput bytes.Buffer
zl := zerolog.New(&logOutput)
testutil.SetLogger(t, &zl)
o := NewDefaultOptions()
o.ClientCA = "LS0tIEZBS0UgQ0EgQ0VSVCAtLS0="
o.ClientCAFile = caFile
o.AutocertOptions.Enable = true // suppress an unrelated warning
err := o.Validate()
require.NoError(t, err)
assert.Equal(t, "LS0tIEZBS0UgQ0EgQ0VSVCAtLS0=", o.DownstreamMTLS.CA)
assert.Equal(t, caFile, o.DownstreamMTLS.CAFile)
assert.Equal(t, `{"level":"warn","message":"config: client_ca is deprecated, set downstream_mtls.ca instead"}
{"level":"warn","message":"config: client_ca_file is deprecated, set downstream_mtls.ca_file instead"}
`, logOutput.String())
}
func TestOptions_DefaultURL(t *testing.T) {
t.Parallel()