mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-25 07:49:19 -04:00 
			
		
		
		
	tls: modularize trusted CA providers (#5784)
* tls: modularize client authentication trusted CA * add `omitempty` to `CARaw` * docs * initial caddyfile support * revert anything related to leaf cert validation The certs are used differently than the CA pool flow * complete caddyfile unmarshalling implementation * Caddyfile syntax documentation * enhance caddyfile parsing and documentation Apply suggestions from code review Co-authored-by: Francis Lavoie <lavofr@gmail.com> * add client_auth caddyfile tests * add caddyfile unmarshalling tests * fix and add missed adapt tests * fix rebase issue --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
This commit is contained in:
		
							parent
							
								
									b9c40e7111
								
							
						
					
					
						commit
						e965b111cd
					
				| @ -15,12 +15,9 @@ | ||||
| package httpcaddyfile | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/base64" | ||||
| 	"encoding/pem" | ||||
| 	"fmt" | ||||
| 	"html" | ||||
| 	"net/http" | ||||
| 	"os" | ||||
| 	"reflect" | ||||
| 	"strconv" | ||||
| 	"strings" | ||||
| @ -215,83 +212,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | ||||
| 
 | ||||
| 		case "client_auth": | ||||
| 			cp.ClientAuthentication = &caddytls.ClientAuthentication{} | ||||
| 			for nesting := h.Nesting(); h.NextBlock(nesting); { | ||||
| 				subdir := h.Val() | ||||
| 				switch subdir { | ||||
| 				case "verifier": | ||||
| 					if !h.NextArg() { | ||||
| 						return nil, h.ArgErr() | ||||
| 					} | ||||
| 
 | ||||
| 					vType := h.Val() | ||||
| 					modID := "tls.client_auth." + vType | ||||
| 					unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID) | ||||
| 					if err != nil { | ||||
| 			if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil { | ||||
| 				return nil, err | ||||
| 			} | ||||
| 
 | ||||
| 					_, ok := unm.(caddytls.ClientCertificateVerifier) | ||||
| 					if !ok { | ||||
| 						return nil, h.Dispenser.Errf("module %s is not a caddytls.ClientCertificatVerifier", modID) | ||||
| 					} | ||||
| 
 | ||||
| 					cp.ClientAuthentication.VerifiersRaw = append(cp.ClientAuthentication.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, h.warnings)) | ||||
| 				case "mode": | ||||
| 					if !h.Args(&cp.ClientAuthentication.Mode) { | ||||
| 						return nil, h.ArgErr() | ||||
| 					} | ||||
| 					if h.NextArg() { | ||||
| 						return nil, h.ArgErr() | ||||
| 					} | ||||
| 
 | ||||
| 				case "trusted_ca_cert", | ||||
| 					"trusted_leaf_cert": | ||||
| 					if !h.NextArg() { | ||||
| 						return nil, h.ArgErr() | ||||
| 					} | ||||
| 					if subdir == "trusted_ca_cert" { | ||||
| 						cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val()) | ||||
| 					} else { | ||||
| 						cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val()) | ||||
| 					} | ||||
| 
 | ||||
| 				case "trusted_ca_cert_file", | ||||
| 					"trusted_leaf_cert_file": | ||||
| 					if !h.NextArg() { | ||||
| 						return nil, h.ArgErr() | ||||
| 					} | ||||
| 					filename := h.Val() | ||||
| 					certDataPEM, err := os.ReadFile(filename) | ||||
| 					if err != nil { | ||||
| 						return nil, err | ||||
| 					} | ||||
| 					// while block is not nil, we have more certificates in the file | ||||
| 					for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) { | ||||
| 						if block.Type != "CERTIFICATE" { | ||||
| 							return nil, h.Errf("no CERTIFICATE pem block found in %s", filename) | ||||
| 						} | ||||
| 						if subdir == "trusted_ca_cert_file" { | ||||
| 							cp.ClientAuthentication.TrustedCACerts = append( | ||||
| 								cp.ClientAuthentication.TrustedCACerts, | ||||
| 								base64.StdEncoding.EncodeToString(block.Bytes), | ||||
| 							) | ||||
| 						} else { | ||||
| 							cp.ClientAuthentication.TrustedLeafCerts = append( | ||||
| 								cp.ClientAuthentication.TrustedLeafCerts, | ||||
| 								base64.StdEncoding.EncodeToString(block.Bytes), | ||||
| 							) | ||||
| 						} | ||||
| 					} | ||||
| 					// if we decoded nothing, return an error | ||||
| 					if len(cp.ClientAuthentication.TrustedCACerts) == 0 && len(cp.ClientAuthentication.TrustedLeafCerts) == 0 { | ||||
| 						return nil, h.Errf("no CERTIFICATE pem block found in %s", filename) | ||||
| 					} | ||||
| 
 | ||||
| 				default: | ||||
| 					return nil, h.Errf("unknown subdirective for client_auth: %s", subdir) | ||||
| 				} | ||||
| 			} | ||||
| 
 | ||||
| 		case "alpn": | ||||
| 			args := h.RemainingArgs() | ||||
| 			if len(args) == 0 { | ||||
|  | ||||
| @ -0,0 +1,69 @@ | ||||
| localhost | ||||
| 
 | ||||
| respond "hello from localhost" | ||||
| tls { | ||||
| 	client_auth { | ||||
| 		mode request | ||||
| 		trusted_ca_cert_file ../caddy.ca.cer | ||||
| 	} | ||||
| } | ||||
| ---------- | ||||
| { | ||||
| 	"apps": { | ||||
| 		"http": { | ||||
| 			"servers": { | ||||
| 				"srv0": { | ||||
| 					"listen": [ | ||||
| 						":443" | ||||
| 					], | ||||
| 					"routes": [ | ||||
| 						{ | ||||
| 							"match": [ | ||||
| 								{ | ||||
| 									"host": [ | ||||
| 										"localhost" | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"handle": [ | ||||
| 								{ | ||||
| 									"handler": "subroute", | ||||
| 									"routes": [ | ||||
| 										{ | ||||
| 											"handle": [ | ||||
| 												{ | ||||
| 													"body": "hello from localhost", | ||||
| 													"handler": "static_response" | ||||
| 												} | ||||
| 											] | ||||
| 										} | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"terminal": true | ||||
| 						} | ||||
| 					], | ||||
| 					"tls_connection_policies": [ | ||||
| 						{ | ||||
| 							"match": { | ||||
| 								"sni": [ | ||||
| 									"localhost" | ||||
| 								] | ||||
| 							}, | ||||
| 							"client_authentication": { | ||||
| 								"ca": { | ||||
| 									"provider": "inline", | ||||
| 									"trusted_ca_certs": [ | ||||
| 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 									] | ||||
| 								}, | ||||
| 								"mode": "request" | ||||
| 							} | ||||
| 						}, | ||||
| 						{} | ||||
| 					] | ||||
| 				} | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
| @ -4,7 +4,9 @@ respond "hello from localhost" | ||||
| tls { | ||||
| 	client_auth { | ||||
| 		mode request | ||||
| 		trusted_ca_cert_file ../caddy.ca.cer | ||||
| 		trust_pool file { | ||||
| 			pem_file ../caddy.ca.cer | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
| ---------- | ||||
| @ -51,9 +53,12 @@ tls { | ||||
| 								] | ||||
| 							}, | ||||
| 							"client_authentication": { | ||||
| 								"trusted_ca_certs": [ | ||||
| 									"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 								"ca": { | ||||
| 									"pem_files": [ | ||||
| 										"../caddy.ca.cer" | ||||
| 									], | ||||
| 									"provider": "file" | ||||
| 								}, | ||||
| 								"mode": "request" | ||||
| 							} | ||||
| 						}, | ||||
|  | ||||
| @ -0,0 +1,69 @@ | ||||
| localhost | ||||
| 
 | ||||
| respond "hello from localhost" | ||||
| tls { | ||||
| 	client_auth { | ||||
| 		mode request | ||||
| 		trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 	} | ||||
| } | ||||
| ---------- | ||||
| { | ||||
| 	"apps": { | ||||
| 		"http": { | ||||
| 			"servers": { | ||||
| 				"srv0": { | ||||
| 					"listen": [ | ||||
| 						":443" | ||||
| 					], | ||||
| 					"routes": [ | ||||
| 						{ | ||||
| 							"match": [ | ||||
| 								{ | ||||
| 									"host": [ | ||||
| 										"localhost" | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"handle": [ | ||||
| 								{ | ||||
| 									"handler": "subroute", | ||||
| 									"routes": [ | ||||
| 										{ | ||||
| 											"handle": [ | ||||
| 												{ | ||||
| 													"body": "hello from localhost", | ||||
| 													"handler": "static_response" | ||||
| 												} | ||||
| 											] | ||||
| 										} | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"terminal": true | ||||
| 						} | ||||
| 					], | ||||
| 					"tls_connection_policies": [ | ||||
| 						{ | ||||
| 							"match": { | ||||
| 								"sni": [ | ||||
| 									"localhost" | ||||
| 								] | ||||
| 							}, | ||||
| 							"client_authentication": { | ||||
| 								"ca": { | ||||
| 									"provider": "inline", | ||||
| 									"trusted_ca_certs": [ | ||||
| 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 									] | ||||
| 								}, | ||||
| 								"mode": "request" | ||||
| 							} | ||||
| 						}, | ||||
| 						{} | ||||
| 					] | ||||
| 				} | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
| @ -4,7 +4,9 @@ respond "hello from localhost" | ||||
| tls { | ||||
| 	client_auth { | ||||
| 		mode request | ||||
| 		trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 		trust_pool inline { | ||||
| 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
| ---------- | ||||
| @ -51,9 +53,12 @@ tls { | ||||
| 								] | ||||
| 							}, | ||||
| 							"client_authentication": { | ||||
| 								"ca": { | ||||
| 									"provider": "inline", | ||||
| 									"trusted_ca_certs": [ | ||||
| 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 								], | ||||
| 									] | ||||
| 								}, | ||||
| 								"mode": "request" | ||||
| 							} | ||||
| 						}, | ||||
|  | ||||
| @ -0,0 +1,75 @@ | ||||
| localhost | ||||
| 
 | ||||
| respond "hello from localhost" | ||||
| tls { | ||||
| 	client_auth { | ||||
| 		mode request | ||||
| 		trust_pool inline { | ||||
| 			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 		} | ||||
| 		trusted_leaf_cert_file ../caddy.ca.cer | ||||
| 	} | ||||
| } | ||||
| ---------- | ||||
| { | ||||
| 	"apps": { | ||||
| 		"http": { | ||||
| 			"servers": { | ||||
| 				"srv0": { | ||||
| 					"listen": [ | ||||
| 						":443" | ||||
| 					], | ||||
| 					"routes": [ | ||||
| 						{ | ||||
| 							"match": [ | ||||
| 								{ | ||||
| 									"host": [ | ||||
| 										"localhost" | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"handle": [ | ||||
| 								{ | ||||
| 									"handler": "subroute", | ||||
| 									"routes": [ | ||||
| 										{ | ||||
| 											"handle": [ | ||||
| 												{ | ||||
| 													"body": "hello from localhost", | ||||
| 													"handler": "static_response" | ||||
| 												} | ||||
| 											] | ||||
| 										} | ||||
| 									] | ||||
| 								} | ||||
| 							], | ||||
| 							"terminal": true | ||||
| 						} | ||||
| 					], | ||||
| 					"tls_connection_policies": [ | ||||
| 						{ | ||||
| 							"match": { | ||||
| 								"sni": [ | ||||
| 									"localhost" | ||||
| 								] | ||||
| 							}, | ||||
| 							"client_authentication": { | ||||
| 								"ca": { | ||||
| 									"provider": "inline", | ||||
| 									"trusted_ca_certs": [ | ||||
| 										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 									] | ||||
| 								}, | ||||
| 								"trusted_leaf_certs": [ | ||||
| 									"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==" | ||||
| 								], | ||||
| 								"mode": "request" | ||||
| 							} | ||||
| 						}, | ||||
| 						{} | ||||
| 					] | ||||
| 				} | ||||
| 			} | ||||
| 		} | ||||
| 	} | ||||
| } | ||||
							
								
								
									
										820
									
								
								modules/caddytls/capools.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										820
									
								
								modules/caddytls/capools.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,820 @@ | ||||
| package caddytls | ||||
| 
 | ||||
| import ( | ||||
| 	"crypto/tls" | ||||
| 	"crypto/x509" | ||||
| 	"encoding/json" | ||||
| 	"errors" | ||||
| 	"fmt" | ||||
| 	"io" | ||||
| 	"net/http" | ||||
| 	"net/url" | ||||
| 	"os" | ||||
| 	"reflect" | ||||
| 
 | ||||
| 	"github.com/caddyserver/certmagic" | ||||
| 
 | ||||
| 	"github.com/caddyserver/caddy/v2" | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig" | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" | ||||
| 	"github.com/caddyserver/caddy/v2/modules/caddypki" | ||||
| ) | ||||
| 
 | ||||
| func init() { | ||||
| 	caddy.RegisterModule(InlineCAPool{}) | ||||
| 	caddy.RegisterModule(FileCAPool{}) | ||||
| 	caddy.RegisterModule(PKIRootCAPool{}) | ||||
| 	caddy.RegisterModule(PKIIntermediateCAPool{}) | ||||
| 	caddy.RegisterModule(StoragePool{}) | ||||
| 	caddy.RegisterModule(HTTPCertPool{}) | ||||
| 	caddy.RegisterModule(LazyCertPool{}) | ||||
| } | ||||
| 
 | ||||
| // The interface to be implemented by all guest modules part of | ||||
| // the namespace 'tls.ca_pool.source.' | ||||
| type CA interface { | ||||
| 	CertPool() *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // InlineCAPool is a certificate authority pool provider coming from | ||||
| // a DER-encoded certificates in the config | ||||
| type InlineCAPool struct { | ||||
| 	// A list of base64 DER-encoded CA certificates | ||||
| 	// against which to validate client certificates. | ||||
| 	// Client certs which are not signed by any of | ||||
| 	// these CAs will be rejected. | ||||
| 	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"` | ||||
| 
 | ||||
| 	pool *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (icp InlineCAPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.inline", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(InlineCAPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Provision implements caddy.Provisioner. | ||||
| func (icp *InlineCAPool) Provision(ctx caddy.Context) error { | ||||
| 	caPool := x509.NewCertPool() | ||||
| 	for i, clientCAString := range icp.TrustedCACerts { | ||||
| 		clientCA, err := decodeBase64DERCert(clientCAString) | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("parsing certificate at index %d: %v", i, err) | ||||
| 		} | ||||
| 		caPool.AddCert(clientCA) | ||||
| 	} | ||||
| 	icp.pool = caPool | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool inline { | ||||
| //		trust_der <base64_der_cert>... | ||||
| //	} | ||||
| // | ||||
| // The 'trust_der' directive can be specified multiple times. | ||||
| func (icp *InlineCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	if d.CountRemainingArgs() > 0 { | ||||
| 		return d.ArgErr() | ||||
| 	} | ||||
| 	for d.NextBlock(0) { | ||||
| 		switch d.Val() { | ||||
| 		case "trust_der": | ||||
| 			icp.TrustedCACerts = append(icp.TrustedCACerts, d.RemainingArgs()...) | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	if len(icp.TrustedCACerts) == 0 { | ||||
| 		return d.Err("no certificates specified") | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // CertPool implements CA. | ||||
| func (icp InlineCAPool) CertPool() *x509.CertPool { | ||||
| 	return icp.pool | ||||
| } | ||||
| 
 | ||||
| // FileCAPool generates trusted root certificates pool from the designated DER and PEM file | ||||
| type FileCAPool struct { | ||||
| 	// TrustedCACertPEMFiles is a list of PEM file names | ||||
| 	// from which to load certificates of trusted CAs. | ||||
| 	// Client certificates which are not signed by any of | ||||
| 	// these CA certificates will be rejected. | ||||
| 	TrustedCACertPEMFiles []string `json:"pem_files,omitempty"` | ||||
| 
 | ||||
| 	pool *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (FileCAPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.file", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(FileCAPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Loads and decodes the DER and pem files to generate the certificate pool | ||||
| func (f *FileCAPool) Provision(ctx caddy.Context) error { | ||||
| 	caPool := x509.NewCertPool() | ||||
| 	for _, pemFile := range f.TrustedCACertPEMFiles { | ||||
| 		pemContents, err := os.ReadFile(pemFile) | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("reading %s: %v", pemFile, err) | ||||
| 		} | ||||
| 		caPool.AppendCertsFromPEM(pemContents) | ||||
| 	} | ||||
| 	f.pool = caPool | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool file [<pem_file>...] { | ||||
| //		pem_file <pem_file>... | ||||
| //	} | ||||
| // | ||||
| // The 'pem_file' directive can be specified multiple times. | ||||
| func (fcap *FileCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...) | ||||
| 	for d.NextBlock(0) { | ||||
| 		switch d.Val() { | ||||
| 		case "pem_file": | ||||
| 			fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...) | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	if len(fcap.TrustedCACertPEMFiles) == 0 { | ||||
| 		return d.Err("no certificates specified") | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (f FileCAPool) CertPool() *x509.CertPool { | ||||
| 	return f.pool | ||||
| } | ||||
| 
 | ||||
| // PKIRootCAPool extracts the trusted root certificates from Caddy's native 'pki' app | ||||
| type PKIRootCAPool struct { | ||||
| 	// List of the Authority names that are configured in the `pki` app whose root certificates are trusted | ||||
| 	Authority []string `json:"authority,omitempty"` | ||||
| 
 | ||||
| 	ca   []*caddypki.CA | ||||
| 	pool *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (PKIRootCAPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.pki_root", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(PKIRootCAPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Loads the PKI app and load the root certificates into the certificate pool | ||||
| func (p *PKIRootCAPool) Provision(ctx caddy.Context) error { | ||||
| 	pkiApp := ctx.AppIfConfigured("pki") | ||||
| 	if pkiApp == nil { | ||||
| 		return fmt.Errorf("PKI app not configured") | ||||
| 	} | ||||
| 	pki := pkiApp.(*caddypki.PKI) | ||||
| 	for _, caID := range p.Authority { | ||||
| 		c, err := pki.GetCA(ctx, caID) | ||||
| 		if err != nil || c == nil { | ||||
| 			return fmt.Errorf("getting CA %s: %v", caID, err) | ||||
| 		} | ||||
| 		p.ca = append(p.ca, c) | ||||
| 	} | ||||
| 
 | ||||
| 	caPool := x509.NewCertPool() | ||||
| 	for _, ca := range p.ca { | ||||
| 		caPool.AddCert(ca.RootCertificate()) | ||||
| 	} | ||||
| 	p.pool = caPool | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool pki_root [<ca_name>...] { | ||||
| //		authority <ca_name>... | ||||
| //	} | ||||
| // | ||||
| // The 'authority' directive can be specified multiple times. | ||||
| func (pkir *PKIRootCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	pkir.Authority = append(pkir.Authority, d.RemainingArgs()...) | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "authority": | ||||
| 			pkir.Authority = append(pkir.Authority, d.RemainingArgs()...) | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	if len(pkir.Authority) == 0 { | ||||
| 		return d.Err("no authorities specified") | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // return the certificate pool generated with root certificates from the PKI app | ||||
| func (p PKIRootCAPool) CertPool() *x509.CertPool { | ||||
| 	return p.pool | ||||
| } | ||||
| 
 | ||||
| // PKIIntermediateCAPool extracts the trusted intermediate certificates from Caddy's native 'pki' app | ||||
| type PKIIntermediateCAPool struct { | ||||
| 	// List of the Authority names that are configured in the `pki` app whose intermediate certificates are trusted | ||||
| 	Authority []string `json:"authority,omitempty"` | ||||
| 
 | ||||
| 	ca   []*caddypki.CA | ||||
| 	pool *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (PKIIntermediateCAPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.pki_intermediate", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(PKIIntermediateCAPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Loads the PKI app and load the intermediate certificates into the certificate pool | ||||
| func (p *PKIIntermediateCAPool) Provision(ctx caddy.Context) error { | ||||
| 	pkiApp := ctx.AppIfConfigured("pki") | ||||
| 	if pkiApp == nil { | ||||
| 		return fmt.Errorf("PKI app not configured") | ||||
| 	} | ||||
| 	pki := pkiApp.(*caddypki.PKI) | ||||
| 	for _, caID := range p.Authority { | ||||
| 		c, err := pki.GetCA(ctx, caID) | ||||
| 		if err != nil || c == nil { | ||||
| 			return fmt.Errorf("getting CA %s: %v", caID, err) | ||||
| 		} | ||||
| 		p.ca = append(p.ca, c) | ||||
| 	} | ||||
| 
 | ||||
| 	caPool := x509.NewCertPool() | ||||
| 	for _, ca := range p.ca { | ||||
| 		caPool.AddCert(ca.IntermediateCertificate()) | ||||
| 	} | ||||
| 	p.pool = caPool | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool pki_intermediate [<ca_name>...] { | ||||
| //		authority <ca_name>... | ||||
| //	} | ||||
| // | ||||
| // The 'authority' directive can be specified multiple times. | ||||
| func (pic *PKIIntermediateCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	pic.Authority = append(pic.Authority, d.RemainingArgs()...) | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "authority": | ||||
| 			pic.Authority = append(pic.Authority, d.RemainingArgs()...) | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	if len(pic.Authority) == 0 { | ||||
| 		return d.Err("no authorities specified") | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // return the certificate pool generated with intermediate certificates from the PKI app | ||||
| func (p PKIIntermediateCAPool) CertPool() *x509.CertPool { | ||||
| 	return p.pool | ||||
| } | ||||
| 
 | ||||
| // StoragePool extracts the trusted certificates root from Caddy storage | ||||
| type StoragePool struct { | ||||
| 	// The storage module where the trusted root certificates are stored. Absent | ||||
| 	// explicit storage implies the use of Caddy default storage. | ||||
| 	StorageRaw json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"` | ||||
| 
 | ||||
| 	// The storage key/index to the location of the certificates | ||||
| 	PEMKeys []string `json:"pem_keys,omitempty"` | ||||
| 
 | ||||
| 	storage certmagic.Storage | ||||
| 	pool    *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (StoragePool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.storage", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(StoragePool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Provision implements caddy.Provisioner. | ||||
| func (ca *StoragePool) Provision(ctx caddy.Context) error { | ||||
| 	if ca.StorageRaw != nil { | ||||
| 		val, err := ctx.LoadModule(ca, "StorageRaw") | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("loading storage module: %v", err) | ||||
| 		} | ||||
| 		cmStorage, err := val.(caddy.StorageConverter).CertMagicStorage() | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("creating storage configuration: %v", err) | ||||
| 		} | ||||
| 		ca.storage = cmStorage | ||||
| 	} | ||||
| 	if ca.storage == nil { | ||||
| 		ca.storage = ctx.Storage() | ||||
| 	} | ||||
| 	if len(ca.PEMKeys) == 0 { | ||||
| 		return fmt.Errorf("no PEM keys specified") | ||||
| 	} | ||||
| 	caPool := x509.NewCertPool() | ||||
| 	for _, caID := range ca.PEMKeys { | ||||
| 		bs, err := ca.storage.Load(ctx, caID) | ||||
| 		if err != nil { | ||||
| 			return fmt.Errorf("error loading cert '%s' from storage: %s", caID, err) | ||||
| 		} | ||||
| 		if !caPool.AppendCertsFromPEM(bs) { | ||||
| 			return fmt.Errorf("failed to add certificate '%s' to pool", caID) | ||||
| 		} | ||||
| 	} | ||||
| 	ca.pool = caPool | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool storage [<storage_keys>...] { | ||||
| //		storage <storage_module> | ||||
| //		keys	<storage_keys>... | ||||
| //	} | ||||
| // | ||||
| // The 'keys' directive can be specified multiple times. | ||||
| // The'storage' directive is optional and defaults to the default storage module. | ||||
| func (sp *StoragePool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...) | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "storage": | ||||
| 			if sp.StorageRaw != nil { | ||||
| 				return d.Err("storage module already set") | ||||
| 			} | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			modStem := d.Val() | ||||
| 			modID := "caddy.storage." + modStem | ||||
| 			unm, err := caddyfile.UnmarshalModule(d, modID) | ||||
| 			if err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 			storage, ok := unm.(caddy.StorageConverter) | ||||
| 			if !ok { | ||||
| 				return d.Errf("module %s is not a caddy.StorageConverter", modID) | ||||
| 			} | ||||
| 			sp.StorageRaw = caddyconfig.JSONModuleObject(storage, "module", modStem, nil) | ||||
| 		case "keys": | ||||
| 			sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...) | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (p StoragePool) CertPool() *x509.CertPool { | ||||
| 	return p.pool | ||||
| } | ||||
| 
 | ||||
| // TLSConfig holds configuration related to the TLS configuration for the | ||||
| // transport/client. | ||||
| // copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go | ||||
| type TLSConfig struct { | ||||
| 	// Provides the guest module that provides the trusted certificate authority (CA) certificates | ||||
| 	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"` | ||||
| 
 | ||||
| 	// If true, TLS verification of server certificates will be disabled. | ||||
| 	// This is insecure and may be removed in the future. Do not use this | ||||
| 	// option except in testing or local development environments. | ||||
| 	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"` | ||||
| 
 | ||||
| 	// The duration to allow a TLS handshake to a server. Default: No timeout. | ||||
| 	HandshakeTimeout caddy.Duration `json:"handshake_timeout,omitempty"` | ||||
| 
 | ||||
| 	// The server name used when verifying the certificate received in the TLS | ||||
| 	// handshake. By default, this will use the upstream address' host part. | ||||
| 	// You only need to override this if your upstream address does not match the | ||||
| 	// certificate the upstream is likely to use. For example if the upstream | ||||
| 	// address is an IP address, then you would need to configure this to the | ||||
| 	// hostname being served by the upstream server. Currently, this does not | ||||
| 	// support placeholders because the TLS config is not provisioned on each | ||||
| 	// connection, so a static value must be used. | ||||
| 	ServerName string `json:"server_name,omitempty"` | ||||
| 
 | ||||
| 	// TLS renegotiation level. TLS renegotiation is the act of performing | ||||
| 	// subsequent handshakes on a connection after the first. | ||||
| 	// The level can be: | ||||
| 	//  - "never": (the default) disables renegotiation. | ||||
| 	//  - "once": allows a remote server to request renegotiation once per connection. | ||||
| 	//  - "freely": allows a remote server to repeatedly request renegotiation. | ||||
| 	Renegotiation string `json:"renegotiation,omitempty"` | ||||
| } | ||||
| 
 | ||||
| func (t *TLSConfig) unmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "ca": | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			modStem := d.Val() | ||||
| 			modID := "tls.ca_pool.source." + modStem | ||||
| 			unm, err := caddyfile.UnmarshalModule(d, modID) | ||||
| 			if err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 			ca, ok := unm.(CA) | ||||
| 			if !ok { | ||||
| 				return d.Errf("module %s is not a caddytls.CA", modID) | ||||
| 			} | ||||
| 			t.CARaw = caddyconfig.JSONModuleObject(ca, "provider", modStem, nil) | ||||
| 		case "insecure_skip_verify": | ||||
| 			t.InsecureSkipVerify = true | ||||
| 		case "handshake_timeout": | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			dur, err := caddy.ParseDuration(d.Val()) | ||||
| 			if err != nil { | ||||
| 				return d.Errf("bad timeout value '%s': %v", d.Val(), err) | ||||
| 			} | ||||
| 			t.HandshakeTimeout = caddy.Duration(dur) | ||||
| 		case "server_name": | ||||
| 			if !d.Args(&t.ServerName) { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 		case "renegotiation": | ||||
| 			if !d.Args(&t.Renegotiation) { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			switch t.Renegotiation { | ||||
| 			case "never", "once", "freely": | ||||
| 				continue | ||||
| 			default: | ||||
| 				t.Renegotiation = "" | ||||
| 				return d.Errf("unrecognized renegotiation level: %s", t.Renegotiation) | ||||
| 			} | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // MakeTLSClientConfig returns a tls.Config usable by a client to a backend. | ||||
| // If there is no custom TLS configuration, a nil config may be returned. | ||||
| // copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go | ||||
| func (t TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) { | ||||
| 	repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer) | ||||
| 	if repl == nil { | ||||
| 		repl = caddy.NewReplacer() | ||||
| 	} | ||||
| 	cfg := new(tls.Config) | ||||
| 
 | ||||
| 	if t.CARaw != nil { | ||||
| 		caRaw, err := ctx.LoadModule(t, "CARaw") | ||||
| 		if err != nil { | ||||
| 			return nil, err | ||||
| 		} | ||||
| 		ca := caRaw.(CA) | ||||
| 		cfg.RootCAs = ca.CertPool() | ||||
| 	} | ||||
| 
 | ||||
| 	// Renegotiation | ||||
| 	switch t.Renegotiation { | ||||
| 	case "never", "": | ||||
| 		cfg.Renegotiation = tls.RenegotiateNever | ||||
| 	case "once": | ||||
| 		cfg.Renegotiation = tls.RenegotiateOnceAsClient | ||||
| 	case "freely": | ||||
| 		cfg.Renegotiation = tls.RenegotiateFreelyAsClient | ||||
| 	default: | ||||
| 		return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation) | ||||
| 	} | ||||
| 
 | ||||
| 	// override for the server name used verify the TLS handshake | ||||
| 	cfg.ServerName = repl.ReplaceKnown(cfg.ServerName, "") | ||||
| 
 | ||||
| 	// throw all security out the window | ||||
| 	cfg.InsecureSkipVerify = t.InsecureSkipVerify | ||||
| 
 | ||||
| 	// only return a config if it's not empty | ||||
| 	if reflect.DeepEqual(cfg, new(tls.Config)) { | ||||
| 		return nil, nil | ||||
| 	} | ||||
| 
 | ||||
| 	return cfg, nil | ||||
| } | ||||
| 
 | ||||
| // The HTTPCertPool fetches the trusted root certificates from HTTP(S) | ||||
| // endpoints. The TLS connection properties can be customized, including custom | ||||
| // trusted root certificate. One example usage of this module is to get the trusted | ||||
| // certificates from another Caddy instance that is running the PKI app and ACME server. | ||||
| type HTTPCertPool struct { | ||||
| 	// the list of URLs that respond with PEM-encoded certificates to trust. | ||||
| 	Endpoints []string `json:"endpoints,omitempty"` | ||||
| 
 | ||||
| 	// Customize the TLS connection knobs to used during the HTTP call | ||||
| 	TLS *TLSConfig `json:"tls,omitempty"` | ||||
| 
 | ||||
| 	pool *x509.CertPool | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (HTTPCertPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.http", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(HTTPCertPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Provision implements caddy.Provisioner. | ||||
| func (hcp *HTTPCertPool) Provision(ctx caddy.Context) error { | ||||
| 	caPool := x509.NewCertPool() | ||||
| 
 | ||||
| 	customTransport := http.DefaultTransport.(*http.Transport).Clone() | ||||
| 	if hcp.TLS != nil { | ||||
| 		tlsConfig, err := hcp.TLS.makeTLSClientConfig(ctx) | ||||
| 		if err != nil { | ||||
| 			return err | ||||
| 		} | ||||
| 		customTransport.TLSClientConfig = tlsConfig | ||||
| 	} | ||||
| 
 | ||||
| 	var httpClient *http.Client | ||||
| 	*httpClient = *http.DefaultClient | ||||
| 	httpClient.Transport = customTransport | ||||
| 
 | ||||
| 	for _, uri := range hcp.Endpoints { | ||||
| 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil) | ||||
| 		if err != nil { | ||||
| 			return err | ||||
| 		} | ||||
| 		res, err := httpClient.Do(req) | ||||
| 		if err != nil { | ||||
| 			return err | ||||
| 		} | ||||
| 		pembs, err := io.ReadAll(res.Body) | ||||
| 		res.Body.Close() | ||||
| 		if err != nil { | ||||
| 			return err | ||||
| 		} | ||||
| 		if !caPool.AppendCertsFromPEM(pembs) { | ||||
| 			return fmt.Errorf("failed to add certs from URL: %s", uri) | ||||
| 		} | ||||
| 	} | ||||
| 	hcp.pool = caPool | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool http [<endpoints...>] { | ||||
| //			endpoints 	<endpoints...> | ||||
| //			tls 		<tls_config> | ||||
| //	} | ||||
| // | ||||
| // tls_config: | ||||
| // | ||||
| //		ca <ca_module> | ||||
| //		insecure_skip_verify | ||||
| //		handshake_timeout <duration> | ||||
| //		server_name <name> | ||||
| //		renegotiation <never|once|freely> | ||||
| // | ||||
| //	<ca_module> is the name of the CA module to source the trust | ||||
| // | ||||
| // certificate pool and follows the syntax of the named CA module. | ||||
| func (hcp *HTTPCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...) | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "endpoints": | ||||
| 			if d.CountRemainingArgs() == 0 { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...) | ||||
| 		case "tls": | ||||
| 			if hcp.TLS != nil { | ||||
| 				return d.Err("tls block already defined") | ||||
| 			} | ||||
| 			hcp.TLS = new(TLSConfig) | ||||
| 			if err := hcp.TLS.unmarshalCaddyfile(d); err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // report error if the endpoints are not valid URLs | ||||
| func (hcp HTTPCertPool) Validate() (err error) { | ||||
| 	for _, u := range hcp.Endpoints { | ||||
| 		_, e := url.Parse(u) | ||||
| 		if e != nil { | ||||
| 			err = errors.Join(err, e) | ||||
| 		} | ||||
| 	} | ||||
| 	return err | ||||
| } | ||||
| 
 | ||||
| // CertPool return the certificate pool generated from the HTTP responses | ||||
| func (hcp HTTPCertPool) CertPool() *x509.CertPool { | ||||
| 	return hcp.pool | ||||
| } | ||||
| 
 | ||||
| // LazyCertPool defers the generation of the certificate pool from the | ||||
| // guest module to demand-time rather than at provisionig time. The gain of the | ||||
| // lazy load adds a risk of failure to load the certificates at demand time | ||||
| // because the validation that's typically done at provisioning is deferred. | ||||
| // The validation can be enforced to run before runtime by setting | ||||
| // `EagerValidation`/`eager_validation` to `true`. It is the operator's responsibility | ||||
| // to ensure the resources are available if `EagerValidation`/`eager_validation` | ||||
| // is set to `true`. The module also incurs performance cost at every demand. | ||||
| type LazyCertPool struct { | ||||
| 	// Provides the guest module that provides the trusted certificate authority (CA) certificates | ||||
| 	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"` | ||||
| 
 | ||||
| 	// Whether the validation step should try to load and provision the guest module to validate | ||||
| 	// the correctness of the configuration. Depeneding on the type of the guest module, | ||||
| 	// the resources may not be available at validation time. It is the | ||||
| 	// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation` | ||||
| 	// is set to `true`. | ||||
| 	EagerValidation bool `json:"eager_validation,omitempty"` | ||||
| 
 | ||||
| 	ctx caddy.Context | ||||
| } | ||||
| 
 | ||||
| // CaddyModule implements caddy.Module. | ||||
| func (LazyCertPool) CaddyModule() caddy.ModuleInfo { | ||||
| 	return caddy.ModuleInfo{ | ||||
| 		ID: "tls.ca_pool.source.lazy", | ||||
| 		New: func() caddy.Module { | ||||
| 			return new(LazyCertPool) | ||||
| 		}, | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| // Provision implements caddy.Provisioner. | ||||
| func (lcp *LazyCertPool) Provision(ctx caddy.Context) error { | ||||
| 	if len(lcp.CARaw) == 0 { | ||||
| 		return fmt.Errorf("missing backing CA source") | ||||
| 	} | ||||
| 	lcp.ctx = ctx | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Syntax: | ||||
| // | ||||
| //	trust_pool lazy { | ||||
| //		backend <ca_module> | ||||
| //		eager_validation | ||||
| //	} | ||||
| // | ||||
| // The `backend` directive specifies the CA module to use to provision the | ||||
| // certificate pool. The `eager_validation` directive specifies that the | ||||
| // validation step should try to load and provision the guest module to validate | ||||
| // the correctness of the configuration. Depeneding on the type of the guest module, | ||||
| // the resources may not be available at validation time. It is the | ||||
| // operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation` | ||||
| // is set to `true`. | ||||
| // | ||||
| // The `backend` directive is required. | ||||
| func (lcp *LazyCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	d.Next() // consume module name | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		switch d.Val() { | ||||
| 		case "backend": | ||||
| 			if lcp.CARaw != nil { | ||||
| 				return d.Err("backend block already defined") | ||||
| 			} | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			modStem := d.Val() | ||||
| 			modID := "tls.ca_pool.source." + modStem | ||||
| 			unm, err := caddyfile.UnmarshalModule(d, modID) | ||||
| 			if err != nil { | ||||
| 				return err | ||||
| 			} | ||||
| 			backend, ok := unm.(CA) | ||||
| 			if !ok { | ||||
| 				return d.Errf("module %s is not a caddytls.CA", modID) | ||||
| 			} | ||||
| 			lcp.CARaw = caddyconfig.JSONModuleObject(backend, "provider", modStem, nil) | ||||
| 		case "eager_validation": | ||||
| 			lcp.EagerValidation = true | ||||
| 		default: | ||||
| 			return d.Errf("unrecognized directive: %s", d.Val()) | ||||
| 		} | ||||
| 	} | ||||
| 	if lcp.CARaw == nil { | ||||
| 		return d.Err("backend block is required") | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // If EagerValidation is `true`, it attempts to load and provision the guest module | ||||
| // to ensure the guesst module's configuration is correct. Depeneding on the type of the | ||||
| // guest module, the resources may not be available at validation time. It is the | ||||
| // operator's responsibility to ensure the resources are available if `EagerValidation` is | ||||
| // set to `true`. | ||||
| func (lcp LazyCertPool) Validate() error { | ||||
| 	if lcp.EagerValidation { | ||||
| 		_, err := lcp.ctx.LoadModule(lcp, "CARaw") | ||||
| 		return err | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // CertPool loads the guest module and returns the CertPool from there | ||||
| // TODO: Cache? | ||||
| func (lcp LazyCertPool) CertPool() *x509.CertPool { | ||||
| 	caRaw, err := lcp.ctx.LoadModule(lcp, "CARaw") | ||||
| 	if err != nil { | ||||
| 		return nil | ||||
| 	} | ||||
| 	ca := caRaw.(CA) | ||||
| 	return ca.CertPool() | ||||
| } | ||||
| 
 | ||||
| var ( | ||||
| 	_ caddy.Module          = (*InlineCAPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*InlineCAPool)(nil) | ||||
| 	_ CA                    = (*InlineCAPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*InlineCAPool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*FileCAPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*FileCAPool)(nil) | ||||
| 	_ CA                    = (*FileCAPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*FileCAPool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*PKIRootCAPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*PKIRootCAPool)(nil) | ||||
| 	_ CA                    = (*PKIRootCAPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*PKIRootCAPool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*PKIIntermediateCAPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*PKIIntermediateCAPool)(nil) | ||||
| 	_ CA                    = (*PKIIntermediateCAPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*PKIIntermediateCAPool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*StoragePool)(nil) | ||||
| 	_ caddy.Provisioner     = (*StoragePool)(nil) | ||||
| 	_ CA                    = (*StoragePool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*StoragePool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*HTTPCertPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*HTTPCertPool)(nil) | ||||
| 	_ caddy.Validator       = (*HTTPCertPool)(nil) | ||||
| 	_ CA                    = (*HTTPCertPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*HTTPCertPool)(nil) | ||||
| 
 | ||||
| 	_ caddy.Module          = (*LazyCertPool)(nil) | ||||
| 	_ caddy.Provisioner     = (*LazyCertPool)(nil) | ||||
| 	_ caddy.Validator       = (*LazyCertPool)(nil) | ||||
| 	_ CA                    = (*LazyCertPool)(nil) | ||||
| 	_ caddyfile.Unmarshaler = (*LazyCertPool)(nil) | ||||
| ) | ||||
							
								
								
									
										892
									
								
								modules/caddytls/capools_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										892
									
								
								modules/caddytls/capools_test.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,892 @@ | ||||
| package caddytls | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/json" | ||||
| 	"fmt" | ||||
| 	"reflect" | ||||
| 	"testing" | ||||
| 	"time" | ||||
| 
 | ||||
| 	"github.com/caddyserver/caddy/v2" | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" | ||||
| 	_ "github.com/caddyserver/caddy/v2/modules/filestorage" | ||||
| ) | ||||
| 
 | ||||
| const ( | ||||
| 	test_der_1       = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==` | ||||
| 	test_cert_file_1 = "../../caddytest/caddy.ca.cer" | ||||
| ) | ||||
| 
 | ||||
| func TestInlineCAPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected InlineCAPool | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "configuring no certificatest produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					inline { | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "configuring certificates as arguments in-line produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 					inline %s | ||||
| 				`, test_der_1)), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single cert", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				inline { | ||||
| 					trust_der %s | ||||
| 				} | ||||
| 				`, test_der_1)), | ||||
| 			}, | ||||
| 			expected: InlineCAPool{ | ||||
| 				TrustedCACerts: []string{test_der_1}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple certs in one line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				inline { | ||||
| 					trust_der %s %s | ||||
| 				} | ||||
| 				`, test_der_1, test_der_1), | ||||
| 				), | ||||
| 			}, | ||||
| 			expected: InlineCAPool{ | ||||
| 				TrustedCACerts: []string{test_der_1, test_der_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple certs in multiple lines", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 					inline { | ||||
| 						trust_der %s | ||||
| 						trust_der %s | ||||
| 					} | ||||
| 				`, test_der_1, test_der_1)), | ||||
| 			}, | ||||
| 			expected: InlineCAPool{ | ||||
| 				TrustedCACerts: []string{test_der_1, test_der_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			icp := &InlineCAPool{} | ||||
| 			if err := icp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("InlineCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, icp) { | ||||
| 				t.Errorf("InlineCAPool.UnmarshalCaddyfile() = %v, want %v", icp, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestFileCAPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		expected FileCAPool | ||||
| 		args     args | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "configuring no certificatest produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					file { | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "configuring certificates as arguments in-line produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				file %s | ||||
| 				`, test_cert_file_1)), | ||||
| 			}, | ||||
| 			expected: FileCAPool{ | ||||
| 				TrustedCACertPEMFiles: []string{test_cert_file_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single cert", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				file { | ||||
| 					pem_file %s | ||||
| 				} | ||||
| 				`, test_cert_file_1)), | ||||
| 			}, | ||||
| 			expected: FileCAPool{ | ||||
| 				TrustedCACertPEMFiles: []string{test_cert_file_1}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple certs inline and in-block are merged", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				file %s { | ||||
| 					pem_file %s | ||||
| 				} | ||||
| 				`, test_cert_file_1, test_cert_file_1)), | ||||
| 			}, | ||||
| 			expected: FileCAPool{ | ||||
| 				TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple certs in one line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				file { | ||||
| 					pem_file %s %s | ||||
| 				} | ||||
| 				`, test_der_1, test_der_1), | ||||
| 				), | ||||
| 			}, | ||||
| 			expected: FileCAPool{ | ||||
| 				TrustedCACertPEMFiles: []string{test_der_1, test_der_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple certs in multiple lines", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 					file { | ||||
| 						pem_file %s | ||||
| 						pem_file %s | ||||
| 					} | ||||
| 				`, test_cert_file_1, test_cert_file_1)), | ||||
| 			}, | ||||
| 			expected: FileCAPool{ | ||||
| 				TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			fcap := &FileCAPool{} | ||||
| 			if err := fcap.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("FileCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, fcap) { | ||||
| 				t.Errorf("FileCAPool.UnmarshalCaddyfile() = %v, want %v", fcap, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestPKIRootCAPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		expected PKIRootCAPool | ||||
| 		args     args | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "configuring no certificatest produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					pki_root { | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single authority as arguments in-line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_root ca_1 | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: PKIRootCAPool{ | ||||
| 				Authority: []string{"ca_1"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities as arguments in-line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_root ca_1 ca_2 | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: PKIRootCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single authority in block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_root { | ||||
| 					authority ca_1 | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: PKIRootCAPool{ | ||||
| 				Authority: []string{"ca_1"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities in one line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_root { | ||||
| 					authority ca_1 ca_2 | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: PKIRootCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities in multiple lines", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					pki_root { | ||||
| 						authority ca_1 | ||||
| 						authority ca_2 | ||||
| 					}`), | ||||
| 			}, | ||||
| 			expected: PKIRootCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			pkir := &PKIRootCAPool{} | ||||
| 			if err := pkir.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pkir) { | ||||
| 				t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() = %v, want %v", pkir, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestPKIIntermediateCAPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		expected PKIIntermediateCAPool | ||||
| 		args     args | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "configuring no certificatest produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_intermediate { | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single authority as arguments in-line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`pki_intermediate ca_1`), | ||||
| 			}, | ||||
| 			expected: PKIIntermediateCAPool{ | ||||
| 				Authority: []string{"ca_1"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities as arguments in-line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`pki_intermediate ca_1 ca_2`), | ||||
| 			}, | ||||
| 			expected: PKIIntermediateCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "single authority in block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_intermediate { | ||||
| 					authority ca_1 | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: PKIIntermediateCAPool{ | ||||
| 				Authority: []string{"ca_1"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities in one line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				pki_intermediate { | ||||
| 					authority ca_1 ca_2 | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: PKIIntermediateCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple authorities in multiple lines", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					pki_intermediate { | ||||
| 						authority ca_1 | ||||
| 						authority ca_2 | ||||
| 					}`), | ||||
| 			}, | ||||
| 			expected: PKIIntermediateCAPool{ | ||||
| 				Authority: []string{"ca_1", "ca_2"}, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			pic := &PKIIntermediateCAPool{} | ||||
| 			if err := pic.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pic) { | ||||
| 				t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() = %v, want %v", pic, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestStoragePoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected StoragePool | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "empty block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`storage { | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: StoragePool{}, | ||||
| 			wantErr:  false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing single storage key inline", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`storage key-1`), | ||||
| 			}, | ||||
| 			expected: StoragePool{ | ||||
| 				PEMKeys: []string{"key-1"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing multiple storage keys inline", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`storage key-1 key-2`), | ||||
| 			}, | ||||
| 			expected: StoragePool{ | ||||
| 				PEMKeys: []string{"key-1", "key-2"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing keys inside block without specifying storage type", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					storage { | ||||
| 						keys key-1 key-2 | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: StoragePool{ | ||||
| 				PEMKeys: []string{"key-1", "key-2"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing keys in-line and inside block merges them", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`storage key-1 key-2 key-3 { | ||||
| 					keys key-4 key-5 | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: StoragePool{ | ||||
| 				PEMKeys: []string{"key-1", "key-2", "key-3", "key-4", "key-5"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "specifying storage type in block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`storage { | ||||
| 					storage file_system /var/caddy/storage | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: StoragePool{ | ||||
| 				StorageRaw: json.RawMessage(`{"module":"file_system","root":"/var/caddy/storage"}`), | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			sp := &StoragePool{} | ||||
| 			if err := sp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("StoragePool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, sp) { | ||||
| 				t.Errorf("StoragePool.UnmarshalCaddyfile() = %s, want %s", sp.StorageRaw, tt.expected.StorageRaw) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestTLSConfig_unmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected TLSConfig | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "no arguments is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'renegotiation' to 'never' is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 					renegotiation never | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				Renegotiation: "never", | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'renegotiation' to 'once' is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 					renegotiation once | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				Renegotiation: "once", | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'renegotiation' to 'freely' is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 					renegotiation freely | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				Renegotiation: "freely", | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'renegotiation' to other than 'none', 'once, or 'freely' is invalid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 					renegotiation foo | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'renegotiation' without argument is invalid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` { | ||||
| 					renegotiation | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'ca' without arguemnt is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					ca | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'ca' to 'file' with in-line cert is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					ca file /var/caddy/ca.pem | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem"],"provider":"file"}`), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'ca' to 'lazy' with appropriate block is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					ca lazy { | ||||
| 						backend file { | ||||
| 							pem_file /var/caddy/ca.pem | ||||
| 						} | ||||
| 					} | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				CARaw: []byte(`{"ca":{"pem_files":["/var/caddy/ca.pem"],"provider":"file"},"provider":"lazy"}`), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'ca' to 'file' with appropriate block is valid", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					ca file /var/caddy/ca.pem { | ||||
| 						pem_file /var/caddy/ca.pem | ||||
| 					} | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem","/var/caddy/ca.pem"],"provider":"file"}`), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'ca' multiple times is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(`{ | ||||
| 					ca file /var/caddy/ca.pem { | ||||
| 						pem_file /var/caddy/ca.pem | ||||
| 					} | ||||
| 					ca inline %s | ||||
| 				}`, test_der_1)), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'handshake_timeout' without value is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					handshake_timeout | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'handshake_timeout' properly is successful", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					handshake_timeout 42m | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				HandshakeTimeout: caddy.Duration(42 * time.Minute), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'server_name' without value is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					server_name | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'server_name' properly is successful", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					server_name example.com | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: TLSConfig{ | ||||
| 				ServerName: "example.com", | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "unsupported directives are errors", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`{ | ||||
| 					foo | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			tr := &TLSConfig{} | ||||
| 			if err := tr.unmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("TLSConfig.unmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, tr) { | ||||
| 				t.Errorf("TLSConfig.UnmarshalCaddyfile() = %v, want %v", tr, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestHTTPCertPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected HTTPCertPool | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "no block, inline http endpoint", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://localhost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "no block, inline https endpoint", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http https://localhost/ca-certs`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"https://localhost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "no block, mixed http and https endpoints inline", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs https://localhost/ca-certs`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://localhost/ca-certs", "https://localhost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple endpoints in separate lines in block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					http { | ||||
| 						endpoints http://localhost/ca-certs | ||||
| 						endpoints http://remotehost/ca-certs | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "endpoints defiend inline and in block are merged", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs { | ||||
| 					endpoints http://remotehost/ca-certs | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple endpoints defiend in block on the same line", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http { | ||||
| 					endpoints http://remotehost/ca-certs http://localhost/ca-certs | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://remotehost/ca-certs", "http://localhost/ca-certs"}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "declaring 'endpoints' in block without argument is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`http { | ||||
| 					endpoints | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "multiple endpoints in separate lines in block", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					http { | ||||
| 						endpoints http://localhost/ca-certs | ||||
| 						endpoints http://remotehost/ca-certs | ||||
| 						tls { | ||||
| 							renegotiation freely | ||||
| 						} | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: HTTPCertPool{ | ||||
| 				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"}, | ||||
| 				TLS: &TLSConfig{ | ||||
| 					Renegotiation: "freely", | ||||
| 				}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			hcp := &HTTPCertPool{} | ||||
| 			if err := hcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("HTTPCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, hcp) { | ||||
| 				t.Errorf("HTTPCertPool.UnmarshalCaddyfile() = %v, want %v", hcp, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| 
 | ||||
| func TestLazyCertPoolUnmarshalCaddyfile(t *testing.T) { | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected LazyCertPool | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "no block results in error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "empty block results in error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "defining 'backend' multiple times results in error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 					backend http { | ||||
| 						endpoints http://localhost/ca-certs | ||||
| 					} | ||||
| 					backend file { | ||||
| 						pem_file /var/caddy/certs | ||||
| 					} | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "defining 'backend' without argument results in error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 					backend | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "using unrecognized directive results in error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 					foo | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "defining single 'backend' is successful", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 					backend http { | ||||
| 						endpoints http://localhost/ca-certs | ||||
| 					} | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: LazyCertPool{ | ||||
| 				CARaw: []byte(`{"endpoints":["http://localhost/ca-certs"],"provider":"http"}`), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "defining single 'backend' with 'eager_validation' successful", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(`lazy { | ||||
| 					backend file { | ||||
| 						pem_file /var/caddy/certs | ||||
| 					} | ||||
| 					eager_validation | ||||
| 				}`), | ||||
| 			}, | ||||
| 			expected: LazyCertPool{ | ||||
| 				CARaw:           []byte(`{"pem_files":["/var/caddy/certs"],"provider":"file"}`), | ||||
| 				EagerValidation: true, | ||||
| 			}, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			lcp := &LazyCertPool{} | ||||
| 			if err := lcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("LazyCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, lcp) { | ||||
| 				t.Errorf("LazyCertPool.UnmarshalCaddyfile() = %v, want %v", lcp, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
| @ -19,6 +19,7 @@ import ( | ||||
| 	"crypto/x509" | ||||
| 	"encoding/base64" | ||||
| 	"encoding/json" | ||||
| 	"encoding/pem" | ||||
| 	"fmt" | ||||
| 	"io" | ||||
| 	"os" | ||||
| @ -29,6 +30,8 @@ import ( | ||||
| 	"go.uber.org/zap" | ||||
| 
 | ||||
| 	"github.com/caddyserver/caddy/v2" | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig" | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" | ||||
| ) | ||||
| 
 | ||||
| func init() { | ||||
| @ -301,8 +304,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error { | ||||
| 
 | ||||
| 	// client authentication | ||||
| 	if p.ClientAuthentication != nil { | ||||
| 		err := p.ClientAuthentication.ConfigureTLSConfig(cfg) | ||||
| 		if err != nil { | ||||
| 		if err := p.ClientAuthentication.provision(ctx); err != nil { | ||||
| 			return fmt.Errorf("provisioning client CA: %v", err) | ||||
| 		} | ||||
| 		if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil { | ||||
| 			return fmt.Errorf("configuring TLS client authentication: %v", err) | ||||
| 		} | ||||
| 	} | ||||
| @ -354,12 +359,18 @@ func (p ConnectionPolicy) SettingsEmpty() bool { | ||||
| 
 | ||||
| // ClientAuthentication configures TLS client auth. | ||||
| type ClientAuthentication struct { | ||||
| 	// Certificate authority module which provides the certificate pool of trusted certificates | ||||
| 	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"` | ||||
| 	ca    CA | ||||
| 
 | ||||
| 	// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead. | ||||
| 	// A list of base64 DER-encoded CA certificates | ||||
| 	// against which to validate client certificates. | ||||
| 	// Client certs which are not signed by any of | ||||
| 	// these CAs will be rejected. | ||||
| 	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"` | ||||
| 
 | ||||
| 	// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead. | ||||
| 	// TrustedCACertPEMFiles is a list of PEM file names | ||||
| 	// from which to load certificates of trusted CAs. | ||||
| 	// Client certificates which are not signed by any of | ||||
| @ -399,13 +410,177 @@ type ClientAuthentication struct { | ||||
| 	existingVerifyPeerCert func([][]byte, [][]*x509.Certificate) error | ||||
| } | ||||
| 
 | ||||
| // UnmarshalCaddyfile parses the Caddyfile segment to set up the client authentication. Syntax: | ||||
| // | ||||
| //	client_auth { | ||||
| //		mode                   [request|require|verify_if_given|require_and_verify] | ||||
| //	 	trust_pool			   <module> { | ||||
| //			... | ||||
| //		} | ||||
| //		trusted_leaf_cert      <base64_der> | ||||
| //		trusted_leaf_cert_file <filename> | ||||
| //	} | ||||
| // | ||||
| // If `mode` is not provided, it defaults to `require_and_verify` if any of the following are provided: | ||||
| // - `trusted_leaf_certs` | ||||
| // - `trusted_leaf_cert_file` | ||||
| // - `trust_pool` | ||||
| // | ||||
| // Otherwise, it defaults to `require`. | ||||
| func (ca *ClientAuthentication) UnmarshalCaddyfile(d *caddyfile.Dispenser) error { | ||||
| 	for d.NextArg() { | ||||
| 		// consume any tokens on the same line, if any. | ||||
| 	} | ||||
| 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||
| 		subdir := d.Val() | ||||
| 		switch subdir { | ||||
| 		case "mode": | ||||
| 			if d.CountRemainingArgs() > 1 { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			if !d.Args(&ca.Mode) { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 		case "trusted_ca_cert": | ||||
| 			if len(ca.CARaw) != 0 { | ||||
| 				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'") | ||||
| 			} | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			ca.TrustedCACerts = append(ca.TrustedCACerts, d.Val()) | ||||
| 		case "trusted_leaf_cert": | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, d.Val()) | ||||
| 		case "trusted_ca_cert_file": | ||||
| 			if len(ca.CARaw) != 0 { | ||||
| 				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'") | ||||
| 			} | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			filename := d.Val() | ||||
| 			ders, err := convertPEMFilesToDER(filename) | ||||
| 			if err != nil { | ||||
| 				return d.WrapErr(err) | ||||
| 			} | ||||
| 			ca.TrustedCACerts = append(ca.TrustedCACerts, ders...) | ||||
| 		case "trusted_leaf_cert_file": | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			filename := d.Val() | ||||
| 			ders, err := convertPEMFilesToDER(filename) | ||||
| 			if err != nil { | ||||
| 				return d.WrapErr(err) | ||||
| 			} | ||||
| 			ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, ders...) | ||||
| 		case "trust_pool": | ||||
| 			if len(ca.TrustedCACerts) != 0 { | ||||
| 				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'") | ||||
| 			} | ||||
| 			if !d.NextArg() { | ||||
| 				return d.ArgErr() | ||||
| 			} | ||||
| 			modName := d.Val() | ||||
| 			mod, err := caddyfile.UnmarshalModule(d, "tls.ca_pool.source."+modName) | ||||
| 			if err != nil { | ||||
| 				return d.WrapErr(err) | ||||
| 			} | ||||
| 			caMod, ok := mod.(CA) | ||||
| 			if !ok { | ||||
| 				return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod) | ||||
| 			} | ||||
| 			ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil) | ||||
| 		default: | ||||
| 			return d.Errf("unknown subdirective for client_auth: %s", subdir) | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	// only trust_ca_cert or trust_ca_cert_file was specified | ||||
| 	if len(ca.TrustedCACerts) > 0 { | ||||
| 		fileMod := &InlineCAPool{} | ||||
| 		fileMod.TrustedCACerts = append(fileMod.TrustedCACerts, ca.TrustedCACerts...) | ||||
| 		ca.CARaw = caddyconfig.JSONModuleObject(fileMod, "provider", "inline", nil) | ||||
| 		ca.TrustedCACertPEMFiles, ca.TrustedCACerts = nil, nil | ||||
| 	} | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func convertPEMFilesToDER(filename string) ([]string, error) { | ||||
| 	certDataPEM, err := os.ReadFile(filename) | ||||
| 	if err != nil { | ||||
| 		return nil, err | ||||
| 	} | ||||
| 	var ders []string | ||||
| 	// while block is not nil, we have more certificates in the file | ||||
| 	for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) { | ||||
| 		if block.Type != "CERTIFICATE" { | ||||
| 			return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename) | ||||
| 		} | ||||
| 		ders = append( | ||||
| 			ders, | ||||
| 			base64.StdEncoding.EncodeToString(block.Bytes), | ||||
| 		) | ||||
| 	} | ||||
| 	// if we decoded nothing, return an error | ||||
| 	if len(ders) == 0 { | ||||
| 		return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename) | ||||
| 	} | ||||
| 	return ders, nil | ||||
| } | ||||
| 
 | ||||
| func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error { | ||||
| 	if len(clientauth.CARaw) > 0 && (len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0) { | ||||
| 		return fmt.Errorf("conflicting config for client authentication trust CA") | ||||
| 	} | ||||
| 
 | ||||
| 	// convert all named file paths to inline | ||||
| 	if len(clientauth.TrustedCACertPEMFiles) > 0 { | ||||
| 		for _, fpath := range clientauth.TrustedCACertPEMFiles { | ||||
| 			ders, err := convertPEMFilesToDER(fpath) | ||||
| 			if err != nil { | ||||
| 				return nil | ||||
| 			} | ||||
| 			clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...) | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	// if we have TrustedCACerts explicitly set, create an 'inline' CA and return | ||||
| 	if len(clientauth.TrustedCACerts) > 0 { | ||||
| 		clientauth.ca = InlineCAPool{ | ||||
| 			TrustedCACerts: clientauth.TrustedCACerts, | ||||
| 		} | ||||
| 		return nil | ||||
| 	} | ||||
| 
 | ||||
| 	// if we don't have any CARaw set, there's not much work to do | ||||
| 	if clientauth.CARaw == nil { | ||||
| 		return nil | ||||
| 	} | ||||
| 	caRaw, err := ctx.LoadModule(clientauth, "CARaw") | ||||
| 	if err != nil { | ||||
| 		return err | ||||
| 	} | ||||
| 	ca, ok := caRaw.(CA) | ||||
| 	if !ok { | ||||
| 		return fmt.Errorf("CARaw module '%s' is not a certificate pool provider", ca) | ||||
| 	} | ||||
| 	clientauth.ca = ca | ||||
| 
 | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| // Active returns true if clientauth has an actionable configuration. | ||||
| func (clientauth ClientAuthentication) Active() bool { | ||||
| 	return len(clientauth.TrustedCACerts) > 0 || | ||||
| 		len(clientauth.TrustedCACertPEMFiles) > 0 || | ||||
| 		len(clientauth.TrustedLeafCerts) > 0 || // TODO: DEPRECATED | ||||
| 		len(clientauth.VerifiersRaw) > 0 || | ||||
| 		len(clientauth.Mode) > 0 | ||||
| 		len(clientauth.Mode) > 0 || | ||||
| 		clientauth.CARaw != nil || clientauth.ca != nil | ||||
| } | ||||
| 
 | ||||
| // ConfigureTLSConfig sets up cfg to enforce clientauth's configuration. | ||||
| @ -434,7 +609,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro | ||||
| 		// otherwise, set a safe default mode | ||||
| 		if len(clientauth.TrustedCACerts) > 0 || | ||||
| 			len(clientauth.TrustedCACertPEMFiles) > 0 || | ||||
| 			len(clientauth.TrustedLeafCerts) > 0 { | ||||
| 			len(clientauth.TrustedLeafCerts) > 0 || | ||||
| 			clientauth.CARaw != nil { | ||||
| 			cfg.ClientAuth = tls.RequireAndVerifyClientCert | ||||
| 		} else { | ||||
| 			cfg.ClientAuth = tls.RequireAnyClientCert | ||||
| @ -442,23 +618,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro | ||||
| 	} | ||||
| 
 | ||||
| 	// enforce CA verification by adding CA certs to the ClientCAs pool | ||||
| 	if len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0 { | ||||
| 		caPool := x509.NewCertPool() | ||||
| 		for _, clientCAString := range clientauth.TrustedCACerts { | ||||
| 			clientCA, err := decodeBase64DERCert(clientCAString) | ||||
| 			if err != nil { | ||||
| 				return fmt.Errorf("parsing certificate: %v", err) | ||||
| 			} | ||||
| 			caPool.AddCert(clientCA) | ||||
| 		} | ||||
| 		for _, pemFile := range clientauth.TrustedCACertPEMFiles { | ||||
| 			pemContents, err := os.ReadFile(pemFile) | ||||
| 			if err != nil { | ||||
| 				return fmt.Errorf("reading %s: %v", pemFile, err) | ||||
| 			} | ||||
| 			caPool.AppendCertsFromPEM(pemContents) | ||||
| 		} | ||||
| 		cfg.ClientCAs = caPool | ||||
| 	if clientauth.ca != nil { | ||||
| 		cfg.ClientCAs = clientauth.ca.CertPool() | ||||
| 	} | ||||
| 
 | ||||
| 	// TODO: DEPRECATED: Only here for backwards compatibility. | ||||
| @ -600,3 +761,5 @@ type destructableWriter struct{ *os.File } | ||||
| func (d destructableWriter) Destruct() error { return d.Close() } | ||||
| 
 | ||||
| var secretsLogPool = caddy.NewUsagePool() | ||||
| 
 | ||||
| var _ caddyfile.Unmarshaler = (*ClientAuthentication)(nil) | ||||
|  | ||||
							
								
								
									
										280
									
								
								modules/caddytls/connpolicy_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										280
									
								
								modules/caddytls/connpolicy_test.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,280 @@ | ||||
| // Copyright 2015 Matthew Holt and The Caddy Authors | ||||
| // | ||||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||||
| // you may not use this file except in compliance with the License. | ||||
| // You may obtain a copy of the License at | ||||
| // | ||||
| //     http://www.apache.org/licenses/LICENSE-2.0 | ||||
| // | ||||
| // Unless required by applicable law or agreed to in writing, software | ||||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
| // See the License for the specific language governing permissions and | ||||
| // limitations under the License. | ||||
| 
 | ||||
| package caddytls | ||||
| 
 | ||||
| import ( | ||||
| 	"encoding/json" | ||||
| 	"fmt" | ||||
| 	"reflect" | ||||
| 	"testing" | ||||
| 
 | ||||
| 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile" | ||||
| ) | ||||
| 
 | ||||
| func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) { | ||||
| 	const test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==` | ||||
| 	const test_cert_file_1 = "../../caddytest/caddy.ca.cer" | ||||
| 	type args struct { | ||||
| 		d *caddyfile.Dispenser | ||||
| 	} | ||||
| 	tests := []struct { | ||||
| 		name     string | ||||
| 		args     args | ||||
| 		expected ClientAuthentication | ||||
| 		wantErr  bool | ||||
| 	}{ | ||||
| 		{ | ||||
| 			name: "empty client_auth block does not error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser( | ||||
| 					`client_auth { | ||||
| 					}`, | ||||
| 				), | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing both 'trust_pool' and 'trusted_ca_cert' returns an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser( | ||||
| 					`client_auth { | ||||
| 					trust_pool inline MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 					trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ== | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "trust_pool without a module argument returns an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser( | ||||
| 					`client_auth { | ||||
| 					trust_pool | ||||
| 				}`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing more than 1 mode produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					client_auth { | ||||
| 						mode require request | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "not providing 'mode' argument produces an error", | ||||
| 			args: args{d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					mode | ||||
| 				} | ||||
| 			`)}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing a single 'mode' argument sets the mode", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 					client_auth { | ||||
| 						mode require | ||||
| 					} | ||||
| 				`), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				Mode: "require", | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "not providing an argument to 'trusted_ca_cert' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert | ||||
| 				} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "not providing an argument to 'trusted_leaf_cert' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					trusted_leaf_cert | ||||
| 				} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "not providing an argument to 'trusted_ca_cert_file' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert_file | ||||
| 				} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "not providing an argument to 'trusted_leaf_cert_file' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					trusted_leaf_cert_file | ||||
| 				} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "using 'trusted_ca_cert' adapts sucessfully", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert %s | ||||
| 				}`, test_der_1)), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "using 'inline' trust_pool loads the module successfully", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 					client_auth { | ||||
| 						trust_pool inline { | ||||
| 							trust_der	%s | ||||
| 						} | ||||
| 					} | ||||
| 				`, test_der_1)), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)), | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'trusted_ca_cert' and 'trust_pool' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert %s | ||||
| 					trust_pool inline { | ||||
| 						trust_der	%s | ||||
| 					} | ||||
| 				}`, test_der_1, test_der_1)), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trust_pool inline { | ||||
| 						trust_der	%s | ||||
| 					} | ||||
| 					trusted_ca_cert %s | ||||
| 				}`, test_der_1, test_der_1)), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trust_pool inline { | ||||
| 						trust_der	%s | ||||
| 					} | ||||
| 					trusted_ca_cert_file %s | ||||
| 				}`, test_der_1, test_cert_file_1)), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "configuring 'trusted_ca_cert_file' without an argument is an error", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert_file | ||||
| 				} | ||||
| 				`), | ||||
| 			}, | ||||
| 			wantErr: true, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "configuring 'trusted_ca_cert_file' produces config with 'inline' provider", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trusted_ca_cert_file %s | ||||
| 				}`, test_cert_file_1), | ||||
| 				), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)), | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "configuring leaf certs does not conflict with 'trust_pool'", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trust_pool inline { | ||||
| 						trust_der	%s | ||||
| 					} | ||||
| 					trusted_leaf_cert %s | ||||
| 				}`, test_der_1, test_der_1)), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				CARaw:            json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)), | ||||
| 				TrustedLeafCerts: []string{test_der_1}, | ||||
| 			}, | ||||
| 		}, | ||||
| 		{ | ||||
| 			name: "providing trusted leaf certificate file loads the cert successfully", | ||||
| 			args: args{ | ||||
| 				d: caddyfile.NewTestDispenser(fmt.Sprintf(` | ||||
| 				client_auth { | ||||
| 					trusted_leaf_cert_file %s | ||||
| 				}`, test_cert_file_1)), | ||||
| 			}, | ||||
| 			expected: ClientAuthentication{ | ||||
| 				TrustedLeafCerts: []string{test_der_1}, | ||||
| 			}, | ||||
| 			wantErr: false, | ||||
| 		}, | ||||
| 	} | ||||
| 	for _, tt := range tests { | ||||
| 		t.Run(tt.name, func(t *testing.T) { | ||||
| 			ca := &ClientAuthentication{} | ||||
| 			if err := ca.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr { | ||||
| 				t.Errorf("ClientAuthentication.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr) | ||||
| 				return | ||||
| 			} | ||||
| 			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, ca) { | ||||
| 				t.Errorf("ClientAuthentication.UnmarshalCaddyfile() = %v, want %v", ca, tt.expected) | ||||
| 			} | ||||
| 		}) | ||||
| 	} | ||||
| } | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user