tls: add cipher flag #9216
tls: add cipher flag #9216
@@ -18,10 +18,13 @@ package ctlv2 | |
import ( | ||
"fmt" | ||
"os" | ||
"strings" | ||
"time" | ||
|
||
"github.com/coreos/etcd/etcdctl/ctlv2/command" | ||
"github.com/coreos/etcd/internal/version" | ||
"github.com/coreos/etcd/pkg/flags" | ||
"github.com/coreos/etcd/pkg/tlsutil" | ||
|
||
"github.com/urfave/cli" | ||
) | ||
|
@@ -55,6 +58,12 @@ func Start(apiv string) { | |
cli.StringFlag{Name: "cert-file", Value: "", Usage: "identify HTTPS client using this SSL certificate file"}, | ||
cli.StringFlag{Name: "key-file", Value: "", Usage: "identify HTTPS client using this SSL key file"}, | ||
cli.StringFlag{Name: "ca-file", Value: "", Usage: "verify certificates of HTTPS-enabled servers using this CA bundle"}, | ||
cli.BoolFlag{Name: "insecure-skip-tls-verify", Usage: "skip server certificate verification"}, | ||
do we need this in this PR? or it can be separated to another one?
I added it to make local testing easier, can break it out if you want
yea. please break it out.
||
cli.GenericFlag{Name: "cipher-suites", | ||
Value: flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...), | ||
does this mean AvailableCipherSuites() is the default value? I didn't think all available ciphers were included in the default set in go
It is used to validate the provided list, but the default value is still a nil slice (which is what is currently used)
||
Usage: "comma-separated list of cipher suites for the server. " + | ||
"Available cipher suites include " + strings.Join(tlsutil.AvailableCipherSuites(), ",") + ". " + | ||
"If omitted, the default Go cipher suites will be used"}, | ||
cli.StringFlag{Name: "username, u", Value: "", Usage: "provide username[:password] and prompt if password is not supplied."}, | ||
cli.DurationFlag{Name: "timeout", Value: 2 * time.Second, Usage: "connection timeout per request"}, | ||
cli.DurationFlag{Name: "total-timeout", Value: 5 * time.Second, Usage: "timeout for the command execution (except watch)"}, | ||
|
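Review bot: The usage string on the new `cipher-suites` flag says the list is "for the server", but this flag lives in etcdctl and configures the client side of the TLS handshake, so an operator reading `--help` will take it to control etcd's listener; suggest `Usage: "comma-separated list of TLS cipher suites the client is allowed to negotiate. "` for the first fragment. Validating each name against `tlsutil.AvailableCipherSuites()` at parse time through `flags.NewStringSliceFlag` is the right place to do it — a misspelled suite that fell through would leave the connection on whatever Go negotiates by default, the opposite of what someone pinning ciphers wants. `Start` continues outside the hunk, and I cannot see where the parsed value is read back, so whether the list actually reaches the client `tls.Config` is unverified from here.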
@@ -16,9 +16,11 @@ | |
package ctlv3 | ||
|
||
import ( | ||
"strings" | ||
"time" | ||
|
||
"github.com/coreos/etcd/etcdctl/ctlv3/command" | ||
"github.com/coreos/etcd/pkg/tlsutil" | ||
"github.com/spf13/cobra" | ||
) | ||
|
||
|
@@ -63,6 +65,9 @@ func init() { | |
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CertFile, "cert", "", "identify secure client using this TLS certificate file") | ||
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.KeyFile, "key", "", "identify secure client using this TLS key file") | ||
rootCmd.PersistentFlags().StringVar(&globalFlags.TLS.CAFile, "cacert", "", "verify certificates of TLS-enabled secure servers using this CA bundle") | ||
rootCmd.PersistentFlags().StringSliceVar(&globalFlags.TLS.CipherSuites, "cipher-suites", nil, "comma-separated list of cipher suites for the server. "+ | ||
"Available cipher suites include "+strings.Join(tlsutil.AvailableCipherSuites(), ",")+". "+ | ||
nit: join with
||
"If omitted, the default Go cipher suites will be used") | ||
rootCmd.PersistentFlags().StringVar(&globalFlags.User, "user", "", "username[:password] for authentication (prompt if password is not supplied)") | ||
rootCmd.PersistentFlags().StringVarP(&globalFlags.TLS.ServerName, "discovery-srv", "d", "", "domain name to query for SRV records describing cluster endpoints") | ||
|
||
|
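Review bot: The v3 `--cipher-suites` added here is a plain `StringSliceVar` with no validation against `tlsutil.AvailableCipherSuites()`, unlike the v2 flag in the same PR, so a misspelled suite name is accepted by cobra and any error is deferred to whatever consumes `globalFlags.TLS.CipherSuites`, which is outside this hunk. Because the flag exists to restrict the handshake, a name that is silently dropped downstream would widen the cipher set rather than narrow it; the two binaries should fail in the same place, so either wrap the value in a `pflag.Value` that validates at parse time (for example `flags.NewStringSliceFlag(tlsutil.AvailableCipherSuites()...)` registered with `rootCmd.PersistentFlags().Var(...)`) or check the list explicitly before any connection is made. The usage string also says the list is "for the server" although this is the etcdctl client; `comma-separated list of TLS cipher suites the client may negotiate` reads correctly. `init` continues outside the hunk.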
@@ -16,8 +16,10 @@ package etcdmain | |
|
||
import ( | ||
"strconv" | ||
"strings" | ||
|
||
"github.com/coreos/etcd/embed" | ||
"github.com/coreos/etcd/pkg/tlsutil" | ||
) | ||
|
||
var ( | ||
|
@@ -158,6 +160,8 @@ security flags: | |
peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. | ||
--peer-crl-file '' | ||
path to the peer certificate revocation list file. | ||
--cipher-suites '' | ||
comma-separated list of cipher suites for the server. Available cipher suites include ` + strings.Join(tlsutil.AvailableCipherSuites(), ",") + `. If omitted, the default Go cipher suites will be used. | ||
|
||
|
||
logging flags | ||
|
||
|
@@ -14,7 +14,10 @@ | |
|
||
package flags | ||
|
||
import "errors" | ||
import ( | ||
"errors" | ||
"strings" | ||
) | ||
|
||
// NewStringsFlag creates a new string flag for which any one of the given | ||
// strings is a valid value, and any other value is an error. | ||
|
@@ -25,25 +28,87 @@ func NewStringsFlag(valids ...string) *StringsFlag { | |
return &StringsFlag{Values: valids, val: valids[0]} | ||
} | ||
|
||
// StringsFlag implements the flag.Value interface. | ||
// StringsFlag implements the flag.Value and pflag.Value interfaces. | ||
type StringsFlag struct { | ||
Values []string | ||
val string | ||
} | ||
|
||
// Set verifies the argument to be a valid member of the allowed values | ||
// before setting the underlying flag value. | ||
func (ss *StringsFlag) Set(s string) error { | ||
for _, v := range ss.Values { | ||
func (sf *StringsFlag) Set(s string) error { | ||
for _, v := range sf.Values { | ||
if s == v { | ||
ss.val = s | ||
sf.val = s | ||
return nil | ||
} | ||
} | ||
return errors.New("invalid value") | ||
} | ||
|
||
// String returns the set value (if any) of the StringsFlag | ||
func (ss *StringsFlag) String() string { | ||
return ss.val | ||
func (sf *StringsFlag) String() string { | ||
return sf.val | ||
} | ||
|
||
// Type returns the given type as string | ||
func (sf *StringsFlag) Type() string { | ||
return "string" | ||
} | ||
|
||
// StringSliceFlag implements the flag.Value and pflag.Value interfaces. | ||
type StringSliceFlag struct { | ||
Values []string | ||
this is a confusing name, maybe ValidValues instead?
||
val []string | ||
} | ||
|
||
// NewStringSliceFlag creates a new string slice flag for which any one of the given | ||
// strings is a valid value, and any other value is an error. | ||
func NewStringSliceFlag(valids ...string) *StringSliceFlag { | ||
suggest giving separate control over valid values and default value(s), instead of assuming
||
return &StringSliceFlag{Values: valids, val: []string{}} | ||
} | ||
|
||
// Set verifies the argument to be a valid member of the allowed values | ||
// before setting the underlying flag value. | ||
func (ssf *StringSliceFlag) Set(s string) error { | ||
sl := strings.Split(s, ",") | ||
ssf.val = []string{} | ||
|
||
for _, s := range sl { | ||
if !ssf.has(s) { | ||
return errors.New("invalid value") | ||
} | ||
|
||
ssf.val = append(ssf.val, s) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// String returns the set value (if any) of the StringSliceFlag | ||
func (ssf *StringSliceFlag) String() string { | ||
return strings.Join(ssf.val, ",") | ||
} | ||
|
||
// Slice returns the set value (if any) of the StringSliceFlag as a slice | ||
func (ssf *StringSliceFlag) Slice() []string { | ||
clone := make([]string, len(ssf.val)) | ||
copy(clone, ssf.val) | ||
return clone | ||
} | ||
|
||
// Type returns the given type as stringSlice | ||
func (ssf *StringSliceFlag) Type() string { | ||
return "stringSlice" | ||
} | ||
|
||
// has checks to see if value in in allowed slice | ||
func (ssf *StringSliceFlag) has(s string) bool { | ||
for _, v := range ssf.Values { | ||
if v == s { | ||
return true | ||
} | ||
} | ||
|
||
return false | ||
} |
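Review bot: `StringSliceFlag.Set` (the new method at L204-L220) returns the bare `errors.New("invalid value")` without naming the rejected token or the permitted set, and it appends into `ssf.val` as it goes, so on failure the flag is left holding a partial list; for a flag whose job is to pin TLS cipher suites the operator needs to see which name was wrong and the stored value should not change on error. It also rejects `--cipher-suites=` outright, since `strings.Split("", ",")` yields one empty token, and any list written with a space after a comma, because nothing is trimmed — the error message should at least make that visible. Suggest collecting into a local, trimming each token, and reporting the offender together with `Values`; this needs `fmt` added to the import block at L132-L135.
```go
// Set validates every comma-separated token against Values before
// replacing the stored list; on error the previous value is left intact.
func (ssf *StringSliceFlag) Set(s string) error {
	vals := []string{}
	for _, v := range strings.Split(s, ",") {
		v = strings.TrimSpace(v)
		if !ssf.has(v) {
			return fmt.Errorf("invalid value %q, expected one of %s", v, strings.Join(ssf.Values, ","))
		}
		vals = append(vals, v)
	}
	ssf.val = vals
	return nil
}
```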
why do we need this in this PR?
agree, would like this removed