diff --git a/internal/config/tls.go b/internal/config/tls.go index e8bd1f35cb..64c08d8c71 100644 --- a/internal/config/tls.go +++ b/internal/config/tls.go @@ -34,6 +34,7 @@ type TLS struct { CA string `yaml:"ca" json:"ca"` } +// Bind returns TLS object whose every value except Enabled is field value of environment value. func (t *TLS) Bind() *TLS { t.Cert = GetActualValue(t.Cert) t.Key = GetActualValue(t.Key) @@ -41,6 +42,7 @@ func (t *TLS) Bind() *TLS { return t } +// Opts returns []tls.Option object whose every value is field value. func (t *TLS) Opts() []tls.Option { return []tls.Option{ tls.WithCa(t.CA), diff --git a/internal/config/tls_test.go b/internal/config/tls_test.go index 70f85de72b..b8bb9b447b 100644 --- a/internal/config/tls_test.go +++ b/internal/config/tls_test.go @@ -18,6 +18,7 @@ package config import ( + "os" "reflect" "testing" 
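Review bot: The new doc comment on Bind, `// Bind returns TLS object whose every value except Enabled is field value of environment value.`, is hard to parse and does not say that the receiver is mutated in place; the hunk shows t.Cert and t.Key being rewritten through GetActualValue and the function returning t, so something like `// Bind resolves the Cert, Key and CA fields through GetActualValue in place and returns the receiver; Enabled is left untouched.` states the contract (CA is presumably handled on the line between the two hunks, which is not visible here). The same applies to the Opts comment in the second hunk of this file: it should say that the three fields are mapped to tls.WithCa/WithCert/WithKey and that the Enabled flag is not consulted — the test cases in tls_test.go build the same three options with Enabled unset — so callers must gate on Enabled themselves before calling Opts. Both Bind and Opts continue outside their hunks.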
@@ -50,37 +51,56 @@ func TestTLS_Bind(t *testing.T) { return nil } tests := []test{ - // TODO test cases - /* - { - name: "test_case_1", - fields: fields { - Enabled: false, - Cert: "", - Key: "", - CA: "", - }, - want: want{}, - checkFunc: defaultCheckFunc, - }, - */ - - // TODO test cases - /* - func() test { - return test { - name: "test_case_2", - fields: fields { - Enabled: false, - Cert: "", - Key: "", - CA: "", - }, - want: want{}, - checkFunc: defaultCheckFunc, - } - }(), - */ + { + name: "returns TLS when all fields contain no prefix/suffix symbol", + fields: fields{ + Enabled: true, + Cert: "cert", + Key: "key", + CA: "ca", + }, + want: want{ + want: &TLS{ + Enabled: true, + Cert: "cert", + Key: "key", + CA: "ca", + }, + }, + }, + { + name: "returns TLS with environment variable when it contains `_` prefix and suffix", + fields: fields{ + Enabled: true, + Cert: "_cert_", + Key: "_key_", + CA: "_ca_", + }, + beforeFunc: func() { + _ = os.Setenv("cert", "tls_cert") + _ = os.Setenv("key", "tls_key") + _ = os.Setenv("ca", "tls_ca") + }, + afterFunc: func() { + _ = os.Unsetenv("cert") + _ = os.Unsetenv("key") + _ = os.Unsetenv("ca") + }, + want: want{ + want: &TLS{ + Enabled: true, + Cert: "tls_cert", + Key: "tls_key", + CA: "tls_ca", + }, + }, + }, + { + name: "returns TLS when all fields are empty", + want: want{ + want: new(TLS), + }, + }, } for _, test := range tests { 
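Review bot: The second Bind case sets process-wide environment variables `cert`, `key` and `ca` with `os.Setenv` and discards the returned errors, so a failure would silently run the case against stale values, and `os.Unsetenv` in afterFunc removes rather than restores any pre-existing value of those names. Since `t` is in scope from TestTLS_Bind, `t.Setenv("cert", "tls_cert")` (Go 1.17+) fails the test on error and restores the previous value when the test ends, which also makes afterFunc unnecessary; if the table loop (outside the hunk) calls t.Parallel, t.Setenv panics and a unique per-case name would be needed instead. Generic lowercase names such as `cert` are also more likely to collide with the ambient environment of a CI runner than a deliberately unusual name like `TLS_TEST_CERT` (constructed example), given that GetActualValue resolves them from the surrounding `_` prefix/suffix convention per the case name. The test function continues outside the hunk.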
@@ -129,43 +149,50 @@ func TestTLS_Opts(t *testing.T) { afterFunc func() } defaultCheckFunc := func(w want, got []tls.Option) error { - if !reflect.DeepEqual(got, w.want) { - return errors.Errorf("got = %v, want %v", got, w.want) + if len(w.want) != len(got) { + return errors.Errorf("len(got) = %d, len(want) = %d", len(got), len(w.want)) + } + for i := range w.want { + ok := false + for j := range got { + if reflect.ValueOf(w.want[i]).Pointer() == reflect.ValueOf(got[j]).Pointer() { + ok = true + break + } + } + if !ok { + return errors.Errorf("got = %v, want %v", got, w.want) + } } return nil } tests := []test{ - // TODO test cases - /* - { - name: "test_case_1", - fields: fields { - Enabled: false, - Cert: "", - Key: "", - CA: "", - }, - want: want{}, - checkFunc: defaultCheckFunc, - }, - */ - - // TODO test cases - /* - func() test { - return test { - name: "test_case_2", - fields: fields { - Enabled: false, - Cert: "", - Key: "", - CA: "", - }, - want: want{}, - checkFunc: defaultCheckFunc, - } - }(), - */ + { + name: "returns []tls.Option", + fields: fields{ + Enabled: true, + Cert: "cert", + Key: "key", + CA: "ca", + }, + want: want{ + want: []tls.Option{ + tls.WithCa("ca"), + tls.WithCert("cert"), + tls.WithKey("key"), + }, + }, + }, + { + name: "returns []tls.Option", + want: want{ + want: []tls.Option{ + tls.WithCa(""), + tls.WithCert(""), + tls.WithKey(""), + }, + }, + }, } for _, test := range tests { diff --git a/internal/tls/option.go b/internal/tls/option.go index 324e188616..4a41d887c1 100644 --- a/internal/tls/option.go +++ b/internal/tls/option.go 
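Review bot: The rewritten defaultCheckFunc compares options by `reflect.ValueOf(...).Pointer()`, which for closures is the code pointer of the enclosing constructor, not the captured argument; every `tls.WithCa(x)` has the same pointer regardless of x, so the check only proves that some WithCa, WithCert and WithKey closure is present and cannot catch Opts passing the wrong field (the second case with empty strings would pass against the first case's expectation, and swapped cert/key material would also pass). Because the match loop accepts any got[j] per want[i], a result containing WithCa three times would pass too; a length check plus index-wise comparison is at least stricter, and a real value check needs the options applied to a credentials value and the resulting fields compared, which is only possible from inside the tls package since credentials is unexported — presumably, as the type is not visible here. The two new cases also share the name `"returns []tls.Option"`; the second should be something like `"returns []tls.Option with empty values when all fields are empty"` so a failure report identifies the case. TestTLS_Opts continues outside the hunk.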
@@ -22,49 +22,7 @@ import "crypto/tls" type Option func(*credentials) error var ( - defaultOpts = []Option{ - WithTLSConfig(&tls.Config{ - MinVersion: tls.VersionTLS12, - NextProtos: []string{ - "http/1.1", - "h2", - }, - CurvePreferences: []tls.CurveID{ - tls.CurveP521, - tls.CurveP384, - tls.CurveP256, - tls.X25519, - }, - SessionTicketsDisabled: true, - // PreferServerCipherSuites: true, - // CipherSuites: []uint16{ - // tls.TLS_RSA_WITH_RC4_128_SHA, - // tls.TLS_RSA_WITH_AES_128_CBC_SHA, - // tls.TLS_RSA_WITH_AES_256_CBC_SHA, - // tls.TLS_RSA_WITH_AES_128_CBC_SHA256, - // tls.TLS_RSA_WITH_AES_128_GCM_SHA256, - // tls.TLS_RSA_WITH_AES_256_GCM_SHA384, - // tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, - // tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, - // tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, - // tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, - // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, - // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - // tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - // tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, - // tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, - // tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, - // tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, - // tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // Maybe this is work on TLS 1.2 - // tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // TLS1.3 Feature - // tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // TLS1.3 Feature - // tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // Go 1.8 only - // tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only - // }, - ClientAuth: tls.NoClientCert, - }), - } + defaultOpts = []Option{} ) func WithCert(cert string) Option { diff --git a/internal/tls/tls.go b/internal/tls/tls.go index 2f8c8f17ba..578f6444ba 100644 --- a/internal/tls/tls.go +++ b/internal/tls/tls.go 
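Review bot: `defaultOpts = []Option{}` leaves an empty but allocated slice whose only remaining role is presumably to be ranged over in New; the idiomatic form is the nil zero value, `var defaultOpts []Option`, or the variable can be removed entirely now that the default configuration lives in New. More importantly, the old default ran before any caller-supplied option, so an option that writes through c.cfg (one that sets a single field on an existing config, if any such option exists in the rest of this file) used to find a non-nil config; after this change c.cfg stays nil until New's post-option check, so such an option would either dereference nil or have its change discarded by the default block. The remainder of option.go is outside the hunk, so please verify that WithTLSConfig is the only option touching c.cfg, and add a comment on the var stating that defaults are now applied lazily in New.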
@@ -53,6 +53,49 @@ func New(opts ...Option) (*Config, error) { return nil, errors.ErrTLSCertOrKeyNotFound } + if c.cfg == nil { + c.cfg = &tls.Config{ + MinVersion: tls.VersionTLS12, + NextProtos: []string{ + "http/1.1", + "h2", + }, + CurvePreferences: []tls.CurveID{ + tls.CurveP521, + tls.CurveP384, + tls.CurveP256, + tls.X25519, + }, + SessionTicketsDisabled: true, + // PreferServerCipherSuites: true, + // CipherSuites: []uint16{ + // tls.TLS_RSA_WITH_RC4_128_SHA, + // tls.TLS_RSA_WITH_AES_128_CBC_SHA, + // tls.TLS_RSA_WITH_AES_256_CBC_SHA, + // tls.TLS_RSA_WITH_AES_128_CBC_SHA256, + // tls.TLS_RSA_WITH_AES_128_GCM_SHA256, + // tls.TLS_RSA_WITH_AES_256_GCM_SHA384, + // tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + // tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + // tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + // tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, + // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + // tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + // tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + // tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + // tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + // tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + // tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + // tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, // Maybe this is work on TLS 1.2 + // tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA, // TLS1.3 Feature + // tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, // TLS1.3 Feature + // tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // Go 1.8 only + // tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only + // }, + ClientAuth: tls.NoClientCert, + } + } c.cfg.Certificates = make([]tls.Certificate, 1) c.cfg.Certificates[0], err = tls.LoadX509KeyPair(c.cert, c.key) if err != nil {
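Review bot: The hardening in the new `if c.cfg == nil` block (MinVersion TLS 1.2, SessionTicketsDisabled) is skipped entirely when the caller supplied a config through WithTLSConfig, so a caller passing `&tls.Config{}` gets the crypto/tls defaults with no floor enforced by this package; if the intent is a baseline regardless of caller input, enforce it after the block with `if c.cfg.MinVersion < tls.VersionTLS12 { c.cfg.MinVersion = tls.VersionTLS12 }` (MinVersion 0 means "library default", which the comparison also catches). The commented-out CipherSuites block is moved verbatim and still lists RC4, 3DES and CBC suites with inaccurate annotations (3DES is not a "TLS1.3 Feature", the ChaCha20 suites are not "Go 1.8 only"); leaving CipherSuites nil is the right choice since Go orders its defaults sensibly and TLS 1.3 suites are not configurable, so the block should be deleted rather than relocated, or reduced to `// CipherSuites intentionally nil: crypto/tls defaults apply; TLS 1.3 suites are not configurable.` so nobody uncomments a weak suite later. `ClientAuth: tls.NoClientCert` is the zero value and deserves either removal or a why-comment noting that mTLS is opt-in via a caller config. New starts before the hunk and continues after it.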