all: resync with master
This commit is contained in:
Eugene Burkov
@@ -121,6 +121,8 @@ func (clients *clientsContainer) Init(
|
||||
|
||||
sigHdlr.addClientStorage(clients.storage)
|
||||
|
||||
filteringConf.ApplyClientFiltering = clients.storage.ApplyClientFiltering
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
||||
@@ -247,7 +247,6 @@ func newServerConfig(
|
||||
hosts := aghalg.CoalesceSlice(dnsConf.BindHosts, []netip.Addr{netutil.IPv4Localhost()})
|
||||
|
||||
fwdConf := dnsConf.Config
|
||||
fwdConf.FilterHandler = applyAdditionalFiltering
|
||||
fwdConf.ClientsContainer = clientsContainer
|
||||
|
||||
newConf = &dnsforward.ServerConfig{
|
||||
@@ -411,57 +410,6 @@ func getDNSEncryption(tlsMgr *tlsManager) (de dnsEncryption) {
|
||||
return de
|
||||
}
|
||||
|
||||
// applyAdditionalFiltering adds additional client information and settings if
|
||||
// the client has them.
|
||||
func applyAdditionalFiltering(clientIP netip.Addr, clientID string, setts *filtering.Settings) {
|
||||
// pref is a prefix for logging messages around the scope.
|
||||
const pref = "applying filters"
|
||||
|
||||
globalContext.filters.ApplyBlockedServices(setts)
|
||||
|
||||
log.Debug("%s: looking for client with ip %s and clientid %q", pref, clientIP, clientID)
|
||||
|
||||
if !clientIP.IsValid() {
|
||||
return
|
||||
}
|
||||
|
||||
setts.ClientIP = clientIP
|
||||
|
||||
c, ok := globalContext.clients.storage.Find(clientID)
|
||||
if !ok {
|
||||
c, ok = globalContext.clients.storage.Find(clientIP.String())
|
||||
if !ok {
|
||||
log.Debug("%s: no clients with ip %s and clientid %q", pref, clientIP, clientID)
|
||||
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
log.Debug("%s: using settings for client %q (%s; %q)", pref, c.Name, clientIP, clientID)
|
||||
|
||||
if c.UseOwnBlockedServices {
|
||||
// TODO(e.burkov): Get rid of this crutch.
|
||||
setts.ServicesRules = nil
|
||||
svcs := c.BlockedServices.IDs
|
||||
if !c.BlockedServices.Schedule.Contains(time.Now()) {
|
||||
globalContext.filters.ApplyBlockedServicesList(setts, svcs)
|
||||
log.Debug("%s: services for client %q set: %s", pref, c.Name, svcs)
|
||||
}
|
||||
}
|
||||
|
||||
setts.ClientName = c.Name
|
||||
setts.ClientTags = c.Tags
|
||||
if !c.UseOwnSettings {
|
||||
return
|
||||
}
|
||||
|
||||
setts.FilteringEnabled = c.FilteringEnabled
|
||||
setts.SafeSearchEnabled = c.SafeSearchConf.Enabled
|
||||
setts.ClientSafeSearch = c.SafeSearch
|
||||
setts.SafeBrowsingEnabled = c.SafeBrowsingEnabled
|
||||
setts.ParentalEnabled = c.ParentalEnabled
|
||||
}
|
||||
|
||||
func startDNSServer() error {
|
||||
config.RLock()
|
||||
defer config.RUnlock()
|
||||
@@ -495,31 +443,6 @@ func startDNSServer() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// reconfigureDNSServer updates the DNS server configuration using the provided
|
||||
// TLS settings. tlsMgr must not be nil.
|
||||
func reconfigureDNSServer(tlsMgr *tlsManager) (err error) {
|
||||
tlsConf := &tlsConfigSettings{}
|
||||
tlsMgr.WriteDiskConfig(tlsConf)
|
||||
|
||||
newConf, err := newServerConfig(
|
||||
&config.DNS,
|
||||
config.Clients.Sources,
|
||||
tlsConf,
|
||||
httpRegister,
|
||||
globalContext.clients.storage,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("generating forwarding dns server config: %w", err)
|
||||
}
|
||||
|
||||
err = globalContext.dnsServer.Reconfigure(newConf)
|
||||
if err != nil {
|
||||
return fmt.Errorf("starting forwarding dns server: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func stopDNSServer() (err error) {
|
||||
if !isRunning() {
|
||||
return nil
|
||||
|
||||
@@ -1,206 +0,0 @@
|
||||
package home
|
||||
|
||||
import (
|
||||
"net/netip"
|
||||
"testing"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/client"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/filtering"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/schedule"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
"github.com/AdguardTeam/golibs/testutil"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
var testIPv4 = netip.AddrFrom4([4]byte{1, 2, 3, 4})
|
||||
|
||||
// newStorage is a helper function that returns a client storage filled with
|
||||
// persistent clients. It also generates a UID for each client.
|
||||
func newStorage(tb testing.TB, clients []*client.Persistent) (s *client.Storage) {
|
||||
tb.Helper()
|
||||
|
||||
ctx := testutil.ContextWithTimeout(tb, testTimeout)
|
||||
s, err := client.NewStorage(ctx, &client.StorageConfig{
|
||||
Logger: slogutil.NewDiscardLogger(),
|
||||
})
|
||||
require.NoError(tb, err)
|
||||
|
||||
for _, p := range clients {
|
||||
p.UID = client.MustNewUID()
|
||||
require.NoError(tb, s.Add(ctx, p))
|
||||
}
|
||||
|
||||
return s
|
||||
}
|
||||
|
||||
func TestApplyAdditionalFiltering(t *testing.T) {
|
||||
var err error
|
||||
|
||||
globalContext.filters, err = filtering.New(&filtering.Config{
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.EmptyWeekly(),
|
||||
},
|
||||
}, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage = newStorage(t, []*client.Persistent{{
|
||||
Name: "default",
|
||||
ClientIDs: []string{"default"},
|
||||
UseOwnSettings: false,
|
||||
SafeSearchConf: filtering.SafeSearchConfig{Enabled: false},
|
||||
FilteringEnabled: false,
|
||||
SafeBrowsingEnabled: false,
|
||||
ParentalEnabled: false,
|
||||
}, {
|
||||
Name: "custom_filtering",
|
||||
ClientIDs: []string{"custom_filtering"},
|
||||
UseOwnSettings: true,
|
||||
SafeSearchConf: filtering.SafeSearchConfig{Enabled: true},
|
||||
FilteringEnabled: true,
|
||||
SafeBrowsingEnabled: true,
|
||||
ParentalEnabled: true,
|
||||
}, {
|
||||
Name: "partial_custom_filtering",
|
||||
ClientIDs: []string{"partial_custom_filtering"},
|
||||
UseOwnSettings: true,
|
||||
SafeSearchConf: filtering.SafeSearchConfig{Enabled: true},
|
||||
FilteringEnabled: true,
|
||||
SafeBrowsingEnabled: false,
|
||||
ParentalEnabled: false,
|
||||
}})
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
id string
|
||||
FilteringEnabled assert.BoolAssertionFunc
|
||||
SafeSearchEnabled assert.BoolAssertionFunc
|
||||
SafeBrowsingEnabled assert.BoolAssertionFunc
|
||||
ParentalEnabled assert.BoolAssertionFunc
|
||||
}{{
|
||||
name: "global_settings",
|
||||
id: "default",
|
||||
FilteringEnabled: assert.False,
|
||||
SafeSearchEnabled: assert.False,
|
||||
SafeBrowsingEnabled: assert.False,
|
||||
ParentalEnabled: assert.False,
|
||||
}, {
|
||||
name: "custom_settings",
|
||||
id: "custom_filtering",
|
||||
FilteringEnabled: assert.True,
|
||||
SafeSearchEnabled: assert.True,
|
||||
SafeBrowsingEnabled: assert.True,
|
||||
ParentalEnabled: assert.True,
|
||||
}, {
|
||||
name: "partial",
|
||||
id: "partial_custom_filtering",
|
||||
FilteringEnabled: assert.True,
|
||||
SafeSearchEnabled: assert.True,
|
||||
SafeBrowsingEnabled: assert.False,
|
||||
ParentalEnabled: assert.False,
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
setts := &filtering.Settings{}
|
||||
|
||||
applyAdditionalFiltering(testIPv4, tc.id, setts)
|
||||
tc.FilteringEnabled(t, setts.FilteringEnabled)
|
||||
tc.SafeSearchEnabled(t, setts.SafeSearchEnabled)
|
||||
tc.SafeBrowsingEnabled(t, setts.SafeBrowsingEnabled)
|
||||
tc.ParentalEnabled(t, setts.ParentalEnabled)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestApplyAdditionalFiltering_blockedServices(t *testing.T) {
|
||||
filtering.InitModule()
|
||||
|
||||
var (
|
||||
globalBlockedServices = []string{"ok"}
|
||||
clientBlockedServices = []string{"ok", "mail_ru", "vk"}
|
||||
invalidBlockedServices = []string{"invalid"}
|
||||
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.filters, err = filtering.New(&filtering.Config{
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.EmptyWeekly(),
|
||||
IDs: globalBlockedServices,
|
||||
},
|
||||
}, nil)
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage = newStorage(t, []*client.Persistent{{
|
||||
Name: "default",
|
||||
ClientIDs: []string{"default"},
|
||||
UseOwnBlockedServices: false,
|
||||
}, {
|
||||
Name: "no_services",
|
||||
ClientIDs: []string{"no_services"},
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.EmptyWeekly(),
|
||||
},
|
||||
UseOwnBlockedServices: true,
|
||||
}, {
|
||||
Name: "services",
|
||||
ClientIDs: []string{"services"},
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.EmptyWeekly(),
|
||||
IDs: clientBlockedServices,
|
||||
},
|
||||
UseOwnBlockedServices: true,
|
||||
}, {
|
||||
Name: "invalid_services",
|
||||
ClientIDs: []string{"invalid_services"},
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.EmptyWeekly(),
|
||||
IDs: invalidBlockedServices,
|
||||
},
|
||||
UseOwnBlockedServices: true,
|
||||
}, {
|
||||
Name: "allow_all",
|
||||
ClientIDs: []string{"allow_all"},
|
||||
BlockedServices: &filtering.BlockedServices{
|
||||
Schedule: schedule.FullWeekly(),
|
||||
IDs: clientBlockedServices,
|
||||
},
|
||||
UseOwnBlockedServices: true,
|
||||
}})
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
id string
|
||||
wantLen int
|
||||
}{{
|
||||
name: "global_settings",
|
||||
id: "default",
|
||||
wantLen: len(globalBlockedServices),
|
||||
}, {
|
||||
name: "custom_settings",
|
||||
id: "no_services",
|
||||
wantLen: 0,
|
||||
}, {
|
||||
name: "custom_settings_block",
|
||||
id: "services",
|
||||
wantLen: len(clientBlockedServices),
|
||||
}, {
|
||||
name: "custom_settings_invalid",
|
||||
id: "invalid_services",
|
||||
wantLen: 0,
|
||||
}, {
|
||||
name: "custom_settings_inactive_schedule",
|
||||
id: "allow_all",
|
||||
wantLen: 0,
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
setts := &filtering.Settings{}
|
||||
|
||||
applyAdditionalFiltering(testIPv4, tc.id, setts)
|
||||
require.Len(t, setts.ServicesRules, tc.wantLen)
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -664,7 +664,8 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}, sigHdlr *signalH
|
||||
globalContext.auth, err = initUsers()
|
||||
fatalOnError(err)
|
||||
|
||||
tlsMgr, err := newTLSManager(config.TLS, config.DNS.ServePlainDNS)
|
||||
tlsMgrLogger := slogLogger.With(slogutil.KeyPrefix, "tls_manager")
|
||||
tlsMgr, err := newTLSManager(ctx, tlsMgrLogger, config.TLS, config.DNS.ServePlainDNS)
|
||||
if err != nil {
|
||||
log.Error("initializing tls: %s", err)
|
||||
onConfigModified()
|
||||
|
||||
@@ -116,6 +116,6 @@ func (h *signalHandler) reloadConfig(ctx context.Context) {
|
||||
}
|
||||
|
||||
if h.tlsManager != nil {
|
||||
h.tlsManager.reload()
|
||||
h.tlsManager.reload(ctx)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -12,6 +12,7 @@ import (
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
@@ -23,13 +24,17 @@ import (
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/log"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
"github.com/c2h5oh/datasize"
|
||||
"github.com/google/go-cmp/cmp"
|
||||
)
|
||||
|
||||
// tlsManager contains the current configuration and state of AdGuard Home TLS
|
||||
// encryption.
|
||||
type tlsManager struct {
|
||||
// logger is used for logging the operation of the TLS Manager.
|
||||
logger *slog.Logger
|
||||
|
||||
// status is the current status of the configuration. It is never nil.
|
||||
status *tlsConfigStatus
|
||||
|
||||
@@ -45,31 +50,38 @@ type tlsManager struct {
|
||||
|
||||
// newTLSManager initializes the manager of TLS configuration. m is always
|
||||
// non-nil while any returned error indicates that the TLS configuration isn't
|
||||
// valid. Thus TLS may be initialized later, e.g. via the web UI.
|
||||
func newTLSManager(conf tlsConfigSettings, servePlainDNS bool) (m *tlsManager, err error) {
|
||||
// valid. Thus TLS may be initialized later, e.g. via the web UI. logger must
|
||||
// not be nil.
|
||||
func newTLSManager(
|
||||
ctx context.Context,
|
||||
logger *slog.Logger,
|
||||
conf tlsConfigSettings,
|
||||
servePlainDNS bool,
|
||||
) (m *tlsManager, err error) {
|
||||
m = &tlsManager{
|
||||
logger: logger,
|
||||
status: &tlsConfigStatus{},
|
||||
conf: conf,
|
||||
servePlainDNS: servePlainDNS,
|
||||
}
|
||||
|
||||
if m.conf.Enabled {
|
||||
err = m.load()
|
||||
err = m.load(ctx)
|
||||
if err != nil {
|
||||
m.conf.Enabled = false
|
||||
|
||||
return m, err
|
||||
}
|
||||
|
||||
m.setCertFileTime()
|
||||
m.setCertFileTime(ctx)
|
||||
}
|
||||
|
||||
return m, nil
|
||||
}
|
||||
|
||||
// load reloads the TLS configuration from files or data from the config file.
|
||||
func (m *tlsManager) load() (err error) {
|
||||
err = loadTLSConf(&m.conf, m.status)
|
||||
func (m *tlsManager) load(ctx context.Context) (err error) {
|
||||
err = m.loadTLSConf(ctx, &m.conf, m.status)
|
||||
if err != nil {
|
||||
return fmt.Errorf("loading config: %w", err)
|
||||
}
|
||||
@@ -84,16 +96,16 @@ func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
|
||||
m.confLock.Unlock()
|
||||
}
|
||||
|
||||
// setCertFileTime sets t.certLastMod from the certificate. If there are
|
||||
// errors, setCertFileTime logs them.
|
||||
func (m *tlsManager) setCertFileTime() {
|
||||
// setCertFileTime sets [tlsManager.certLastMod] from the certificate. If there
|
||||
// are errors, setCertFileTime logs them.
|
||||
func (m *tlsManager) setCertFileTime(ctx context.Context) {
|
||||
if len(m.conf.CertificatePath) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
fi, err := os.Stat(m.conf.CertificatePath)
|
||||
if err != nil {
|
||||
log.Error("tls: looking up certificate path: %s", err)
|
||||
m.logger.ErrorContext(ctx, "looking up certificate path", slogutil.KeyError, err)
|
||||
|
||||
return
|
||||
}
|
||||
@@ -117,8 +129,8 @@ func (m *tlsManager) start(_ context.Context) {
|
||||
globalContext.web.tlsConfigChanged(context.Background(), tlsConf)
|
||||
}
|
||||
|
||||
// reload updates the configuration and restarts t.
|
||||
func (m *tlsManager) reload() {
|
||||
// reload updates the configuration and restarts the TLS manager.
|
||||
func (m *tlsManager) reload(ctx context.Context) {
|
||||
m.confLock.Lock()
|
||||
tlsConf := m.conf
|
||||
m.confLock.Unlock()
|
||||
@@ -127,33 +139,37 @@ func (m *tlsManager) reload() {
|
||||
return
|
||||
}
|
||||
|
||||
fi, err := os.Stat(tlsConf.CertificatePath)
|
||||
certPath := tlsConf.CertificatePath
|
||||
fi, err := os.Stat(certPath)
|
||||
if err != nil {
|
||||
log.Error("tls: %s", err)
|
||||
m.logger.ErrorContext(ctx, "checking certificate file", slogutil.KeyError, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
if fi.ModTime().UTC().Equal(m.certLastMod) {
|
||||
log.Debug("tls: certificate file isn't modified")
|
||||
m.logger.InfoContext(ctx, "certificate file is not modified")
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
log.Debug("tls: certificate file is modified")
|
||||
m.logger.InfoContext(ctx, "certificate file is modified")
|
||||
|
||||
m.confLock.Lock()
|
||||
err = m.load()
|
||||
err = m.load(ctx)
|
||||
m.confLock.Unlock()
|
||||
if err != nil {
|
||||
log.Error("tls: reloading: %s", err)
|
||||
m.logger.ErrorContext(ctx, "reloading", slogutil.KeyError, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
m.certLastMod = fi.ModTime().UTC()
|
||||
|
||||
_ = reconfigureDNSServer(m)
|
||||
err = m.reconfigureDNSServer()
|
||||
if err != nil {
|
||||
m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
m.confLock.Lock()
|
||||
tlsConf = m.conf
|
||||
@@ -165,9 +181,38 @@ func (m *tlsManager) reload() {
|
||||
globalContext.web.tlsConfigChanged(context.Background(), tlsConf)
|
||||
}
|
||||
|
||||
// reconfigureDNSServer updates the DNS server configuration using the stored
|
||||
// TLS settings.
|
||||
func (m *tlsManager) reconfigureDNSServer() (err error) {
|
||||
tlsConf := &tlsConfigSettings{}
|
||||
m.WriteDiskConfig(tlsConf)
|
||||
|
||||
newConf, err := newServerConfig(
|
||||
&config.DNS,
|
||||
config.Clients.Sources,
|
||||
tlsConf,
|
||||
httpRegister,
|
||||
globalContext.clients.storage,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("generating forwarding dns server config: %w", err)
|
||||
}
|
||||
|
||||
err = globalContext.dnsServer.Reconfigure(newConf)
|
||||
if err != nil {
|
||||
return fmt.Errorf("starting forwarding dns server: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// loadTLSConf loads and validates the TLS configuration. The returned error is
|
||||
// also set in status.WarningValidation.
|
||||
func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
|
||||
func (m *tlsManager) loadTLSConf(
|
||||
ctx context.Context,
|
||||
tlsConf *tlsConfigSettings,
|
||||
status *tlsConfigStatus,
|
||||
) (err error) {
|
||||
defer func() {
|
||||
if err != nil {
|
||||
status.WarningValidation = err.Error()
|
||||
@@ -190,7 +235,8 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
|
||||
return err
|
||||
}
|
||||
|
||||
err = validateCertificates(
|
||||
err = m.validateCertificates(
|
||||
ctx,
|
||||
status,
|
||||
tlsConf.CertificateChainData,
|
||||
tlsConf.PrivateKeyData,
|
||||
@@ -342,7 +388,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||
// Skip the error check, since we are only interested in the value of
|
||||
// status.WarningValidation.
|
||||
status := &tlsConfigStatus{}
|
||||
_ = loadTLSConf(&setts.tlsConfigSettings, status)
|
||||
_ = m.loadTLSConf(r.Context(), &setts.tlsConfigSettings, status)
|
||||
resp := tlsConfig{
|
||||
tlsConfigSettingsExt: setts,
|
||||
tlsConfigStatus: status,
|
||||
@@ -353,6 +399,7 @@ func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
// setConfig updates manager conf with the given one.
|
||||
func (m *tlsManager) setConfig(
|
||||
ctx context.Context,
|
||||
newConf tlsConfigSettings,
|
||||
status *tlsConfigStatus,
|
||||
servePlain aghalg.NullBool,
|
||||
@@ -367,10 +414,10 @@ func (m *tlsManager) setConfig(
|
||||
newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
|
||||
newConf.PortDNSCrypt = m.conf.PortDNSCrypt
|
||||
if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
|
||||
log.Info("tls config has changed, restarting https server")
|
||||
m.logger.InfoContext(ctx, "config has changed, restarting https server")
|
||||
restartHTTPS = true
|
||||
} else {
|
||||
log.Info("tls: config has not changed")
|
||||
m.logger.InfoContext(ctx, "config has not changed")
|
||||
}
|
||||
|
||||
// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
|
||||
@@ -398,6 +445,8 @@ func (m *tlsManager) setConfig(
|
||||
// handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
|
||||
// API.
|
||||
func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
|
||||
req, err := unmarshalTLS(r)
|
||||
if err != nil {
|
||||
aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
|
||||
@@ -416,7 +465,7 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
|
||||
}
|
||||
|
||||
status := &tlsConfigStatus{}
|
||||
err = loadTLSConf(&req.tlsConfigSettings, status)
|
||||
err = m.loadTLSConf(ctx, &req.tlsConfigSettings, status)
|
||||
if err != nil {
|
||||
resp := tlsConfig{
|
||||
tlsConfigSettingsExt: req,
|
||||
@@ -428,8 +477,8 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
|
||||
return
|
||||
}
|
||||
|
||||
restartHTTPS := m.setConfig(req.tlsConfigSettings, status, req.ServePlainDNS)
|
||||
m.setCertFileTime()
|
||||
restartHTTPS := m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
|
||||
m.setCertFileTime(ctx)
|
||||
|
||||
if req.ServePlainDNS != aghalg.NBNull {
|
||||
func() {
|
||||
@@ -442,8 +491,10 @@ func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request)
|
||||
|
||||
onConfigModified()
|
||||
|
||||
err = reconfigureDNSServer(m)
|
||||
err = m.reconfigureDNSServer()
|
||||
if err != nil {
|
||||
m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
|
||||
|
||||
aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
|
||||
|
||||
return
|
||||
@@ -530,15 +581,27 @@ func validatePorts(
|
||||
|
||||
// validateCertChain verifies certs using the first as the main one and others
|
||||
// as intermediate. srvName stands for the expected DNS name.
|
||||
func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
|
||||
func (m *tlsManager) validateCertChain(
|
||||
ctx context.Context,
|
||||
certs []*x509.Certificate,
|
||||
srvName string,
|
||||
) (err error) {
|
||||
main, others := certs[0], certs[1:]
|
||||
|
||||
pool := x509.NewCertPool()
|
||||
for _, cert := range others {
|
||||
log.Info("tls: got an intermediate cert")
|
||||
pool.AddCert(cert)
|
||||
}
|
||||
|
||||
othersLen := len(others)
|
||||
if othersLen > 0 {
|
||||
m.logger.InfoContext(
|
||||
ctx,
|
||||
"verifying certificate chain: got an intermediate cert",
|
||||
"num", othersLen,
|
||||
)
|
||||
}
|
||||
|
||||
opts := x509.VerifyOptions{
|
||||
DNSName: srvName,
|
||||
Roots: globalContext.tlsRoots,
|
||||
@@ -552,15 +615,18 @@ func validateCertChain(certs []*x509.Certificate, srvName string) (err error) {
|
||||
return nil
|
||||
}
|
||||
|
||||
// errNoIPInCert is the error that is returned from [parseCertChain] if the leaf
|
||||
// certificate doesn't contain IPs.
|
||||
// errNoIPInCert is the error that is returned from [tlsManager.parseCertChain]
|
||||
// if the leaf certificate doesn't contain IPs.
|
||||
const errNoIPInCert errors.Error = `certificates has no IP addresses; ` +
|
||||
`DNS-over-TLS won't be advertised via DDR`
|
||||
|
||||
// parseCertChain parses the certificate chain from raw data, and returns it.
|
||||
// If ok is true, the returned error, if any, is not critical.
|
||||
func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err error) {
|
||||
log.Debug("tls: got certificate chain: %d bytes", len(chain))
|
||||
func (m *tlsManager) parseCertChain(
|
||||
ctx context.Context,
|
||||
chain []byte,
|
||||
) (parsedCerts []*x509.Certificate, ok bool, err error) {
|
||||
m.logger.DebugContext(ctx, "parsing certificate chain", "size", datasize.ByteSize(len(chain)))
|
||||
|
||||
var certs []*pem.Block
|
||||
for decoded, pemblock := pem.Decode(chain); decoded != nil; {
|
||||
@@ -576,7 +642,7 @@ func parseCertChain(chain []byte) (parsedCerts []*x509.Certificate, ok bool, err
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
log.Info("tls: number of certs: %d", len(parsedCerts))
|
||||
m.logger.InfoContext(ctx, "parsing multiple pem certificates", "num", len(parsedCerts))
|
||||
|
||||
if !aghtls.CertificateHasIP(parsedCerts[0]) {
|
||||
err = errNoIPInCert
|
||||
@@ -643,7 +709,8 @@ func validatePKey(pkey []byte) (keyType string, err error) {
|
||||
// validateCertificates processes certificate data and its private key. status
|
||||
// must not be nil, since it's used to accumulate the validation results. Other
|
||||
// parameters are optional.
|
||||
func validateCertificates(
|
||||
func (m *tlsManager) validateCertificates(
|
||||
ctx context.Context,
|
||||
status *tlsConfigStatus,
|
||||
certChain []byte,
|
||||
pkey []byte,
|
||||
@@ -652,7 +719,7 @@ func validateCertificates(
|
||||
// Check only the public certificate separately from the key.
|
||||
if len(certChain) > 0 {
|
||||
var certs []*x509.Certificate
|
||||
certs, status.ValidCert, err = parseCertChain(certChain)
|
||||
certs, status.ValidCert, err = m.parseCertChain(ctx, certChain)
|
||||
if !status.ValidCert {
|
||||
// Don't wrap the error, since it's informative enough as is.
|
||||
return err
|
||||
@@ -665,7 +732,7 @@ func validateCertificates(
|
||||
status.NotBefore = mainCert.NotBefore
|
||||
status.DNSNames = mainCert.DNSNames
|
||||
|
||||
if chainErr := validateCertChain(certs, serverName); chainErr != nil {
|
||||
if chainErr := m.validateCertChain(ctx, certs, serverName); chainErr != nil {
|
||||
// Let self-signed certs through and don't return this error to set
|
||||
// its message into the status.WarningValidation afterwards.
|
||||
err = chainErr
|
||||
|
||||
@@ -1,11 +1,33 @@
|
||||
package home
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/client"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
"github.com/AdguardTeam/golibs/testutil"
|
||||
"github.com/AdguardTeam/golibs/timeutil"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
var testCertChainData = []byte(`-----BEGIN CERTIFICATE-----
|
||||
@@ -41,9 +63,15 @@ kXS9jgARhhiWXJrk
|
||||
-----END PRIVATE KEY-----`)
|
||||
|
||||
func TestValidateCertificates(t *testing.T) {
|
||||
ctx := testutil.ContextWithTimeout(t, testTimeout)
|
||||
logger := slogutil.NewDiscardLogger()
|
||||
|
||||
m, err := newTLSManager(ctx, logger, tlsConfigSettings{}, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
t.Run("bad_certificate", func(t *testing.T) {
|
||||
status := &tlsConfigStatus{}
|
||||
err := validateCertificates(status, []byte("bad cert"), nil, "")
|
||||
err = m.validateCertificates(ctx, status, []byte("bad cert"), nil, "")
|
||||
testutil.AssertErrorMsg(t, "empty certificate", err)
|
||||
assert.False(t, status.ValidCert)
|
||||
assert.False(t, status.ValidChain)
|
||||
@@ -51,14 +79,14 @@ func TestValidateCertificates(t *testing.T) {
|
||||
|
||||
t.Run("bad_private_key", func(t *testing.T) {
|
||||
status := &tlsConfigStatus{}
|
||||
err := validateCertificates(status, nil, []byte("bad priv key"), "")
|
||||
err = m.validateCertificates(ctx, status, nil, []byte("bad priv key"), "")
|
||||
testutil.AssertErrorMsg(t, "no valid keys were found", err)
|
||||
assert.False(t, status.ValidKey)
|
||||
})
|
||||
|
||||
t.Run("valid", func(t *testing.T) {
|
||||
status := &tlsConfigStatus{}
|
||||
err := validateCertificates(status, testCertChainData, testPrivateKeyData, "")
|
||||
err = m.validateCertificates(ctx, status, testCertChainData, testPrivateKeyData, "")
|
||||
assert.Error(t, err)
|
||||
|
||||
notBefore := time.Date(2019, 2, 27, 9, 24, 23, 0, time.UTC)
|
||||
@@ -75,3 +103,422 @@ func TestValidateCertificates(t *testing.T) {
|
||||
assert.True(t, status.ValidPair)
|
||||
})
|
||||
}
|
||||
|
||||
// storeGlobals is a test helper function that saves global variables and
|
||||
// restores them once the test is complete.
|
||||
//
|
||||
// The global variables are:
|
||||
// - [configuration.dns]
|
||||
// - [homeContext.clients.storage]
|
||||
// - [homeContext.dnsServer]
|
||||
// - [homeContext.mux]
|
||||
// - [homeContext.web]
|
||||
//
|
||||
// TODO(s.chzhen): Remove this once the TLS manager no longer accesses global
|
||||
// variables. Make tests that use this helper concurrent.
|
||||
func storeGlobals(tb testing.TB) {
|
||||
tb.Helper()
|
||||
|
||||
prevConfig := config
|
||||
storage := globalContext.clients.storage
|
||||
dnsServer := globalContext.dnsServer
|
||||
mux := globalContext.mux
|
||||
web := globalContext.web
|
||||
|
||||
tb.Cleanup(func() {
|
||||
config = prevConfig
|
||||
globalContext.clients.storage = storage
|
||||
globalContext.dnsServer = dnsServer
|
||||
globalContext.mux = mux
|
||||
globalContext.web = web
|
||||
})
|
||||
}
|
||||
|
||||
// newCertAndKey is a helper function that generates certificate and key.
|
||||
func newCertAndKey(tb testing.TB, n int64) (certDER []byte, key *rsa.PrivateKey) {
|
||||
tb.Helper()
|
||||
|
||||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
require.NoError(tb, err)
|
||||
|
||||
certTmpl := &x509.Certificate{
|
||||
SerialNumber: big.NewInt(n),
|
||||
}
|
||||
|
||||
certDER, err = x509.CreateCertificate(rand.Reader, certTmpl, certTmpl, &key.PublicKey, key)
|
||||
require.NoError(tb, err)
|
||||
|
||||
return certDER, key
|
||||
}
|
||||
|
||||
// writeCertAndKey is a helper function that writes certificate and key to
|
||||
// specified paths.
|
||||
func writeCertAndKey(
|
||||
tb testing.TB,
|
||||
certDER []byte,
|
||||
certPath string,
|
||||
key *rsa.PrivateKey,
|
||||
keyPath string,
|
||||
) {
|
||||
tb.Helper()
|
||||
|
||||
certFile, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE, 0o600)
|
||||
require.NoError(tb, err)
|
||||
|
||||
defer func() {
|
||||
err = certFile.Close()
|
||||
require.NoError(tb, err)
|
||||
}()
|
||||
|
||||
err = pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})
|
||||
require.NoError(tb, err)
|
||||
|
||||
keyFile, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE, 0o600)
|
||||
require.NoError(tb, err)
|
||||
|
||||
defer func() {
|
||||
err = keyFile.Close()
|
||||
require.NoError(tb, err)
|
||||
}()
|
||||
|
||||
err = pem.Encode(keyFile, &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||
})
|
||||
require.NoError(tb, err)
|
||||
}
|
||||
|
||||
// assertCertSerialNumber is a helper function that checks serial number of the
|
||||
// TLS certificate.
|
||||
func assertCertSerialNumber(tb testing.TB, conf *tlsConfigSettings, wantSN int64) {
|
||||
tb.Helper()
|
||||
|
||||
cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
|
||||
require.NoError(tb, err)
|
||||
|
||||
assert.Equal(tb, wantSN, cert.Leaf.SerialNumber.Int64())
|
||||
}
|
||||
|
||||
func TestTLSManager_Reload(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
logger = slogutil.NewDiscardLogger()
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
|
||||
Logger: logger,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
|
||||
Logger: logger,
|
||||
Clock: timeutil.SystemClock{},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.mux = http.NewServeMux()
|
||||
|
||||
globalContext.web, err = initWeb(ctx, options{}, nil, nil, logger, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
const (
|
||||
snBefore int64 = 1
|
||||
snAfter int64 = 2
|
||||
)
|
||||
|
||||
tmpDir := t.TempDir()
|
||||
certPath := filepath.Join(tmpDir, "cert.pem")
|
||||
keyPath := filepath.Join(tmpDir, "key.pem")
|
||||
|
||||
certDER, key := newCertAndKey(t, snBefore)
|
||||
writeCertAndKey(t, certDER, certPath, key, keyPath)
|
||||
|
||||
m, err := newTLSManager(ctx, logger, tlsConfigSettings{
|
||||
Enabled: true,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificatePath: certPath,
|
||||
PrivateKeyPath: keyPath,
|
||||
},
|
||||
}, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
conf := &tlsConfigSettings{}
|
||||
m.WriteDiskConfig(conf)
|
||||
assertCertSerialNumber(t, conf, snBefore)
|
||||
|
||||
certDER, key = newCertAndKey(t, snAfter)
|
||||
writeCertAndKey(t, certDER, certPath, key, keyPath)
|
||||
|
||||
m.reload(ctx)
|
||||
|
||||
m.WriteDiskConfig(conf)
|
||||
assertCertSerialNumber(t, conf, snAfter)
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSStatus(t *testing.T) {
|
||||
var (
|
||||
logger = slogutil.NewDiscardLogger()
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
m, err := newTLSManager(ctx, logger, tlsConfigSettings{
|
||||
Enabled: true,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificateChain: string(testCertChainData),
|
||||
PrivateKey: string(testPrivateKeyData),
|
||||
},
|
||||
}, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodGet, "/control/tls/status", nil)
|
||||
m.handleTLSStatus(w, r)
|
||||
|
||||
res := &tlsConfigSettingsExt{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantCertificateChain := base64.StdEncoding.EncodeToString(testCertChainData)
|
||||
assert.True(t, res.Enabled)
|
||||
assert.Equal(t, wantCertificateChain, res.CertificateChain)
|
||||
assert.True(t, res.PrivateKeySaved)
|
||||
}
|
||||
|
||||
func TestValidateTLSSettings(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
logger = slogutil.NewDiscardLogger()
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
ln, err := net.Listen("tcp", ":0")
|
||||
require.NoError(t, err)
|
||||
|
||||
testutil.CleanupAndRequireSuccess(t, ln.Close)
|
||||
|
||||
addr := testutil.RequireTypeAssert[*net.TCPAddr](t, ln.Addr())
|
||||
|
||||
busyPort := addr.Port
|
||||
|
||||
globalContext.mux = http.NewServeMux()
|
||||
|
||||
globalContext.web, err = initWeb(ctx, options{}, nil, nil, logger, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
testCases := []struct {
|
||||
setts tlsConfigSettingsExt
|
||||
name string
|
||||
wantErr string
|
||||
}{{
|
||||
name: "basic",
|
||||
setts: tlsConfigSettingsExt{},
|
||||
wantErr: "",
|
||||
}, {
|
||||
setts: tlsConfigSettingsExt{
|
||||
ServePlainDNS: aghalg.NBFalse,
|
||||
},
|
||||
name: "disabled_all",
|
||||
wantErr: "plain DNS is required in case encryption protocols are disabled",
|
||||
}, {
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: uint16(busyPort),
|
||||
},
|
||||
},
|
||||
name: "busy_port",
|
||||
wantErr: fmt.Sprintf("port %d is not available, cannot enable HTTPS on it", busyPort),
|
||||
}, {
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
PortDNSOverTLS: 4433,
|
||||
},
|
||||
},
|
||||
name: "duplicate_port",
|
||||
wantErr: "validating tcp ports: duplicated values: [4433]",
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
err = validateTLSSettings(tc.setts)
|
||||
testutil.AssertErrorMsg(t, tc.wantErr, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSValidate(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
logger = slogutil.NewDiscardLogger()
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.mux = http.NewServeMux()
|
||||
|
||||
globalContext.web, err = initWeb(ctx, options{}, nil, nil, logger, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
m, err := newTLSManager(ctx, logger, tlsConfigSettings{
|
||||
Enabled: true,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificateChain: string(testCertChainData),
|
||||
PrivateKey: string(testPrivateKeyData),
|
||||
},
|
||||
}, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
|
||||
PrivateKey: base64.StdEncoding.EncodeToString(testPrivateKeyData),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/validate", bytes.NewReader(req))
|
||||
m.handleTLSValidate(w, r)
|
||||
|
||||
res := &tlsConfigStatus{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.Issuer)
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSConfigure(t *testing.T) {
|
||||
// Store the global state before making any changes.
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
logger = slogutil.NewDiscardLogger()
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
|
||||
Logger: logger,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
err = globalContext.dnsServer.Prepare(&dnsforward.ServerConfig{
|
||||
Config: dnsforward.Config{
|
||||
UpstreamMode: dnsforward.UpstreamModeLoadBalance,
|
||||
EDNSClientSubnet: &dnsforward.EDNSClientSubnet{Enabled: false},
|
||||
ClientsContainer: dnsforward.EmptyClientsContainer{},
|
||||
},
|
||||
ServePlainDNS: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
|
||||
Logger: logger,
|
||||
Clock: timeutil.SystemClock{},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.mux = http.NewServeMux()
|
||||
|
||||
globalContext.web, err = initWeb(ctx, options{}, nil, nil, logger, nil, false)
|
||||
require.NoError(t, err)
|
||||
|
||||
config.DNS.BindHosts = []netip.Addr{netip.MustParseAddr("127.0.0.1")}
|
||||
config.DNS.Port = 0
|
||||
|
||||
const wantSerialNumber int64 = 1
|
||||
|
||||
// Prepare the TLS manager configuration.
|
||||
tmpDir := t.TempDir()
|
||||
certPath := filepath.Join(tmpDir, "cert.pem")
|
||||
keyPath := filepath.Join(tmpDir, "key.pem")
|
||||
|
||||
certDER, key := newCertAndKey(t, wantSerialNumber)
|
||||
writeCertAndKey(t, certDER, certPath, key, keyPath)
|
||||
|
||||
// Initialize the TLS manager and assert its configuration.
|
||||
m, err := newTLSManager(ctx, logger, tlsConfigSettings{
|
||||
Enabled: true,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificatePath: certPath,
|
||||
PrivateKeyPath: keyPath,
|
||||
},
|
||||
}, true)
|
||||
require.NoError(t, err)
|
||||
|
||||
conf := &tlsConfigSettings{}
|
||||
m.WriteDiskConfig(conf)
|
||||
assertCertSerialNumber(t, conf, wantSerialNumber)
|
||||
|
||||
// Prepare a request with the new TLS configuration.
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
TLSConfig: dnsforward.TLSConfig{
|
||||
CertificateChain: base64.StdEncoding.EncodeToString(testCertChainData),
|
||||
PrivateKey: base64.StdEncoding.EncodeToString(testPrivateKeyData),
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/configure", bytes.NewReader(req))
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
// Reconfigure the TLS manager.
|
||||
m.handleTLSConfigure(w, r)
|
||||
|
||||
// The [tlsManager.handleTLSConfigure] method will start the DNS server and
|
||||
// it should be stopped after the test ends.
|
||||
testutil.CleanupAndRequireSuccess(t, globalContext.dnsServer.Stop)
|
||||
|
||||
res := &tlsConfig{
|
||||
tlsConfigStatus: &tlsConfigStatus{},
|
||||
}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.tlsConfigStatus.Issuer)
|
||||
|
||||
// Assert that the Web API's TLS configuration has been updated.
|
||||
//
|
||||
// TODO(s.chzhen): Remove when [httpsServer.cond] is removed.
|
||||
assert.Eventually(t, func() bool {
|
||||
globalContext.web.httpsServer.condLock.Lock()
|
||||
defer globalContext.web.httpsServer.condLock.Unlock()
|
||||
|
||||
cert = globalContext.web.httpsServer.cert
|
||||
if cert.Leaf == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
assert.Equal(t, wantIssuer, cert.Leaf.Issuer.String())
|
||||
|
||||
return true
|
||||
}, testTimeout, testTimeout/10)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user