aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorMohammed Al Sahaf <[email protected]>2024-02-26 00:13:48 +0300
committerGitHub <[email protected]>2024-02-26 00:13:48 +0300
commit03f703a00e006a1e53a2eaf5f4e33a1b3a5e4237 (patch)
treef17295075e29942f9ff97e790d9db835a0a6c7b3
parent931656bd6868a87eef4814cc02b5125a907662bf (diff)
downloadcaddy-03f703a00e006a1e53a2eaf5f4e33a1b3a5e4237.tar.gz
caddy-03f703a00e006a1e53a2eaf5f4e33a1b3a5e4237.zip
caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
* caddytls: verifier: caddyfile: re-add Caddyfile support * appease the linter * caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
-rw-r--r--caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy-with-verifier.caddyfiletest75
-rw-r--r--caddytest/integration/caddyfile_adapt_test.go2
-rw-r--r--internal/testmocks/dummyverifier.go41
-rw-r--r--modules/caddytls/connpolicy.go25
4 files changed, 139 insertions, 4 deletions
diff --git a/caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy-with-verifier.caddyfiletest b/caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy-with-verifier.caddyfiletest
new file mode 100644
index 000000000..302d8fd1e
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy-with-verifier.caddyfiletest
@@ -0,0 +1,75 @@
+localhost
+
+respond "hello from localhost"
+tls {
+ client_auth {
+ mode request
+ trusted_ca_cert_file ../caddy.ca.cer
+ verifier dummy
+ }
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "localhost"
+ ]
+ }
+ ],
+ "handle": [
+ {
+ "handler": "subroute",
+ "routes": [
+ {
+ "handle": [
+ {
+ "body": "hello from localhost",
+ "handler": "static_response"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ],
+ "tls_connection_policies": [
+ {
+ "match": {
+ "sni": [
+ "localhost"
+ ]
+ },
+ "client_authentication": {
+ "ca": {
+ "provider": "inline",
+ "trusted_ca_certs": [
+ "MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+ ]
+ },
+ "verifiers": [
+ {
+ "verifier": "dummy"
+ }
+ ],
+ "mode": "request"
+ }
+ },
+ {}
+ ]
+ }
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/caddytest/integration/caddyfile_adapt_test.go b/caddytest/integration/caddyfile_adapt_test.go
index 5b052df49..0d9f0fa47 100644
--- a/caddytest/integration/caddyfile_adapt_test.go
+++ b/caddytest/integration/caddyfile_adapt_test.go
@@ -10,6 +10,8 @@ import (
"testing"
"github.com/caddyserver/caddy/v2/caddytest"
+
+ _ "github.com/caddyserver/caddy/v2/internal/testmocks"
)
func TestCaddyfileAdaptToJSON(t *testing.T) {
diff --git a/internal/testmocks/dummyverifier.go b/internal/testmocks/dummyverifier.go
new file mode 100644
index 000000000..1fbef32bf
--- /dev/null
+++ b/internal/testmocks/dummyverifier.go
@@ -0,0 +1,41 @@
+package testmocks
+
+import (
+ "crypto/x509"
+
+ "github.com/caddyserver/caddy/v2"
+ "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+ "github.com/caddyserver/caddy/v2/modules/caddytls"
+)
+
+func init() {
+ caddy.RegisterModule(new(dummyVerifier))
+}
+
+type dummyVerifier struct{}
+
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (dummyVerifier) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+ return nil
+}
+
+// CaddyModule implements caddy.Module.
+func (dummyVerifier) CaddyModule() caddy.ModuleInfo {
+ return caddy.ModuleInfo{
+ ID: "tls.client_auth.verifier.dummy",
+ New: func() caddy.Module {
+ return new(dummyVerifier)
+ },
+ }
+}
+
+// VerifyClientCertificate implements ClientCertificateVerifier.
+func (dummyVerifier) VerifyClientCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ return nil
+}
+
+var (
+ _ caddy.Module = dummyVerifier{}
+ _ caddytls.ClientCertificateVerifier = dummyVerifier{}
+ _ caddyfile.Unmarshaler = dummyVerifier{}
+)
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 081b9c80c..20b781274 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -379,7 +379,7 @@ type ClientAuthentication struct {
// DEPRECATED: This field is deprecated and will be removed in
// a future version. Please use the `validators` field instead
- // with the tls.client_auth.leaf module instead.
+ // with the tls.client_auth.verifier.leaf module instead.
//
// A list of base64 DER-encoded client leaf certs
// to accept. If this list is not empty, client certs
@@ -389,7 +389,7 @@ type ClientAuthentication struct {
// Client certificate verification modules. These can perform
// custom client authentication checks, such as ensuring the
// certificate is not revoked.
- VerifiersRaw []json.RawMessage `json:"verifiers,omitempty" caddy:"namespace=tls.client_auth inline_key=verifier"`
+ VerifiersRaw []json.RawMessage `json:"verifiers,omitempty" caddy:"namespace=tls.client_auth.verifier inline_key=verifier"`
verifiers []ClientCertificateVerifier
@@ -494,6 +494,23 @@ func (ca *ClientAuthentication) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod)
}
ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil)
+ case "verifier":
+ if !d.NextArg() {
+ return d.ArgErr()
+ }
+
+ vType := d.Val()
+ modID := "tls.client_auth.verifier." + vType
+ unm, err := caddyfile.UnmarshalModule(d, modID)
+ if err != nil {
+ return err
+ }
+
+ _, ok := unm.(ClientCertificateVerifier)
+ if !ok {
+ return d.Errf("module '%s' is not a caddytls.ClientCertificatVerifier", modID)
+ }
+ ca.VerifiersRaw = append(ca.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, nil))
default:
return d.Errf("unknown subdirective for client_auth: %s", subdir)
}
@@ -566,7 +583,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
}
ca, ok := caRaw.(CA)
if !ok {
- return fmt.Errorf("CARaw module '%s' is not a certificate pool provider", ca)
+ return fmt.Errorf("'ca' module '%s' is not a certificate pool provider", ca)
}
clientauth.ca = ca
@@ -704,7 +721,7 @@ type LeafCertClientAuth struct {
// CaddyModule returns the Caddy module information.
func (LeafCertClientAuth) CaddyModule() caddy.ModuleInfo {
return caddy.ModuleInfo{
- ID: "tls.client_auth.leaf",
+ ID: "tls.client_auth.verifier.leaf",
New: func() caddy.Module { return new(LeafCertClientAuth) },
}
}