summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--modules/caddyhttp/reverseproxy/httptransport.go2
-rw-r--r--modules/caddytls/capools.go124
-rw-r--r--modules/caddytls/capools_test.go114
3 files changed, 2 insertions, 238 deletions
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 93ed84ad6..f52a08053 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -541,7 +541,7 @@ type TLSConfig struct {
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
// If there is no custom TLS configuration, a nil config may be returned.
-func (t TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
+func (t *TLSConfig) MakeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
cfg := new(tls.Config)
// client auth
diff --git a/modules/caddytls/capools.go b/modules/caddytls/capools.go
index 7e378aac4..dc5e60087 100644
--- a/modules/caddytls/capools.go
+++ b/modules/caddytls/capools.go
@@ -27,7 +27,6 @@ func init() {
caddy.RegisterModule(PKIIntermediateCAPool{})
caddy.RegisterModule(StoragePool{})
caddy.RegisterModule(HTTPCertPool{})
- caddy.RegisterModule(LazyCertPool{})
}
// The interface to be implemented by all guest modules part of
@@ -500,7 +499,7 @@ func (t *TLSConfig) unmarshalCaddyfile(d *caddyfile.Dispenser) error {
// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
// If there is no custom TLS configuration, a nil config may be returned.
// copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
-func (t TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
+func (t *TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
if repl == nil {
repl = caddy.NewReplacer()
@@ -664,121 +663,6 @@ func (hcp HTTPCertPool) CertPool() *x509.CertPool {
return hcp.pool
}
-// LazyCertPool defers the generation of the certificate pool from the
-// guest module to demand-time rather than at provisionig time. The gain of the
-// lazy load adds a risk of failure to load the certificates at demand time
-// because the validation that's typically done at provisioning is deferred.
-// The validation can be enforced to run before runtime by setting
-// `EagerValidation`/`eager_validation` to `true`. It is the operator's responsibility
-// to ensure the resources are available if `EagerValidation`/`eager_validation`
-// is set to `true`. The module also incurs performance cost at every demand.
-type LazyCertPool struct {
- // Provides the guest module that provides the trusted certificate authority (CA) certificates
- CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
-
- // Whether the validation step should try to load and provision the guest module to validate
- // the correctness of the configuration. Depeneding on the type of the guest module,
- // the resources may not be available at validation time. It is the
- // operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
- // is set to `true`.
- EagerValidation bool `json:"eager_validation,omitempty"`
-
- ctx caddy.Context
-}
-
-// CaddyModule implements caddy.Module.
-func (LazyCertPool) CaddyModule() caddy.ModuleInfo {
- return caddy.ModuleInfo{
- ID: "tls.ca_pool.source.lazy",
- New: func() caddy.Module {
- return new(LazyCertPool)
- },
- }
-}
-
-// Provision implements caddy.Provisioner.
-func (lcp *LazyCertPool) Provision(ctx caddy.Context) error {
- if len(lcp.CARaw) == 0 {
- return fmt.Errorf("missing backing CA source")
- }
- lcp.ctx = ctx
- return nil
-}
-
-// Syntax:
-//
-// trust_pool lazy {
-// backend <ca_module>
-// eager_validation
-// }
-//
-// The `backend` directive specifies the CA module to use to provision the
-// certificate pool. The `eager_validation` directive specifies that the
-// validation step should try to load and provision the guest module to validate
-// the correctness of the configuration. Depeneding on the type of the guest module,
-// the resources may not be available at validation time. It is the
-// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
-// is set to `true`.
-//
-// The `backend` directive is required.
-func (lcp *LazyCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
- d.Next() // consume module name
- for nesting := d.Nesting(); d.NextBlock(nesting); {
- switch d.Val() {
- case "backend":
- if lcp.CARaw != nil {
- return d.Err("backend block already defined")
- }
- if !d.NextArg() {
- return d.ArgErr()
- }
- modStem := d.Val()
- modID := "tls.ca_pool.source." + modStem
- unm, err := caddyfile.UnmarshalModule(d, modID)
- if err != nil {
- return err
- }
- backend, ok := unm.(CA)
- if !ok {
- return d.Errf("module %s is not a caddytls.CA", modID)
- }
- lcp.CARaw = caddyconfig.JSONModuleObject(backend, "provider", modStem, nil)
- case "eager_validation":
- lcp.EagerValidation = true
- default:
- return d.Errf("unrecognized directive: %s", d.Val())
- }
- }
- if lcp.CARaw == nil {
- return d.Err("backend block is required")
- }
- return nil
-}
-
-// If EagerValidation is `true`, it attempts to load and provision the guest module
-// to ensure the guesst module's configuration is correct. Depeneding on the type of the
-// guest module, the resources may not be available at validation time. It is the
-// operator's responsibility to ensure the resources are available if `EagerValidation` is
-// set to `true`.
-func (lcp LazyCertPool) Validate() error {
- if lcp.EagerValidation {
- _, err := lcp.ctx.LoadModule(lcp, "CARaw")
- return err
- }
- return nil
-}
-
-// CertPool loads the guest module and returns the CertPool from there
-// TODO: Cache?
-func (lcp LazyCertPool) CertPool() *x509.CertPool {
- caRaw, err := lcp.ctx.LoadModule(lcp, "CARaw")
- if err != nil {
- return nil
- }
- ca := caRaw.(CA)
- return ca.CertPool()
-}
-
var (
_ caddy.Module = (*InlineCAPool)(nil)
_ caddy.Provisioner = (*InlineCAPool)(nil)
@@ -810,10 +694,4 @@ var (
_ caddy.Validator = (*HTTPCertPool)(nil)
_ CA = (*HTTPCertPool)(nil)
_ caddyfile.Unmarshaler = (*HTTPCertPool)(nil)
-
- _ caddy.Module = (*LazyCertPool)(nil)
- _ caddy.Provisioner = (*LazyCertPool)(nil)
- _ caddy.Validator = (*LazyCertPool)(nil)
- _ CA = (*LazyCertPool)(nil)
- _ caddyfile.Unmarshaler = (*LazyCertPool)(nil)
)
diff --git a/modules/caddytls/capools_test.go b/modules/caddytls/capools_test.go
index d04354a18..67244b59a 100644
--- a/modules/caddytls/capools_test.go
+++ b/modules/caddytls/capools_test.go
@@ -567,21 +567,6 @@ func TestTLSConfig_unmarshalCaddyfile(t *testing.T) {
},
},
{
- name: "setting 'ca' to 'lazy' with appropriate block is valid",
- args: args{
- d: caddyfile.NewTestDispenser(`{
- ca lazy {
- backend file {
- pem_file /var/caddy/ca.pem
- }
- }
- }`),
- },
- expected: TLSConfig{
- CARaw: []byte(`{"ca":{"pem_files":["/var/caddy/ca.pem"],"provider":"file"},"provider":"lazy"}`),
- },
- },
- {
name: "setting 'ca' to 'file' with appropriate block is valid",
args: args{
d: caddyfile.NewTestDispenser(`{
@@ -791,102 +776,3 @@ func TestHTTPCertPoolUnmarshalCaddyfile(t *testing.T) {
})
}
}
-
-func TestLazyCertPoolUnmarshalCaddyfile(t *testing.T) {
- type args struct {
- d *caddyfile.Dispenser
- }
- tests := []struct {
- name string
- args args
- expected LazyCertPool
- wantErr bool
- }{
- {
- name: "no block results in error",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy`),
- },
- wantErr: true,
- },
- {
- name: "empty block results in error",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- }`),
- },
- wantErr: true,
- },
- {
- name: "defining 'backend' multiple times results in error",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- backend http {
- endpoints http://localhost/ca-certs
- }
- backend file {
- pem_file /var/caddy/certs
- }
- }`),
- },
- wantErr: true,
- },
- {
- name: "defining 'backend' without argument results in error",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- backend
- }`),
- },
- wantErr: true,
- },
- {
- name: "using unrecognized directive results in error",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- foo
- }`),
- },
- wantErr: true,
- },
- {
- name: "defining single 'backend' is successful",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- backend http {
- endpoints http://localhost/ca-certs
- }
- }`),
- },
- expected: LazyCertPool{
- CARaw: []byte(`{"endpoints":["http://localhost/ca-certs"],"provider":"http"}`),
- },
- },
- {
- name: "defining single 'backend' with 'eager_validation' successful",
- args: args{
- d: caddyfile.NewTestDispenser(`lazy {
- backend file {
- pem_file /var/caddy/certs
- }
- eager_validation
- }`),
- },
- expected: LazyCertPool{
- CARaw: []byte(`{"pem_files":["/var/caddy/certs"],"provider":"file"}`),
- EagerValidation: true,
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- lcp := &LazyCertPool{}
- if err := lcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
- t.Errorf("LazyCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
- }
- if !tt.wantErr && !reflect.DeepEqual(&tt.expected, lcp) {
- t.Errorf("LazyCertPool.UnmarshalCaddyfile() = %v, want %v", lcp, tt.expected)
- }
- })
- }
-}