Added a check to ensure clientTLS configuration contains either a cert or a key
This commit is contained in:
Alex Antonov
Traefiker
parent
87e6285cf6
commit
98dfd2ba0e
2 changed files with 55 additions and 15 deletions
|
|
@ -157,24 +157,30 @@ func (clientTLS *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
|
||||||
cert := tls.Certificate{}
|
cert := tls.Certificate{}
|
||||||
_, errKeyIsFile := os.Stat(clientTLS.Key)
|
_, errKeyIsFile := os.Stat(clientTLS.Key)
|
||||||
|
|
||||||
if _, errCertIsFile := os.Stat(clientTLS.Cert); errCertIsFile == nil {
|
if !clientTLS.InsecureSkipVerify && (len(clientTLS.Cert) == 0 || len(clientTLS.Key) == 0) {
|
||||||
if errKeyIsFile == nil {
|
return nil, fmt.Errorf("TLS Certificate or Key file must be set when TLS configuration is created")
|
||||||
cert, err = tls.LoadX509KeyPair(clientTLS.Cert, clientTLS.Key)
|
}
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return nil, fmt.Errorf("tls cert is a file, but tls key is not")
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if errKeyIsFile != nil {
|
|
||||||
cert, err = tls.X509KeyPair([]byte(clientTLS.Cert), []byte(clientTLS.Key))
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
|
|
||||||
|
|
||||||
|
if len(clientTLS.Cert) > 0 && len(clientTLS.Key) > 0 {
|
||||||
|
if _, errCertIsFile := os.Stat(clientTLS.Cert); errCertIsFile == nil {
|
||||||
|
if errKeyIsFile == nil {
|
||||||
|
cert, err = tls.LoadX509KeyPair(clientTLS.Cert, clientTLS.Key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return nil, fmt.Errorf("tls cert is a file, but tls key is not")
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
return nil, fmt.Errorf("tls key is a file, but tls cert is not")
|
if errKeyIsFile != nil {
|
||||||
|
cert, err = tls.X509KeyPair([]byte(clientTLS.Cert), []byte(clientTLS.Key))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
|
||||||
|
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return nil, fmt.Errorf("tls key is a file, but tls cert is not")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -197,6 +197,40 @@ func TestNilClientTLS(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestInsecureSkipVerifyClientTLS(t *testing.T) {
|
||||||
|
provider := &myProvider{
|
||||||
|
BaseProvider{
|
||||||
|
Filename: "",
|
||||||
|
},
|
||||||
|
&ClientTLS{
|
||||||
|
InsecureSkipVerify: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
config, err := provider.TLS.CreateTLSConfig()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal("CreateTLSConfig should assume that consumer does not want a TLS configuration if input is nil")
|
||||||
|
}
|
||||||
|
if !config.InsecureSkipVerify {
|
||||||
|
t.Fatal("CreateTLSConfig should support setting only InsecureSkipVerify property")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestInsecureSkipVerifyFalseClientTLS(t *testing.T) {
|
||||||
|
provider := &myProvider{
|
||||||
|
BaseProvider{
|
||||||
|
Filename: "",
|
||||||
|
},
|
||||||
|
&ClientTLS{
|
||||||
|
InsecureSkipVerify: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
_, err := provider.TLS.CreateTLSConfig()
|
||||||
|
if err == nil {
|
||||||
|
t.Fatal("CreateTLSConfig should error if consumer does not set a TLS cert or key configuration and not chooses InsecureSkipVerify to be true")
|
||||||
|
}
|
||||||
|
t.Log(err)
|
||||||
|
}
|
||||||
|
|
||||||
func TestMatchingConstraints(t *testing.T) {
|
func TestMatchingConstraints(t *testing.T) {
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
constraints types.Constraints
|
constraints types.Constraints
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue