johanels/akvorado
1
0
Fork 0
mirror of https://github.com/akvorado/akvorado.git synced 2025-12-11 22:14:02 +01:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

common/helpers: migrate from verify to skip-verify in TLS config
Some checks failed
CI / 🤖 Check dependabot status (push) Has been cancelled
Details
CI / 🐧 Test on Linux (${{ github.ref_type == 'tag' }}, misc) (push) Has been cancelled
Details
CI / 🐧 Test on Linux (coverage) (push) Has been cancelled
Details
CI / 🐧 Test on Linux (regular) (push) Has been cancelled
Details
CI / ❄️ Build on Nix (push) Has been cancelled
Details
CI / 🍏 Build and test on macOS (push) Has been cancelled
Details
CI / 🧪 End-to-end testing (push) Has been cancelled
Details
CI / 🔍 Upload code coverage (push) Has been cancelled
Details
CI / 🔬 Test only Go (push) Has been cancelled
Details
CI / 🔬 Test only JS (${{ needs.dependabot.outputs.package-ecosystem }}, 20) (push) Has been cancelled
Details
CI / 🔬 Test only JS (${{ needs.dependabot.outputs.package-ecosystem }}, 22) (push) Has been cancelled
Details
CI / 🔬 Test only JS (${{ needs.dependabot.outputs.package-ecosystem }}, 24) (push) Has been cancelled
Details
CI / ⚖️ Check licenses (push) Has been cancelled
Details
CI / 🐋 Build Docker images (push) Has been cancelled
Details
CI / 🐋 Tag Docker images (push) Has been cancelled
Details
CI / 🚀 Publish release (push) Has been cancelled
Details

Browse Source 
Otherwise, the default is "false" for verify. This is a breaking change.

Fix #2055.
This commit is contained in:
Vincent Bernat
2025-10-30 08:31:27 +01:00
parent a2339312ac
commit e68b2de72c
13 changed files with 155 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
common/helpers/tls.go
View File

@@ -9,17 +9,20 @@ import (
"errors"
"fmt"
"os"
"reflect"
"github.com/go-viper/mapstructure/v2"
)
// TLSConfiguration defines TLS configuration.
type TLSConfiguration struct {
// Enable says if TLS should be used to connect to remote servers.
Enable bool `validate:"required_with=CAFile CertFile KeyFile"`
// Verify says if we need to check remote certificates
Verify bool
// SkipVerify removes validity checks of remote certificates
SkipVerify bool
// CAFile tells the location of the CA certificate to check broker
// certificate. If empty, the system CA certificates are used instead.
CAFile string // no validation as the orchestrator may not have the file
CAFile string // no file as the orchestrator may not have the file
// CertFile tells the location of the user certificate if any.
CertFile string `validate:"required_with=KeyFile"`
// KeyFile tells the location of the user key if any.
@@ -33,7 +36,7 @@ func (config TLSConfiguration) MakeTLSConfig() (*tls.Config, error) {
return nil, nil
}
tlsConfig := &tls.Config{
InsecureSkipVerify: !config.Verify,
InsecureSkipVerify: config.SkipVerify,
}
// Read CA certificate if provided
if config.CAFile != "" {
@@ -60,3 +63,45 @@ func (config TLSConfiguration) MakeTLSConfig() (*tls.Config, error) {
}
return tlsConfig, nil
}
// RenameKeyUnmarshallerHook move a configuration setting from one place to another.
func tlsUnmarshallerHook() mapstructure.DecodeHookFunc {
var zeroConfiguration TLSConfiguration
return func(from, to reflect.Value) (any, error) {
if from.Kind() != reflect.Map || from.IsNil() || to.Type() != reflect.TypeOf(zeroConfiguration) {
return from.Interface(), nil
}
// verify → skip-verify
var verifyKey, skipVerifyKey *reflect.Value
fromMap := from.MapKeys()
for i, k := range fromMap {
k = ElemOrIdentity(k)
if k.Kind() != reflect.String {
return from.Interface(), nil
}
if MapStructureMatchName(k.String(), "Verify") {
verifyKey = &fromMap[i]
} else if MapStructureMatchName(k.String(), "SkipVerify") {
skipVerifyKey = &fromMap[i]
}
}
if verifyKey != nil && skipVerifyKey != nil {
return nil, fmt.Errorf("cannot have both %q and %q", verifyKey.String(), skipVerifyKey.String())
}
if verifyKey != nil {
value := ElemOrIdentity(from.MapIndex(*verifyKey))
if value.Kind() != reflect.Bool {
return from.Interface(), nil
}
from.SetMapIndex(reflect.ValueOf("skip-verify"), reflect.ValueOf(!value.Bool()))
from.SetMapIndex(*verifyKey, reflect.Value{})
}
return from.Interface(), nil
}
}
func init() {
RegisterMapstructureUnmarshallerHook(tlsUnmarshallerHook())
}

80
common/helpers/tls_test.go Normal file
View File

@@ -0,0 +1,80 @@
// SPDX-FileCopyrightText: 2025 Free Mobile
// SPDX-License-Identifier: AGPL-3.0-only
package helpers_test
import (
"testing"
"github.com/gin-gonic/gin"
"akvorado/common/helpers"
)
func TestTLSConfigurationMigration(t *testing.T) {
helpers.TestConfigurationDecode(t, helpers.ConfigurationDecodeCases{
{
Description: "new skip-verify field",
Initial: func() any { return helpers.TLSConfiguration{} },
Configuration: func() any {
return gin.H{
"enable": true,
"skip-verify": true,
}
},
Expected: helpers.TLSConfiguration{
Enable: true,
SkipVerify: true,
},
}, {
Description: "no verify/skip-verify",
Initial: func() any { return helpers.TLSConfiguration{} },
Configuration: func() any {
return gin.H{
"enable": true,
}
},
Expected: helpers.TLSConfiguration{
Enable: true,
SkipVerify: false,
},
}, {
Description: "old verify=true migrates to skip-verify=false",
Initial: func() any { return helpers.TLSConfiguration{} },
Configuration: func() any {
return gin.H{
"enable": true,
"verify": true,
}
},
Expected: helpers.TLSConfiguration{
Enable: true,
SkipVerify: false,
},
}, {
Description: "old verify=false migrates to skip-verify=true",
Initial: func() any { return helpers.TLSConfiguration{} },
Configuration: func() any {
return gin.H{
"enable": true,
"verify": false,
}
},
Expected: helpers.TLSConfiguration{
Enable: true,
SkipVerify: true,
},
}, {
Description: "both verify and skip-verify causes error",
Initial: func() any { return helpers.TLSConfiguration{} },
Configuration: func() any {
return gin.H{
"enable": true,
"verify": true,
"skip-verify": false,
}
},
Error: true,
},
})
}