common/helpers: migrate from verify to skip-verify in TLS config

Otherwise, the default is "false" for verify. This is a breaking change. Fix #2055.
2025-12-11 22:14:02 +01:00 · 2025-10-30 08:31:27 +01:00
parent a2339312ac
commit e68b2de72c
13 changed files with 155 additions and 41 deletions
--- a/cmd/testdata/configurations/clickhouse-network-sources/expected.yaml
+++ b/cmd/testdata/configurations/clickhouse-network-sources/expected.yaml
@@ -4,7 +4,7 @@ paths:
    url: https://ip-ranges.amazonaws.com/ip-ranges.json
    tls:
      enable: false
-      verify: true
+      skipverify: false
      cafile: ""
      certfile: ""
      keyfile: ""
--- a/cmd/testdata/configurations/orchestrator-clickhousedb/expected.yaml
+++ b/cmd/testdata/configurations/orchestrator-clickhousedb/expected.yaml
@@ -12,7 +12,7 @@ paths:
    dialtimeout: 5s
    tls:
      enable: true
-      verify: true
+      skipverify: false
      cafile: ""
      certfile: ""
      keyfile: ""
--- a/common/clickhousedb/config.go
+++ b/common/clickhousedb/config.go
@@ -41,10 +41,6 @@ func DefaultConfiguration() Configuration {
 		Username:     "default",
 		MaxOpenConns: 10,
 		DialTimeout:  5 * time.Second,
 		TLS: helpers.TLSConfiguration{
 			Enable: false,
 			Verify: true,
 		},
 	}
 }
--- a/common/helpers/tls.go
+++ b/common/helpers/tls.go
@@ -9,17 +9,20 @@ import (
 	"errors"
 	"fmt"
 	"os"
 	"reflect"
 	"github.com/go-viper/mapstructure/v2"
 )
 // TLSConfiguration defines TLS configuration.
 type TLSConfiguration struct {
 	// Enable says if TLS should be used to connect to remote servers.
 	Enable bool `validate:"required_with=CAFile CertFile KeyFile"`
-	// Verify says if we need to check remote certificates
+	// SkipVerify removes validity checks of remote certificates
-	Verify bool
+	SkipVerify bool
 	// CAFile tells the location of the CA certificate to check broker
 	// certificate. If empty, the system CA certificates are used instead.
-	CAFile string // no validation as the orchestrator may not have the file
+	CAFile string // no file as the orchestrator may not have the file
 	// CertFile tells the location of the user certificate if any.
 	CertFile string `validate:"required_with=KeyFile"`
 	// KeyFile tells the location of the user key if any.
@@ -33,7 +36,7 @@ func (config TLSConfiguration) MakeTLSConfig() (*tls.Config, error) {
 		return nil, nil
 	}
 	tlsConfig := &tls.Config{
-		InsecureSkipVerify: !config.Verify,
+		InsecureSkipVerify: config.SkipVerify,
 	}
 	// Read CA certificate if provided
 	if config.CAFile != "" {
@@ -60,3 +63,45 @@ func (config TLSConfiguration) MakeTLSConfig() (*tls.Config, error) {
 	}
 	return tlsConfig, nil
 }
 // RenameKeyUnmarshallerHook move a configuration setting from one place to another.
 func tlsUnmarshallerHook() mapstructure.DecodeHookFunc {
 	var zeroConfiguration TLSConfiguration
 	return func(from, to reflect.Value) (any, error) {
 		if from.Kind() != reflect.Map || from.IsNil() || to.Type() != reflect.TypeOf(zeroConfiguration) {
 			return from.Interface(), nil
 		}
 		// verify → skip-verify
 		var verifyKey, skipVerifyKey *reflect.Value
 		fromMap := from.MapKeys()
 		for i, k := range fromMap {
 			k = ElemOrIdentity(k)
 			if k.Kind() != reflect.String {
 				return from.Interface(), nil
 			}
 			if MapStructureMatchName(k.String(), "Verify") {
 				verifyKey = &fromMap[i]
 			} else if MapStructureMatchName(k.String(), "SkipVerify") {
 				skipVerifyKey = &fromMap[i]
 			}
 		}
 		if verifyKey != nil && skipVerifyKey != nil {
 			return nil, fmt.Errorf("cannot have both %q and %q", verifyKey.String(), skipVerifyKey.String())
 		}
 		if verifyKey != nil {
 			value := ElemOrIdentity(from.MapIndex(*verifyKey))
 			if value.Kind() != reflect.Bool {
 				return from.Interface(), nil
 			}
 			from.SetMapIndex(reflect.ValueOf("skip-verify"), reflect.ValueOf(!value.Bool()))
 			from.SetMapIndex(*verifyKey, reflect.Value{})
 		}
 		return from.Interface(), nil
 	}
 }
 func init() {
 	RegisterMapstructureUnmarshallerHook(tlsUnmarshallerHook())
 }
--- a/common/helpers/tls_test.go
+++ b/common/helpers/tls_test.go
@@ -0,0 +1,80 @@
 // SPDX-FileCopyrightText: 2025 Free Mobile
 // SPDX-License-Identifier: AGPL-3.0-only
 package helpers_test
 import (
 	"testing"
 	"github.com/gin-gonic/gin"
 	"akvorado/common/helpers"
 )
 func TestTLSConfigurationMigration(t *testing.T) {
 	helpers.TestConfigurationDecode(t, helpers.ConfigurationDecodeCases{
 		{
 			Description: "new skip-verify field",
 			Initial:     func() any { return helpers.TLSConfiguration{} },
 			Configuration: func() any {
 				return gin.H{
 					"enable":      true,
 					"skip-verify": true,
 				}
 			},
 			Expected: helpers.TLSConfiguration{
 				Enable:     true,
 				SkipVerify: true,
 			},
 		}, {
 			Description: "no verify/skip-verify",
 			Initial:     func() any { return helpers.TLSConfiguration{} },
 			Configuration: func() any {
 				return gin.H{
 					"enable": true,
 				}
 			},
 			Expected: helpers.TLSConfiguration{
 				Enable:     true,
 				SkipVerify: false,
 			},
 		}, {
 			Description: "old verify=true migrates to skip-verify=false",
 			Initial:     func() any { return helpers.TLSConfiguration{} },
 			Configuration: func() any {
 				return gin.H{
 					"enable": true,
 					"verify": true,
 				}
 			},
 			Expected: helpers.TLSConfiguration{
 				Enable:     true,
 				SkipVerify: false,
 			},
 		}, {
 			Description: "old verify=false migrates to skip-verify=true",
 			Initial:     func() any { return helpers.TLSConfiguration{} },
 			Configuration: func() any {
 				return gin.H{
 					"enable": true,
 					"verify": false,
 				}
 			},
 			Expected: helpers.TLSConfiguration{
 				Enable:     true,
 				SkipVerify: true,
 			},
 		}, {
 			Description: "both verify and skip-verify causes error",
 			Initial:     func() any { return helpers.TLSConfiguration{} },
 			Configuration: func() any {
 				return gin.H{
 					"enable":      true,
 					"verify":      true,
 					"skip-verify": false,
 				}
 			},
 			Error: true,
 		},
 	})
 }
--- a/common/kafka/config.go
+++ b/common/kafka/config.go
@@ -53,10 +53,6 @@ func DefaultConfiguration() Configuration {
 	return Configuration{
 		Topic:   "flows",
 		Brokers: []string{"127.0.0.1:9092"},
 		TLS: helpers.TLSConfiguration{
 			Enable: false,
 			Verify: true,
 		},
 	}
 }
--- a/common/kafka/config_test.go
+++ b/common/kafka/config_test.go
@@ -110,8 +110,8 @@ func TestTLSConfiguration(t *testing.T) {
 				Topic:   "flows",
 				Brokers: []string{"127.0.0.1:9092"},
 				TLS: helpers.TLSConfiguration{
-					Enable: true,
+					Enable:     true,
-					Verify: true,
+					SkipVerify: false,
 				},
 			},
 		}, {
@@ -132,8 +132,8 @@ func TestTLSConfiguration(t *testing.T) {
 				Topic:   "flows",
 				Brokers: []string{"127.0.0.1:9092"},
 				TLS: helpers.TLSConfiguration{
-					Enable: true,
+					Enable:     true,
-					Verify: false,
+					SkipVerify: true,
 				},
 				SASL: SASLConfiguration{
 					Username:  "hello",
@@ -157,8 +157,8 @@ func TestTLSConfiguration(t *testing.T) {
 				Topic:   "flows",
 				Brokers: []string{"127.0.0.1:9092"},
 				TLS: helpers.TLSConfiguration{
-					Enable: false,
+					Enable:     false,
-					Verify: true,
+					SkipVerify: false,
 				},
 				SASL: SASLConfiguration{
 					Username:  "hello",
@@ -187,7 +187,7 @@ func TestTLSConfiguration(t *testing.T) {
 				TLS: helpers.TLSConfiguration{
 					Enable: true,
 					// Value from DefaultConfig is true
-					Verify: true,
+					SkipVerify: false,
 				},
 				SASL: SASLConfiguration{
 					Username:  "hello",
@@ -218,7 +218,7 @@ func TestTLSConfiguration(t *testing.T) {
 				TLS: helpers.TLSConfiguration{
 					Enable: true,
 					// Value from DefaultConfig is true
-					Verify: true,
+					SkipVerify: false,
 				},
 				SASL: SASLConfiguration{
 					Username:      "hello",
--- a/common/kafka/tests.go
+++ b/common/kafka/tests.go
@@ -30,10 +30,6 @@ func SetupKafkaBroker(t *testing.T) (*kgo.Client, []string) {
 	r := reporter.NewMock(t)
 	opts, err := NewConfig(r, Configuration{
 		Brokers: []string{broker},
 		TLS: helpers.TLSConfiguration{
 			Enable: false,
 			Verify: true,
 		},
 	})
 	if err != nil {
 		t.Fatalf("NewConfig() error: %v", err)
--- a/common/remotedatasource/config.go
+++ b/common/remotedatasource/config.go
@@ -68,10 +68,6 @@ func DefaultSourceConfiguration() Source {
 	return Source{
 		Method:  "GET",
 		Timeout: time.Minute,
 		TLS: helpers.TLSConfiguration{
 			Enable: false,
 			Verify: true,
 		},
 	}
 }
--- a/common/remotedatasource/config_test.go
+++ b/common/remotedatasource/config_test.go
@@ -29,7 +29,7 @@ func TestSourceDecode(t *testing.T) {
 				Timeout:  time.Minute,
 				Interval: 10 * time.Minute,
 				TLS: helpers.TLSConfiguration{
-					Verify: true,
+					SkipVerify: false,
 				},
 			},
 		}, {
@@ -49,7 +49,7 @@ func TestSourceDecode(t *testing.T) {
 				Interval:  10 * time.Minute,
 				Transform: MustParseTransformQuery(".[]"),
 				TLS: helpers.TLSConfiguration{
-					Verify: true,
+					SkipVerify: false,
 				},
 			},
 		}, {
@@ -71,7 +71,7 @@ func TestSourceDecode(t *testing.T) {
 				Interval:  10 * time.Minute,
 				Transform: MustParseTransformQuery(".[]"),
 				TLS: helpers.TLSConfiguration{
-					Verify: true,
+					SkipVerify: false,
 				},
 			},
 		}, {
@@ -93,9 +93,9 @@ func TestSourceDecode(t *testing.T) {
 				Timeout:  time.Minute,
 				Interval: 10 * time.Minute,
 				TLS: helpers.TLSConfiguration{
-					Enable: true,
+					Enable:     true,
-					Verify: false, // TODO this should be fixed
+					SkipVerify: false,
-					CAFile: "something.crt",
+					CAFile:     "something.crt",
 				},
 			},
 		}, {
@@ -119,7 +119,7 @@ func TestSourceDecode(t *testing.T) {
 .prefixes[] | {prefix: .ip_prefix, tenant: "amazon", region: .region, role: .service|ascii_downcase}
 `),
 				TLS: helpers.TLSConfiguration{
-					Verify: true,
+					SkipVerify: false,
 				},
 			},
 		}, {
--- a/common/remotedatasource/root_test.go
+++ b/common/remotedatasource/root_test.go
@@ -314,8 +314,8 @@ func TestSourceWithTLS(t *testing.T) {
 				Timeout:  1 * time.Second,
 				Interval: 1 * time.Minute,
 				TLS: helpers.TLSConfiguration{
-					Enable: true,
+					Enable:     true,
-					Verify: false,
+					SkipVerify: true,
 				},
 				Transform: MustParseTransformQuery(".results[]"),
 			},
--- a/console/data/docs/02-configuration.md
+++ b/console/data/docs/02-configuration.md
@@ -767,7 +767,7 @@ flows. It accepts the following keys:
 The following keys are accepted for the TLS configuration:
 - `enable` should be set to `true` to enable TLS.
- `verify` can be set to `false` to skip checking server certificate (not recommended).
+- `skip-verify` can be set to `true` to skip checking server certificate (not recommended).
 - `ca-file` gives the location of the file containing the CA certificate in PEM
  format to check the server certificate. If not provided, the system
  certificates are used instead.
--- a/console/data/docs/99-changelog.md
+++ b/console/data/docs/99-changelog.md
@@ -12,7 +12,12 @@ identified with a specific icon:
 ## Unreleased
- 🌱 *common*: remote data sources accept a specific TLS configuration
+- 💥 *config*: `skip-verify` is false by default in TLS configurations for
  ClickHouse, Kafka and remote data sources (previously, `verify` was set to
  false by default)
 - 🌱 *config*: rename `verify` to `skip-verify` in TLS configurations for
  ClickHouse, Kafka and remote data sources (with inverted logic)
 - 🌱 *config*: remote data sources accept a specific TLS configuration
 ## 2.0.2 - 2025-10-29