From 1ac9bf19abcb0bc2d47099f3118415254e398231 Mon Sep 17 00:00:00 2001
From: Antoine Grondin
Date: Tue, 4 Aug 2020 13:58:54 -0700
Subject: [PATCH] adjust trickle down occurences of tlsconfig.Trace

Signed-off-by: Antoine Grondin
---
 v2/examples/spiffe-grpc/client/main.go | 11 +----
 v2/examples/spiffe-grpc/server/main.go | 11 +----
 v2/examples/spiffe-http/client/main.go | 11 +----
 v2/examples/spiffe-http/server/main.go | 11 +----
 .../spiffe-jwt-using-proxy/proxy/main.go | 11 +----
 .../spiffe-jwt-using-proxy/server/main.go | 11 +----
 v2/examples/spiffe-jwt/server/main.go | 11 +----
 v2/federation/examples_test.go | 12 +----
 v2/internal/test/fakebundleendpoint/server.go | 11 +----
 v2/spiffetls/dial.go | 4 +-
 v2/spiffetls/listen.go | 4 +-
 v2/spiffetls/option.go | 42 ++++++++++++++++---
 12 files changed, 50 insertions(+), 100 deletions(-)

diff --git a/v2/examples/spiffe-grpc/client/main.go b/v2/examples/spiffe-grpc/client/main.go
index e5f8db6d..579455e2 100644
--- a/v2/examples/spiffe-grpc/client/main.go
+++ b/v2/examples/spiffe-grpc/client/main.go
@@ -30,17 +30,8 @@ func main() {
 // Allowed SPIFFE ID
 serverID := spiffeid.Must("example.org", "server")

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/server`
- tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID), localTrace)
+ tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID))
 conn, err := grpc.DialContext(ctx, "localhost:50051", grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 if err != nil {
 log.Fatalf("Error creating dial: %v", err)
diff --git a/v2/examples/spiffe-grpc/server/main.go b/v2/examples/spiffe-grpc/server/main.go
index 454065ea..367399a0 100644
--- a/v2/examples/spiffe-grpc/server/main.go
+++ b/v2/examples/spiffe-grpc/server/main.go
@@ -41,17 +41,8 @@ func main() {
 // Allowed SPIFFE ID
 clientID := spiffeid.Must("example.org", "client")

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/client`
- tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID), localTrace)
+ tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID))
 s := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))

 lis, err := net.Listen("tcp", "127.0.0.1:50051")
diff --git a/v2/examples/spiffe-http/client/main.go b/v2/examples/spiffe-http/client/main.go
index 062d9171..71ac8b2c 100644
--- a/v2/examples/spiffe-http/client/main.go
+++ b/v2/examples/spiffe-http/client/main.go
@@ -32,17 +32,8 @@ func main() {
 // Allowed SPIFFE ID
 serverID := spiffeid.Must("example.org", "server")

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/server`
- tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID), localTrace)
+ tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID))
 client := &http.Client{
 Transport: &http.Transport{
 TLSClientConfig: tlsConfig,
diff --git a/v2/examples/spiffe-http/server/main.go b/v2/examples/spiffe-http/server/main.go
index 650acb64..ac8b5746 100644
--- a/v2/examples/spiffe-http/server/main.go
+++ b/v2/examples/spiffe-http/server/main.go
@@ -35,17 +35,8 @@ func main() {
 // Allowed SPIFFE ID
 clientID := spiffeid.Must("example.org", "client")

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/client`
- tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID), localTrace)
+ tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID))
 server := &http.Server{
 Addr: ":8443",
 TLSConfig: tlsConfig,
diff --git a/v2/examples/spiffe-jwt-using-proxy/proxy/main.go b/v2/examples/spiffe-jwt-using-proxy/proxy/main.go
index d4e167cc..7e6bb198 100644
--- a/v2/examples/spiffe-jwt-using-proxy/proxy/main.go
+++ b/v2/examples/spiffe-jwt-using-proxy/proxy/main.go
@@ -49,21 +49,12 @@ func main() {

 http.HandleFunc("/", handler(proxy))

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create an HTTP server using a TLS configuration that doesn't require
 // client certificates, because the proxy is not in charge of authenticating
 // the clients.
 server := &http.Server{
 Addr: ":8443",
- TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+ TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 }
 log.Fatal(server.ListenAndServeTLS("", ""))
 }
diff --git a/v2/examples/spiffe-jwt-using-proxy/server/main.go b/v2/examples/spiffe-jwt-using-proxy/server/main.go
index 9ef0d69e..4fe5038f 100644
--- a/v2/examples/spiffe-jwt-using-proxy/server/main.go
+++ b/v2/examples/spiffe-jwt-using-proxy/server/main.go
@@ -80,18 +80,9 @@ func main() {
 }
 http.Handle("/", auth.authenticateClient(http.HandlerFunc(index)))

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 server := &http.Server{
 Addr: ":8080",
- TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+ TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 }
 log.Fatal(server.ListenAndServeTLS("", ""))
 }
diff --git a/v2/examples/spiffe-jwt/server/main.go b/v2/examples/spiffe-jwt/server/main.go
index f0a96c71..52f1b765 100644
--- a/v2/examples/spiffe-jwt/server/main.go
+++ b/v2/examples/spiffe-jwt/server/main.go
@@ -65,17 +65,8 @@ func main() {
 }
 defer x509Source.Close()

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 // Create a `tls.Config` with configuration to allow TLS communication with client
- tlsConfig := tlsconfig.TLSServerConfig(x509Source, localTrace)
+ tlsConfig := tlsconfig.TLSServerConfig(x509Source)
 server := &http.Server{
 Addr: ":8443",
 TLSConfig: tlsConfig,
diff --git a/v2/federation/examples_test.go b/v2/federation/examples_test.go
index aaf41a79..ea918dfb 100644
--- a/v2/federation/examples_test.go
+++ b/v2/federation/examples_test.go
@@ -2,7 +2,6 @@ package federation_test

 import (
 "context"
- "log"
 "net/http"

 "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
@@ -143,19 +142,10 @@ func ExampleHandler_sPIFFEAuth() {
 }
 defer bundleSource.Close()

- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- log.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- log.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 server := http.Server{
 Addr: ":8443",
 Handler: federation.Handler(trustDomain, bundleSource, logger.Null),
- TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+ TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 }
 if err := server.ListenAndServeTLS("", ""); err != nil {
 // TODO: handle error
diff --git a/v2/internal/test/fakebundleendpoint/server.go b/v2/internal/test/fakebundleendpoint/server.go
index 16bdb826..4eb3372a 100644
--- a/v2/internal/test/fakebundleendpoint/server.go
+++ b/v2/internal/test/fakebundleendpoint/server.go
@@ -127,18 +127,9 @@ func WithTestBundles(bundles ...*spiffebundle.Bundle) ServerOption {
 }

 func WithSPIFFEAuth(bundle *spiffebundle.Bundle, svid *x509svid.SVID) ServerOption {
- localTrace := tlsconfig.Trace{
- GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
- fmt.Printf("got start of GetTLSCertificate\n")
- },
- GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
- fmt.Printf("got end of GetTLSCertificate\n")
- },
- }
-
 return serverOption(func(s *Server) {
 s.rootCAs = x509util.NewCertPool(bundle.X509Authorities())
- s.tlscfg = tlsconfig.TLSServerConfig(svid, localTrace)
+ s.tlscfg = tlsconfig.TLSServerConfig(svid)
 })
 }

diff --git a/v2/spiffetls/dial.go b/v2/spiffetls/dial.go
index 3dd5a28e..27a20e4d 100644
--- a/v2/spiffetls/dial.go
+++ b/v2/spiffetls/dial.go
@@ -59,9 +59,9 @@ func DialWithMode(ctx context.Context, network, addr string, mode DialMode, opti
 case tlsClientMode:
 tlsconfig.HookTLSClientConfig(tlsConfig, m.bundle, m.authorizer)
 case mtlsClientMode:
- tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsConfigTrace)
+ tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.mtlsClientConfigOpts...)
 case mtlsWebClientMode:
- tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots, opt.tlsConfigTrace)
+ tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots, opt.mtlsWebClientConfigOpts...)
 default:
 return nil, spiffetlsErr.New("unknown client mode: %v", m.mode)
 }
diff --git a/v2/spiffetls/listen.go b/v2/spiffetls/listen.go
index f2f80dd5..0e1129fc 100644
--- a/v2/spiffetls/listen.go
+++ b/v2/spiffetls/listen.go
@@ -89,9 +89,9 @@ func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMod

 switch m.mode {
 case tlsServerMode:
- tlsconfig.HookTLSServerConfig(tlsConfig, m.svid, opt.tlsConfigTrace)
+ tlsconfig.HookTLSServerConfig(tlsConfig, m.svid, opt.tlsServerConfigOpts...)
 case mtlsServerMode:
- tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsConfigTrace)
+ tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.mtlsServerConfigOpts...)
 case mtlsWebServerMode:
 tlsconfig.HookMTLSWebServerConfig(tlsConfig, m.cert, m.bundle, m.authorizer)
 default:
diff --git a/v2/spiffetls/option.go b/v2/spiffetls/option.go
index 7d8637bd..52e47b6a 100644
--- a/v2/spiffetls/option.go
+++ b/v2/spiffetls/option.go
@@ -22,16 +22,18 @@ func (fn dialOption) apply(c *dialConfig) {
 }

 type dialConfig struct {
- baseTLSConf *tls.Config
- dialer *net.Dialer
- tlsConfigTrace tlsconfig.Trace
+ baseTLSConf *tls.Config
+ dialer *net.Dialer
+ mtlsClientConfigOpts []tlsconfig.MTLSClientConfigOption
+ mtlsWebClientConfigOpts []tlsconfig.MTLSWebClientConfigOption
 }

 type listenOption func(*listenConfig)

 type listenConfig struct {
- baseTLSConf *tls.Config
- tlsConfigTrace tlsconfig.Trace
+ baseTLSConf *tls.Config
+ tlsServerConfigOpts []tlsconfig.TLSServerConfigOption
+ mtlsServerConfigOpts []tlsconfig.MTLSServerConfigOption
 }

 func (fn listenOption) apply(c *listenConfig) {
@@ -47,6 +49,21 @@ func WithDialTLSConfigBase(base *tls.Config) DialOption {
 })
 }

+// WithDialMTLSClientConfigOption provides options to use when doing Client mTLS.
+func WithDialMTLSClientConfigOption(opts ...tlsconfig.MTLSClientConfigOption) DialOption {
+ return dialOption(func(c *dialConfig) {
+ c.mtlsClientConfigOpts = opts
+ })
+}
+
+// WithDialMTLSWebClientConfigOption provides options to use when doing Client mTLS
+// as a web client.
+func WithDialMTLSWebClientConfigOption(opts ...tlsconfig.MTLSWebClientConfigOption) DialOption {
+ return dialOption(func(c *dialConfig) {
+ c.mtlsWebClientConfigOpts = opts
+ })
+}
+
 // WithDialer provides a net dialer to use. If unset, the standard net dialer
 // will be used.
 func WithDialer(dialer *net.Dialer) DialOption {
@@ -68,3 +85,18 @@ func WithListenTLSConfigBase(base *tls.Config) ListenOption {
 c.baseTLSConf = base
 })
 }
+
+// WithDialTLSServerConfigOption provides options to use when doing Server mTLS.
+func WithDialTLSServerConfigOption(opts ...tlsconfig.TLSServerConfigOption) ListenOption {
+ return listenOption(func(c *listenConfig) {
+ c.tlsServerConfigOpts = opts
+ })
+}
+
+// WithDialMTLSServerConfigOption provides options to use when doing Server mTLS
+// as a web client.
+func WithDialMTLSServerConfigOption(opts ...tlsconfig.MTLSServerConfigOption) ListenOption {
+ return listenOption(func(c *listenConfig) {
+ c.mtlsServerConfigOpts = opts
+ })
+}
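Review bot: `c.mtlsClientConfigOpts = opts` in WithDialMTLSClientConfigOption replaces whatever an earlier option already stored, so a caller that passes `WithDialMTLSClientConfigOption(a)` and later `WithDialMTLSClientConfigOption(b)` to the same dial silently loses `a`; the same overwrite is in WithDialMTLSWebClientConfigOption in this hunk and in the two ListenOption constructors of the next hunk. If options are meant to accumulate, `c.mtlsClientConfigOpts = append(c.mtlsClientConfigOpts, opts...)` keeps both sets; if last-wins is the intended contract, the doc comment should say so, since nothing else signals it. The doc comments could also name the mode that honors each option — from the dial.go hunk, mtlsClientConfigOpts reaches tlsconfig only in mtlsClientMode and mtlsWebClientConfigOpts only in mtlsWebClientMode — so a caller dialing in tlsClientMode is not surprised that the option has no effect, e.g. `// WithDialMTLSClientConfigOption provides tlsconfig options applied when dialing in mTLS client mode; it is ignored by the other dial modes.`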
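Review bot: The two constructors added at the end of option.go return a ListenOption but are named `WithDialTLSServerConfigOption` and `WithDialMTLSServerConfigOption`, which clashes with the `WithListen…` prefix of WithListenTLSConfigBase directly above them; since both are new in this commit, renaming them now to `WithListenTLSServerConfigOption` and `WithListenMTLSServerConfigOption` avoids shipping an exported name that would later need a deprecation alias. Their doc comments look copy-pasted: the first says "when doing Server mTLS" although, per the listen.go hunk, tlsServerConfigOpts is only passed in tlsServerMode (plain TLS, no client certificate), and the second ends with "as a web client", which describes the web-client dial option rather than an mTLS server. Suggested wording: `// WithListenTLSServerConfigOption provides tlsconfig options applied when listening in TLS server mode.` and `// WithListenMTLSServerConfigOption provides tlsconfig options applied when listening in mTLS server mode.`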