From 2ab5b9c760aa8ad643ceb61bd539956405474b54 Mon Sep 17 00:00:00 2001 From: Antoine Grondin Date: Tue, 4 Aug 2020 13:44:46 -0700 Subject: [PATCH] introduce func. opts. pattern and convert GetCertificate tracing to it --- v2/spiffetls/tlsconfig/config.go | 141 ++++++++++++++++++++---- v2/spiffetls/tlsconfig/config_test.go | 121 ++++++++++---------- v2/spiffetls/tlsconfig/examples_test.go | 23 +--- 3 files changed, 186 insertions(+), 99 deletions(-) diff --git a/v2/spiffetls/tlsconfig/config.go b/v2/spiffetls/tlsconfig/config.go index 8281e912..36c6777d 100644 --- a/v2/spiffetls/tlsconfig/config.go +++ b/v2/spiffetls/tlsconfig/config.go @@ -27,11 +27,26 @@ func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorize config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer) } +type mtlsClientConfigOption struct { + getCertificateOptions []GetCertificateOption +} + +// A MTLSClientConfigOption changes the defaults used to by mTLS ClientConfig functions. +type MTLSClientConfigOption func(*mtlsClientConfigOption) + +// WithMTLSClientGetCertificateOption makes the ClientConfig use the given GetCertificateOption +// to obtain certificates. +func WithMTLSClientGetCertificateOption(opts ...GetCertificateOption) MTLSClientConfigOption { + return func(cco *mtlsClientConfigOption) { + cco.getCertificateOptions = opts + } +} + // MTLSClientConfig returns a TLS configuration which presents an X509-SVID // to the server and verifies and authorizes the server X509-SVID. -func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, trace Trace) *tls.Config { +func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...MTLSClientConfigOption) *tls.Config { config := new(tls.Config) - HookMTLSClientConfig(config, svid, bundle, authorizer, trace) + HookMTLSClientConfig(config, svid, bundle, authorizer, opts...) return config } 
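Review bot: `WithMTLSClientGetCertificateOption` overwrites the collected options (`cco.getCertificateOptions = opts`), so a caller that supplies this option more than once in the same call silently loses the earlier set; for a variadic setter, accumulating is the less surprising contract: `cco.getCertificateOptions = append(cco.getCertificateOptions, opts...)`. The doc comment on `MTLSClientConfigOption` reads "changes the defaults used to by mTLS ClientConfig functions", which is garbled; suggest `// An MTLSClientConfigOption configures MTLSClientConfig and HookMTLSClientConfig.` The same overwrite-vs-append question applies to the three sibling `With*GetCertificateOption` setters introduced in the next hunk.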
@@ -39,51 +54,108 @@ func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer // to the server and verify and authorize the server X509-SVID. If there is an // existing callback set for VerifyPeerCertificate it will be wrapped by by // this package and invoked after SPIFFE authentication has completed. -func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, trace Trace) { +func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...MTLSClientConfigOption) { + dftlOpt := &mtlsClientConfigOption{} + for _, opt := range opts { + opt(dftlOpt) + } resetAuthFields(config) - config.GetClientCertificate = GetClientCertificate(svid, trace) + config.GetClientCertificate = GetClientCertificate(svid, dftlOpt.getCertificateOptions...) config.InsecureSkipVerify = true config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer) } +type mtlsWebClientConfigOption struct { + getCertificateOptions []GetCertificateOption +} + +// A MTLSWebClientConfigOption changes the defaults used to by mTLS ClientConfig functions. +type MTLSWebClientConfigOption func(*mtlsWebClientConfigOption) + +// WithMTLSWebClientGetCertificateOption makes the ClientConfig use the given GetCertificateOption +// to obtain certificates. +func WithMTLSWebClientGetCertificateOption(opts ...GetCertificateOption) MTLSWebClientConfigOption { + return func(cco *mtlsWebClientConfigOption) { + cco.getCertificateOptions = opts + } +} + // MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID // to the server and verifies the server certificate using provided roots (or // the system roots if nil). 
-func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, trace Trace) *tls.Config { +func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...MTLSWebClientConfigOption) *tls.Config { config := new(tls.Config) - HookMTLSWebClientConfig(config, svid, roots, trace) + HookMTLSWebClientConfig(config, svid, roots, opts...) return config } // HookMTLSWebClientConfig sets up the TLS configuration to present an // X509-SVID to the server and verifies the server certificate using the // provided roots (or the system roots if nil). -func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, trace Trace) { +func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...MTLSWebClientConfigOption) { + dftlOpt := &mtlsWebClientConfigOption{} + for _, opt := range opts { + opt(dftlOpt) + } resetAuthFields(config) - config.GetClientCertificate = GetClientCertificate(svid, trace) + config.GetClientCertificate = GetClientCertificate(svid, dftlOpt.getCertificateOptions...) config.RootCAs = roots } +type tlsServerConfigOption struct { + getCertificateOptions []GetCertificateOption +} + +// A TLSServerConfigOption changes the defaults used to by mTLS ClientConfig functions. +type TLSServerConfigOption func(*tlsServerConfigOption) + +// WithTLSServerGetCertificateOption makes the ServerConfig use the given GetCertificateOption +// to obtain certificates. +func WithTLSServerGetCertificateOption(opts ...GetCertificateOption) TLSServerConfigOption { + return func(cco *tlsServerConfigOption) { + cco.getCertificateOptions = opts + } +} + // TLSServerConfig returns a TLS configuration which presents an X509-SVID // to the client and does not require or verify client certificates. 
-func TLSServerConfig(svid x509svid.Source, trace Trace) *tls.Config { +func TLSServerConfig(svid x509svid.Source, opts ...TLSServerConfigOption) *tls.Config { config := new(tls.Config) - HookTLSServerConfig(config, svid, trace) + HookTLSServerConfig(config, svid, opts...) return config } // HookTLSServerConfig sets up the TLS configuration to present an X509-SVID // to the client and to not require or verify client certificates. -func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, trace Trace) { +func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...TLSServerConfigOption) { + dftlOpt := &tlsServerConfigOption{} + for _, opt := range opts { + opt(dftlOpt) + } resetAuthFields(config) - config.GetCertificate = GetCertificate(svid, trace) + config.GetCertificate = GetCertificate(svid, dftlOpt.getCertificateOptions...) +} + +type mtlsServerConfigOption struct { + getCertificateOptions []GetCertificateOption +} + +// A MTLSServerConfigOption changes the defaults used to by mTLS ClientConfig functions. +type MTLSServerConfigOption func(*mtlsServerConfigOption) + +// WithMTLSServerGetCertificateOption makes the ServerConfig use the given GetCertificateOption +// to obtain certificates. +func WithMTLSServerGetCertificateOption(opts ...GetCertificateOption) MTLSServerConfigOption { + return func(cco *mtlsServerConfigOption) { + cco.getCertificateOptions = opts + } } // MTLSServerConfig returns a TLS configuration which presents an X509-SVID // to the client and requires, verifies, and authorizes client X509-SVIDs. -func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, trace Trace) *tls.Config { +func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...MTLSServerConfigOption) *tls.Config { config := new(tls.Config) - HookMTLSServerConfig(config, svid, bundle, authorizer, trace) + HookMTLSServerConfig(config, svid, bundle, authorizer, opts...) return config } 
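Review bot: The doc comments on `TLSServerConfigOption` and `MTLSServerConfigOption` were copied from the client variant and still say "changes the defaults used to by mTLS ClientConfig functions", which is wrong for server-side options; suggest `// A TLSServerConfigOption configures TLSServerConfig and HookTLSServerConfig.` and `// An MTLSServerConfigOption configures MTLSServerConfig and HookMTLSServerConfig.` (and the `MTLSWebClientConfigOption` comment should name the Web client functions). The local `dftlOpt` in each Hook function looks like a misspelling of `dfltOpt`; since it holds the parsed options rather than defaults, a name like `cfg` would read better. The four option structs and their `With*` setters are structurally identical; if more per-config options are not planned, a single unexported holder type shared by all four public option types would remove the duplicated doc comments and the copy-paste risk seen here, though that is a design choice rather than a defect.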
@@ -92,10 +164,14 @@ func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer // there is an existing callback set for VerifyPeerCertificate it will be // wrapped by by this package and invoked after SPIFFE authentication has // completed. -func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, trace Trace) { +func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...MTLSServerConfigOption) { + dftlOpt := &mtlsServerConfigOption{} + for _, opt := range opts { + opt(dftlOpt) + } resetAuthFields(config) config.ClientAuth = tls.RequireAnyClientCert - config.GetCertificate = GetCertificate(svid, trace) + config.GetCertificate = GetCertificate(svid, dftlOpt.getCertificateOptions...) config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer) } 
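Review bot: The option loop in `HookMTLSServerConfig` invokes each entry of `opts` unconditionally, so a nil `MTLSServerConfigOption` (easy to produce when an option is chosen conditionally and left unset) panics during TLS setup instead of being ignored; a one-line guard, `if opt != nil { opt(dftlOpt) }`, avoids that, and the same applies to the three sibling Hook functions converted in this commit. This is a minor hardening point rather than a defect introduced by the conversion.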
@@ -120,20 +196,45 @@ func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer) } +type getCertificateOption struct { + trace Trace +} + +func newGetCertificateOption(opts []GetCertificateOption) *getCertificateOption { + out := &getCertificateOption{} + for _, opt := range opts { + opt(out) + } + return out +} + +// GetCertificateOption modifies the default used by the GetCertificate function. +type GetCertificateOption func(*getCertificateOption) + +// WithGetCertificateTrace will use the provided tracing callbacks +// when `GetCertificate` gets invoked. +func WithGetCertificateTrace(trace Trace) GetCertificateOption { + return func(gco *getCertificateOption) { + gco.trace = trace + } +} + // GetCertificate returns a GetCertificate callback for tls.Config. It uses the // given X509-SVID getter to obtain a server X509-SVID for the TLS handshake. -func GetCertificate(svid x509svid.Source, trace Trace) func(*tls.ClientHelloInfo) (*tls.Certificate, error) { +func GetCertificate(svid x509svid.Source, opts ...GetCertificateOption) func(*tls.ClientHelloInfo) (*tls.Certificate, error) { + opt := newGetCertificateOption(opts) return func(*tls.ClientHelloInfo) (*tls.Certificate, error) { - return getTLSCertificate(svid, trace) + return getTLSCertificate(svid, opt.trace) } } // GetClientCertificate returns a GetClientCertificate callback for tls.Config. // It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS // handshake. 
-func GetClientCertificate(svid x509svid.Source, trace Trace) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { +func GetClientCertificate(svid x509svid.Source, opts ...GetCertificateOption) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { + opt := newGetCertificateOption(opts) return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { - return getTLSCertificate(svid, trace) + return getTLSCertificate(svid, opt.trace) } } diff --git a/v2/spiffetls/tlsconfig/config_test.go b/v2/spiffetls/tlsconfig/config_test.go index de5888bd..0a312d97 100644 --- a/v2/spiffetls/tlsconfig/config_test.go +++ b/v2/spiffetls/tlsconfig/config_test.go @@ -69,7 +69,11 @@ func TestMTLSClientConfig(t *testing.T) { }, } - config := tlsconfig.MTLSClientConfig(svid, bundle, tlsconfig.AuthorizeAny(), localTrace) + config := tlsconfig.MTLSClientConfig(svid, bundle, tlsconfig.AuthorizeAny(), + tlsconfig.WithMTLSClientGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.NoClientCert, config.ClientAuth) @@ -97,7 +101,11 @@ func TestHookMTLSClientConfig(t *testing.T) { }, } - tlsconfig.HookMTLSClientConfig(config, svid, bundle, tlsconfig.AuthorizeAny(), localTrace) + tlsconfig.HookMTLSClientConfig(config, svid, bundle, tlsconfig.AuthorizeAny(), + tlsconfig.WithMTLSClientGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.NoClientCert, config.ClientAuth) @@ -123,7 +131,11 @@ func TestMTLSWebClientConfig(t *testing.T) { }, } - config := tlsconfig.MTLSWebClientConfig(svid, roots, localTrace) + config := tlsconfig.MTLSWebClientConfig(svid, roots, + tlsconfig.WithMTLSWebClientGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.NoClientCert, config.ClientAuth) 
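Review bot: `WithGetCertificateTrace` should document that the supplied callbacks run synchronously inside the closures returned by `GetCertificate`/`GetClientCertificate`, i.e. on the TLS handshake path of every connection, so they must be cheap and must not panic or block; a slow or failing trace hook stalls or aborts handshakes for all peers. Suggested wording: `// WithGetCertificateTrace installs trace callbacks that are invoked synchronously each time the returned GetCertificate/GetClientCertificate callback runs; they must be fast and must not panic.` Since the trace is now optional, `opt.trace` is the zero `Trace` value when no option is given; `getTLSCertificate` is outside this hunk, so please confirm it tolerates nil callback fields rather than dereferencing them. The `GetCertificateOption` comment mentions only `GetCertificate`, but the option is also consumed by `GetClientCertificate`; the comment should name both.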
@@ -150,7 +162,11 @@ func TestHookMTLSWebClientConfig(t *testing.T) { }, } - tlsconfig.HookMTLSWebClientConfig(config, svid, roots, localTrace) + tlsconfig.HookMTLSWebClientConfig(config, svid, roots, + tlsconfig.WithMTLSWebClientGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) // Expected AuthFields assert.Nil(t, config.Certificates) @@ -176,7 +192,11 @@ func TestTLSServerConfig(t *testing.T) { }, } - config := tlsconfig.TLSServerConfig(svid, localTrace) + config := tlsconfig.TLSServerConfig(svid, + tlsconfig.WithTLSServerGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.NoClientCert, config.ClientAuth) @@ -202,7 +222,11 @@ func TestHookTLSServerConfig(t *testing.T) { }, } - tlsconfig.HookTLSServerConfig(config, svid, localTrace) + tlsconfig.HookTLSServerConfig(config, svid, + tlsconfig.WithTLSServerGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.NoClientCert, config.ClientAuth) @@ -229,7 +253,11 @@ func TestMTLSServerConfig(t *testing.T) { }, } - config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeAny(), localTrace) + config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeAny(), + tlsconfig.WithMTLSServerGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.RequireAnyClientCert, config.ClientAuth) @@ -257,7 +285,11 @@ func TestHookMTLSServerConfig(t *testing.T) { }, } - tlsconfig.HookMTLSServerConfig(config, svid, bundle, tlsconfig.AuthorizeAny(), localTrace) + tlsconfig.HookMTLSServerConfig(config, svid, bundle, tlsconfig.AuthorizeAny(), + tlsconfig.WithMTLSServerGetCertificateOption( + tlsconfig.WithGetCertificateTrace(localTrace), + ), + ) assert.Nil(t, config.Certificates) assert.Equal(t, tls.RequireAnyClientCert, config.ClientAuth) 
@@ -348,7 +380,7 @@ func TestGetCertificate(t *testing.T) { for _, testCase := range testCases { testCase := testCase t.Run(testCase.name, func(t *testing.T) { - getCertificate := tlsconfig.GetCertificate(testCase.source, localTrace) + getCertificate := tlsconfig.GetCertificate(testCase.source, tlsconfig.WithGetCertificateTrace(localTrace)) require.NotNil(t, getCertificate) tlsCert, err := getCertificate(&tls.ClientHelloInfo{}) @@ -405,7 +437,7 @@ func TestGetClientCertificate(t *testing.T) { for _, testCase := range testCases { testCase := testCase t.Run(testCase.name, func(t *testing.T) { - getClientCertificate := tlsconfig.GetClientCertificate(testCase.source, localTrace) + getClientCertificate := tlsconfig.GetClientCertificate(testCase.source, tlsconfig.WithGetCertificateTrace(localTrace)) require.NotNil(t, getClientCertificate) tlsCert, err := getClientCertificate(&tls.CertificateRequestInfo{}) @@ -567,15 +599,6 @@ func TestTLSHandshake(t *testing.T) { ca3 := test.NewCA(t, td) bundle3 := ca3.Bundle() - localTrace := tlsconfig.Trace{ - GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) { - fmt.Printf("got start of GetTLSCertificate\n") - }, - GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) { - fmt.Printf("got end of GetTLSCertificate\n") - }, - } - testCases := []struct { name string serverConfig *tls.Config 
@@ -585,26 +608,26 @@ func TestTLSHandshake(t *testing.T) { }{ { name: "success", - serverConfig: tlsconfig.TLSServerConfig(serverSVID, localTrace), + serverConfig: tlsconfig.TLSServerConfig(serverSVID), clientConfig: tlsconfig.TLSClientConfig(bundle1, tlsconfig.AuthorizeAny()), }, { name: "authentication fails", - serverConfig: tlsconfig.TLSServerConfig(serverSVID, localTrace), + serverConfig: tlsconfig.TLSServerConfig(serverSVID), clientConfig: tlsconfig.TLSClientConfig(bundle1, tlsconfig.AuthorizeMemberOf(td2)), clientErr: `unexpected trust domain "domain1.test"`, serverErr: "remote error: tls: bad certificate", }, { name: "handshake fails", - serverConfig: tlsconfig.TLSServerConfig(serverSVID, localTrace), + serverConfig: tlsconfig.TLSServerConfig(serverSVID), clientConfig: tlsconfig.TLSClientConfig(bundle2, tlsconfig.AuthorizeMemberOf(td)), clientErr: `x509svid: could not get X509 bundle: x509bundle: no X.509 bundle found for trust domain: "domain1.test"`, serverErr: "remote error: tls: bad certificate", }, { name: "unknown authority", - serverConfig: tlsconfig.TLSServerConfig(serverSVID, localTrace), + serverConfig: tlsconfig.TLSServerConfig(serverSVID), clientConfig: tlsconfig.TLSClientConfig(bundle3, tlsconfig.AuthorizeMemberOf(td)), clientErr: `x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority`, serverErr: "remote error: tls: bad certificate", @@ -642,15 +665,6 @@ func TestMTLSHandshake(t *testing.T) { svid3ID := td.NewID("client") client3SVID := ca3.CreateX509SVID(svid3ID) - localTrace := tlsconfig.Trace{ - GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) { - fmt.Printf("got start of GetTLSCertificate\n") - }, - GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) { - fmt.Printf("got end of GetTLSCertificate\n") - }, - } - testCases := []struct { name string serverConfig *tls.Config 
@@ -660,41 +674,41 @@ func TestMTLSHandshake(t *testing.T) { }{ { name: "success", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny()), + clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny()), }, { name: "client authentication fails", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeMemberOf(td2), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny()), + clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeMemberOf(td2)), clientErr: `unexpected trust domain "domain1.test"`, serverErr: "remote error: tls: bad certificate", }, { name: "client handshake fails", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle2, tlsconfig.AuthorizeAny(), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny()), + clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle2, tlsconfig.AuthorizeAny()), clientErr: `x509svid: could not get X509 bundle: x509bundle: no X.509 bundle found for trust domain: "domain1.test"`, serverErr: "remote error: tls: bad certificate", }, { name: "server authentication", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeMemberOf(td2), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeMemberOf(td2)), + clientConfig: 
tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny()), clientErr: "remote error: tls: bad certificate", serverErr: `unexpected trust domain "domain1.test"`, }, { name: "server handshake fails", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle2, tlsconfig.AuthorizeAny(), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle2, tlsconfig.AuthorizeAny()), + clientConfig: tlsconfig.MTLSClientConfig(clientSVID, bundle1, tlsconfig.AuthorizeAny()), clientErr: "remote error: tls: bad certificate", serverErr: `x509svid: could not get X509 bundle: x509bundle: no X.509 bundle found for trust domain: "domain1.test"`, }, { name: "unknown authority", - serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny(), localTrace), - clientConfig: tlsconfig.MTLSClientConfig(client3SVID, bundle3, tlsconfig.AuthorizeAny(), localTrace), + serverConfig: tlsconfig.MTLSServerConfig(serverSVID, bundle1, tlsconfig.AuthorizeAny()), + clientConfig: tlsconfig.MTLSClientConfig(client3SVID, bundle3, tlsconfig.AuthorizeAny()), serverErr: "remote error: tls: bad certificate", clientErr: "x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority", }, @@ -733,15 +747,6 @@ func TestMTLSWebHandshake(t *testing.T) { svid3ID := td.NewID("client") client3SVID := ca3.CreateX509SVID(svid3ID) - localTrace := tlsconfig.Trace{ - GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) { - fmt.Printf("got start of GetTLSCertificate\n") - }, - GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) { - fmt.Printf("got end of GetTLSCertificate\n") - }, - } - testCases := []struct { name string clientConfig *tls.Config 
@@ -751,33 +756,33 @@ func TestMTLSWebHandshake(t *testing.T) { }{ { name: "success", - clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots, localTrace), + clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots), serverConfig: tlsconfig.MTLSWebServerConfig(tlsCert, bundle1, tlsconfig.AuthorizeAny()), }, { name: "server authentication fails", - clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots, localTrace), + clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots), clientErr: "remote error: tls: bad certificate", serverConfig: tlsconfig.MTLSWebServerConfig(tlsCert, bundle1, tlsconfig.AuthorizeMemberOf(td2)), serverErr: `unexpected trust domain "domain1.test"`, }, { name: "server handshake fails", - clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots, localTrace), + clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots), clientErr: "remote error: tls: bad certificate", serverConfig: tlsconfig.MTLSWebServerConfig(tlsCert, bundle2, tlsconfig.AuthorizeMemberOf(td2)), serverErr: `x509svid: could not get X509 bundle: x509bundle: no X.509 bundle found for trust domain: "domain1.test"`, }, { name: "client no valid certificate", - clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots2, localTrace), + clientConfig: tlsconfig.MTLSWebClientConfig(clientSVID, roots2), clientErr: "x509: certificate signed by unknown authority", serverConfig: tlsconfig.MTLSWebServerConfig(tlsCert, bundle1, tlsconfig.AuthorizeAny()), serverErr: "remote error: tls: bad certificate", }, { name: "unknown authority", - clientConfig: tlsconfig.MTLSWebClientConfig(client3SVID, roots, localTrace), + clientConfig: tlsconfig.MTLSWebClientConfig(client3SVID, roots), serverConfig: tlsconfig.MTLSWebServerConfig(tlsCert, bundle1, tlsconfig.AuthorizeAny()), clientErr: "remote error: tls: bad certificate", serverErr: "x509svid: could not verify leaf certificate: x509: certificate signed by unknown authority", 
diff --git a/v2/spiffetls/tlsconfig/examples_test.go b/v2/spiffetls/tlsconfig/examples_test.go index 5f81cb67..92bfdfea 100644 --- a/v2/spiffetls/tlsconfig/examples_test.go +++ b/v2/spiffetls/tlsconfig/examples_test.go @@ -2,7 +2,6 @@ package tlsconfig_test import ( "context" - "fmt" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -27,16 +26,7 @@ func ExampleMTLSServerConfig_fileSource() { // TODO: handle error } - localTrace := tlsconfig.Trace{ - GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) { - fmt.Printf("got start of GetTLSCertificate\n") - }, - GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) { - fmt.Printf("got end of GetTLSCertificate\n") - }, - } - - config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td), localTrace) + config := tlsconfig.MTLSServerConfig(svid, bundle, tlsconfig.AuthorizeMemberOf(td)) // TODO: use the config config = config } @@ -53,16 +43,7 @@ func ExampleMTLSServerConfig_workloadAPISource() { } defer source.Close() - localTrace := tlsconfig.Trace{ - GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) { - fmt.Printf("got start of GetTLSCertificate\n") - }, - GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) { - fmt.Printf("got end of GetTLSCertificate\n") - }, - } - - config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td), localTrace) + config := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeMemberOf(td)) // TODO: use the config config = config }
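Review bot: Dropping `localTrace` from both examples leaves the package with no runnable example of the new option API, so the intended way to attach tracing is only discoverable from the unit tests; consider keeping one example that passes `tlsconfig.WithMTLSServerGetCertificateOption(tlsconfig.WithGetCertificateTrace(localTrace))` to `MTLSServerConfig` so godoc shows the option composition. If an example is retained it would also need the `fmt` import that this hunk removes.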