adjust trickle down occurences of tlsconfig.Trace

Signed-off-by: Antoine Grondin <[email protected]>

v2/examples/spiffe-grpc/client/main.go

@@ -30,17 +30,8 @@ func main() {
 	// Allowed SPIFFE ID
 	serverID := spiffeid.Must("example.org", "server")
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/server`
-	tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID), localTrace)
+	tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID))
 	conn, err := grpc.DialContext(ctx, "localhost:50051", grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)))
 	if err != nil {
 		log.Fatalf("Error creating dial: %v", err)

v2/examples/spiffe-grpc/server/main.go

@@ -41,17 +41,8 @@ func main() {
 	// Allowed SPIFFE ID
 	clientID := spiffeid.Must("example.org", "client")
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/client`
-	tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID), localTrace)
+	tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID))
 	s := grpc.NewServer(grpc.Creds(credentials.NewTLS(tlsConfig)))
 
 	lis, err := net.Listen("tcp", "127.0.0.1:50051")

v2/examples/spiffe-http/client/main.go

@@ -32,17 +32,8 @@ func main() {
 	// Allowed SPIFFE ID
 	serverID := spiffeid.Must("example.org", "server")
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/server`
-	tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID), localTrace)
+	tlsConfig := tlsconfig.MTLSClientConfig(source, source, tlsconfig.AuthorizeID(serverID))
 	client := &http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: tlsConfig,

v2/examples/spiffe-http/server/main.go

@@ -35,17 +35,8 @@ func main() {
 	// Allowed SPIFFE ID
 	clientID := spiffeid.Must("example.org", "client")
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create a `tls.Config` to allow mTLS connections, and verify that presented certificate has SPIFFE ID `spiffe://example.org/client`
-	tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID), localTrace)
+	tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeID(clientID))
 	server := &http.Server{
 		Addr:      ":8443",
 		TLSConfig: tlsConfig,

v2/examples/spiffe-jwt-using-proxy/proxy/main.go

@@ -49,21 +49,12 @@ func main() {
 
 	http.HandleFunc("/", handler(proxy))
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create an HTTP server using a TLS configuration that doesn't require
 	// client certificates, because the proxy is not in charge of authenticating
 	// the clients.
 	server := &http.Server{
 		Addr:      ":8443",
-		TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+		TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 	}
 	log.Fatal(server.ListenAndServeTLS("", ""))
 }

v2/examples/spiffe-jwt-using-proxy/server/main.go

@@ -80,18 +80,9 @@ func main() {
 	}
 	http.Handle("/", auth.authenticateClient(http.HandlerFunc(index)))
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	server := &http.Server{
 		Addr:      ":8080",
-		TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+		TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 	}
 	log.Fatal(server.ListenAndServeTLS("", ""))
 }

v2/examples/spiffe-jwt/server/main.go

@@ -65,17 +65,8 @@ func main() {
 	}
 	defer x509Source.Close()
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	// Create a `tls.Config` with configuration to allow TLS communication with client
-	tlsConfig := tlsconfig.TLSServerConfig(x509Source, localTrace)
+	tlsConfig := tlsconfig.TLSServerConfig(x509Source)
 	server := &http.Server{
 		Addr:      ":8443",
 		TLSConfig: tlsConfig,

v2/federation/examples_test.go

@@ -2,7 +2,6 @@ package federation_test
 
 import (
 	"context"
-	"log"
 	"net/http"
 
 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
@@ -143,19 +142,10 @@ func ExampleHandler_sPIFFEAuth() {
 	}
 	defer bundleSource.Close()
 
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			log.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			log.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	server := http.Server{
 		Addr:      ":8443",
 		Handler:   federation.Handler(trustDomain, bundleSource, logger.Null),
-		TLSConfig: tlsconfig.TLSServerConfig(x509Source, localTrace),
+		TLSConfig: tlsconfig.TLSServerConfig(x509Source),
 	}
 	if err := server.ListenAndServeTLS("", ""); err != nil {
 		// TODO: handle error

v2/internal/test/fakebundleendpoint/server.go

@@ -127,18 +127,9 @@ func WithTestBundles(bundles ...*spiffebundle.Bundle) ServerOption {
 }
 
 func WithSPIFFEAuth(bundle *spiffebundle.Bundle, svid *x509svid.SVID) ServerOption {
-	localTrace := tlsconfig.Trace{
-		GetTLSCertificateStart: func(tlsconfig.GetTLSCertificateStart) {
-			fmt.Printf("got start of GetTLSCertificate\n")
-		},
-		GetTLSCertificateEnd: func(tlsconfig.GetTLSCertificateEnd) {
-			fmt.Printf("got end of GetTLSCertificate\n")
-		},
-	}
-
 	return serverOption(func(s *Server) {
 		s.rootCAs = x509util.NewCertPool(bundle.X509Authorities())
-		s.tlscfg = tlsconfig.TLSServerConfig(svid, localTrace)
+		s.tlscfg = tlsconfig.TLSServerConfig(svid)
 	})
 }
 

v2/spiffetls/dial.go

@@ -59,9 +59,9 @@ func DialWithMode(ctx context.Context, network, addr string, mode DialMode, opti
 	case tlsClientMode:
 		tlsconfig.HookTLSClientConfig(tlsConfig, m.bundle, m.authorizer)
 	case mtlsClientMode:
-		tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsConfigTrace)
+		tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.mtlsClientConfigOpts...)
 	case mtlsWebClientMode:
-		tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots, opt.tlsConfigTrace)
+		tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots, opt.mtlsWebClientConfigOpts...)
 	default:
 		return nil, spiffetlsErr.New("unknown client mode: %v", m.mode)
 	}

v2/spiffetls/listen.go

@@ -89,9 +89,9 @@ func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMod
 
 	switch m.mode {
 	case tlsServerMode:
-		tlsconfig.HookTLSServerConfig(tlsConfig, m.svid, opt.tlsConfigTrace)
+		tlsconfig.HookTLSServerConfig(tlsConfig, m.svid, opt.tlsServerConfigOpts...)
 	case mtlsServerMode:
-		tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsConfigTrace)
+		tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.mtlsServerConfigOpts...)
 	case mtlsWebServerMode:
 		tlsconfig.HookMTLSWebServerConfig(tlsConfig, m.cert, m.bundle, m.authorizer)
 	default:

v2/spiffetls/option.go

@@ -22,16 +22,18 @@ func (fn dialOption) apply(c *dialConfig) {
 }
 
 type dialConfig struct {
-	baseTLSConf    *tls.Config
-	dialer         *net.Dialer
-	tlsConfigTrace tlsconfig.Trace
+	baseTLSConf             *tls.Config
+	dialer                  *net.Dialer
+	mtlsClientConfigOpts    []tlsconfig.MTLSClientConfigOption
+	mtlsWebClientConfigOpts []tlsconfig.MTLSWebClientConfigOption
 }
 
 type listenOption func(*listenConfig)
 
 type listenConfig struct {
-	baseTLSConf    *tls.Config
-	tlsConfigTrace tlsconfig.Trace
+	baseTLSConf          *tls.Config
+	tlsServerConfigOpts  []tlsconfig.TLSServerConfigOption
+	mtlsServerConfigOpts []tlsconfig.MTLSServerConfigOption
 }
 
 func (fn listenOption) apply(c *listenConfig) {
@@ -47,6 +49,21 @@ func WithDialTLSConfigBase(base *tls.Config) DialOption {
 	})
 }
 
+// WithDialMTLSClientConfigOption provides options to use when doing Client mTLS.
+func WithDialMTLSClientConfigOption(opts ...tlsconfig.MTLSClientConfigOption) DialOption {
+	return dialOption(func(c *dialConfig) {
+		c.mtlsClientConfigOpts = opts
+	})
+}
+
+// WithDialMTLSWebClientConfigOption provides options to use when doing Client mTLS
+// as a web client.
+func WithDialMTLSWebClientConfigOption(opts ...tlsconfig.MTLSWebClientConfigOption) DialOption {
+	return dialOption(func(c *dialConfig) {
+		c.mtlsWebClientConfigOpts = opts
+	})
+}
+
 // WithDialer provides a net dialer to use. If unset, the standard net dialer
 // will be used.
 func WithDialer(dialer *net.Dialer) DialOption {
@@ -68,3 +85,18 @@ func WithListenTLSConfigBase(base *tls.Config) ListenOption {
 		c.baseTLSConf = base
 	})
 }
+
+// WithDialTLSServerConfigOption provides options to use when doing Server mTLS.
+func WithDialTLSServerConfigOption(opts ...tlsconfig.TLSServerConfigOption) ListenOption {
+	return listenOption(func(c *listenConfig) {
+		c.tlsServerConfigOpts = opts
+	})
+}
+
+// WithDialMTLSServerConfigOption provides options to use when doing Server mTLS
+// as a web client.
+func WithDialMTLSServerConfigOption(opts ...tlsconfig.MTLSServerConfigOption) ListenOption {
+	return listenOption(func(c *listenConfig) {
+		c.mtlsServerConfigOpts = opts
+	})
+}