make sure client CA and auth type are set if CA is explicitly specified. (#2825)
* make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
This commit is contained in:
parent
5565ca1c03
commit
a6d9adbf4a
6 changed files with 160 additions and 1 deletions
|
@ -1,6 +1,8 @@
|
|||
package tls
|
||||
|
||||
import (
|
||||
ctls "crypto/tls"
|
||||
|
||||
"github.com/coredns/coredns/core/dnsserver"
|
||||
"github.com/coredns/coredns/plugin"
|
||||
"github.com/coredns/coredns/plugin/pkg/tls"
|
||||
|
@ -16,6 +18,14 @@ func init() {
|
|||
}
|
||||
|
||||
func setup(c *caddy.Controller) error {
|
||||
err := parseTLS(c)
|
||||
if err != nil {
|
||||
return plugin.Error("tls", err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func parseTLS(c *caddy.Controller) error {
|
||||
config := dnsserver.GetConfig(c)
|
||||
|
||||
if config.TLSConfig != nil {
|
||||
|
@ -27,10 +37,39 @@ func setup(c *caddy.Controller) error {
|
|||
if len(args) < 2 || len(args) > 3 {
|
||||
return plugin.Error("tls", c.ArgErr())
|
||||
}
|
||||
clientAuth := ctls.NoClientCert
|
||||
for c.NextBlock() {
|
||||
switch c.Val() {
|
||||
case "client_auth":
|
||||
authTypeArgs := c.RemainingArgs()
|
||||
if len(authTypeArgs) != 1 {
|
||||
return c.ArgErr()
|
||||
}
|
||||
switch authTypeArgs[0] {
|
||||
case "nocert":
|
||||
clientAuth = ctls.NoClientCert
|
||||
case "request":
|
||||
clientAuth = ctls.RequestClientCert
|
||||
case "require":
|
||||
clientAuth = ctls.RequireAnyClientCert
|
||||
case "verify_if_given":
|
||||
clientAuth = ctls.VerifyClientCertIfGiven
|
||||
case "require_and_verify":
|
||||
clientAuth = ctls.RequireAndVerifyClientCert
|
||||
default:
|
||||
return c.Errf("unknown authentication type '%s'", authTypeArgs[0])
|
||||
}
|
||||
default:
|
||||
return c.Errf("unknown option '%s'", c.Val())
|
||||
}
|
||||
}
|
||||
tls, err := tls.NewTLSConfigFromArgs(args...)
|
||||
if err != nil {
|
||||
return plugin.Error("tls", err)
|
||||
return err
|
||||
}
|
||||
tls.ClientAuth = clientAuth
|
||||
// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
|
||||
tls.ClientCAs = tls.RootCAs
|
||||
config.TLSConfig = tls
|
||||
}
|
||||
return nil
|
||||
|
|
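Review bot: In the third hunk, `tls.ClientCAs = tls.RootCAs` is assigned unconditionally, but when the directive is given only a cert and key (two args) RootCAs is presumably nil — NewTLSConfigFromArgs is outside this diff — and a nil ClientCAs makes crypto/tls verify client certificates against the system root store, so `client_auth verify_if_given` or `require_and_verify` without a CA file would accept any certificate chaining to a public root instead of failing closed. Consider rejecting that combination after the block loop, e.g. `if (clientAuth == ctls.VerifyClientCertIfGiven || clientAuth == ctls.RequireAndVerifyClientCert) && len(args) < 3 { return c.Errf("client_auth %s requires a CA file", authType) }` (with the parsed option string kept in a local), and extend the existing ClientCAs comment with `// nil ClientCAs would fall back to the system roots, so a CA must be given for the verifying modes`. Separately, the new `return err` after NewTLSConfigFromArgs leaves setup to add the "tls" prefix, while the earlier `return plugin.Error("tls", c.ArgErr())` in the same function gets wrapped twice; picking one style for parseTLS would keep error messages uniform.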