[#562] Empty default value for TLS termination header param
If the service is not accessed through a proxy and the default value of the header-key parameter is not empty, the system administrator has no control over disabling TLS verification, because a client can simply add the known header and thereby skip the verification. Therefore, the default value of the header parameter is now empty. When it is empty, TLS verification cannot be disabled in any way. Thus, the system administrator is able to control the enabling/disabling of TLS.

Signed-off-by: Roman Loginov <r.loginov@yadro.com>
parent
59b789f57e
commit
04b8fc2b5f
5 changed files with 35 additions and 27 deletions
|
@ -636,8 +636,6 @@ func TestPutObjectWithContentLanguage(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestFormEncryptionParamsBase(t *testing.T) {
|
||||
hc := prepareHandlerContext(t)
|
||||
|
||||
userSecret := "test1customer2secret3with32char4"
|
||||
expectedEncKey := []byte(userSecret)
|
||||
emptyEncKey := []byte(nil)
|
||||
|
@ -770,7 +768,8 @@ func TestFormEncryptionParamsBase(t *testing.T) {
|
|||
},
|
||||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
r := prepareRequestForEncryption(tc.algo, tc.key, tc.md5, tc.tlsTermination, tc.reqWithoutTLS, tc.reqWithoutSSE, tc.isCopySource)
|
||||
hc := prepareHandlerContext(t)
|
||||
r := prepareRequestForEncryption(hc, tc.algo, tc.key, tc.md5, tc.tlsTermination, tc.reqWithoutTLS, tc.reqWithoutSSE, tc.isCopySource)
|
||||
|
||||
enc, err := hc.h.formEncryptionParamsBase(r, tc.isCopySource)
|
||||
if tc.err != nil {
|
||||
|
@ -789,7 +788,7 @@ func TestFormEncryptionParamsBase(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func prepareRequestForEncryption(algo, key, md5, tlsTermination string, reqWithoutTLS, reqWithoutSSE, isCopySource bool) *http.Request {
|
||||
func prepareRequestForEncryption(hc *handlerContext, algo, key, md5, tlsTermination string, reqWithoutTLS, reqWithoutSSE, isCopySource bool) *http.Request {
|
||||
r := httptest.NewRequest(http.MethodPost, "/", nil)
|
||||
|
||||
if !reqWithoutTLS {
|
||||
|
@ -808,8 +807,10 @@ func prepareRequestForEncryption(algo, key, md5, tlsTermination string, reqWitho
|
|||
}
|
||||
}
|
||||
|
||||
customHeader := "X-Frostfs-TLS-Termination"
|
||||
if tlsTermination != "" {
|
||||
r.Header.Set("X-Frostfs-TLS-Termination", tlsTermination)
|
||||
hc.config.tlsTerminationHeader = customHeader
|
||||
r.Header.Set(customHeader, tlsTermination)
|
||||
}
|
||||
|
||||
return r
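Review bot: In `prepareRequestForEncryption`, the new `hc.config.tlsTerminationHeader = customHeader` sits in the same `if tlsTermination != ""` branch as `r.Header.Set(customHeader, tlsTermination)`. No request built by this helper can therefore carry the header while the parameter stays at its new empty default, which is the case the commit message is about. The test table is outside the visible hunks, so this is inferred from the helper alone. I would add a case that sends the header on a non-TLS request without configuring the parameter and expects `formEncryptionParamsBase` to reject it, for instance by passing an extra bool to the helper and guarding only the assignment: `if configureHeader { hc.config.tlsTerminationHeader = customHeader }`. A short comment on the helper noting that it mutates `hc.config` would also help, since the fresh `hc` created per subtest now exists to contain that side effect.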
|
||||
|
|