Skip to content

Commit

Permalink
refactor(config): add TLSVersion type
Browse files Browse the repository at this point in the history
  • Loading branch information
ThinkChaos committed Nov 23, 2023
1 parent 7d93ffb commit 270dc17
Show file tree
Hide file tree
Showing 4 changed files with 134 additions and 18 deletions.
38 changes: 37 additions & 1 deletion config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package config

import (
"context"
"crypto/tls"
"errors"
"fmt"
"net"
Expand Down Expand Up @@ -78,6 +79,26 @@ func (ipv IPVersion) QTypes() []dns.Type {
panic(fmt.Errorf("bad value: %s", ipv))
}

// TLSVersion represents a TLS protocol version. ENUM(
// 1.0 = 769
// 1.1
// 1.2
// 1.3
// )
type TLSVersion int // values MUST match `tls.VersionTLS*`

func (v *TLSVersion) validate(logger *logrus.Entry) {
// So we get a linting error if it is considered insecure in the future
minAllowed := tls.Config{MinVersion: tls.VersionTLS12}.MinVersion

if *v < TLSVersion(minAllowed) {
def := mustDefault[Config]().MinTLSServeVer

logger.Warnf("TLS version %s is insecure, using %s instead", v, def)
*v = def
}
}

// QueryLogType type of the query log ENUM(
// console // use logger as fallback
// none // no logging
Expand Down Expand Up @@ -201,7 +222,7 @@ type Config struct {
Redis RedisConfig `yaml:"redis"`
Log log.Config `yaml:"log"`
Ports PortsConfig `yaml:"ports"`
MinTLSServeVer string `yaml:"minTlsServeVersion" default:"1.2"`
MinTLSServeVer TLSVersion `yaml:"minTlsServeVersion" default:"1.2"`
CertFile string `yaml:"certFile"`
KeyFile string `yaml:"keyFile"`
BootstrapDNS BootstrapDNSConfig `yaml:"bootstrapDns"`
Expand Down Expand Up @@ -384,6 +405,15 @@ func WithDefaults[T any]() (T, error) {
return cfg, nil
}

func mustDefault[T any]() T {
cfg, err := WithDefaults[T]()
if err != nil {
util.FatalOnError("broken defaults", err)
}

return cfg
}

// LoadConfig creates new config from YAML file or a directory containing YAML files
func LoadConfig(path string, mandatory bool) (rCfg *Config, rerr error) {
cfg, err := WithDefaults[Config]()
Expand Down Expand Up @@ -495,6 +525,8 @@ func unmarshalConfig(data []byte, cfg *Config) error {
logger.Error("configuration uses deprecated options, see warning logs for details")
}

cfg.validate(logger)

return nil
}

Expand Down Expand Up @@ -525,6 +557,10 @@ func (cfg *Config) migrate(logger *logrus.Entry) bool {
return usesDepredOpts
}

func (cfg *Config) validate(logger *logrus.Entry) {
cfg.MinTLSServeVer.validate(logger)
}

// ConvertPort converts string representation into a valid port (0 - 65535)
func ConvertPort(in string) (uint16, error) {
const (
Expand Down
92 changes: 92 additions & 0 deletions config/config_enum.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion config/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package config

import (
"context"
"crypto/tls"
"errors"
"net"
"sync/atomic"
Expand Down Expand Up @@ -800,7 +801,8 @@ func defaultTestFileConfig(config *Config) {
Expect(config.Caching.MaxCachingTime).Should(BeZero())
Expect(config.Caching.MinCachingTime).Should(BeZero())

Expect(config.MinTLSServeVer).Should(Equal("1.3"))
Expect(config.MinTLSServeVer).Should(Equal(TLSVersion13))
Expect(config.MinTLSServeVer).Should(BeEquivalentTo(tls.VersionTLS13))
}

func writeConfigYml(tmpDir *helpertest.TmpFolder) *helpertest.TmpFile {
Expand Down
18 changes: 2 additions & 16 deletions server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,20 +56,6 @@ func logger() *logrus.Entry {
return log.PrefixedLog("server")
}

func minTLSVersion(cfg *config.Config) uint16 {
minTLSVer := cfg.MinTLSServeVer
switch minTLSVer {
case "1.2":
return tls.VersionTLS12
case "1.3":
return tls.VersionTLS13
default:
logger().Warn("Not allowed or supported mininum TLS version ", minTLSVer, ", fallback to TLS 1.3")

return tls.VersionTLS13
}
}

func tlsCipherSuites() []uint16 {
tlsCipherSuites := []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
Expand Down Expand Up @@ -252,7 +238,7 @@ func createTLSServer(cfg *config.Config, address string, cert tls.Certificate) (
//nolint:gosec
TLSConfig: &tls.Config{
Certificates: []tls.Certificate{cert},
MinVersion: minTLSVersion(cfg),
MinVersion: uint16(cfg.MinTLSServeVer),
CipherSuites: tlsCipherSuites(),
},
Handler: dns.NewServeMux(),
Expand Down Expand Up @@ -524,7 +510,7 @@ func (s *Server) Start(ctx context.Context, errCh chan<- error) {
WriteTimeout: writeTimeout,
//nolint:gosec
TLSConfig: &tls.Config{
MinVersion: minTLSVersion(s.cfg),
MinVersion: uint16(s.cfg.MinTLSServeVer),
CipherSuites: tlsCipherSuites(),
Certificates: []tls.Certificate{s.cert},
},
Expand Down

0 comments on commit 270dc17

Please sign in to comment.