grafana · jayjayswal · May 10, 2020 · May 14, 2020 · May 14, 2020 · May 14, 2020
@@ -104,6 +104,9 @@ func (c Config) Apply(cfg Config) Config {
 	if cfg.SummaryExport.Valid {
 		c.SummaryExport = cfg.SummaryExport
 	}
+	if cfg.LogTLSKey.Valid {
+		c.LogTLSKey = cfg.LogTLSKey
+	}
 	c.Collectors.InfluxDB = c.Collectors.InfluxDB.Apply(cfg.Collectors.InfluxDB)
 	c.Collectors.Cloud = c.Collectors.Cloud.Apply(cfg.Collectors.Cloud)
 	c.Collectors.Kafka = c.Collectors.Kafka.Apply(cfg.Collectors.Kafka)
@@ -163,9 +166,25 @@ func readDiskConfig(fs afero.Fs) (Config, string, error) {
 	}
 	var conf Config
 	err = json.Unmarshal(data, &conf)
+	if err != nil {
+		return Config{}, realConfigFilePath, err
+	}
+	err = ValidateDiskConfigOptions(&conf)
+	if err != nil {
+		return Config{}, realConfigFilePath, err
+	}
 	return conf, realConfigFilePath, err
 }
 
+// ValidateDiskConfigOptions will check for invalid options set in config.json file.
+func ValidateDiskConfigOptions(config *Config) error {
+	if config.Options.LogTLSKey.Valid {
+		return errors.New("use command line argument or environment variable to set LogTlsKey. " +
+			"use of LogTlsKey compromises security and should only be used for debugging")
+	}
+	return nil
+}
+
 // Serializes the configuration to a JSON file and writes it in the supplied
 // location on the supplied filesystem
 func writeDiskConfig(fs afero.Fs, configPath string, conf Config) error {

@@ -58,6 +58,8 @@ func optionFlagSet() *pflag.FlagSet {
 	flags.String("http-debug", "", "log all HTTP requests and responses. Excludes body by default. To include body use '--http-debug=full'")
 	flags.Lookup("http-debug").NoOptDefVal = "headers"
 	flags.Bool("insecure-skip-tls-verify", false, "skip verification of TLS certificates")
+	flags.Bool("log-tls-key", false, "logs TLS public key. "+
+		"use of LogTlsKey compromises security and should only be used for debugging.")
 	flags.Bool("no-connection-reuse", false, "disable keep-alive connections")
 	flags.Bool("no-vu-connection-reuse", false, "don't reuse connections between iterations")
 	flags.Duration("min-iteration-duration", 0, "minimum amount of time k6 will take executing a single iteration")
@@ -99,6 +101,7 @@ func getOptions(flags *pflag.FlagSet) (lib.Options, error) {
 		UserAgent:             getNullString(flags, "user-agent"),
 		HTTPDebug:             getNullString(flags, "http-debug"),
 		InsecureSkipTLSVerify: getNullBool(flags, "insecure-skip-tls-verify"),
+		LogTLSKey:             getNullBool(flags, "log-tls-key"),
 		NoConnectionReuse:     getNullBool(flags, "no-connection-reuse"),
 		NoVUConnectionReuse:   getNullBool(flags, "no-vu-connection-reuse"),
 		MinIterationDuration:  getNullDuration(flags, "min-iteration-duration"),

@@ -127,10 +127,22 @@ func NewBundle(src *loader.SourceData, filesystems map[string]afero.Fs, rtOpts l
 			}
 		}
 	}
-
+	err = ValidateJsScriptOptions(&bundle.Options)
+	if err != nil {
+		return nil, err
+	}
 	return &bundle, nil
 }
 
+// ValidateJsScriptOptions will check for invalid options set in .js file.
+func ValidateJsScriptOptions(options *lib.Options) error {
+	if options.LogTLSKey.Valid {
+		return errors.New("use command line argument or environment variable to set LogTlsKey. " +
+			"use of LogTlsKey compromises security and should only be used for debugging")
+	}
+	return nil
+}
+
 // NewBundleFromArchive creates a new bundle from an lib.Archive.
 func NewBundleFromArchive(arc *lib.Archive, rtOpts lib.RuntimeOptions) (*Bundle, error) {
 	if arc.Type != "js" {

@@ -168,6 +168,9 @@ func (r *Runner) newVU(samplesOut chan<- stats.SampleContainer) (*VU, error) {
 		NameToCertificate:  nameToCert,
 		Renegotiation:      tls.RenegotiateFreelyAsClient,
 	}
+	if r.Bundle.Options.LogTLSKey.Bool {
+		tlsConfig.KeyLogWriter = r.Logger.Out
+	}
 	transport := &http.Transport{
 		Proxy:               http.ProxyFromEnvironment,
 		TLSClientConfig:     tlsConfig,

@@ -225,6 +225,7 @@ type Options struct {
 
 	// Accept invalid or untrusted TLS certificates.
 	InsecureSkipTLSVerify null.Bool `json:"insecureSkipTLSVerify" envconfig:"K6_INSECURE_SKIP_TLS_VERIFY"`
+	LogTLSKey             null.Bool `json:"logTLSKey" envconfig:"K6_LOG_TLS_KEY"`
 
 	// Specify TLS versions and cipher suites, and present client certificates.
 	TLSCipherSuites *TLSCipherSuites `json:"tlsCipherSuites" envconfig:"K6_TLS_CIPHER_SUITES"`