TLS Mode is now an enum

nginxinc · Dec 7, 2023 · 45d047a · 45d047a
1 parent 360536b
commit 45d047a
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 43 deletions.
diff --git a/cmd/tls-config-factory-test-harness/main.go b/cmd/tls-config-factory-test-harness/main.go
@@ -87,7 +87,7 @@ func ssTlsConfig() configuration.Settings {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	return configuration.Settings{
-		TlsMode: "ss-tls",
+		TlsMode: configuration.TLSModeSsTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},
@@ -100,7 +100,7 @@ func ssMtlsConfig() configuration.Settings {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	return configuration.Settings{
-		TlsMode: "ss-mtls",
+		TlsMode: configuration.TLSModeSsMTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},
@@ -109,7 +109,7 @@ func ssMtlsConfig() configuration.Settings {
 
 func caTlsConfig() configuration.Settings {
 	return configuration.Settings{
-		TlsMode: "ca-tls",
+		TlsMode: configuration.TLSModeCaTLS,
 	}
 }
 
@@ -118,7 +118,7 @@ func caMtlsConfig() configuration.Settings {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	return configuration.Settings{
-		TlsMode: "ca-mtls",
+		TlsMode: configuration.TLSModeCaMTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},

diff --git a/internal/authentication/factory.go b/internal/authentication/factory.go
@@ -20,20 +20,24 @@ import (
 func NewTlsConfig(settings *configuration.Settings) (*tls.Config, error) {
 	logrus.Debugf("authentication::NewTlsConfig Creating TLS config for mode: '%s'", settings.TlsMode)
 	switch settings.TlsMode {
-	case "ss-tls": // needs ca cert
+
+	case configuration.TLSModeNoTLS:
+		return buildBasicTlsConfig(true), nil
+
+	case configuration.TLSModeSsTLS: // needs ca cert
 		return buildSelfSignedTlsConfig(settings.Certificates)
 
-	case "ss-mtls": // needs ca cert and client cert
+	case configuration.TLSModeSsMTLS: // needs ca cert and client cert
 		return buildSelfSignedMtlsConfig(settings.Certificates)
 
-	case "ca-tls": // needs nothing
+	case configuration.TLSModeCaTLS: // needs nothing
 		return buildBasicTlsConfig(false), nil
 
-	case "ca-mtls": // needs client cert
+	case configuration.TLSModeCaMTLS: // needs client cert
 		return buildCaTlsConfig(settings.Certificates)
 
-	default: // no-tls, needs nothing
-		return buildBasicTlsConfig(true), nil
+	default:
+		return nil, fmt.Errorf("unknown TLS mode: %s", settings.TlsMode)
 	}
 }
 

diff --git a/internal/authentication/factory_test.go b/internal/authentication/factory_test.go
@@ -16,25 +16,6 @@ const (
 	ClientCertificateSecretKey = "nlk-tls-client-secret"
 )
 
-func TestTlsFactory_EmptyStringModeDefaultsToNoTls(t *testing.T) {
-	settings := configuration.Settings{
-		TlsMode: "",
-	}
-
-	tlsConfig, err := NewTlsConfig(&settings)
-	if err != nil {
-		t.Fatalf(`Unexpected error: %v`, err)
-	}
-
-	if tlsConfig == nil {
-		t.Fatalf(`tlsConfig should not be nil`)
-	}
-
-	if tlsConfig.InsecureSkipVerify != true {
-		t.Fatalf(`tlsConfig.InsecureSkipVerify should be true`)
-	}
-}
-
 func TestTlsFactory_UnspecifiedModeDefaultsToNoTls(t *testing.T) {
 	settings := configuration.Settings{}
 
@@ -57,7 +38,7 @@ func TestTlsFactory_SelfSignedTlsMode(t *testing.T) {
 	certificates[CaCertificateSecretKey] = buildCaCertificateEntry(caCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-tls",
+		TlsMode: configuration.TLSModeSsTLS,
 		Certificates: &certification.Certificates{
 			Certificates:               certificates,
 			CaCertificateSecretKey:     CaCertificateSecretKey,
@@ -92,7 +73,7 @@ func TestTlsFactory_SelfSignedTlsModeCertPoolError(t *testing.T) {
 	certificates[CaCertificateSecretKey] = buildCaCertificateEntry(invalidCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-tls",
+		TlsMode: configuration.TLSModeSsTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},
@@ -113,7 +94,7 @@ func TestTlsFactory_SelfSignedTlsModeCertPoolCertificateParseError(t *testing.T)
 	certificates[CaCertificateSecretKey] = buildCaCertificateEntry(invalidCertificateDataPEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-tls",
+		TlsMode: configuration.TLSModeSsTLS,
 		Certificates: &certification.Certificates{
 			Certificates:               certificates,
 			CaCertificateSecretKey:     CaCertificateSecretKey,
@@ -137,7 +118,7 @@ func TestTlsFactory_SelfSignedMtlsMode(t *testing.T) {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-mtls",
+		TlsMode: configuration.TLSModeSsMTLS,
 		Certificates: &certification.Certificates{
 			Certificates:               certificates,
 			CaCertificateSecretKey:     CaCertificateSecretKey,
@@ -173,7 +154,7 @@ func TestTlsFactory_SelfSignedMtlsModeCertPoolError(t *testing.T) {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-mtls",
+		TlsMode: configuration.TLSModeSsMTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},
@@ -195,7 +176,7 @@ func TestTlsFactory_SelfSignedMtlsModeClientCertificateError(t *testing.T) {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), invalidCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ss-mtls",
+		TlsMode: configuration.TLSModeSsMTLS,
 		Certificates: &certification.Certificates{
 			Certificates:               certificates,
 			CaCertificateSecretKey:     CaCertificateSecretKey,
@@ -215,7 +196,7 @@ func TestTlsFactory_SelfSignedMtlsModeClientCertificateError(t *testing.T) {
 
 func TestTlsFactory_CaTlsMode(t *testing.T) {
 	settings := configuration.Settings{
-		TlsMode: "ca-tls",
+		TlsMode: configuration.TLSModeCaTLS,
 	}
 
 	tlsConfig, err := NewTlsConfig(&settings)
@@ -245,7 +226,7 @@ func TestTlsFactory_CaMtlsMode(t *testing.T) {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), clientCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ca-mtls",
+		TlsMode: configuration.TLSModeCaMTLS,
 		Certificates: &certification.Certificates{
 			Certificates:               certificates,
 			CaCertificateSecretKey:     CaCertificateSecretKey,
@@ -281,7 +262,7 @@ func TestTlsFactory_CaMtlsModeClientCertificateError(t *testing.T) {
 	certificates[ClientCertificateSecretKey] = buildClientCertificateEntry(clientKeyPEM(), invalidCertificatePEM())
 
 	settings := configuration.Settings{
-		TlsMode: "ca-mtls",
+		TlsMode: configuration.TLSModeCaMTLS,
 		Certificates: &certification.Certificates{
 			Certificates: certificates,
 		},

diff --git a/internal/configuration/settings.go b/internal/configuration/settings.go
@@ -110,7 +110,7 @@ type Settings struct {
 	NginxPlusHosts []string
 
 	// TlsMode is the value used to determine which of the five TLS modes will be used to communicate with the Border Servers (see: ../../docs/tls/README.md).
-	TlsMode string
+	TlsMode TLSMode
 
 	// Certificates is the object used to retrieve the certificates and keys used to communicate with the Border Servers.
 	Certificates *certification.Certificates
@@ -139,7 +139,7 @@ func NewSettings(ctx context.Context, k8sClient kubernetes.Interface) (*Settings
 	settings := &Settings{
 		Context:      ctx,
 		K8sClient:    k8sClient,
-		TlsMode:      "",
+		TlsMode:      TLSModeNoTLS,
 		Certificates: nil,
 		Handler: HandlerSettings{
 			RetryCount: 5,
@@ -284,11 +284,11 @@ func (s *Settings) handleUpdateEvent(_ interface{}, newValue interface{}) {
 
 	tlsMode, found := configMap.Data["tls-mode"]
 	if found {
-		s.TlsMode = tlsMode
+		s.TlsMode = TLSModeMap[tlsMode]
 		logrus.Debugf("Settings::handleUpdateEvent: tls-mode: %s", s.TlsMode)
 	} else {
-		s.TlsMode = "no-tls"
-		logrus.Warnf("Settings::handleUpdateEvent: tls-mode key not found in ConfigMap, defaulting to 'no-tls'")
+		s.TlsMode = TLSModeNoTLS
+		logrus.Warnf("Settings::handleUpdateEvent: tls-mode key not found in ConfigMap, defaulting to '%s'", s.TlsMode)
 	}
 
 	caCertificateSecretKey, found := configMap.Data["ca-certificate"]

diff --git a/internal/configuration/tlsmodes.go b/internal/configuration/tlsmodes.go
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2023 F5 Inc. All rights reserved.
+ * Use of this source code is governed by the Apache License that can be found in the LICENSE file.
+ */
+
+package configuration
+
+type TLSMode int
+
+var TLSModeMap = map[string]TLSMode{
+	"no-tls":  TLSModeNoTLS,
+	"ca-tls":  TLSModeCaTLS,
+	"ca-mtls": TLSModeCaMTLS,
+	"ss-tls":  TLSModeSsTLS,
+	"ss-mtls": TLSModeSsMTLS,
+}
+
+const (
+	TLSModeNoTLS TLSMode = iota
+	TLSModeCaTLS
+	TLSModeCaMTLS
+	TLSModeSsTLS
+	TLSModeSsMTLS
+)
+
+func (t TLSMode) String() string {
+	modes := []string{"no-tls", "ca-tls", "ca-mtls", "ss-tls", "ss-mtls"}
+	if t < TLSModeNoTLS || t > TLSModeSsMTLS {
+		return ""
+	}
+	return modes[t]
+}
diff --git a/internal/configuration/tlsmodes_test.go b/internal/configuration/tlsmodes_test.go
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2023 F5 Inc. All rights reserved.
+ * Use of this source code is governed by the Apache License that can be found in the LICENSE file.
+ */
+
+package configuration
+
+import (
+	"testing"
+)
+
+func Test_String(t *testing.T) {
+	mode := TLSModeNoTLS.String()
+	if mode != "no-tls" {
+		t.Errorf("Expected TLSModeNoTLS to be 'no-tls', got '%s'", mode)
+	}
+
+	mode = TLSModeCaTLS.String()
+	if mode != "ca-tls" {
+		t.Errorf("Expected TLSModeCaTLS to be 'ca-tls', got '%s'", mode)
+	}
+
+	mode = TLSModeCaMTLS.String()
+	if mode != "ca-mtls" {
+		t.Errorf("Expected TLSModeCaMTLS to be 'ca-mtls', got '%s'", mode)
+	}
+
+	mode = TLSModeSsTLS.String()
+	if mode != "ss-tls" {
+		t.Errorf("Expected TLSModeSsTLS to be 'ss-tls', got '%s'", mode)
+	}
+
+	mode = TLSModeSsMTLS.String()
+	if mode != "ss-mtls" {
+		t.Errorf("Expected TLSModeSsMTLS to be 'ss-mtls', got '%s',", mode)
+	}
+
+	mode = TLSMode(5).String()
+	if mode != "" {
+		t.Errorf("Expected TLSMode(5) to be '', got '%s'", mode)
+	}
+}
+
+func Test_TLSModeMap(t *testing.T) {
+	mode := TLSModeMap["no-tls"]
+	if mode != TLSModeNoTLS {
+		t.Errorf("Expected TLSModeMap['no-tls'] to be TLSModeNoTLS, got '%d'", mode)
+	}
+
+	mode = TLSModeMap["ca-tls"]
+	if mode != TLSModeCaTLS {
+		t.Errorf("Expected TLSModeMap['ca-tls'] to be TLSModeCaTLS, got '%d'", mode)
+	}
+
+	mode = TLSModeMap["ca-mtls"]
+	if mode != TLSModeCaMTLS {
+		t.Errorf("Expected TLSModeMap['ca-mtls'] to be TLSModeCaMTLS, got '%d'", mode)
+	}
+
+	mode = TLSModeMap["ss-tls"]
+	if mode != TLSModeSsTLS {
+		t.Errorf("Expected TLSModeMap['ss-tls'] to be TLSModeSsTLS, got '%d'", mode)
+	}
+
+	mode = TLSModeMap["ss-mtls"]
+	if mode != TLSModeSsMTLS {
+		t.Errorf("Expected TLSModeMap['ss-mtls'] to be TLSModeSsMTLS, got '%d'", mode)
+	}
+
+	mode = TLSModeMap["invalid"]
+	if mode != TLSMode(0) {
+		t.Errorf("Expected TLSModeMap['invalid'] to be TLSMode(0), got '%d'", mode)
+	}
+}