From d4610972474eed37b3eeac187dc56f217889dd2e Mon Sep 17 00:00:00 2001 From: Juan Font Date: Sat, 19 Nov 2022 10:33:15 +0000 Subject: [PATCH] Remove mTLS stuff from code --- app.go | 26 -------------------------- app_test.go | 17 ----------------- config.go | 25 ++----------------------- integration/hsic/hsic.go | 3 +-- 4 files changed, 3 insertions(+), 68 deletions(-) diff --git a/app.go b/app.go index c97c3f15..26a88ca7 100644 --- a/app.go +++ b/app.go @@ -101,27 +101,6 @@ type Headscale struct { pollNetMapStreamWG sync.WaitGroup } -// Look up the TLS constant relative to user-supplied TLS client -// authentication mode. If an unknown mode is supplied, the default -// value, tls.RequireAnyClientCert, is returned. The returned boolean -// indicates if the supplied mode was valid. -func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) { - switch mode { - case DisabledClientAuth: - // Client cert is _not_ required. - return tls.NoClientCert, true - case RelaxedClientAuth: - // Client cert required, but _not verified_. - return tls.RequireAnyClientCert, true - case EnforcedClientAuth: - // Client cert is _required and verified_. - return tls.RequireAndVerifyClientCert, true - default: - // Return the default when an unknown value is supplied. - return tls.RequireAnyClientCert, false - } -} - func NewHeadscale(cfg *Config) (*Headscale, error) { privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath) if err != nil { @@ -855,12 +834,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) { log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") } - log.Info().Msg(fmt.Sprintf( - "Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.", - h.cfg.TLS.ClientAuthMode)) - tlsConfig := &tls.Config{ - ClientAuth: h.cfg.TLS.ClientAuthMode, NextProtos: []string{"http/1.1"}, Certificates: make([]tls.Certificate, 1), MinVersion: tls.VersionTLS12, diff --git a/app_test.go b/app_test.go index c2ebe4ad..5f23fd2b 100644 --- a/app_test.go +++ b/app_test.go @@ -59,20 +59,3 @@ func (s *Suite) ResetDB(c *check.C) { } app.db = db } - -// Enusre an error is returned when an invalid auth mode -// is supplied. -func (s *Suite) TestInvalidClientAuthMode(c *check.C) { - _, isValid := LookupTLSClientAuthMode("invalid") - c.Assert(isValid, check.Equals, false) -} - -// Ensure that all client auth modes return a nil error. -func (s *Suite) TestAuthModes(c *check.C) { - modes := []string{"disabled", "relaxed", "enforced"} - - for _, v := range modes { - _, isValid := LookupTLSClientAuthMode(v) - c.Assert(isValid, check.Equals, true) - } -} diff --git a/config.go b/config.go index 03df59ea..b4cad5be 100644 --- a/config.go +++ b/config.go @@ -1,7 +1,6 @@ package headscale import ( - "crypto/tls" "errors" "fmt" "io/fs" @@ -75,9 +74,8 @@ type Config struct { } type TLSConfig struct { - CertPath string - KeyPath string - ClientAuthMode tls.ClientAuthType + CertPath string + KeyPath string LetsEncrypt LetsEncryptConfig } @@ -154,7 +152,6 @@ func LoadConfig(path string, isFile bool) error { viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache") viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType) - viper.SetDefault("tls_client_auth_mode", "relaxed") viper.SetDefault("log.level", "info") viper.SetDefault("log.format", TextLogFormat) @@ -224,19 +221,6 @@ func LoadConfig(path string, isFile bool) error { errorText += "Fatal config error: server_url must start with https:// or http://\n" } - _, authModeValid := LookupTLSClientAuthMode( - viper.GetString("tls_client_auth_mode"), - ) - - if !authModeValid { - errorText += fmt.Sprintf( - "Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.", - viper.GetString("tls_client_auth_mode"), - DisabledClientAuth, - RelaxedClientAuth, - EnforcedClientAuth) - } - // Minimum inactivity time out is keepalive timeout (60s) plus a few seconds // to avoid races minInactivityTimeout, _ := time.ParseDuration("65s") @@ -266,10 +250,6 @@ func LoadConfig(path string, isFile bool) error { } func GetTLSConfig() TLSConfig { - tlsClientAuthMode, _ := LookupTLSClientAuthMode( - viper.GetString("tls_client_auth_mode"), - ) - return TLSConfig{ LetsEncrypt: LetsEncryptConfig{ Hostname: viper.GetString("tls_letsencrypt_hostname"), @@ -285,7 +265,6 @@ func GetTLSConfig() TLSConfig { KeyPath: AbsolutePathFromConfigPath( viper.GetString("tls_key_path"), ), - ClientAuthMode: tlsClientAuthMode, } } diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go index 544785dc..77d1db6c 100644 --- a/integration/hsic/hsic.go +++ b/integration/hsic/hsic.go @@ -71,7 +71,6 @@ func WithTLS() Option { // TODO(kradalby): Move somewhere appropriate hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath)) hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath)) - hsic.env = append(hsic.env, "HEADSCALE_TLS_CLIENT_AUTH_MODE=disabled") hsic.tlsCert = cert hsic.tlsKey = key @@ -371,7 +370,7 @@ func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error { return integrationutil.WriteFileToContainer(t.pool, t.container, path, data) } -//nolint +// nolint func createCertificate() ([]byte, []byte, error) { // From: // https://shaneutt.com/blog/golang-ca-and-signed-cert-go/