Add the ability to specify the maximum acceptable TLS version (prometheus#414)

lspiehler · radek-ryckowski · commit d1ffe18928e0 · 2023-05-18T08:56:29.000+01:00
Signed-off-by: Lyas Spiehler &lt;lspiehler@gmail.com&gt;
diff --git a/config/http_config.go b/config/http_config.go
@@ -779,6 +779,7 @@ func NewTLSConfig(cfg *TLSConfig) (*tls.Config, error) {
 	tlsConfig := &tls.Config{
 		InsecureSkipVerify: cfg.InsecureSkipVerify,
 		MinVersion:         uint16(tls.VersionTLS10),
+		MaxVersion:         uint16(cfg.MaxVersion),
 	}
 
 	// If a CA cert is provided then let's read it in so we can validate the
@@ -826,6 +827,8 @@ type TLSConfig struct {
 	InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
 	// Minimum TLS version.
 	MinVersion TLSVersion `yaml:"min_version,omitempty" json:"min_version,omitempty"`
+	// Maximum TLS version.
+	MaxVersion TLSVersion `yaml:"max_version,omitempty" json:"max_version,omitempty"`
 }
 
 // SetDirectory joins any relative file paths with dir.
diff --git a/config/testdata/tls_config.max_and_min_version.bad.json b/config/testdata/tls_config.max_and_min_version.bad.json
@@ -0,0 +1,2 @@
+{"max_version": "TLS11",
+"min_version": "TLS12"}
diff --git a/config/testdata/tls_config.max_and_min_version.bad.yml b/config/testdata/tls_config.max_and_min_version.bad.yml
@@ -0,0 +1,2 @@
+max_version: TLS11
+min_version: TLS12
diff --git a/config/testdata/tls_config.max_and_min_version.good.json b/config/testdata/tls_config.max_and_min_version.good.json
@@ -0,0 +1,2 @@
+{"max_version": "TLS12",
+"min_version": "TLS11"}
diff --git a/config/testdata/tls_config.max_and_min_version.good.yml b/config/testdata/tls_config.max_and_min_version.good.yml
@@ -0,0 +1,2 @@
+max_version: TLS12
+min_version: TLS11
diff --git a/config/testdata/tls_config.max_and_min_version_same.good.json b/config/testdata/tls_config.max_and_min_version_same.good.json
@@ -0,0 +1,2 @@
+{"max_version": "TLS12",
+"min_version": "TLS12"}
diff --git a/config/testdata/tls_config.max_and_min_version_same.good.yml b/config/testdata/tls_config.max_and_min_version_same.good.yml
@@ -0,0 +1,2 @@
+max_version: TLS12
+min_version: TLS12
diff --git a/config/testdata/tls_config.max_version.good.json b/config/testdata/tls_config.max_version.good.json
@@ -0,0 +1 @@
+{"max_version": "TLS12"}
diff --git a/config/testdata/tls_config.max_version.good.yml b/config/testdata/tls_config.max_version.good.yml
@@ -0,0 +1 @@
+max_version: TLS12
diff --git a/config/tls_config_test.go b/config/tls_config_test.go
@@ -20,6 +20,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
 	"testing"
 
 	"encoding/json"
@@ -64,6 +65,9 @@ var expectedTLSConfigs = []struct {
 	}, {
 		filename: "tls_config.tlsversion.good.json",
 		config:   &tls.Config{MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_version.good.json",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12},
 	},
 	{
 		filename: "tls_config.empty.good.yml",
@@ -74,6 +78,15 @@ var expectedTLSConfigs = []struct {
 	}, {
 		filename: "tls_config.tlsversion.good.yml",
 		config:   &tls.Config{MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_version.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12},
+	}, {
+		filename: "tls_config.max_and_min_version.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS11},
+	}, {
+		filename: "tls_config.max_and_min_version_same.good.yml",
+		config:   &tls.Config{MaxVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12},
 	},
 }
 
@@ -91,6 +104,29 @@ func TestValidTLSConfig(t *testing.T) {
 	}
 }
 
+var invalidTLSConfigs = []struct {
+	filename string
+	errMsg   string
+}{
+	{
+		filename: "tls_config.max_and_min_version.bad.yml",
+		errMsg:   "tls_config.max_version must be greater than or equal to tls_config.min_version if both are specified",
+	},
+}
+
+func TestInvalidTLSConfig(t *testing.T) {
+	for _, ee := range invalidTLSConfigs {
+		_, err := LoadTLSConfig("testdata/" + ee.filename)
+		if err == nil {
+			t.Error("Expected error with config but got none")
+			continue
+		}
+		if !strings.Contains(err.Error(), ee.errMsg) {
+			t.Errorf("Expected error for invalid HTTP client configuration to contain %q but got: %s", ee.errMsg, err)
+		}
+	}
+}
+
 func TestStringer(t *testing.T) {
 	if s := (TLSVersion)(tls.VersionTLS13); s.String() != "TLS13" {
 		t.Fatalf("tls.VersionTLS13 string should be TLS13, got %s", s.String())

Original file line number	Diff line number	Diff line change
`@@ -779,6 +779,7 @@ func NewTLSConfig(cfg TLSConfig) (tls.Config, error) {`
`779`	`779`	`tlsConfig := &tls.Config{`
`780`	`780`	`InsecureSkipVerify: cfg.InsecureSkipVerify,`
`781`	`781`	`MinVersion: uint16(tls.VersionTLS10),`
	`782`	`+ MaxVersion: uint16(cfg.MaxVersion),`
`782`	`783`	`}`
`783`	`784`
`784`	`785`	`// If a CA cert is provided then let's read it in so we can validate the`
`@@ -826,6 +827,8 @@ type TLSConfig struct {`
`826`	`827`	InsecureSkipVerify bool `yaml:"insecure_skip_verify" json:"insecure_skip_verify"`
`827`	`828`	`// Minimum TLS version.`
`828`	`829`	MinVersion TLSVersion `yaml:"min_version,omitempty" json:"min_version,omitempty"`
	`830`	`+ // Maximum TLS version.`
	`831`	+ MaxVersion TLSVersion `yaml:"max_version,omitempty" json:"max_version,omitempty"`
`829`	`832`	`}`
`830`	`833`
`831`	`834`	`// SetDirectory joins any relative file paths with dir.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"max_version": "TLS11",`
	`2`	`+"min_version": "TLS12"}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+max_version: TLS11`
	`2`	`+min_version: TLS12`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+{"max_version": "TLS12",`
	`2`	`+"min_version": "TLS11"}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+max_version: TLS12`
	`2`	`+min_version: TLS11`