plugin/tls: respect the path specified by root plugin (#6138)

* plugin/tls: respect the path specified by root plugin

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>

* improve readme

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>

---------

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>
Marius Kimmina
2023-12-08 16:50:30 +01:00
committed by GitHub
parent f9d5d0cb56
commit 92ec849acb
8 changed files with 86 additions and 6 deletions


@@ -10,6 +10,7 @@ package dnsserver
// (after) them during a request, but they must not // (after) them during a request, but they must not
// care what plugin above them are doing. // care what plugin above them are doing.
var Directives = []string{ var Directives = []string{
"root",
"metadata", "metadata",
"geoip", "geoip",
"cancel", "cancel",
@@ -18,7 +19,6 @@ var Directives = []string{
"reload", "reload",
"nsid", "nsid",
"bufsize", "bufsize",
"root",
"bind", "bind",
"debug", "debug",
"trace", "trace",
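Review bot: The position of `"root"` in this list is now the only thing guaranteeing that `config.Root` is populated before tls, forward, grpc and etcd resolve their certificate paths; none of those plugins checks it, so if the entry ever drifts back down they silently fall back to CWD-relative paths rather than failing. That dependency deserves a comment on the moved line, e.g. `"root", // must precede every plugin that rebases relative file paths onto config.Root (tls, forward, grpc, etcd, file)`. If this list is generated from plugin.cfg, the comment belongs there instead so it survives regeneration.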


@@ -19,6 +19,7 @@
# Local plugin example: # Local plugin example:
# log:log # log:log
root:root
metadata:metadata metadata:metadata
geoip:geoip geoip:geoip
cancel:cancel cancel:cancel
@@ -27,7 +28,6 @@ timeouts:timeouts
reload:reload reload:reload
nsid:nsid nsid:nsid
bufsize:bufsize bufsize:bufsize
root:root
bind:bind bind:bind
debug:debug debug:debug
trace:trace trace:trace


@@ -2,6 +2,7 @@ package etcd
import ( import (
"crypto/tls" "crypto/tls"
"path/filepath"
"github.com/coredns/caddy" "github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver" "github.com/coredns/coredns/core/dnsserver"
@@ -29,6 +30,7 @@ func setup(c *caddy.Controller) error {
} }
func etcdParse(c *caddy.Controller) (*Etcd, error) { func etcdParse(c *caddy.Controller) (*Etcd, error) {
config := dnsserver.GetConfig(c)
etc := Etcd{PathPrefix: "skydns"} etc := Etcd{PathPrefix: "skydns"}
var ( var (
tlsConfig *tls.Config tlsConfig *tls.Config
@@ -66,6 +68,11 @@ func etcdParse(c *caddy.Controller) (*Etcd, error) {
c.RemainingArgs() c.RemainingArgs()
case "tls": // cert key cacertfile case "tls": // cert key cacertfile
args := c.RemainingArgs() args := c.RemainingArgs()
for i := range args {
if !filepath.IsAbs(args[i]) && config.Root != "" {
args[i] = filepath.Join(config.Root, args[i])
}
}
tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...) tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
if err != nil { if err != nil {
return &Etcd{}, err return &Etcd{}, err
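Review bot: The rebasing loop added under `case "tls":` is the same five lines that the forward, grpc and tls hunks of this commit carry, and the new test contains a fifth hand copy, so the semantics (absolute paths and an empty root are left untouched) live in five places and the test never runs the production code. A helper next to `NewTLSConfigFromArgs` in plugin/pkg/tls would hold it once; its doc comment should say that `filepath.Join` cleans `..`, so root is a convenience base and not a confinement boundary for the paths in a Corefile. etcdParse starts before and ends after this hunk.
```go
// ResolvePaths rebases each relative entry of args onto root. Absolute
// entries, and every entry when root is empty, are returned unchanged.
// It is a convenience, not a sandbox: "../x" still resolves outside root.
func ResolvePaths(root string, args []string) []string {
	for i := range args {
		if root != "" && !filepath.IsAbs(args[i]) {
			args[i] = filepath.Join(root, args[i])
		}
	}
	return args
}

// … unchanged: etcdParse option parsing …
		case "tls": // cert key cacertfile
			args := mwtls.ResolvePaths(config.Root, c.RemainingArgs())
			tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
```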


@@ -4,6 +4,7 @@ import (
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt" "fmt"
"path/filepath"
"strconv" "strconv"
"time" "time"
@@ -167,6 +168,7 @@ func parseStanza(c *caddy.Controller) (*Forward, error) {
} }
func parseBlock(c *caddy.Controller, f *Forward) error { func parseBlock(c *caddy.Controller, f *Forward) error {
config := dnsserver.GetConfig(c)
switch c.Val() { switch c.Val() {
case "except": case "except":
ignore := c.RemainingArgs() ignore := c.RemainingArgs()
@@ -233,6 +235,11 @@ func parseBlock(c *caddy.Controller, f *Forward) error {
return c.ArgErr() return c.ArgErr()
} }
for i := range args {
if !filepath.IsAbs(args[i]) && config.Root != "" {
args[i] = filepath.Join(config.Root, args[i])
}
}
tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...) tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
if err != nil { if err != nil {
return err return err


@@ -3,6 +3,7 @@ package grpc
import ( import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"path/filepath"
"github.com/coredns/caddy" "github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver" "github.com/coredns/coredns/core/dnsserver"
@@ -111,6 +112,11 @@ func parseBlock(c *caddy.Controller, g *GRPC) error {
return c.ArgErr() return c.ArgErr()
} }
for i := range args {
if !filepath.IsAbs(args[i]) && dnsserver.GetConfig(c).Root != "" {
args[i] = filepath.Join(dnsserver.GetConfig(c).Root, args[i])
}
}
tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...) tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
if err != nil { if err != nil {
return err return err
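Review bot: `dnsserver.GetConfig(c)` is evaluated twice for every argument inside the new loop, once in the condition and once in the join, whereas the matching hunks in etcd, forward and the tls plugin bind the config once before the loop. Hoist it for consistency and to avoid the repeated lookup: `root := dnsserver.GetConfig(c).Root` above the loop, then `if !filepath.IsAbs(args[i]) && root != "" {` and `args[i] = filepath.Join(root, args[i])`. parseBlock starts before and continues after this hunk.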


@@ -1,6 +1,7 @@
package tls package tls
import ( import (
"os"
"path/filepath" "path/filepath"
"testing" "testing"
@@ -22,7 +23,6 @@ func getPEMFiles(t *testing.T) (cert, key, ca string) {
func TestNewTLSConfig(t *testing.T) { func TestNewTLSConfig(t *testing.T) {
cert, key, ca := getPEMFiles(t) cert, key, ca := getPEMFiles(t)
_, err := NewTLSConfig(cert, key, ca) _, err := NewTLSConfig(cert, key, ca)
if err != nil { if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err) t.Errorf("Failed to create TLSConfig: %s", err)
@@ -77,6 +77,36 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
} }
} }
func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
cert, key, ca := getPEMFiles(t)
tempDir, err := os.MkdirTemp("", "go-test-pemfiles")
defer func() {
if err := os.RemoveAll(tempDir); err != nil {
t.Error("failed to clean up temporary directory", err)
}
}()
if err != nil {
t.Error("failed to create temporary directory", err)
}
root := tempDir
args := []string{cert, key, ca}
for i := range args {
if !filepath.IsAbs(args[i]) && root != "" {
args[i] = filepath.Join(root, args[i])
}
}
c, err := NewTLSConfigFromArgs(args...)
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
}
if c.RootCAs == nil {
t.Error("RootCAs should not be nil when three args passed")
}
if len(c.Certificates) != 1 {
t.Error("Certificates should have a single entry when three args passed")
}
}
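Review bot: TestNewTLSConfigFromArgsWithRoot does not appear to exercise root resolution: `root` is a fresh empty temp dir that nothing is written into, so the join in the loop can only fire if getPEMFiles (defined outside this hunk) returns relative paths, and if it returns absolute ones the loop is a no-op and the test degenerates to TestNewTLSConfigFromArgs. A test that actually checks rebasing would drop the MkdirTemp/RemoveAll block and use `root := filepath.Dir(cert)` with `args := []string{filepath.Base(cert), filepath.Base(key), filepath.Base(ca)}`, which only reconstructs the right files if all three live in one directory — confirm against getPEMFiles. Separately, the `t.Errorf` after `NewTLSConfigFromArgs` does not stop the test, so on error the following `c.RootCAs` dereferences a nil config; make it `t.Fatalf("Failed to create TLSConfig: %s", err)`, and likewise the MkdirTemp failure should be `t.Fatal`.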
func TestNewHTTPSTransport(t *testing.T) { func TestNewHTTPSTransport(t *testing.T) {
_, _, ca := getPEMFiles(t) _, _, ca := getPEMFiles(t)


@@ -2,14 +2,19 @@
## Name ## Name
*root* - simply specifies the root of where to find (zone) files. *root* - simply specifies the root of where to find files.
## Description ## Description
The default root is the current working directory of CoreDNS. The *root* plugin allows you to change The default root is the current working directory of CoreDNS. The *root* plugin allows you to change
this. A relative root path is relative to the current working directory. this. A relative root path is relative to the current working directory.
**NOTE: The *root* directory is NOT currently supported by all plugins.**
Currently the following plugins respect the *root* plugin configuration:
This plugin can only be used once per Server Block. * file
* tls
This plugin can only be used once per Server Block.
## Syntax ## Syntax
@@ -28,3 +33,22 @@ Serve zone data (when the *file* plugin is used) from `/etc/coredns/zones`:
root /etc/coredns/zones root /etc/coredns/zones
} }
~~~ ~~~
When you use the *root* and *tls* plugin together, your cert and key should also be placed in the *root* directory.
The example below will look for `/config/cert.pem` and `/config/key.pem`
~~~ txt
tls://example.com:853 {
root /config
tls cert.pem key.pem
whoami
}
~~~
## Bugs
**NOTE: The *root* directory is NOT currently supported by all plugins.**
Currently the following plugins respect the *root* plugin configuration:
* file
* tls


@@ -2,6 +2,7 @@ package tls
import ( import (
ctls "crypto/tls" ctls "crypto/tls"
"path/filepath"
"github.com/coredns/caddy" "github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver" "github.com/coredns/coredns/core/dnsserver"
@@ -57,6 +58,11 @@ func parseTLS(c *caddy.Controller) error {
return c.Errf("unknown option '%s'", c.Val()) return c.Errf("unknown option '%s'", c.Val())
} }
} }
for i := range args {
if !filepath.IsAbs(args[i]) && config.Root != "" {
args[i] = filepath.Join(config.Root, args[i])
}
}
tls, err := tls.NewTLSConfigFromArgs(args...) tls, err := tls.NewTLSConfigFromArgs(args...)
if err != nil { if err != nil {
return err return err
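Review bot: The new loop changes where a server's private key is loaded from without any comment, and the README text in this commit ("your cert and key should also be placed in the root directory") reads as if root were mandatory, while the code leaves absolute paths untouched and, because `filepath.Join` cleans `..`, does not confine relative ones to root either. A comment above the loop would keep operators and future maintainers from reading root as a sandbox: `// Relative cert/key/CA paths are rebased onto the root plugin's directory when one is set; absolute paths are used as-is. This is a convenience base, not a confinement boundary.`. parseTLS starts before this hunk and continues after it.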