plugin/tls: respect the path specified by root plugin (#6138)

* plugin/tls: respect the path specified by root plugin

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>

* improve readme

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>

---------

Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>

core/dnsserver/zdirectives.go

@@ -10,6 +10,7 @@ package dnsserver
 // (after) them during a request, but they must not
 // care what plugin above them are doing.
 var Directives = []string{
+	"root",
 	"metadata",
 	"geoip",
 	"cancel",
@@ -18,7 +19,6 @@ var Directives = []string{
 	"reload",
 	"nsid",
 	"bufsize",
-	"root",
 	"bind",
 	"debug",
 	"trace",

plugin.cfg

@@ -19,6 +19,7 @@
 # Local plugin example:
 # log:log
 
+root:root
 metadata:metadata
 geoip:geoip
 cancel:cancel
@@ -27,7 +28,6 @@ timeouts:timeouts
 reload:reload
 nsid:nsid
 bufsize:bufsize
-root:root
 bind:bind
 debug:debug
 trace:trace

plugin/etcd/setup.go

@@ -2,6 +2,7 @@ package etcd
 
 import (
 	"crypto/tls"
+	"path/filepath"
 
 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/core/dnsserver"
@@ -29,6 +30,7 @@ func setup(c *caddy.Controller) error {
 }
 
 func etcdParse(c *caddy.Controller) (*Etcd, error) {
+	config := dnsserver.GetConfig(c)
 	etc := Etcd{PathPrefix: "skydns"}
 	var (
 		tlsConfig *tls.Config
@@ -66,6 +68,11 @@ func etcdParse(c *caddy.Controller) (*Etcd, error) {
 				c.RemainingArgs()
 			case "tls": // cert key cacertfile
 				args := c.RemainingArgs()
+				for i := range args {
+					if !filepath.IsAbs(args[i]) && config.Root != "" {
+						args[i] = filepath.Join(config.Root, args[i])
+					}
+				}
 				tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
 				if err != nil {
 					return &Etcd{}, err

plugin/forward/setup.go

@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
+	"path/filepath"
 	"strconv"
 	"time"
 
@@ -167,6 +168,7 @@ func parseStanza(c *caddy.Controller) (*Forward, error) {
 }
 
 func parseBlock(c *caddy.Controller, f *Forward) error {
+	config := dnsserver.GetConfig(c)
 	switch c.Val() {
 	case "except":
 		ignore := c.RemainingArgs()
@@ -233,6 +235,11 @@ func parseBlock(c *caddy.Controller, f *Forward) error {
 			return c.ArgErr()
 		}
 
+		for i := range args {
+			if !filepath.IsAbs(args[i]) && config.Root != "" {
+				args[i] = filepath.Join(config.Root, args[i])
+			}
+		}
 		tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
 		if err != nil {
 			return err

plugin/grpc/setup.go

@@ -3,6 +3,7 @@ package grpc
 import (
 	"crypto/tls"
 	"fmt"
+	"path/filepath"
 
 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/core/dnsserver"
@@ -111,6 +112,11 @@ func parseBlock(c *caddy.Controller, g *GRPC) error {
 			return c.ArgErr()
 		}
 
+		for i := range args {
+			if !filepath.IsAbs(args[i]) && dnsserver.GetConfig(c).Root != "" {
+				args[i] = filepath.Join(dnsserver.GetConfig(c).Root, args[i])
+			}
+		}
 		tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
 		if err != nil {
 			return err

plugin/pkg/tls/tls_test.go

@@ -1,6 +1,7 @@
 package tls
 
 import (
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -22,7 +23,6 @@ func getPEMFiles(t *testing.T) (cert, key, ca string) {
 
 func TestNewTLSConfig(t *testing.T) {
 	cert, key, ca := getPEMFiles(t)
-
 	_, err := NewTLSConfig(cert, key, ca)
 	if err != nil {
 		t.Errorf("Failed to create TLSConfig: %s", err)
@@ -77,6 +77,36 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
 	}
 }
 
+func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
+	cert, key, ca := getPEMFiles(t)
+	tempDir, err := os.MkdirTemp("", "go-test-pemfiles")
+	defer func() {
+		if err := os.RemoveAll(tempDir); err != nil {
+			t.Error("failed to clean up temporary directory", err)
+		}
+	}()
+	if err != nil {
+		t.Error("failed to create temporary directory", err)
+	}
+	root := tempDir
+	args := []string{cert, key, ca}
+	for i := range args {
+		if !filepath.IsAbs(args[i]) && root != "" {
+			args[i] = filepath.Join(root, args[i])
+		}
+	}
+	c, err := NewTLSConfigFromArgs(args...)
+	if err != nil {
+		t.Errorf("Failed to create TLSConfig: %s", err)
+	}
+	if c.RootCAs == nil {
+		t.Error("RootCAs should not be nil when three args passed")
+	}
+	if len(c.Certificates) != 1 {
+		t.Error("Certificates should have a single entry when three args passed")
+	}
+}
+
 func TestNewHTTPSTransport(t *testing.T) {
 	_, _, ca := getPEMFiles(t)
 

plugin/root/README.md

@@ -2,12 +2,17 @@
 
 ## Name
 
-*root* - simply specifies the root of where to find (zone) files.
+*root* - simply specifies the root of where to find files. 
 
 ## Description
 
 The default root is the current working directory of CoreDNS. The *root* plugin allows you to change
 this. A relative root path is relative to the current working directory. 
+**NOTE: The *root* directory is NOT currently supported by all plugins.** 
+Currently the following plugins respect the *root* plugin configuration:
+
+* file
+* tls
 
 This plugin can only be used once per Server Block. 
 
@@ -28,3 +33,22 @@ Serve zone data (when the *file* plugin is used) from `/etc/coredns/zones`:
     root /etc/coredns/zones
 }
 ~~~
+
+When you use the *root* and *tls* plugin together, your cert and key should also be placed in the *root* directory.
+The example below will look for `/config/cert.pem` and `/config/key.pem`
+
+~~~ txt
+tls://example.com:853 {
+    root /config
+    tls cert.pem key.pem
+    whoami
+}
+~~~
+
+## Bugs
+
+**NOTE: The *root* directory is NOT currently supported by all plugins.** 
+Currently the following plugins respect the *root* plugin configuration:
+
+* file
+* tls

plugin/tls/tls.go

@@ -2,6 +2,7 @@ package tls
 
 import (
 	ctls "crypto/tls"
+	"path/filepath"
 
 	"github.com/coredns/caddy"
 	"github.com/coredns/coredns/core/dnsserver"
@@ -57,6 +58,11 @@ func parseTLS(c *caddy.Controller) error {
 				return c.Errf("unknown option '%s'", c.Val())
 			}
 		}
+		for i := range args {
+			if !filepath.IsAbs(args[i]) && config.Root != "" {
+				args[i] = filepath.Join(config.Root, args[i])
+			}
+		}
 		tls, err := tls.NewTLSConfigFromArgs(args...)
 		if err != nil {
 			return err