diff --git a/.chloggen/configtls-cert-validation.yaml b/.chloggen/configtls-cert-validation.yaml new file mode 100644 index 00000000000..e9d2dbf8e38 --- /dev/null +++ b/.chloggen/configtls-cert-validation.yaml @@ -0,0 +1,25 @@ +# Use this changelog template to create an entry for release notes. + +# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix' +change_type: enhancement + +# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver) +component: configtls + +# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`). +note: Add early validation for TLS server configurations to fail fast when certificates are missing instead of failing at runtime. + +# One or more tracking issues or pull requests related to the change +issues: [13130, 13245] + +# (Optional) One or more lines of additional information to render under the primary note. +# These lines will be padded with 2 spaces and then inserted directly into the document. +# Use pipe (|) for multiline entries. +subtext: + +# Optional: The change log or logs in which this entry should be included. +# e.g. '[user]' or '[user, api]' +# Include 'user' if the change is relevant to end users. +# Include 'api' if there is a change to a library API. +# Default: '[user]' +change_logs: [user] diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go index 82f031eba8f..88b357de09b 100644 --- a/config/configtls/configtls.go +++ b/config/configtls/configtls.go @@ -194,6 +194,21 @@ func (c Config) Validate() error { return errors.New("provide either a CA file or the PEM-encoded string, but not both") } + // Ensure certificate is not set using both file and PEM + if c.hasCertFile() && c.hasCertPem() { + return errors.New("provide either certificate file or PEM, but not both") + } + + // Ensure key is not set using both file and PEM + if c.hasKeyFile() && c.hasKeyPem() { + return errors.New("provide either key file or PEM, but not both") + } + + // Fail if only one of cert/key is provided (mismatch case) + if c.hasCert() != c.hasKey() { + return errors.New("TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)") + } + minTLS, err := convertVersion(c.MinVersion, defaultMinTLSVersion) if err != nil { return fmt.Errorf("invalid TLS min_version: %w", err) @@ -211,6 +226,16 @@ func (c Config) Validate() error { return nil } +func (c ServerConfig) Validate() error { + // For servers, both certificate and key are required: + // - If both are missing, error. + // - If only one is provided (mismatch), error. + if !c.hasCert() && !c.hasKey() { + return errors.New("TLS configuration must include both certificate and key for server connections") + } + return nil +} + // loadTLSConfig loads TLS certificates and returns a tls.Config. // This will set the RootCAs and Certificates of a tls.Config. func (c Config) loadTLSConfig() (*tls.Config, error) { diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go index cb7ccdd4de0..a66b0376d97 100644 --- a/config/configtls/configtls_test.go +++ b/config/configtls/configtls_test.go @@ -19,6 +19,7 @@ import ( "github.com/stretchr/testify/require" "go.opentelemetry.io/collector/config/configopaque" + "go.opentelemetry.io/collector/confmap/xconfmap" ) func TestNewDefaultConfig(t *testing.T) { @@ -664,6 +665,16 @@ func TestConfigValidate(t *testing.T) { {name: `TLS Config ["0.4", ""] to give [Error]`, tlsConfig: Config{MinVersion: "0.4", MaxVersion: ""}, errorTxt: `invalid TLS min_version: unsupported TLS version: "0.4"`}, {name: `TLS Config ["1.2", "1.1"] to give [Error]`, tlsConfig: Config{MinVersion: "1.2", MaxVersion: "1.1"}, errorTxt: `invalid TLS configuration: min_version cannot be greater than max_version`}, {name: `TLS Config with both CA File and PEM`, tlsConfig: Config{CAFile: "test", CAPem: "test"}, errorTxt: `provide either a CA file or the PEM-encoded string, but not both`}, + {name: `TLS Config with cert file but no key`, tlsConfig: Config{CertFile: "cert.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`}, + {name: `TLS Config with key file but no cert`, tlsConfig: Config{KeyFile: "key.pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`}, + {name: `TLS Config with cert PEM but no key`, tlsConfig: Config{CertPem: "cert-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`}, + {name: `TLS Config with key PEM but no cert`, tlsConfig: Config{KeyPem: "key-pem"}, errorTxt: `TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)`}, + {name: `TLS Config with both cert file and cert PEM`, tlsConfig: Config{CertFile: "cert.pem", CertPem: "cert-pem", KeyFile: "key.pem"}, errorTxt: `provide either certificate file or PEM, but not both`}, + {name: `TLS Config with both key file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem", KeyPem: "key-pem"}, errorTxt: `provide either key file or PEM, but not both`}, + {name: `TLS Config with cert file and key PEM`, tlsConfig: Config{CertFile: "cert.pem", KeyPem: "key-pem"}}, + {name: `TLS Config with cert PEM and key file`, tlsConfig: Config{CertPem: "cert-pem", KeyFile: "key.pem"}}, + {name: `TLS Config with valid cert and key files`, tlsConfig: Config{CertFile: "cert.pem", KeyFile: "key.pem"}}, + {name: `TLS Config with valid cert and key PEM`, tlsConfig: Config{CertPem: "cert-pem", KeyPem: "key-pem"}}, } for _, test := range tests { @@ -924,3 +935,199 @@ func TestCurvePreferences(t *testing.T) { } } } + +func TestServerConfigValidate(t *testing.T) { + tests := []struct { + name string + serverConfig ServerConfig + errorTxt string + }{ + { + name: "server config without certificates", + serverConfig: ServerConfig{}, + errorTxt: "TLS configuration must include both certificate and key for server connections", + }, + { + name: "server config with cert file but no key", + serverConfig: ServerConfig{ + Config: Config{ + CertFile: "cert.pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "server config with key file but no cert", + serverConfig: ServerConfig{ + Config: Config{ + KeyFile: "key.pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "server config with cert PEM but no key", + serverConfig: ServerConfig{ + Config: Config{ + CertPem: "cert-pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "server config with key PEM but no cert", + serverConfig: ServerConfig{ + Config: Config{ + KeyPem: "key-pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "server config with both cert file and cert PEM", + serverConfig: ServerConfig{ + Config: Config{ + CertFile: "cert.pem", + CertPem: "cert-pem", + KeyFile: "key.pem", + }, + }, + errorTxt: "config: provide either certificate file or PEM, but not both", + }, + { + name: "server config with both key file and key PEM", + serverConfig: ServerConfig{ + Config: Config{ + CertFile: "cert.pem", + KeyFile: "key.pem", + KeyPem: "key-pem", + }, + }, + errorTxt: "config: provide either key file or PEM, but not both", + }, + { + name: "valid server config with cert and key files", + serverConfig: ServerConfig{ + Config: Config{ + CertFile: "cert.pem", + KeyFile: "key.pem", + }, + }, + }, + { + name: "valid server config with cert and key PEM", + serverConfig: ServerConfig{ + Config: Config{ + CertPem: "cert-pem", + KeyPem: "key-pem", + }, + }, + }, + { + name: "valid server config with mixed cert file and key PEM", + serverConfig: ServerConfig{ + Config: Config{ + CertFile: "cert.pem", + KeyPem: "key-pem", + }, + }, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + err := xconfmap.Validate(test.serverConfig) + + if test.errorTxt == "" { + assert.NoError(t, err) + } else { + assert.ErrorContains(t, err, test.errorTxt) + } + }) + } +} + +func TestClientConfigValidate(t *testing.T) { + tests := []struct { + name string + clientConfig ClientConfig + errorTxt string + }{ + { + name: "valid empty client config", + clientConfig: ClientConfig{}, + }, + { + name: "valid client config with insecure connection", + clientConfig: ClientConfig{ + Insecure: true, + }, + }, + { + name: "valid client config with cert and key files", + clientConfig: ClientConfig{ + Config: Config{ + CertFile: "cert.pem", + KeyFile: "key.pem", + }, + }, + }, + { + name: "valid client config with mixed cert file and key PEM", + clientConfig: ClientConfig{ + Config: Config{ + CertFile: "cert.pem", + KeyPem: "key-pem", + }, + }, + }, + { + name: "client config with only cert file", + clientConfig: ClientConfig{ + Config: Config{ + CertFile: "cert.pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "client config with only key file", + clientConfig: ClientConfig{ + Config: Config{ + KeyFile: "key.pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "client config with only cert PEM", + clientConfig: ClientConfig{ + Config: Config{ + CertPem: "cert-pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + { + name: "client config with only key PEM", + clientConfig: ClientConfig{ + Config: Config{ + KeyPem: "key-pem", + }, + }, + errorTxt: "config: TLS configuration must include both certificate and key (CertFile/CertPem and KeyFile/KeyPem)", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + err := xconfmap.Validate(test.clientConfig) + + if test.errorTxt == "" { + assert.NoError(t, err) + } else { + assert.ErrorContains(t, err, test.errorTxt) + } + }) + } +} diff --git a/config/configtls/go.mod b/config/configtls/go.mod index dad395bdfb7..6f1470e4d3c 100644 --- a/config/configtls/go.mod +++ b/config/configtls/go.mod @@ -8,16 +8,35 @@ require ( github.com/google/go-tpm v0.9.5 github.com/stretchr/testify v1.10.0 go.opentelemetry.io/collector/config/configopaque v1.41.0 + go.opentelemetry.io/collector/confmap/xconfmap v0.135.0 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect + github.com/go-viper/mapstructure/v2 v2.4.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect github.com/google/go-tpm-tools v0.4.4 // indirect - github.com/kr/text v0.2.0 // indirect + github.com/hashicorp/go-version v1.7.0 // indirect + github.com/knadh/koanf/maps v0.1.2 // indirect + github.com/knadh/koanf/providers/confmap v1.0.0 // indirect + github.com/knadh/koanf/v2 v2.2.2 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect + go.opentelemetry.io/collector/confmap v1.41.0 // indirect + go.opentelemetry.io/collector/featuregate v1.41.0 // indirect + go.uber.org/multierr v1.11.0 // indirect + go.uber.org/zap v1.27.0 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.35.0 // indirect golang.org/x/sys v0.30.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) replace go.opentelemetry.io/collector/config/configopaque => ../configopaque + +replace go.opentelemetry.io/collector/featuregate => ../../featuregate + +replace go.opentelemetry.io/collector/confmap => ../../confmap + +replace go.opentelemetry.io/collector/confmap/xconfmap => ../../confmap/xconfmap diff --git a/config/configtls/go.sum b/config/configtls/go.sum index d7dfe6db88d..bce9263fc8e 100644 --- a/config/configtls/go.sum +++ b/config/configtls/go.sum @@ -1,4 +1,3 @@ -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/foxboron/go-tpm-keyfiles v0.0.0-20250323135004-b31fac66206e h1:2jjYsGgM13xId2Ku+UGDQTO5It50LhT6lljiVJvBj1Y= @@ -7,6 +6,10 @@ github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006 h1:50sW4r0Pcvl github.com/foxboron/swtpm_test v0.0.0-20230726224112-46aaafdf7006/go.mod h1:eIXCMsMYCaqq9m1KSSxXwQG11krpuNPGP3k0uaWrbas= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0= +github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs= +github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-configfs-tsm v0.2.2 h1:YnJ9rXIOj5BYD7/0DNnzs8AOp7UcvjfTvt215EWcs98= @@ -23,10 +26,22 @@ github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= +github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/knadh/koanf/maps v0.1.2 h1:RBfmAW5CnZT+PJ1CVc1QSJKf4Xu9kxfQgYVQSu8hpbo= +github.com/knadh/koanf/maps v0.1.2/go.mod h1:npD/QZY3V6ghQDdcQzl1W4ICNVTkohC8E73eI2xW4yI= +github.com/knadh/koanf/providers/confmap v1.0.0 h1:mHKLJTE7iXEys6deO5p6olAiZdG5zwp8Aebir+/EaRE= +github.com/knadh/koanf/providers/confmap v1.0.0/go.mod h1:txHYHiI2hAtF0/0sCmcuol4IDcuQbKTybiB1nOcUo1A= +github.com/knadh/koanf/v2 v2.2.2 h1:ghbduIkpFui3L587wavneC9e3WIliCgiCgdxYO/wd7A= +github.com/knadh/koanf/v2 v2.2.2/go.mod h1:abWQc0cBXLSF/PSOMCB/SK+T13NXDsPvOksbpi5e/9Q= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -41,6 +56,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= +go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=