config: support AllowedCN and AllowedHostname through config file

Allow setting AllowedCN and AllowedHostname tls fields through config file for peer transport security. Signed-off-by: Seena Fallah <seenafallah@gmail.com>
etcd-io · Apr 23, 2024 · 915f983 · 915f983
1 parent c2a3ca6
commit 915f983
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/server/embed/config.go b/server/embed/config.go
@@ -466,13 +466,15 @@ type configJSON struct {
 }
 
 type securityConfig struct {
-	CertFile       string `json:"cert-file"`
-	KeyFile        string `json:"key-file"`
-	ClientCertFile string `json:"client-cert-file"`
-	ClientKeyFile  string `json:"client-key-file"`
-	CertAuth       bool   `json:"client-cert-auth"`
-	TrustedCAFile  string `json:"trusted-ca-file"`
-	AutoTLS        bool   `json:"auto-tls"`
+	CertFile        string `json:"cert-file"`
+	KeyFile         string `json:"key-file"`
+	ClientCertFile  string `json:"client-cert-file"`
+	ClientKeyFile   string `json:"client-key-file"`
+	CertAuth        bool   `json:"client-cert-auth"`
+	TrustedCAFile   string `json:"trusted-ca-file"`
+	AutoTLS         bool   `json:"auto-tls"`
+	AllowedCN       string `json:"allowed-cn"`
+	AllowedHostname string `json:"allowed-hostname"`
 }
 
 // NewConfig creates a new Config populated with default values.
@@ -847,6 +849,8 @@ func (cfg *configYAML) configFromFile(path string) error {
 		tls.ClientKeyFile = ysc.ClientKeyFile
 		tls.ClientCertAuth = ysc.CertAuth
 		tls.TrustedCAFile = ysc.TrustedCAFile
+		tls.AllowedCN = ysc.AllowedCN
+		tls.AllowedHostname = ysc.AllowedHostname
 	}
 	copySecurityDetails(&cfg.ClientTLSInfo, &cfg.ClientSecurityJSON)
 	copySecurityDetails(&cfg.PeerTLSInfo, &cfg.PeerSecurityJSON)

diff --git a/server/embed/config_test.go b/server/embed/config_test.go
@@ -40,7 +40,7 @@ func notFoundErr(service, domain string) error {
 
 func TestConfigFileOtherFields(t *testing.T) {
 	ctls := securityConfig{TrustedCAFile: "cca", CertFile: "ccert", KeyFile: "ckey"}
-	ptls := securityConfig{TrustedCAFile: "pca", CertFile: "pcert", KeyFile: "pkey"}
+	ptls := securityConfig{TrustedCAFile: "pca", CertFile: "pcert", KeyFile: "pkey", AllowedCN: "etcd"}
 	yc := struct {
 		ClientSecurityCfgFile securityConfig       `json:"client-transport-security"`
 		PeerSecurityCfgFile   securityConfig       `json:"peer-transport-security"`
@@ -155,7 +155,12 @@ func TestUpdateDefaultClusterFromNameOverwrite(t *testing.T) {
 func (s *securityConfig) equals(t *transport.TLSInfo) bool {
 	return s.CertFile == t.CertFile &&
 		s.CertAuth == t.ClientCertAuth &&
-		s.TrustedCAFile == t.TrustedCAFile
+		s.TrustedCAFile == t.TrustedCAFile &&
+		s.ClientCertFile == t.ClientCertFile &&
+		s.ClientKeyFile == t.ClientKeyFile &&
+		s.KeyFile == t.KeyFile &&
+		s.AllowedCN == t.AllowedCN &&
+		s.AllowedHostname == t.AllowedHostname
 }
 
 func mustCreateCfgFile(t *testing.T, b []byte) *os.File {