
Rename repo-s3-verify-ssl option to repo-s3-verify-tls.

The new name is preferred because pgBackRest does not support any SSL protocol versions (they are all considered to be insecure).

The old name will continue to be accepted.
dwsteele committed May 21, 2019
1 parent 1bc84c6 commit e3fe3434b4428398ffbee5359f0e0cdec8e55bcb
@@ -282,8 +282,8 @@ use constant CFGOPT_REPO_S3_REGION => CFGDEF_RE
push @EXPORT, qw(CFGOPT_REPO_S3_REGION);
use constant CFGOPT_REPO_S3_TOKEN => CFGDEF_REPO_S3 . '-token';
push @EXPORT, qw(CFGOPT_REPO_S3_TOKEN);
use constant CFGOPT_REPO_S3_VERIFY_SSL => CFGDEF_REPO_S3 . '-verify-ssl';
push @EXPORT, qw(CFGOPT_REPO_S3_VERIFY_SSL);
use constant CFGOPT_REPO_S3_VERIFY_TLS => CFGDEF_REPO_S3 . '-verify-tls';
push @EXPORT, qw(CFGOPT_REPO_S3_VERIFY_TLS);

# Archive options
#-----------------------------------------------------------------------------------------------------------------------------------
@@ -1819,7 +1819,7 @@ my %hConfigDefine =
&CFGDEF_COMMAND => CFGOPT_REPO_TYPE,
},

&CFGOPT_REPO_S3_VERIFY_SSL =>
&CFGOPT_REPO_S3_VERIFY_TLS =>
{
&CFGDEF_SECTION => CFGDEF_SECTION_GLOBAL,
&CFGDEF_TYPE => CFGDEF_TYPE_BOOLEAN,
@@ -1829,6 +1829,7 @@ my %hConfigDefine =
&CFGDEF_NAME_ALT =>
{
'repo-s3-verify-ssl' => {&CFGDEF_INDEX => 1, &CFGDEF_RESET => false},
'repo?-s3-verify-ssl' => {&CFGDEF_INDEX => 1, &CFGDEF_RESET => false},
},
&CFGDEF_COMMAND => CFGOPT_REPO_TYPE,
&CFGDEF_DEPEND => CFGOPT_REPO_S3_BUCKET,
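Review bot: The two `CFGDEF_NAME_ALT` keys carry no comment saying what the `?` in `'repo?-s3-verify-ssl'` stands for or why `CFGDEF_RESET => false` is set for the old spellings. Judging from the parser entries later in this commit (`repo1-s3-verify-ssl` and its `no-` form, with no `reset-` form), the `?` presumably stands for the repository index, and reset is deliberately not offered under the deprecated names. A short comment above the block would record that, for example `# Deprecated names: 'repo?' covers the indexed spelling (repo1-...); reset- is not generated for old names`. The enclosing `%hConfigDefine` entry starts and ends outside this hunk.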
@@ -446,8 +446,8 @@
<example>us-east-1</example>
</config-key>

<!-- CONFIG - REPO SECTION - REPO-S3-VERIFY-SSL KEY -->
<config-key id="repo-s3-verify-ssl" name="S3 Repository Verify SSL">
<!-- CONFIG - REPO SECTION - REPO-S3-VERIFY-TLS KEY -->
<config-key id="repo-s3-verify-tls" name="S3 Repository Verify TLS">
<summary>Verify S3 server certificate.</summary>

<text>Disables verification of the S3 server certificate. This should only be used for testing or other scenarios where a certificate has been self-signed.</text>
@@ -18,6 +18,10 @@
<release-item>
<p>The <cmd>local</cmd> command for restore is implemented entirely in C.</p>
</release-item>

<release-item>
<p>Rename <br-option>repo-s3-verify-ssl</br-option> option to <br-option>repo-s3-verify-tls</br-option>. The new name is preferred because pgBackRest does not support any SSL protocol versions (they are all considered to be insecure). The old name will continue to be accepted.</p>
</release-item>
</release-improvement-list>

<release-development-list>
@@ -268,7 +268,7 @@ sub libcAutoExportTag
'CFGOPT_REPO_S3_KEY_SECRET',
'CFGOPT_REPO_S3_REGION',
'CFGOPT_REPO_S3_TOKEN',
'CFGOPT_REPO_S3_VERIFY_SSL',
'CFGOPT_REPO_S3_VERIFY_TLS',
'CFGOPT_REPO_TYPE',
'CFGOPT_RESUME',
'CFGOPT_SET',
@@ -188,7 +188,7 @@ sub storageRepo
$oDriver = new pgBackRest::Storage::S3::Driver(
cfgOption(CFGOPT_REPO_S3_BUCKET), cfgOption(CFGOPT_REPO_S3_ENDPOINT), cfgOption(CFGOPT_REPO_S3_REGION),
cfgOption(CFGOPT_REPO_S3_KEY), cfgOption(CFGOPT_REPO_S3_KEY_SECRET),
{strHost => cfgOption(CFGOPT_REPO_S3_HOST, false), bVerifySsl => cfgOption(CFGOPT_REPO_S3_VERIFY_SSL, false),
{strHost => cfgOption(CFGOPT_REPO_S3_HOST, false), bVerifySsl => cfgOption(CFGOPT_REPO_S3_VERIFY_TLS, false),
strCaPath => cfgOption(CFGOPT_REPO_S3_CA_PATH, false),
strCaFile => cfgOption(CFGOPT_REPO_S3_CA_FILE, false), lBufferMax => cfgOption(CFGOPT_BUFFER_SIZE),
strSecurityToken => cfgOption(CFGOPT_REPO_S3_TOKEN, false)});
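Review bot: On the changed line the driver parameter is still named `bVerifySsl` although it now carries `CFGOPT_REPO_S3_VERIFY_TLS`, so the rename stops at the option layer. Either the parameter should be renamed in the driver in the same commit, or the line needs a note such as `# bVerifySsl keeps its old name; it carries the repo-s3-verify-tls setting`. The option is also read as `cfgOption(CFGOPT_REPO_S3_VERIFY_TLS, false)`. If the second argument means "not required" (not visible here), it is worth confirming that the driver treats an undefined value as "verify" and never as "skip verification". `storageRepo` begins and ends outside this hunk.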
@@ -415,7 +415,7 @@ STRING_EXTERN(CFGOPT_REPO1_S3_KEY_STR, CFGOPT_REPO1
STRING_EXTERN(CFGOPT_REPO1_S3_KEY_SECRET_STR, CFGOPT_REPO1_S3_KEY_SECRET);
STRING_EXTERN(CFGOPT_REPO1_S3_REGION_STR, CFGOPT_REPO1_S3_REGION);
STRING_EXTERN(CFGOPT_REPO1_S3_TOKEN_STR, CFGOPT_REPO1_S3_TOKEN);
STRING_EXTERN(CFGOPT_REPO1_S3_VERIFY_SSL_STR, CFGOPT_REPO1_S3_VERIFY_SSL);
STRING_EXTERN(CFGOPT_REPO1_S3_VERIFY_TLS_STR, CFGOPT_REPO1_S3_VERIFY_TLS);
STRING_EXTERN(CFGOPT_REPO1_TYPE_STR, CFGOPT_REPO1_TYPE);
STRING_EXTERN(CFGOPT_RESUME_STR, CFGOPT_RESUME);
STRING_EXTERN(CFGOPT_SET_STR, CFGOPT_SET);
@@ -1610,9 +1610,9 @@ static ConfigOptionData configOptionData[CFG_OPTION_TOTAL] = CONFIG_OPTION_LIST
//------------------------------------------------------------------------------------------------------------------------------
CONFIG_OPTION
(
CONFIG_OPTION_NAME(CFGOPT_REPO1_S3_VERIFY_SSL)
CONFIG_OPTION_NAME(CFGOPT_REPO1_S3_VERIFY_TLS)
CONFIG_OPTION_INDEX(0)
CONFIG_OPTION_DEFINE_ID(cfgDefOptRepoS3VerifySsl)
CONFIG_OPTION_DEFINE_ID(cfgDefOptRepoS3VerifyTls)
)

//------------------------------------------------------------------------------------------------------------------------------
@@ -343,8 +343,8 @@ Option constants
STRING_DECLARE(CFGOPT_REPO1_S3_REGION_STR);
#define CFGOPT_REPO1_S3_TOKEN "repo1-s3-token"
STRING_DECLARE(CFGOPT_REPO1_S3_TOKEN_STR);
#define CFGOPT_REPO1_S3_VERIFY_SSL "repo1-s3-verify-ssl"
STRING_DECLARE(CFGOPT_REPO1_S3_VERIFY_SSL_STR);
#define CFGOPT_REPO1_S3_VERIFY_TLS "repo1-s3-verify-tls"
STRING_DECLARE(CFGOPT_REPO1_S3_VERIFY_TLS_STR);
#define CFGOPT_REPO1_TYPE "repo1-type"
STRING_DECLARE(CFGOPT_REPO1_TYPE_STR);
#define CFGOPT_RESUME "resume"
@@ -559,7 +559,7 @@ typedef enum
cfgOptRepoS3KeySecret,
cfgOptRepoS3Region,
cfgOptRepoS3Token,
cfgOptRepoS3VerifySsl,
cfgOptRepoS3VerifyTls,
cfgOptRepoType,
cfgOptResume,
cfgOptSet,
@@ -3750,7 +3750,7 @@ static ConfigDefineOptionData configDefineOptionData[] = CFGDEFDATA_OPTION_LIST
// -----------------------------------------------------------------------------------------------------------------------------
CFGDEFDATA_OPTION
(
CFGDEFDATA_OPTION_NAME("repo-s3-verify-ssl")
CFGDEFDATA_OPTION_NAME("repo-s3-verify-tls")
CFGDEFDATA_OPTION_REQUIRED(true)
CFGDEFDATA_OPTION_SECTION(cfgDefSectionGlobal)
CFGDEFDATA_OPTION_TYPE(cfgDefOptTypeBoolean)
@@ -3797,6 +3797,7 @@ static ConfigDefineOptionData configDefineOptionData[] = CFGDEFDATA_OPTION_LIST

CFGDEFDATA_OPTION_OPTIONAL_DEFAULT("1")
CFGDEFDATA_OPTION_OPTIONAL_PREFIX("repo")
CFGDEFDATA_OPTION_OPTIONAL_HELP_NAME_ALT("repo-s3-verify-ssl")
)
)

@@ -127,7 +127,7 @@ typedef enum
cfgDefOptRepoS3KeySecret,
cfgDefOptRepoS3Region,
cfgDefOptRepoS3Token,
cfgDefOptRepoS3VerifySsl,
cfgDefOptRepoS3VerifyTls,
cfgDefOptRepoType,
cfgDefOptResume,
cfgDefOptSet,
@@ -220,7 +220,7 @@ cfgLoadUpdateOption(void)
}

// Error if an S3 bucket name contains dots
if (cfgOptionTest(cfgOptRepoS3Bucket) && cfgOptionBool(cfgOptRepoS3VerifySsl) &&
if (cfgOptionTest(cfgOptRepoS3Bucket) && cfgOptionBool(cfgOptRepoS3VerifyTls) &&
strChr(cfgOptionStr(cfgOptRepoS3Bucket), '.') != -1)
{
THROW_FMT(
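Review bot: The comment `// Error if an S3 bucket name contains dots` does not mention that the check only runs when `cfgOptionBool(cfgOptRepoS3VerifyTls)` is true. A reader therefore cannot see from the comment that disabling certificate verification also bypasses this error. I would reword it to `// Error if an S3 bucket name contains dots while TLS verification is enabled`, and add the reason if it is the one I assume (the server certificate would not match a dotted bucket host name), which the visible lines do not confirm. The `THROW_FMT(` call and the rest of `cfgLoadUpdateOption` continue past the end of the hunk.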
@@ -2029,27 +2029,35 @@ static const struct option optionList[] =
.val = PARSE_OPTION_FLAG | PARSE_RESET_FLAG | cfgOptRepoS3Token,
},

// repo-s3-verify-ssl option and deprecations
// repo-s3-verify-tls option and deprecations
// -----------------------------------------------------------------------------------------------------------------------------
{
.name = CFGOPT_REPO1_S3_VERIFY_SSL,
.val = PARSE_OPTION_FLAG | cfgOptRepoS3VerifySsl,
.name = CFGOPT_REPO1_S3_VERIFY_TLS,
.val = PARSE_OPTION_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "no-" CFGOPT_REPO1_S3_VERIFY_SSL,
.val = PARSE_OPTION_FLAG | PARSE_NEGATE_FLAG | cfgOptRepoS3VerifySsl,
.name = "no-" CFGOPT_REPO1_S3_VERIFY_TLS,
.val = PARSE_OPTION_FLAG | PARSE_NEGATE_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "reset-" CFGOPT_REPO1_S3_VERIFY_SSL,
.val = PARSE_OPTION_FLAG | PARSE_RESET_FLAG | cfgOptRepoS3VerifySsl,
.name = "reset-" CFGOPT_REPO1_S3_VERIFY_TLS,
.val = PARSE_OPTION_FLAG | PARSE_RESET_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "repo-s3-verify-ssl",
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | cfgOptRepoS3VerifySsl,
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "no-repo-s3-verify-ssl",
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | PARSE_NEGATE_FLAG | cfgOptRepoS3VerifySsl,
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | PARSE_NEGATE_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "repo1-s3-verify-ssl",
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | cfgOptRepoS3VerifyTls,
},
{
.name = "no-repo1-s3-verify-ssl",
.val = PARSE_OPTION_FLAG | PARSE_DEPRECATE_FLAG | PARSE_NEGATE_FLAG | cfgOptRepoS3VerifyTls,
},
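Review bot: The four `-verify-ssl` entries are marked only by `PARSE_DEPRECATE_FLAG`, and nothing tells a reader that `no-repo-s3-verify-ssl` and `no-repo1-s3-verify-ssl` still turn certificate verification off through `cfgOptRepoS3VerifyTls`. Anyone auditing configurations for disabled verification has to search for both spellings, so I would put `// Deprecated spellings kept for compatibility; the no- forms still disable certificate verification` above the first of them. No `reset-` entry exists for the old names, which appears to match `CFGDEF_RESET => false` in the Perl definition. If this table is generated, the comment belongs in the generator instead. `optionList` starts before the hunk and continues after it.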

// repo-type option and deprecations
@@ -2397,7 +2405,7 @@ static const ConfigOption optionResolveOrder[] =
cfgOptRepoS3KeySecret,
cfgOptRepoS3Region,
cfgOptRepoS3Token,
cfgOptRepoS3VerifySsl,
cfgOptRepoS3VerifyTls,
cfgOptTarget,
cfgOptTargetAction,
cfgOptTargetExclusive,
@@ -9576,7 +9576,7 @@ static const EmbeddedModule embeddedModule[] =
"'CFGOPT_REPO_S3_KEY_SECRET',\n"
"'CFGOPT_REPO_S3_REGION',\n"
"'CFGOPT_REPO_S3_TOKEN',\n"
"'CFGOPT_REPO_S3_VERIFY_SSL',\n"
"'CFGOPT_REPO_S3_VERIFY_TLS',\n"
"'CFGOPT_REPO_TYPE',\n"
"'CFGOPT_RESUME',\n"
"'CFGOPT_SET',\n"
"$oDriver = new pgBackRest::Storage::S3::Driver(\n"
"cfgOption(CFGOPT_REPO_S3_BUCKET), cfgOption(CFGOPT_REPO_S3_ENDPOINT), cfgOption(CFGOPT_REPO_S3_REGION),\n"
"cfgOption(CFGOPT_REPO_S3_KEY), cfgOption(CFGOPT_REPO_S3_KEY_SECRET),\n"
"{strHost => cfgOption(CFGOPT_REPO_S3_HOST, false), bVerifySsl => cfgOption(CFGOPT_REPO_S3_VERIFY_SSL, false),\n"
"{strHost => cfgOption(CFGOPT_REPO_S3_HOST, false), bVerifySsl => cfgOption(CFGOPT_REPO_S3_VERIFY_TLS, false),\n"
"strCaPath => cfgOption(CFGOPT_REPO_S3_CA_PATH, false),\n"
"strCaFile => cfgOption(CFGOPT_REPO_S3_CA_FILE, false), lBufferMax => cfgOption(CFGOPT_BUFFER_SIZE),\n"
"strSecurityToken => cfgOption(CFGOPT_REPO_S3_TOKEN, false)});\n"
@@ -306,7 +306,7 @@ storageRepoGet(const String *type, bool write)
cfgOptionStr(cfgOptRepoPath), write, storageRepoPathExpression, cfgOptionStr(cfgOptRepoS3Bucket), endPoint,
cfgOptionStr(cfgOptRepoS3Region), cfgOptionStr(cfgOptRepoS3Key), cfgOptionStr(cfgOptRepoS3KeySecret),
cfgOptionTest(cfgOptRepoS3Token) ? cfgOptionStr(cfgOptRepoS3Token) : NULL, STORAGE_S3_PARTSIZE_MIN, host, port,
STORAGE_S3_TIMEOUT_DEFAULT, cfgOptionBool(cfgOptRepoS3VerifySsl),
STORAGE_S3_TIMEOUT_DEFAULT, cfgOptionBool(cfgOptRepoS3VerifyTls),
cfgOptionTest(cfgOptRepoS3CaFile) ? cfgOptionStr(cfgOptRepoS3CaFile) : NULL,
cfgOptionTest(cfgOptRepoS3CaPath) ? cfgOptionStr(cfgOptRepoS3CaPath) : NULL);
}
