From 132c8c72d3657294ea2a12deaa7400b5499cc061 Mon Sep 17 00:00:00 2001
From: wxing1292
Date: Tue, 20 Apr 2021 12:54:52 -0700
Subject: [PATCH] Change CLI default TLS host name verification behavior (#1478)
* Change CLI default TLS host name verification behavior
* CLI TLS default to perform host name verification
* Remove CLI TLS enable host verification flag, `tls_enable_host_verification` and `tls-enable-host-verification`
* Add CLI TLS disable host verification flag `tls_disable_host_verification` and `tls-disable-host-verification`
---
 tools/cassandra/handler.go | 2 +-
 tools/cassandra/main.go | 6 +++---
 tools/cli/adminCommands.go | 2 +-
 tools/cli/app.go | 6 +++---
 tools/cli/factory.go | 2 +-
 tools/cli/flags.go | 5 ++---
 tools/cli/persistenceUtil.go | 2 +-
 tools/common/schema/types.go | 4 ++--
 tools/sql/handler.go | 2 +-
 tools/sql/main.go | 6 +++---
 10 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/tools/cassandra/handler.go b/tools/cassandra/handler.go
index 40badfe2f8d..a29c5ddc143 100644
--- a/tools/cassandra/handler.go
+++ b/tools/cassandra/handler.go
@@ -170,7 +170,7 @@ func newCQLClientConfig(cli *cli.Context) (*CQLClientConfig, error) {
 CertFile: cli.GlobalString(schema.CLIFlagTLSCertFile),
 KeyFile: cli.GlobalString(schema.CLIFlagTLSKeyFile),
 CaFile: cli.GlobalString(schema.CLIFlagTLSCaFile),
- EnableHostVerification: cli.GlobalBool(schema.CLIFlagTLSEnableHostVerification),
+ EnableHostVerification: !cli.GlobalBool(schema.CLIFlagTLSDisableHostVerification),
 }
 }
diff --git a/tools/cassandra/main.go b/tools/cassandra/main.go
index 1338c85b824..545f80de080 100644
--- a/tools/cassandra/main.go
+++ b/tools/cassandra/main.go
@@ -137,9 +137,9 @@ func buildCLIOptions() *cli.App {
 EnvVar: "CASSANDRA_TLS_CA",
 },
 cli.BoolFlag{
- Name: schema.CLIFlagTLSEnableHostVerification,
- Usage: "TLS host verification",
- EnvVar: "CASSANDRA_TLS_VERIFY_HOST",
+ Name: schema.CLIFlagTLSDisableHostVerification,
+ Usage: "disable tls host name verification (tls must be enabled)",
+ EnvVar: "CASSANDRA_TLS_DISABLE_HOST_VERIFICATION",
 },
 }
diff --git a/tools/cli/adminCommands.go b/tools/cli/adminCommands.go
index a73bd47d5a6..713898f6ca1 100644
--- a/tools/cli/adminCommands.go
+++ b/tools/cli/adminCommands.go
@@ -306,7 +306,7 @@ func connectToCassandra(c *cli.Context) gocql.Session {
 CertFile: c.String(FlagTLSCertPath),
 KeyFile: c.String(FlagTLSKeyPath),
 CaFile: c.String(FlagTLSCaPath),
- EnableHostVerification: c.Bool(FlagTLSEnableHostVerification),
+ EnableHostVerification: !c.Bool(FlagTLSDisableHostVerification),
 }
 }
diff --git a/tools/cli/app.go b/tools/cli/app.go
index 5eec0d1c6f9..7589b1353bf 100644
--- a/tools/cli/app.go
+++ b/tools/cli/app.go
@@ -84,9 +84,9 @@ func NewCliApp() *cli.App {
 EnvVar: "TEMPORAL_CLI_TLS_CA",
 },
 cli.BoolFlag{
- Name: FlagTLSEnableHostVerification,
- Usage: "validates hostname of temporal cluster against server certificate",
- EnvVar: "TEMPORAL_CLI_TLS_ENABLE_HOST_VERIFICATION",
+ Name: FlagTLSDisableHostVerification,
+ Usage: "disable tls host name verification (tls must be enabled)",
+ EnvVar: "TEMPORAL_CLI_TLS_DISABLE_HOST_VERIFICATION",
 },
 cli.StringFlag{
 Name: FlagTLSServerName,
diff --git a/tools/cli/factory.go b/tools/cli/factory.go
index 083c2151306..bdae456bda2 100644
--- a/tools/cli/factory.go
+++ b/tools/cli/factory.go
@@ -144,7 +144,7 @@ func (b *clientFactory) createTLSConfig(c *cli.Context) (*tls.Config, error) {
 certPath := c.GlobalString(FlagTLSCertPath)
 keyPath := c.GlobalString(FlagTLSKeyPath)
 caPath := c.GlobalString(FlagTLSCaPath)
- hostNameVerification := c.GlobalBool(FlagTLSEnableHostVerification)
+ hostNameVerification := !c.GlobalBool(FlagTLSDisableHostVerification)
 serverName := c.GlobalString(FlagTLSServerName)
 var host string
diff --git a/tools/cli/flags.go b/tools/cli/flags.go
index 3cd7b8ff4ff..532525cd23e 100644
--- a/tools/cli/flags.go
+++ b/tools/cli/flags.go
@@ -215,14 +215,13 @@ const (
 FlagTLSCertPath = "tls_cert_path"
 FlagTLSKeyPath = "tls_key_path"
 FlagTLSCaPath = "tls_ca_path"
- FlagTLSEnableHostVerification = "tls_enable_host_verification"
+ FlagTLSDisableHostVerification = "tls_disable_host_verification"
 FlagTLSServerName = "tls_server_name"
 FlagDLQType = "dlq_type"
 FlagDLQTypeWithAlias = FlagDLQType + ", dt"
 FlagMaxMessageCount = "max_message_count"
 FlagMaxMessageCountWithAlias = FlagMaxMessageCount + ", mmc"
 FlagLastMessageID = "last_message_id"
- FlagLastMessageIDWithAlias = FlagLastMessageID + ", lm"
 FlagConcurrency = "concurrency"
 FlagReportRate = "report_rate"
 FlagLowerShardBound = "lower_shard_bound"
@@ -637,7 +636,7 @@ func getDBFlags() []cli.Flag {
 Usage: "DB tls client ca path (tls must be enabled)",
 },
 cli.BoolFlag{
- Name: FlagTLSEnableHostVerification,
+ Name: FlagTLSDisableHostVerification,
 Usage: "DB tls verify hostname and server cert (tls must be enabled)",
 },
 }
diff --git a/tools/cli/persistenceUtil.go b/tools/cli/persistenceUtil.go
index 6b58d8ff379..f83d69feb19 100644
--- a/tools/cli/persistenceUtil.go
+++ b/tools/cli/persistenceUtil.go
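Review bot: When `tls_disable_host_verification` is set, the only trace in createTLSConfig is the negated boolean on the `+` line; nothing tells the operator that the client will no longer check that the server certificate matches the host (the consumer of `hostNameVerification` is outside the hunk, so what it feeds into the `tls.Config` is inferred). Since this is a deliberate downgrade of the default, a one-time warning at this point would make the insecure mode visible wherever the CLI output is captured, e.g. `if !hostNameVerification { fmt.Fprintln(os.Stderr, "warning: TLS host name verification disabled") }`, or the factory's own logger if it has one. createTLSConfig's body continues outside the hunk.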
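Review bot: The removal of `FlagLastMessageIDWithAlias = FlagLastMessageID + ", lm"` in the const block is unrelated to the TLS flag rename and is not mentioned in the commit message. If that constant was the name registered for the `last_message_id` flag somewhere outside this diff, dropping it removes the `lm` short alias for users; if it was unused, the cleanup still belongs in its own commit or at least a line in the description. The const block continues outside the hunk.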
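Review bot: In getDBFlags the Usage text on the context line after the renamed `Name:` still reads `"DB tls verify hostname and server cert (tls must be enabled)"`, which describes the old opt-in flag; with `FlagTLSDisableHostVerification` the flag now turns verification off, so the help text states the opposite of what the flag does. Change it to match the wording used for the other three flag definitions in this commit: `Usage: "disable DB tls host name verification (tls must be enabled)",`.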
@@ -85,7 +85,7 @@ func CreateDefaultDBConfig(c *cli.Context) (config.DataStore, error) {
 CertFile: c.String(FlagTLSCertPath),
 KeyFile: c.String(FlagTLSKeyPath),
 CaFile: c.String(FlagTLSCaPath),
- EnableHostVerification: c.Bool(FlagTLSEnableHostVerification),
+ EnableHostVerification: !c.Bool(FlagTLSDisableHostVerification),
 }
 }
diff --git a/tools/common/schema/types.go b/tools/common/schema/types.go
index 654d00e455c..28107c7a896 100644
--- a/tools/common/schema/types.go
+++ b/tools/common/schema/types.go
@@ -159,8 +159,8 @@ const (
 CLIFlagTLSKeyFile = "tls-key-file"
 // CLIFlagTLSCaFile is the optional tls CA file (tls must be enabled)
 CLIFlagTLSCaFile = "tls-ca-file"
- // CLIFlagTLSEnableHostVerification enables tls host verification (tls must be enabled)
- CLIFlagTLSEnableHostVerification = "tls-enable-host-verification"
+ // CLIFlagTLSDisableHostVerification disable tls host verification (tls must be enabled)
+ CLIFlagTLSDisableHostVerification = "tls-disable-host-verification"
 )
 var rmspaceRegex = regexp.MustCompile(`\s+`)
diff --git a/tools/sql/handler.go b/tools/sql/handler.go
index 99711251ca5..3d45d33282a 100644
--- a/tools/sql/handler.go
+++ b/tools/sql/handler.go
@@ -167,7 +167,7 @@ func parseConnectConfig(cli *cli.Context) (*config.SQL, error) {
 CertFile: cli.GlobalString(schema.CLIFlagTLSCertFile),
 KeyFile: cli.GlobalString(schema.CLIFlagTLSKeyFile),
 CaFile: cli.GlobalString(schema.CLIFlagTLSCaFile),
- EnableHostVerification: cli.GlobalBool(schema.CLIFlagTLSEnableHostVerification),
+ EnableHostVerification: !cli.GlobalBool(schema.CLIFlagTLSDisableHostVerification),
 }
 }
diff --git a/tools/sql/main.go b/tools/sql/main.go
index b6c2b382d38..88facf74599 100644
--- a/tools/sql/main.go
+++ b/tools/sql/main.go
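Review bot: The new doc comment in types.go, `// CLIFlagTLSDisableHostVerification disable tls host verification (tls must be enabled)`, has a verb-agreement slip; the neighbouring comments in the same const block use the third person (`is the optional ...`, and the removed line used `enables`). It should read `// CLIFlagTLSDisableHostVerification disables tls host verification (tls must be enabled)`. The const block continues outside the hunk.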
@@ -125,9 +125,9 @@ func BuildCLIOptions() *cli.App {
 EnvVar: "SQL_TLS_CA_FILE",
 },
 cli.BoolFlag{
- Name: schema.CLIFlagTLSEnableHostVerification,
- Usage: "sql tls verify hostname and server cert (tls must be enabled)",
- EnvVar: "SQL_TLS_ENABLE_HOST_VERIFICATION",
+ Name: schema.CLIFlagTLSDisableHostVerification,
+ Usage: "disable tls host name verification (tls must be enabled)",
+ EnvVar: "SQL_TLS_DISABLE_HOST_VERIFICATION",
 },
 }