mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2026-06-28 03:41:19 +00:00
Pull request 2675: AGDNS-4104-move-tls-http-api-from-tls-manager
Squashed commit of the following: commit 926a3fd13bdbb74ef9a253e61f403a9a63ebd9b2 Merge:13e3b38d8798cd4d2fAuthor: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Wed Jun 17 14:59:10 2026 +0300 Merge branch 'master' into AGDNS-4104-move-tls-http-api-from-tls-manager commit13e3b38d82Author: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Tue Jun 16 19:17:34 2026 +0300 home: fix docs; commitc73ea0e062Author: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Tue Jun 16 17:39:25 2026 +0300 home: imp code; add todo; commit754e7d2afdMerge:ef139f56054e6e3002Author: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Mon Jun 15 15:11:06 2026 +0300 Merge branch 'master' into AGDNS-4104-move-tls-http-api-from-tls-manager commitef139f5601Author: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Mon Jun 15 15:04:44 2026 +0300 home: imp code; imp docs; fix bugs; commit5e7bd02bffAuthor: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Wed Jun 10 12:58:50 2026 +0300 home: fix private fields are not set in tls settings; commit4109d46b78Author: Maksim Kazantsev <m.kazantsev@adguard.com> Date: Tue Jun 9 19:19:09 2026 +0300 home: mv tls endpoints to web api;
This commit is contained in:
Maksim Kazantsev
parent
798cd4d2fd
commit
af9142e98e
5 changed files with 729 additions and 697 deletions
|
|
@ -301,6 +301,9 @@ type pendingRequests struct {
|
|||
// and HTTPS. When adding new properties, update the [tlsConfigSettings.clone]
|
||||
// and [tlsConfigSettings.setPrivateFieldsAndCompare] methods as necessary.
|
||||
type tlsConfigSettings struct {
|
||||
// Status is the current status of the configuration.
|
||||
Status tlsConfigStatus `yaml:"-" json:"-"`
|
||||
|
||||
// Enabled indicates whether encryption (DoT/DoH/HTTPS) is enabled.
|
||||
Enabled bool `yaml:"enabled" json:"enabled"`
|
||||
|
||||
|
|
@ -360,6 +363,9 @@ type tlsConfigSettings struct {
|
|||
// StrictSNICheck controls if the connections with SNI mismatching the
|
||||
// certificate's ones should be rejected.
|
||||
StrictSNICheck bool `yaml:"strict_sni_check" json:"-"`
|
||||
|
||||
// ServePlainDNS defines whether to serve a plain DNS.
|
||||
ServePlainDNS bool `yaml:"-" json:"-"`
|
||||
}
|
||||
|
||||
// clone returns a deep copy of c.
|
||||
|
|
@ -371,12 +377,13 @@ func (c *tlsConfigSettings) clone() (clone *tlsConfigSettings) {
|
|||
clone.CertificateChainData = slices.Clone(c.CertificateChainData)
|
||||
clone.PrivateKeyData = slices.Clone(c.PrivateKeyData)
|
||||
|
||||
clone.Status.DNSNames = slices.Clone(c.Status.DNSNames)
|
||||
|
||||
return clone
|
||||
}
|
||||
|
||||
// setPrivateFieldsAndCompare sets any missing properties in conf to match those
|
||||
// in c and returns true if TLS configurations are equal. conf must not be be
|
||||
// nil.
|
||||
// in c and returns true if TLS configurations are equal. conf must not be nil.
|
||||
// It sets the following properties because these are not accepted from the
|
||||
// frontend:
|
||||
//
|
||||
|
|
|
|||
|
|
@ -14,7 +14,6 @@ import (
|
|||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"net/netip"
|
||||
"os"
|
||||
"strings"
|
||||
"sync"
|
||||
|
|
@ -23,7 +22,6 @@ import (
|
|||
"github.com/AdguardTeam/AdGuardHome/internal/agh"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
|
|
@ -36,12 +34,9 @@ type tlsManager struct {
|
|||
// logger is used for logging the operation of the TLS Manager.
|
||||
logger *slog.Logger
|
||||
|
||||
// mu protects status, certLastMod, extTLSConf, and servePlainDNS.
|
||||
// mu protects certLastMod, extTLSConf.
|
||||
mu *sync.Mutex
|
||||
|
||||
// status is the current status of the configuration. It is never nil.
|
||||
status *tlsConfigStatus
|
||||
|
||||
// certLastMod is the last modification time of the certificate file.
|
||||
certLastMod time.Time
|
||||
|
||||
|
|
@ -74,9 +69,6 @@ type tlsManager struct {
|
|||
// customCipherIDs are the IDs of the cipher suites that AdGuard Home must
|
||||
// use.
|
||||
customCipherIDs []uint16
|
||||
|
||||
// servePlainDNS defines if plain DNS is allowed for incoming requests.
|
||||
servePlainDNS bool
|
||||
}
|
||||
|
||||
// tlsManagerConfig contains the settings for initializing the TLS manager.
|
||||
|
|
@ -109,18 +101,19 @@ type tlsManagerConfig struct {
|
|||
// [tlsManager.setWebAPI].
|
||||
func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager, err error) {
|
||||
m = &tlsManager{
|
||||
logger: conf.logger,
|
||||
mu: &sync.Mutex{},
|
||||
confModifier: conf.confModifier,
|
||||
httpReg: conf.httpReg,
|
||||
manager: conf.manager,
|
||||
status: &tlsConfigStatus{},
|
||||
extTLSConf: &conf.tlsSettings,
|
||||
servePlainDNS: conf.servePlainDNS,
|
||||
logger: conf.logger,
|
||||
mu: &sync.Mutex{},
|
||||
confModifier: conf.confModifier,
|
||||
httpReg: conf.httpReg,
|
||||
manager: conf.manager,
|
||||
extTLSConf: &conf.tlsSettings,
|
||||
}
|
||||
|
||||
m.rootCerts = aghtls.SystemRootCAs(ctx, conf.logger)
|
||||
|
||||
m.extTLSConf.ServePlainDNS = conf.servePlainDNS
|
||||
m.extTLSConf.Status = tlsConfigStatus{}
|
||||
|
||||
if len(conf.tlsSettings.OverrideTLSCiphers) > 0 {
|
||||
m.customCipherIDs, err = aghtls.ParseCiphers(config.TLS.OverrideTLSCiphers)
|
||||
if err != nil {
|
||||
|
|
@ -149,7 +142,7 @@ func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager,
|
|||
m.logger.ErrorContext(ctx, "setting tls files", slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
err = m.loadTLSConfig(ctx, m.extTLSConf, m.status)
|
||||
err = m.loadTLSConfig(ctx, m.extTLSConf, &m.extTLSConf.Status)
|
||||
if err != nil {
|
||||
m.extTLSConf.Enabled = false
|
||||
|
||||
|
|
@ -162,8 +155,8 @@ func newTLSManager(ctx context.Context, conf *tlsManagerConfig) (m *tlsManager,
|
|||
}
|
||||
|
||||
// setWebAPI stores the provided web API. It must be called before
|
||||
// [tlsManager.start], [tlsManager.reload], [tlsManager.handleTLSConfigure], or
|
||||
// [tlsManager.validateTLSSettings].
|
||||
// [tlsManager.start], [tlsManager.reload], [webAPI.handleTLSConfigure], or
|
||||
// [webAPI.validateTLSSettings].
|
||||
//
|
||||
// TODO(s.chzhen): Remove it once cyclic dependency is resolved.
|
||||
func (m *tlsManager) setWebAPI(webAPI *webAPI) {
|
||||
|
|
@ -199,8 +192,6 @@ func (m *tlsManager) setCertFileTime(ctx context.Context) {
|
|||
//
|
||||
// TODO(s.chzhen): Use context.
|
||||
func (m *tlsManager) start(ctx context.Context) {
|
||||
m.registerWebHandlers()
|
||||
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
|
|
@ -271,12 +262,12 @@ func (m *tlsManager) reload(ctx context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
m.extTLSConf = &tlsConf
|
||||
m.status = status
|
||||
tlsConf.Status = *status
|
||||
|
||||
m.extTLSConf = &tlsConf
|
||||
m.certLastMod = fi.ModTime().UTC()
|
||||
|
||||
err = m.reconfigureDNSServer(ctx)
|
||||
err = m.web.reconfigureDNSServer(ctx, m.extTLSConf)
|
||||
if err != nil {
|
||||
m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
|
||||
}
|
||||
|
|
@ -287,31 +278,6 @@ func (m *tlsManager) reload(ctx context.Context) {
|
|||
m.web.tlsConfigChanged(context.Background(), m.extTLSConf)
|
||||
}
|
||||
|
||||
// reconfigureDNSServer updates the DNS server configuration using the stored
|
||||
// TLS settings. m.mu is expected to be locked.
|
||||
func (m *tlsManager) reconfigureDNSServer(ctx context.Context) (err error) {
|
||||
newConf, err := newServerConfig(
|
||||
&config.DNS,
|
||||
config.Clients.Sources,
|
||||
m.extTLSConf,
|
||||
config.HTTPConfig.DoH,
|
||||
m,
|
||||
m.httpReg,
|
||||
globalContext.clients.storage,
|
||||
m.confModifier,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("generating forwarding dns server config: %w", err)
|
||||
}
|
||||
|
||||
err = globalContext.dnsServer.Reconfigure(ctx, newConf)
|
||||
if err != nil {
|
||||
return fmt.Errorf("starting forwarding dns server: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// loadTLSConfig loads and validates the TLS configuration. It also sets
|
||||
// [tlsConfigSettings.CertificateChainData] and
|
||||
// [tlsConfigSettings.PrivateKeyData] properties. The returned error is also
|
||||
|
|
@ -457,93 +423,26 @@ type tlsConfigSettingsExt struct {
|
|||
ServePlainDNS aghalg.NullBool `yaml:"-" json:"serve_plain_dns"`
|
||||
}
|
||||
|
||||
// handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
|
||||
func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
|
||||
var tlsConf *tlsConfigSettings
|
||||
var servePlainDNS bool
|
||||
func() {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
tlsConf = m.extTLSConf.clone()
|
||||
servePlainDNS = m.servePlainDNS
|
||||
}()
|
||||
|
||||
data := &tlsConfig{
|
||||
tlsConfigSettingsExt: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: *tlsConf,
|
||||
ServePlainDNS: aghalg.BoolToNullBool(servePlainDNS),
|
||||
},
|
||||
tlsConfigStatus: m.status,
|
||||
}
|
||||
|
||||
m.marshalTLS(r.Context(), w, r, data)
|
||||
}
|
||||
|
||||
// handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
|
||||
func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
|
||||
setts, err := unmarshalTLS(r)
|
||||
if err != nil {
|
||||
// errFmt does not follow error message guidelines because it is sent
|
||||
// directly to the frontend.
|
||||
const errFmt = "Failed to unmarshal TLS config: %s"
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, m.logger, r, w, http.StatusBadRequest, errFmt, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// setConfig updates manager TLS configuration with the given one. newConf must
|
||||
// not be nil.
|
||||
func (m *tlsManager) setConfig(
|
||||
ctx context.Context,
|
||||
newConf *tlsConfigSettings,
|
||||
servePlain aghalg.NullBool,
|
||||
) (restartHTTPS bool) {
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
if setts.PrivateKeySaved {
|
||||
setts.PrivateKey = m.extTLSConf.PrivateKey
|
||||
}
|
||||
m.extTLSConf.updatePlainDNS(newConf, servePlain)
|
||||
|
||||
if err = m.validateTLSSettings(setts); err != nil {
|
||||
m.logger.InfoContext(ctx, "validating tls settings", slogutil.KeyError, err)
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, m.logger, r, w, http.StatusBadRequest, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Skip the error check, since we are only interested in the value of
|
||||
// status.WarningValidation.
|
||||
status := &tlsConfigStatus{}
|
||||
_ = m.loadTLSConfig(ctx, &setts.tlsConfigSettings, status)
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: setts,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
|
||||
m.marshalTLS(ctx, w, r, resp)
|
||||
}
|
||||
|
||||
// setConfig updates manager TLS configuration with the given one. m.mu is
|
||||
// expected to be locked.
|
||||
func (m *tlsManager) setConfig(
|
||||
ctx context.Context,
|
||||
newConf tlsConfigSettings,
|
||||
status *tlsConfigStatus,
|
||||
servePlain aghalg.NullBool,
|
||||
) (restartHTTPS bool) {
|
||||
if !m.extTLSConf.setPrivateFieldsAndCompare(&newConf) {
|
||||
if !m.extTLSConf.setPrivateFieldsAndCompare(newConf) {
|
||||
m.logger.InfoContext(ctx, "config has changed, restarting https server")
|
||||
restartHTTPS = true
|
||||
} else {
|
||||
m.logger.InfoContext(ctx, "config has not changed")
|
||||
}
|
||||
|
||||
m.extTLSConf = &newConf
|
||||
|
||||
m.status = status
|
||||
|
||||
if servePlain != aghalg.NBNull {
|
||||
m.servePlainDNS = servePlain == aghalg.NBTrue
|
||||
}
|
||||
m.extTLSConf = newConf
|
||||
|
||||
certPath, keyPath := "", ""
|
||||
if newConf.Enabled {
|
||||
|
|
@ -558,181 +457,30 @@ func (m *tlsManager) setConfig(
|
|||
m.logger.ErrorContext(ctx, "setting tls files", slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
m.setCertFileTime(ctx)
|
||||
|
||||
return restartHTTPS
|
||||
}
|
||||
|
||||
// handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
|
||||
// API.
|
||||
func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
|
||||
req, err := unmarshalTLS(r)
|
||||
if err != nil {
|
||||
aghhttp.ErrorAndLog(
|
||||
ctx,
|
||||
m.logger,
|
||||
r,
|
||||
w,
|
||||
http.StatusBadRequest,
|
||||
"Failed to unmarshal TLS config: %s",
|
||||
err,
|
||||
)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
var restartHTTPS bool
|
||||
defer func() {
|
||||
if restartHTTPS {
|
||||
m.confModifier.Apply(ctx)
|
||||
}
|
||||
}()
|
||||
|
||||
m.mu.Lock()
|
||||
defer m.mu.Unlock()
|
||||
|
||||
if req.PrivateKeySaved {
|
||||
req.PrivateKey = m.extTLSConf.PrivateKey
|
||||
}
|
||||
|
||||
req.StrictSNICheck = m.extTLSConf.StrictSNICheck
|
||||
|
||||
if err = m.validateTLSSettings(req); err != nil {
|
||||
aghhttp.ErrorAndLog(ctx, m.logger, r, w, http.StatusBadRequest, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
status := &tlsConfigStatus{}
|
||||
err = m.loadTLSConfig(ctx, &req.tlsConfigSettings, status)
|
||||
if err != nil {
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: req,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
|
||||
m.marshalTLS(ctx, w, r, resp)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
restartHTTPS = m.setConfig(ctx, req.tlsConfigSettings, status, req.ServePlainDNS)
|
||||
m.setCertFileTime(ctx)
|
||||
|
||||
if req.ServePlainDNS != aghalg.NBNull {
|
||||
// updatePlainDNS checks the old value of [tlsConfigSettings.ServePlainDNS] in
|
||||
// c and if it differs from servePlain, sets the value of servePlain in
|
||||
// newTLSConf.ServePlainDNS. newTLSConf must not be nil.
|
||||
func (c *tlsConfigSettings) updatePlainDNS(
|
||||
newTLSConf *tlsConfigSettings,
|
||||
servePlain aghalg.NullBool,
|
||||
) {
|
||||
if servePlain != aghalg.NBNull {
|
||||
func() {
|
||||
config.Lock()
|
||||
defer config.Unlock()
|
||||
|
||||
config.DNS.ServePlainDNS = req.ServePlainDNS == aghalg.NBTrue
|
||||
config.DNS.ServePlainDNS = servePlain == aghalg.NBTrue
|
||||
}()
|
||||
|
||||
newTLSConf.ServePlainDNS = servePlain == aghalg.NBTrue
|
||||
} else {
|
||||
newTLSConf.ServePlainDNS = c.ServePlainDNS
|
||||
}
|
||||
|
||||
err = m.reconfigureDNSServer(ctx)
|
||||
if err != nil {
|
||||
m.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, m.logger, r, w, http.StatusInternalServerError, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: req,
|
||||
tlsConfigStatus: m.status,
|
||||
}
|
||||
|
||||
m.marshalTLS(ctx, w, r, resp)
|
||||
rc := http.NewResponseController(w)
|
||||
err = rc.Flush()
|
||||
if err != nil {
|
||||
m.logger.ErrorContext(ctx, "flushing response", slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
// The background context is used because the TLSConfigChanged wraps context
|
||||
// with timeout on its own and shuts down the server, which handles current
|
||||
// request. It is also should be done in a separate goroutine due to the
|
||||
// same reason.
|
||||
if restartHTTPS {
|
||||
go m.web.tlsConfigChanged(context.Background(), &req.tlsConfigSettings)
|
||||
}
|
||||
}
|
||||
|
||||
// validateTLSSettings returns error if the setts are not valid.
|
||||
func (m *tlsManager) validateTLSSettings(setts tlsConfigSettingsExt) (err error) {
|
||||
if !setts.Enabled {
|
||||
if setts.ServePlainDNS == aghalg.NBFalse {
|
||||
// TODO(a.garipov): Support full disabling of all DNS.
|
||||
return errors.Error("plain DNS is required in case encryption protocols are disabled")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
var (
|
||||
tlsConf tlsConfigSettings
|
||||
webAPIAddr netip.Addr
|
||||
webAPIPort uint16
|
||||
plainDNSPort uint16
|
||||
)
|
||||
|
||||
func() {
|
||||
config.Lock()
|
||||
defer config.Unlock()
|
||||
|
||||
tlsConf = config.TLS
|
||||
webAPIAddr = config.HTTPConfig.Address.Addr()
|
||||
webAPIPort = config.HTTPConfig.Address.Port()
|
||||
plainDNSPort = config.DNS.Port
|
||||
}()
|
||||
|
||||
err = validatePorts(
|
||||
tcpPort(webAPIPort),
|
||||
tcpPort(setts.PortHTTPS),
|
||||
tcpPort(setts.PortDNSOverTLS),
|
||||
tcpPort(setts.PortDNSCrypt),
|
||||
udpPort(plainDNSPort),
|
||||
udpPort(setts.PortDNSOverQUIC),
|
||||
)
|
||||
if err != nil {
|
||||
// Don't wrap the error because it's informative enough as is.
|
||||
return err
|
||||
}
|
||||
|
||||
// Don't wrap the error because it's informative enough as is.
|
||||
return m.checkPortAvailability(tlsConf, setts.tlsConfigSettings, webAPIAddr)
|
||||
}
|
||||
|
||||
// validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
|
||||
// DNS protocols.
|
||||
func validatePorts(
|
||||
bindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
|
||||
dnsPort, doqPort udpPort,
|
||||
) (err error) {
|
||||
tcpPorts := aghalg.UniqChecker[tcpPort]{}
|
||||
addPorts(
|
||||
tcpPorts,
|
||||
bindPort,
|
||||
dohPort,
|
||||
dotPort,
|
||||
dnscryptTCPPort,
|
||||
tcpPort(dnsPort),
|
||||
)
|
||||
|
||||
err = tcpPorts.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("validating tcp ports: %w", err)
|
||||
}
|
||||
|
||||
udpPorts := aghalg.UniqChecker[udpPort]{}
|
||||
addPorts(udpPorts, dnsPort, doqPort)
|
||||
|
||||
err = udpPorts.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("validating udp ports: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// validateCertChain verifies certs using the first as the main one and others
|
||||
|
|
@ -775,67 +523,6 @@ func (m *tlsManager) validateCertChain(
|
|||
return nil
|
||||
}
|
||||
|
||||
// checkPortAvailability checks [tlsConfigSettings.PortHTTPS],
|
||||
// [tlsConfigSettings.PortDNSOverTLS], and [tlsConfigSettings.PortDNSOverQUIC]
|
||||
// are available for use. It checks the current configuration and, if needed,
|
||||
// attempts to bind to the port. The function returns human-readable error
|
||||
// messages for the frontend. This is best-effort check to prevent an "address
|
||||
// already in use" error.
|
||||
//
|
||||
// TODO(a.garipov): Adapt for HTTP/3.
|
||||
func (m *tlsManager) checkPortAvailability(
|
||||
currConf tlsConfigSettings,
|
||||
newConf tlsConfigSettings,
|
||||
addr netip.Addr,
|
||||
) (err error) {
|
||||
const (
|
||||
networkTCP = "tcp"
|
||||
networkUDP = "udp"
|
||||
|
||||
protoHTTPS = "HTTPS"
|
||||
protoDoT = "DNS-over-TLS"
|
||||
protoDoQ = "DNS-over-QUIC"
|
||||
)
|
||||
|
||||
needBindingCheck := []struct {
|
||||
network string
|
||||
proto string
|
||||
currPort uint16
|
||||
newPort uint16
|
||||
}{{
|
||||
network: networkTCP,
|
||||
proto: protoHTTPS,
|
||||
currPort: currConf.PortHTTPS,
|
||||
newPort: newConf.PortHTTPS,
|
||||
}, {
|
||||
network: networkTCP,
|
||||
proto: protoDoT,
|
||||
currPort: currConf.PortDNSOverTLS,
|
||||
newPort: newConf.PortDNSOverTLS,
|
||||
}, {
|
||||
network: networkUDP,
|
||||
proto: protoDoQ,
|
||||
currPort: currConf.PortDNSOverQUIC,
|
||||
newPort: newConf.PortDNSOverQUIC,
|
||||
}}
|
||||
|
||||
var errs []error
|
||||
for _, v := range needBindingCheck {
|
||||
port := v.newPort
|
||||
if v.currPort == port {
|
||||
continue
|
||||
}
|
||||
|
||||
addrPort := netip.AddrPortFrom(addr, port)
|
||||
err = aghnet.CheckPort(v.network, addrPort)
|
||||
if err != nil {
|
||||
errs = append(errs, fmt.Errorf("port %d for %s is not available", port, v.proto))
|
||||
}
|
||||
}
|
||||
|
||||
return errors.Join(errs...)
|
||||
}
|
||||
|
||||
// errNoIPInCert is the error that is returned from [tlsManager.parseCertChain]
|
||||
// if the leaf certificate doesn't contain IPs.
|
||||
const errNoIPInCert errors.Error = `certificates has no IP addresses; ` +
|
||||
|
|
@ -1059,7 +746,7 @@ func parsePrivateKey(der []byte) (key crypto.PrivateKey, typ string, err error)
|
|||
return nil, "", errors.Error("tls: failed to parse private key")
|
||||
}
|
||||
|
||||
// unmarshalTLS handles base64-encoded certificates transparently
|
||||
// unmarshalTLS handles base64-encoded certificates transparently.
|
||||
func unmarshalTLS(r *http.Request) (data tlsConfigSettingsExt, err error) {
|
||||
data = tlsConfigSettingsExt{}
|
||||
err = json.NewDecoder(r.Body).Decode(&data)
|
||||
|
|
@ -1117,10 +804,3 @@ func (m *tlsManager) marshalTLS(
|
|||
|
||||
aghhttp.WriteJSONResponseOK(ctx, m.logger, w, r, *data)
|
||||
}
|
||||
|
||||
// registerWebHandlers registers HTTP handlers for TLS configuration.
|
||||
func (m *tlsManager) registerWebHandlers() {
|
||||
m.httpReg.Register(http.MethodGet, "/control/tls/status", m.handleTLSStatus)
|
||||
m.httpReg.Register(http.MethodPost, "/control/tls/configure", m.handleTLSConfigure)
|
||||
m.httpReg.Register(http.MethodPost, "/control/tls/validate", m.handleTLSValidate)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,26 +6,17 @@ import (
|
|||
"crypto/rsa"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/agh"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/client"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
||||
"github.com/AdguardTeam/golibs/netutil"
|
||||
"github.com/AdguardTeam/golibs/testutil"
|
||||
"github.com/AdguardTeam/golibs/timeutil"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
|
@ -285,7 +276,7 @@ func TestTLSManager_Reload(t *testing.T) {
|
|||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{})
|
||||
web := newTestWeb(t, &webConfig{tlsManager: m})
|
||||
m.setWebAPI(web)
|
||||
|
||||
extTLSConf := m.extendedTLSConfig()
|
||||
|
|
@ -305,326 +296,3 @@ func TestTLSManager_Reload(t *testing.T) {
|
|||
extTLSConf = m.extendedTLSConfig()
|
||||
assertCertSerialNumber(t, extTLSConf, snAfter)
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSStatus(t *testing.T) {
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
testCertChain := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificateChain: string(testCertChain),
|
||||
PrivateKey: string(testPrivateKeyData),
|
||||
},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodGet, "/control/tls/status", nil)
|
||||
m.handleTLSStatus(w, r)
|
||||
|
||||
res := &tlsConfigSettingsExt{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantCertificateChain := base64.StdEncoding.EncodeToString(testCertChain)
|
||||
assert.True(t, res.Enabled)
|
||||
assert.Equal(t, wantCertificateChain, res.CertificateChain)
|
||||
assert.True(t, res.PrivateKeySaved)
|
||||
}
|
||||
|
||||
func TestValidateTLSSettings(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{})
|
||||
m.setWebAPI(web)
|
||||
|
||||
tcpLn, err := net.Listen("tcp", ":0")
|
||||
require.NoError(t, err)
|
||||
|
||||
testutil.CleanupAndRequireSuccess(t, tcpLn.Close)
|
||||
|
||||
tcpAddr := testutil.RequireTypeAssert[*net.TCPAddr](t, tcpLn.Addr())
|
||||
busyTCPPort := tcpAddr.Port
|
||||
|
||||
udpLn, err := net.ListenPacket("udp", ":0")
|
||||
require.NoError(t, err)
|
||||
|
||||
testutil.CleanupAndRequireSuccess(t, udpLn.Close)
|
||||
|
||||
udpAddr := testutil.RequireTypeAssert[*net.UDPAddr](t, udpLn.LocalAddr())
|
||||
busyUDPPort := udpAddr.Port
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
wantErr string
|
||||
setts tlsConfigSettingsExt
|
||||
}{{
|
||||
name: "basic",
|
||||
wantErr: "",
|
||||
setts: tlsConfigSettingsExt{},
|
||||
}, {
|
||||
name: "disabled_all",
|
||||
wantErr: "plain DNS is required in case encryption protocols are disabled",
|
||||
setts: tlsConfigSettingsExt{
|
||||
ServePlainDNS: aghalg.NBFalse,
|
||||
},
|
||||
}, {
|
||||
name: "busy_https_port",
|
||||
wantErr: fmt.Sprintf("port %d for HTTPS is not available", busyTCPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: uint16(busyTCPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "busy_dot_port",
|
||||
wantErr: fmt.Sprintf("port %d for DNS-over-TLS is not available", busyTCPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortDNSOverTLS: uint16(busyTCPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "busy_doq_port",
|
||||
wantErr: fmt.Sprintf("port %d for DNS-over-QUIC is not available", busyUDPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortDNSOverQUIC: uint16(busyUDPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "duplicate_port",
|
||||
wantErr: "validating tcp ports: duplicated values: [4433]",
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
PortDNSOverTLS: 4433,
|
||||
},
|
||||
},
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
err = m.validateTLSSettings(tc.setts)
|
||||
testutil.AssertErrorMsg(t, tc.wantErr, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSValidate(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{})
|
||||
m.setWebAPI(web)
|
||||
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/validate", bytes.NewReader(req))
|
||||
m.handleTLSValidate(w, r)
|
||||
|
||||
res := &tlsConfigStatus{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
testCertChainData := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.Issuer)
|
||||
}
|
||||
|
||||
func TestTLSManager_HandleTLSConfigure(t *testing.T) {
|
||||
// Store the global state before making any changes.
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
|
||||
Logger: testLogger,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
err = globalContext.dnsServer.Prepare(
|
||||
testutil.ContextWithTimeout(t, testTimeout),
|
||||
&dnsforward.ServerConfig{
|
||||
TLSConf: &dnsforward.TLSConfig{},
|
||||
Config: dnsforward.Config{
|
||||
UpstreamMode: dnsforward.UpstreamModeLoadBalance,
|
||||
EDNSClientSubnet: &dnsforward.EDNSClientSubnet{Enabled: false},
|
||||
ClientsContainer: dnsforward.EmptyClientsContainer{},
|
||||
},
|
||||
ServePlainDNS: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
|
||||
BaseLogger: testLogger,
|
||||
Logger: testLogger,
|
||||
Clock: timeutil.SystemClock{},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
config.DNS.BindHosts = []netip.Addr{netutil.IPv4Localhost()}
|
||||
config.DNS.Port = 0
|
||||
|
||||
const wantSerialNumber int64 = 1
|
||||
|
||||
// Prepare the TLS manager configuration.
|
||||
tmpDir := t.TempDir()
|
||||
certPath := filepath.Join(tmpDir, "cert.pem")
|
||||
keyPath := filepath.Join(tmpDir, "key.pem")
|
||||
|
||||
certDER, key := newCertAndKey(t, wantSerialNumber)
|
||||
writeCertAndKey(t, certDER, certPath, key, keyPath)
|
||||
|
||||
// Initialize the TLS manager and assert its configuration.
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: certPath,
|
||||
PrivateKeyPath: keyPath,
|
||||
},
|
||||
servePlainDNS: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{})
|
||||
m.setWebAPI(web)
|
||||
|
||||
extTLSConf := m.extendedTLSConfig()
|
||||
assertCertSerialNumber(t, extTLSConf, wantSerialNumber)
|
||||
|
||||
// Prepare a request with the new TLS configuration.
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/configure", bytes.NewReader(req))
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
// Reconfigure the TLS manager.
|
||||
m.handleTLSConfigure(w, r)
|
||||
|
||||
// The [tlsManager.handleTLSConfigure] method will start the DNS server and
|
||||
// it should be stopped after the test ends.
|
||||
testutil.CleanupAndRequireSuccess(t, func() (err error) {
|
||||
return globalContext.dnsServer.Stop(testutil.ContextWithTimeout(t, testTimeout))
|
||||
})
|
||||
|
||||
res := &tlsConfig{
|
||||
tlsConfigStatus: &tlsConfigStatus{},
|
||||
}
|
||||
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
testCertChainData := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.tlsConfigStatus.Issuer)
|
||||
|
||||
// Assert that the Web API's TLS configuration has been updated.
|
||||
//
|
||||
// TODO(s.chzhen): Remove when [httpsServer.cond] is removed.
|
||||
assert.Eventually(t, func() bool {
|
||||
web.httpsServer.condLock.Lock()
|
||||
defer web.httpsServer.condLock.Unlock()
|
||||
|
||||
cert = web.httpsServer.cert
|
||||
if cert.Leaf == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
assert.Equal(t, wantIssuer, cert.Leaf.Issuer.String())
|
||||
|
||||
return true
|
||||
}, testTimeout, testTimeout/10)
|
||||
}
|
||||
|
||||
// requireReadFile reads the file at the specified path and returns its content.
|
||||
//
|
||||
// TODO(m.kazantsev): Move to golibs/testutil.
|
||||
func requireReadFile(tb testing.TB, path string) (data []byte) {
|
||||
tb.Helper()
|
||||
|
||||
data, err := os.ReadFile(path)
|
||||
require.NoError(tb, err)
|
||||
|
||||
return data
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,9 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/agh"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghnet"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/updater"
|
||||
"github.com/AdguardTeam/golibs/errors"
|
||||
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
||||
|
|
@ -202,6 +204,7 @@ func newWebAPI(ctx context.Context, conf *webAPIConfig) (w *webAPI) {
|
|||
mux.Handle("/install.html", w.preInstallHandler(clientFS))
|
||||
w.registerInstallHandlers()
|
||||
} else {
|
||||
w.registerTLSHandlers()
|
||||
w.registerControlHandlers()
|
||||
}
|
||||
|
||||
|
|
@ -464,3 +467,323 @@ func startPprof(baseLogger *slog.Logger, port uint16) {
|
|||
}
|
||||
}()
|
||||
}
|
||||
|
||||
// registerTLSHandlers registers HTTP handlers for TLS configuration.
|
||||
func (web *webAPI) registerTLSHandlers() {
|
||||
web.httpReg.Register(http.MethodGet, "/control/tls/status", web.handleTLSStatus)
|
||||
web.httpReg.Register(http.MethodPost, "/control/tls/configure", web.handleTLSConfigure)
|
||||
web.httpReg.Register(http.MethodPost, "/control/tls/validate", web.handleTLSValidate)
|
||||
}
|
||||
|
||||
// handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
|
||||
func (web *webAPI) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
|
||||
tlsConf := web.tlsManager.extendedTLSConfig()
|
||||
|
||||
data := &tlsConfig{
|
||||
tlsConfigSettingsExt: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: *tlsConf,
|
||||
ServePlainDNS: aghalg.BoolToNullBool(tlsConf.ServePlainDNS),
|
||||
},
|
||||
tlsConfigStatus: &tlsConf.Status,
|
||||
}
|
||||
|
||||
web.tlsManager.marshalTLS(r.Context(), w, r, data)
|
||||
}
|
||||
|
||||
// handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
|
||||
func (web *webAPI) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
|
||||
setts, err := unmarshalTLS(r)
|
||||
if err != nil {
|
||||
// errFmt does not follow error message guidelines because it is sent
|
||||
// directly to the frontend.
|
||||
const errFmt = "Failed to unmarshal TLS config: %s"
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, web.logger, r, w, http.StatusBadRequest, errFmt, err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
extTLSConf := web.tlsManager.extendedTLSConfig()
|
||||
|
||||
if setts.PrivateKeySaved {
|
||||
setts.PrivateKey = extTLSConf.PrivateKey
|
||||
}
|
||||
|
||||
if err = web.validateTLSSettings(setts); err != nil {
|
||||
web.logger.InfoContext(ctx, "validating tls settings", slogutil.KeyError, err)
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, web.logger, r, w, http.StatusBadRequest, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Skip the error check, since we are only interested in the value of
|
||||
// status.WarningValidation.
|
||||
status := &tlsConfigStatus{}
|
||||
_ = web.tlsManager.loadTLSConfig(ctx, &setts.tlsConfigSettings, status)
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: setts,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
|
||||
web.tlsManager.marshalTLS(ctx, w, r, resp)
|
||||
}
|
||||
|
||||
// validateTLSSettings returns error if the setts are not valid.
|
||||
func (web *webAPI) validateTLSSettings(setts tlsConfigSettingsExt) (err error) {
|
||||
if !setts.Enabled {
|
||||
if setts.ServePlainDNS == aghalg.NBFalse {
|
||||
// TODO(a.garipov): Support full disabling of all DNS.
|
||||
return errors.Error("plain DNS is required in case encryption protocols are disabled")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
var (
|
||||
tlsConf tlsConfigSettings
|
||||
webAPIAddr netip.Addr
|
||||
webAPIPort uint16
|
||||
plainDNSPort uint16
|
||||
)
|
||||
|
||||
func() {
|
||||
config.Lock()
|
||||
defer config.Unlock()
|
||||
|
||||
tlsConf = config.TLS
|
||||
webAPIAddr = config.HTTPConfig.Address.Addr()
|
||||
webAPIPort = config.HTTPConfig.Address.Port()
|
||||
plainDNSPort = config.DNS.Port
|
||||
}()
|
||||
|
||||
err = validatePorts(
|
||||
tcpPort(webAPIPort),
|
||||
tcpPort(setts.PortHTTPS),
|
||||
tcpPort(setts.PortDNSOverTLS),
|
||||
tcpPort(setts.PortDNSCrypt),
|
||||
udpPort(plainDNSPort),
|
||||
udpPort(setts.PortDNSOverQUIC),
|
||||
)
|
||||
if err != nil {
|
||||
// Don't wrap the error because it's informative enough as is.
|
||||
return err
|
||||
}
|
||||
|
||||
// Don't wrap the error because it's informative enough as is.
|
||||
return checkPortAvailability(tlsConf, setts.tlsConfigSettings, webAPIAddr)
|
||||
}
|
||||
|
||||
// checkPortAvailability checks [tlsConfigSettings.PortHTTPS],
|
||||
// [tlsConfigSettings.PortDNSOverTLS], and [tlsConfigSettings.PortDNSOverQUIC]
|
||||
// are available for use. It checks the current configuration and, if needed,
|
||||
// attempts to bind to the port. The function returns human-readable error
|
||||
// messages for the frontend. This is best-effort check to prevent an "address
|
||||
// already in use" error.
|
||||
//
|
||||
// TODO(a.garipov): Adapt for HTTP/3.
|
||||
func checkPortAvailability(
|
||||
currConf tlsConfigSettings,
|
||||
newConf tlsConfigSettings,
|
||||
addr netip.Addr,
|
||||
) (err error) {
|
||||
const (
|
||||
networkTCP = "tcp"
|
||||
networkUDP = "udp"
|
||||
|
||||
protoHTTPS = "HTTPS"
|
||||
protoDoT = "DNS-over-TLS"
|
||||
protoDoQ = "DNS-over-QUIC"
|
||||
)
|
||||
|
||||
needBindingCheck := []struct {
|
||||
network string
|
||||
proto string
|
||||
currPort uint16
|
||||
newPort uint16
|
||||
}{{
|
||||
network: networkTCP,
|
||||
proto: protoHTTPS,
|
||||
currPort: currConf.PortHTTPS,
|
||||
newPort: newConf.PortHTTPS,
|
||||
}, {
|
||||
network: networkTCP,
|
||||
proto: protoDoT,
|
||||
currPort: currConf.PortDNSOverTLS,
|
||||
newPort: newConf.PortDNSOverTLS,
|
||||
}, {
|
||||
network: networkUDP,
|
||||
proto: protoDoQ,
|
||||
currPort: currConf.PortDNSOverQUIC,
|
||||
newPort: newConf.PortDNSOverQUIC,
|
||||
}}
|
||||
|
||||
var errs []error
|
||||
for _, v := range needBindingCheck {
|
||||
port := v.newPort
|
||||
if v.currPort == port {
|
||||
continue
|
||||
}
|
||||
|
||||
addrPort := netip.AddrPortFrom(addr, port)
|
||||
err = aghnet.CheckPort(v.network, addrPort)
|
||||
if err != nil {
|
||||
errs = append(errs, fmt.Errorf("port %d for %s is not available", port, v.proto))
|
||||
}
|
||||
}
|
||||
|
||||
return errors.Join(errs...)
|
||||
}
|
||||
|
||||
// validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
|
||||
// DNS protocols.
|
||||
func validatePorts(
|
||||
bindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
|
||||
dnsPort, doqPort udpPort,
|
||||
) (err error) {
|
||||
tcpPorts := aghalg.UniqChecker[tcpPort]{}
|
||||
addPorts(
|
||||
tcpPorts,
|
||||
bindPort,
|
||||
dohPort,
|
||||
dotPort,
|
||||
dnscryptTCPPort,
|
||||
tcpPort(dnsPort),
|
||||
)
|
||||
|
||||
err = tcpPorts.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("validating tcp ports: %w", err)
|
||||
}
|
||||
|
||||
udpPorts := aghalg.UniqChecker[udpPort]{}
|
||||
addPorts(udpPorts, dnsPort, doqPort)
|
||||
|
||||
err = udpPorts.Validate()
|
||||
if err != nil {
|
||||
return fmt.Errorf("validating udp ports: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
|
||||
// API.
|
||||
//
|
||||
// TODO(m.kazantsev): Improve maintainability.
|
||||
func (web *webAPI) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
|
||||
req, err := unmarshalTLS(r)
|
||||
if err != nil {
|
||||
aghhttp.ErrorAndLog(
|
||||
ctx,
|
||||
web.logger,
|
||||
r,
|
||||
w,
|
||||
http.StatusBadRequest,
|
||||
"Failed to unmarshal TLS config: %s",
|
||||
err,
|
||||
)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
var restartHTTPS bool
|
||||
defer func() {
|
||||
if restartHTTPS {
|
||||
web.tlsManager.confModifier.Apply(ctx)
|
||||
}
|
||||
}()
|
||||
|
||||
extTLSConf := web.tlsManager.extendedTLSConfig()
|
||||
|
||||
if req.PrivateKeySaved {
|
||||
req.PrivateKey = extTLSConf.PrivateKey
|
||||
}
|
||||
|
||||
req.StrictSNICheck = extTLSConf.StrictSNICheck
|
||||
|
||||
if err = web.validateTLSSettings(req); err != nil {
|
||||
aghhttp.ErrorAndLog(ctx, web.logger, r, w, http.StatusBadRequest, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
status := &tlsConfigStatus{}
|
||||
err = web.tlsManager.loadTLSConfig(ctx, &req.tlsConfigSettings, status)
|
||||
if err != nil {
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: req,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
|
||||
web.tlsManager.marshalTLS(ctx, w, r, resp)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
newTLSConf := &req.tlsConfigSettings
|
||||
newTLSConf.Status = *status
|
||||
|
||||
restartHTTPS = web.tlsManager.setConfig(ctx, newTLSConf, req.ServePlainDNS)
|
||||
|
||||
err = web.reconfigureDNSServer(ctx, newTLSConf)
|
||||
if err != nil {
|
||||
web.logger.ErrorContext(ctx, "reconfiguring dns server", slogutil.KeyError, err)
|
||||
|
||||
aghhttp.ErrorAndLog(ctx, web.logger, r, w, http.StatusInternalServerError, "%s", err)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
resp := &tlsConfig{
|
||||
tlsConfigSettingsExt: req,
|
||||
tlsConfigStatus: status,
|
||||
}
|
||||
|
||||
web.tlsManager.marshalTLS(ctx, w, r, resp)
|
||||
rc := http.NewResponseController(w)
|
||||
err = rc.Flush()
|
||||
if err != nil {
|
||||
web.logger.ErrorContext(ctx, "flushing response", slogutil.KeyError, err)
|
||||
}
|
||||
|
||||
// The background context is used because the TLSConfigChanged wraps context
|
||||
// with timeout on its own and shuts down the server, which handles current
|
||||
// request. It is also should be done in a separate goroutine due to the
|
||||
// same reason.
|
||||
if restartHTTPS {
|
||||
go web.tlsConfigChanged(context.Background(), &req.tlsConfigSettings)
|
||||
}
|
||||
}
|
||||
|
||||
// reconfigureDNSServer updates the DNS server configuration using extTLSConf.
|
||||
// extTLSConf must not be nil.
|
||||
func (web *webAPI) reconfigureDNSServer(
|
||||
ctx context.Context,
|
||||
extTLSConf *tlsConfigSettings,
|
||||
) (err error) {
|
||||
newConf, err := newServerConfig(
|
||||
&config.DNS,
|
||||
config.Clients.Sources,
|
||||
extTLSConf,
|
||||
config.HTTPConfig.DoH,
|
||||
web.tlsManager,
|
||||
web.httpReg,
|
||||
globalContext.clients.storage,
|
||||
web.tlsManager.confModifier,
|
||||
)
|
||||
if err != nil {
|
||||
return fmt.Errorf("generating forwarding dns server config: %w", err)
|
||||
}
|
||||
|
||||
err = globalContext.dnsServer.Reconfigure(ctx, newConf)
|
||||
if err != nil {
|
||||
return fmt.Errorf("starting forwarding dns server: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
354
internal/home/web_internal_test.go
Normal file
354
internal/home/web_internal_test.go
Normal file
|
|
@ -0,0 +1,354 @@
|
|||
package home
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/netip"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/agh"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/client"
|
||||
"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
|
||||
"github.com/AdguardTeam/golibs/netutil"
|
||||
"github.com/AdguardTeam/golibs/testutil"
|
||||
"github.com/AdguardTeam/golibs/timeutil"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestWebAPI_HandleTLSConfigure(t *testing.T) {
|
||||
// Store the global state before making any changes.
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
globalContext.dnsServer, err = dnsforward.NewServer(dnsforward.DNSCreateParams{
|
||||
Logger: testLogger,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
err = globalContext.dnsServer.Prepare(
|
||||
testutil.ContextWithTimeout(t, testTimeout),
|
||||
&dnsforward.ServerConfig{
|
||||
TLSConf: &dnsforward.TLSConfig{},
|
||||
Config: dnsforward.Config{
|
||||
UpstreamMode: dnsforward.UpstreamModeLoadBalance,
|
||||
EDNSClientSubnet: &dnsforward.EDNSClientSubnet{Enabled: false},
|
||||
ClientsContainer: dnsforward.EmptyClientsContainer{},
|
||||
},
|
||||
ServePlainDNS: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
globalContext.clients.storage, err = client.NewStorage(ctx, &client.StorageConfig{
|
||||
BaseLogger: testLogger,
|
||||
Logger: testLogger,
|
||||
Clock: timeutil.SystemClock{},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
config.DNS.BindHosts = []netip.Addr{netutil.IPv4Localhost()}
|
||||
config.DNS.Port = 0
|
||||
|
||||
const wantSerialNumber int64 = 1
|
||||
|
||||
// Prepare the TLS manager configuration.
|
||||
tmpDir := t.TempDir()
|
||||
certPath := filepath.Join(tmpDir, "cert.pem")
|
||||
keyPath := filepath.Join(tmpDir, "key.pem")
|
||||
|
||||
certDER, key := newCertAndKey(t, wantSerialNumber)
|
||||
writeCertAndKey(t, certDER, certPath, key, keyPath)
|
||||
|
||||
// Initialize the TLS manager and assert its configuration.
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: certPath,
|
||||
PrivateKeyPath: keyPath,
|
||||
ServePlainDNS: true,
|
||||
},
|
||||
servePlainDNS: true,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{tlsManager: m})
|
||||
m.setWebAPI(web)
|
||||
|
||||
extTLSConf := m.extendedTLSConfig()
|
||||
assertCertSerialNumber(t, extTLSConf, wantSerialNumber)
|
||||
|
||||
// Prepare a request with the new TLS configuration.
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/configure", bytes.NewReader(req))
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
// Reconfigure the TLS manager.
|
||||
web.handleTLSConfigure(w, r)
|
||||
|
||||
// The [webAPI.handleTLSConfigure] method will start the DNS server and
|
||||
// it should be stopped after the test ends.
|
||||
testutil.CleanupAndRequireSuccess(t, func() (err error) {
|
||||
return globalContext.dnsServer.Stop(testutil.ContextWithTimeout(t, testTimeout))
|
||||
})
|
||||
|
||||
res := &tlsConfig{
|
||||
tlsConfigStatus: &tlsConfigStatus{},
|
||||
}
|
||||
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
testCertChainData := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.tlsConfigStatus.Issuer)
|
||||
|
||||
// Assert that the Web API's TLS configuration has been updated.
|
||||
//
|
||||
// TODO(s.chzhen): Remove when [httpsServer.cond] is removed.
|
||||
assert.Eventually(t, func() bool {
|
||||
web.httpsServer.condLock.Lock()
|
||||
defer web.httpsServer.condLock.Unlock()
|
||||
|
||||
cert = web.httpsServer.cert
|
||||
if cert.Leaf == nil {
|
||||
return false
|
||||
}
|
||||
|
||||
assert.Equal(t, wantIssuer, cert.Leaf.Issuer.String())
|
||||
|
||||
return true
|
||||
}, testTimeout, testTimeout/10)
|
||||
}
|
||||
|
||||
func TestWebAPI_HandleTLSStatus(t *testing.T) {
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
testCertChain := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificateChain: string(testCertChain),
|
||||
PrivateKey: string(testPrivateKeyData),
|
||||
},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{tlsManager: m})
|
||||
m.setWebAPI(web)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodGet, "/control/tls/status", nil)
|
||||
web.handleTLSStatus(w, r)
|
||||
|
||||
res := &tlsConfigSettingsExt{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantCertificateChain := base64.StdEncoding.EncodeToString(testCertChain)
|
||||
assert.True(t, res.Enabled)
|
||||
assert.Equal(t, wantCertificateChain, res.CertificateChain)
|
||||
assert.True(t, res.PrivateKeySaved)
|
||||
}
|
||||
|
||||
func TestWebAPI_ValidateTLSSettings(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{tlsManager: m})
|
||||
m.setWebAPI(web)
|
||||
|
||||
tcpLn, err := net.Listen("tcp", ":0")
|
||||
require.NoError(t, err)
|
||||
|
||||
testutil.CleanupAndRequireSuccess(t, tcpLn.Close)
|
||||
|
||||
tcpAddr := testutil.RequireTypeAssert[*net.TCPAddr](t, tcpLn.Addr())
|
||||
busyTCPPort := tcpAddr.Port
|
||||
|
||||
udpLn, err := net.ListenPacket("udp", ":0")
|
||||
require.NoError(t, err)
|
||||
|
||||
testutil.CleanupAndRequireSuccess(t, udpLn.Close)
|
||||
|
||||
udpAddr := testutil.RequireTypeAssert[*net.UDPAddr](t, udpLn.LocalAddr())
|
||||
busyUDPPort := udpAddr.Port
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
wantErr string
|
||||
setts tlsConfigSettingsExt
|
||||
}{{
|
||||
name: "basic",
|
||||
wantErr: "",
|
||||
setts: tlsConfigSettingsExt{},
|
||||
}, {
|
||||
name: "disabled_all",
|
||||
wantErr: "plain DNS is required in case encryption protocols are disabled",
|
||||
setts: tlsConfigSettingsExt{
|
||||
ServePlainDNS: aghalg.NBFalse,
|
||||
},
|
||||
}, {
|
||||
name: "busy_https_port",
|
||||
wantErr: fmt.Sprintf("port %d for HTTPS is not available", busyTCPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: uint16(busyTCPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "busy_dot_port",
|
||||
wantErr: fmt.Sprintf("port %d for DNS-over-TLS is not available", busyTCPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortDNSOverTLS: uint16(busyTCPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "busy_doq_port",
|
||||
wantErr: fmt.Sprintf("port %d for DNS-over-QUIC is not available", busyUDPPort),
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortDNSOverQUIC: uint16(busyUDPPort),
|
||||
},
|
||||
},
|
||||
}, {
|
||||
name: "duplicate_port",
|
||||
wantErr: "validating tcp ports: duplicated values: [4433]",
|
||||
setts: tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
PortHTTPS: 4433,
|
||||
PortDNSOverTLS: 4433,
|
||||
},
|
||||
},
|
||||
}}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
err = web.validateTLSSettings(tc.setts)
|
||||
testutil.AssertErrorMsg(t, tc.wantErr, err)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestWebAPI_HandleTLSValidate(t *testing.T) {
|
||||
storeGlobals(t)
|
||||
|
||||
var (
|
||||
ctx = testutil.ContextWithTimeout(t, testTimeout)
|
||||
err error
|
||||
)
|
||||
|
||||
m, err := newTLSManager(ctx, &tlsManagerConfig{
|
||||
logger: testLogger,
|
||||
confModifier: agh.EmptyConfigModifier{},
|
||||
manager: aghtls.EmptyManager{},
|
||||
tlsSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
servePlainDNS: false,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
web := newTestWeb(t, &webConfig{tlsManager: m})
|
||||
m.setWebAPI(web)
|
||||
|
||||
setts := &tlsConfigSettingsExt{
|
||||
tlsConfigSettings: tlsConfigSettings{
|
||||
Enabled: true,
|
||||
CertificatePath: testCertificatePath,
|
||||
PrivateKeyPath: testPrivateKeyPath,
|
||||
},
|
||||
}
|
||||
|
||||
req, err := json.Marshal(setts)
|
||||
require.NoError(t, err)
|
||||
|
||||
w := httptest.NewRecorder()
|
||||
r := httptest.NewRequest(http.MethodPost, "/control/tls/validate", bytes.NewReader(req))
|
||||
web.handleTLSValidate(w, r)
|
||||
|
||||
res := &tlsConfigStatus{}
|
||||
err = json.NewDecoder(w.Body).Decode(res)
|
||||
require.NoError(t, err)
|
||||
|
||||
testCertChainData := requireReadFile(t, testCertificatePath)
|
||||
testPrivateKeyData := requireReadFile(t, testPrivateKeyPath)
|
||||
|
||||
cert, err := tls.X509KeyPair(testCertChainData, testPrivateKeyData)
|
||||
require.NoError(t, err)
|
||||
|
||||
wantIssuer := cert.Leaf.Issuer.String()
|
||||
assert.Equal(t, wantIssuer, res.Issuer)
|
||||
}
|
||||
|
||||
// requireReadFile reads the file at the specified path and returns its content.
|
||||
//
|
||||
// TODO(m.kazantsev): Move to golibs/testutil.
|
||||
func requireReadFile(tb testing.TB, path string) (data []byte) {
|
||||
tb.Helper()
|
||||
|
||||
data, err := os.ReadFile(path)
|
||||
require.NoError(tb, err)
|
||||
|
||||
return data
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue