fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16)
Co-authored-by: git-echo <git-echo@moon-dragon.us>
committed by
GitHub
parent
df2f4c70c9
commit
eac05ad1eb
@ -143,12 +143,14 @@ impl ClientCertVerifier for CrlAwareVerifier {
|
||||
}
|
||||
|
||||
/// mTLS Configuration
|
||||
///
|
||||
/// TLS 1.3 is the only supported protocol version — this is hardcoded
|
||||
/// in `build_rustls_config()` and cannot be configured via this struct.
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct MtlsConfig {
|
||||
pub ca_cert_path: String,
|
||||
pub server_cert_path: String,
|
||||
pub server_key_path: String,
|
||||
pub min_tls_version: String,
|
||||
}
|
||||
|
||||
/// Build a rustls ServerConfig with client certificate verification.
|
||||
|
||||
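Review bot: The new doc comment on `MtlsConfig` names `build_rustls_config()` in plain backticks; if that function lives in this module (the `/// Build a rustls ServerConfig …` doc just below suggests it does), an intra-doc link to `build_rustls_config` in the bracketed-backtick form would let rustdoc verify the reference, so a future rename shows up as a broken-link warning instead of stale prose. The struct literal shape also changes with the removed field, which the `main.rs` hunk in this commit already accounts for; any out-of-tree constructor of `MtlsConfig` would need the same edit.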
@ -33,8 +33,6 @@ pub struct TlsConfig {
|
||||
pub ca_cert: String,
|
||||
pub server_cert: String,
|
||||
pub server_key: String,
|
||||
#[serde(default = "default_tls_version")]
|
||||
pub min_tls_version: String,
|
||||
/// Path to persist the CRL fetched from the manager.
|
||||
/// Defaults to /etc/linux_patch_api/certs/crl.pem
|
||||
#[serde(default = "default_crl_path")]
|
||||
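Review bot: Removing `min_tls_version` from `TlsConfig` means the typed serde parse will either silently ignore a leftover `tls.min_tls_version` key or, if the struct's attribute line above this hunk carries `#[serde(deny_unknown_fields)]`, reject the whole config file — and that rejection would happen in the `serde_yaml::from_str` typed parse, which the commit's warn-and-ignore path is meant to precede. Worth confirming the struct has no `deny_unknown_fields`, and pinning the compatibility promise with a `#[cfg(test)]` case that deserializes a YAML snippet containing `min_tls_version: "1.2"` into `TlsConfig` and asserts it still parses. The struct header and derive line are outside the hunk.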
@ -49,10 +47,6 @@ fn default_true() -> bool {
|
||||
true
|
||||
}
|
||||
|
||||
fn default_tls_version() -> String {
|
||||
"1.3".to_string()
|
||||
}
|
||||
|
||||
/// Jobs configuration
|
||||
#[derive(Debug, Deserialize, Serialize, Clone)]
|
||||
pub struct JobsConfig {
|
||||
@ -501,6 +495,19 @@ impl AppConfig {
|
||||
let content = std::fs::read_to_string(path)
|
||||
.with_context(|| format!("Failed to read config file: {}", path))?;
|
||||
|
||||
// Check for deprecated fields before typed parsing
|
||||
if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(&content) {
|
||||
if let Some(tls) = value.get("tls") {
|
||||
if tls.get("min_tls_version").is_some() {
|
||||
tracing::warn!(
|
||||
"Config contains deprecated 'tls.min_tls_version' field. \
|
||||
This field is ignored — TLS 1.3 is the only supported version. \
|
||||
Remove it from your config to silence this warning."
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
let config: AppConfig = serde_yaml::from_str(&content)
|
||||
.with_context(|| format!("Failed to parse config file: {}", path))?;
|
||||
|
||||
|
||||
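Review bot: The deprecated-field scan added here (from `// Check for deprecated fields before typed parsing` through its closing braces) is a copy of `validate_config_warnings` in `validator.rs` (the `@ -1,3 +1,25 @@` hunk), which this commit also re-exports from `config/mod.rs`; two copies of the YAML walk and of the warning text will drift apart. The block can be reduced to one call, `validate_config_warnings(&content);`, assuming `loader.rs` can reach the re-export (e.g. via `super::validate_config_warnings`). Keeping the pre-parse in one place also makes it obvious that `content` is parsed twice on purpose. The enclosing `AppConfig` method starts and ends outside the hunk.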
@ -8,4 +8,5 @@
|
||||
pub mod loader;
|
||||
pub use loader::{validate_certs, AppConfig, CertStatus, EnrollmentConfig, RateLimitConfig};
|
||||
pub mod validator;
|
||||
pub use validator::validate_config_warnings;
|
||||
pub mod watcher;
|
||||
|
||||
@ -1,3 +1,25 @@
|
||||
//! Configuration Validator
|
||||
//!
|
||||
//! Placeholder - implementation in future phases
|
||||
//! Validates configuration values and warns about deprecated fields.
|
||||
|
||||
use tracing::warn;
|
||||
|
||||
/// Validate configuration for deprecated or unknown fields.
|
||||
///
|
||||
/// This is called after config loading to emit warnings for fields
|
||||
/// that are no longer functional but may still be present in operator
|
||||
/// config files.
|
||||
pub fn validate_config_warnings(config_yaml: &str) {
|
||||
// Check for deprecated tls.min_tls_version field
|
||||
if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(config_yaml) {
|
||||
if let Some(tls) = value.get("tls") {
|
||||
if tls.get("min_tls_version").is_some() {
|
||||
warn!(
|
||||
"Config contains deprecated 'tls.min_tls_version' field. \
|
||||
This field is ignored — TLS 1.3 is the only supported version. \
|
||||
Remove it from your config to silence this warning."
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
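Review bot: `validate_config_warnings` emits through `warn!` directly, so the only way to test that the deprecated `tls.min_tls_version` key is detected is to install a tracing subscriber; splitting detection from logging gives a pure function that a `#[cfg(test)]` case can assert on, and the nested `if let` chain flattens to a single `and_then`. The public signature stays as-is, so the loader call site is unaffected; the module doc line `//! Placeholder - implementation in future phases` is also now stale and should be dropped since the function is implemented.
```rust
/// Return one message per deprecated field present in `config_yaml`.
///
/// Unparseable YAML yields no warnings; the typed parse in the loader
/// reports the syntax error.
pub fn deprecated_field_warnings(config_yaml: &str) -> Vec<String> {
    let mut warnings = Vec::new();
    if let Ok(value) = serde_yaml::from_str::<serde_yaml::Value>(config_yaml) {
        if value.get("tls").and_then(|tls| tls.get("min_tls_version")).is_some() {
            warnings.push(
                "Config contains deprecated 'tls.min_tls_version' field. \
                 This field is ignored — TLS 1.3 is the only supported version. \
                 Remove it from your config to silence this warning."
                    .to_string(),
            );
        }
    }
    warnings
}

/// Validate configuration for deprecated or unknown fields.
///
/// Called after config loading; logs one warning per finding from
/// `deprecated_field_warnings`.
pub fn validate_config_warnings(config_yaml: &str) {
    for message in deprecated_field_warnings(config_yaml) {
        warn!("{}", message);
    }
}
```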
@ -368,16 +368,15 @@ async fn main() -> Result<()> {
|
||||
ca_cert = %tls_config.ca_cert,
|
||||
server_cert = %tls_config.server_cert,
|
||||
server_key = %tls_config.server_key,
|
||||
min_tls_version = %tls_config.min_tls_version,
|
||||
crl_path = %tls_config.crl_path,
|
||||
"Initializing mTLS authentication with TLS binding"
|
||||
"Initializing mTLS authentication with TLS 1.3 binding"
|
||||
);
|
||||
|
||||
// TLS 1.3 is the only supported version — hardcoded in build_rustls_config()
|
||||
let mtls_config = mtls::MtlsConfig {
|
||||
ca_cert_path: tls_config.ca_cert.clone(),
|
||||
server_cert_path: tls_config.server_cert.clone(),
|
||||
server_key_path: tls_config.server_key.clone(),
|
||||
min_tls_version: tls_config.min_tls_version.clone(),
|
||||
};
|
||||
|
||||
// Load CRL from disk into the shared CRL state
|
||||
|
||||
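Review bot: The log line `"Initializing mTLS authentication with TLS 1.3 binding"` now embeds the protocol version as a literal, while the comment above `let mtls_config` says the restriction itself lives in `build_rustls_config()`; if that function is ever changed, this user-facing message drifts with nothing to catch it. One option is a `pub const` in the `mtls` module (a constructed name such as `mtls::SUPPORTED_TLS_VERSION`) that both `build_rustls_config()` and this message use, so the string cannot disagree with the configured protocol. `main` starts and ends outside the hunk.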