From e9735c6110f0fff5e6ad6e0ca14bbf6263a97549 Mon Sep 17 00:00:00 2001
From: James Houlahan
Date: Fri, 24 Apr 2020 16:00:12 +0200
Subject: [PATCH] refactor: set app version when enabling remote tls issue reporting
---
 pkg/config/pmapi_prod.go | 4 ++--
 pkg/pmapi/dialer_pinning.go | 14 +++++++-------
 pkg/pmapi/dialer_pinning_test.go | 2 +-
 pkg/pmapi/proxy.go | 2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/pkg/config/pmapi_prod.go b/pkg/config/pmapi_prod.go
index d9b27745..ea2d4ce2 100644
--- a/pkg/config/pmapi_prod.go
+++ b/pkg/config/pmapi_prod.go
@@ -44,11 +44,11 @@ func (c *Config) GetRoundTripper(cm *pmapi.ClientManager, listener listener.List
 basicDialer := pmapi.NewBasicTLSDialer()
 // We wrap the TLS dialer in a layer which enforces connections to trusted servers.
- pinningDialer := pmapi.NewPinningTLSDialer(basicDialer, c.GetAPIConfig().AppVersion)
+ pinningDialer := pmapi.NewPinningTLSDialer(basicDialer)
 // We want any pin mismatches to be communicated back to bridge GUI and reported.
 pinningDialer.SetTLSIssueNotifier(func() { listener.Emit(events.TLSCertIssue, "") })
- pinningDialer.SetRemoteTLSIssueReporting(true)
+ pinningDialer.EnableRemoteTLSIssueReporting(c.GetAPIConfig().AppVersion)
 // We wrap the pinning dialer in a layer which adds "alternative routing" feature.
 proxyDialer := pmapi.NewProxyTLSDialer(pinningDialer, cm)
diff --git a/pkg/pmapi/dialer_pinning.go b/pkg/pmapi/dialer_pinning.go
index 358bcba4..d31be145 100644
--- a/pkg/pmapi/dialer_pinning.go
+++ b/pkg/pmapi/dialer_pinning.go
@@ -33,12 +33,12 @@ type PinningTLSDialer struct {
 // pinChecker is used to check TLS keys of connections.
 pinChecker PinChecker
- // appVersion is supplied if there is a TLS mismatch.
- appVersion string
-
 // tlsIssueNotifier is used to notify something when there is a TLS issue.
 tlsIssueNotifier func()
+ // appVersion is needed to report TLS mismatches.
+ appVersion string
+
 // enableRemoteReporting instructs the dialer to report TLS mismatches.
 enableRemoteReporting bool
@@ -49,11 +49,10 @@ type PinningTLSDialer struct {
 // NewPinningTLSDialer constructs a new dialer which only returns tcp connections to servers
 // which present known certificates.
 // If enabled, it reports any invalid certificates it finds.
-func NewPinningTLSDialer(dialer TLSDialer, appVersion string) *PinningTLSDialer {
+func NewPinningTLSDialer(dialer TLSDialer) *PinningTLSDialer {
 return &PinningTLSDialer{
 dialer: dialer,
 pinChecker: NewPinChecker(TrustedAPIPins),
- appVersion: appVersion,
 log: logrus.WithField("pkg", "pmapi/tls-pinning"),
 }
 }
@@ -62,8 +61,9 @@ func (p *PinningTLSDialer) SetTLSIssueNotifier(notifier func()) {
 p.tlsIssueNotifier = notifier
 }
-func (p *PinningTLSDialer) SetRemoteTLSIssueReporting(enabled bool) {
- p.enableRemoteReporting = enabled
+func (p *PinningTLSDialer) EnableRemoteTLSIssueReporting(appVersion string) {
+ p.enableRemoteReporting = true
+ p.appVersion = appVersion
 }
 // DialTLS dials the given network/address, returning an error if the certificates don't match the trusted pins.
diff --git a/pkg/pmapi/dialer_pinning_test.go b/pkg/pmapi/dialer_pinning_test.go
index 24c5c2f6..e64fed54 100644
--- a/pkg/pmapi/dialer_pinning_test.go
+++ b/pkg/pmapi/dialer_pinning_test.go
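Review bot: EnableRemoteTLSIssueReporting in the third hunk is exported but has no doc comment, and unlike the SetRemoteTLSIssueReporting(enabled bool) it replaces it gives callers no way to switch reporting off again. A doc comment should say both, e.g. `// EnableRemoteTLSIssueReporting turns on reporting of pin mismatches and records appVersion for inclusion in those reports; once enabled it cannot be turned off again.` The method writes plain struct fields that DialTLS presumably reads on every dial, so the comment should also state that it must be called before the dialer is handed to a transport, otherwise enabling it while connections are being dialed would be a data race — confirm against DialTLS, which lies outside the hunk. The NewPinningTLSDialer comment in the second hunk still reads "If enabled, it reports any invalid certificates it finds." without saying that enabling now happens through EnableRemoteTLSIssueReporting; naming the method there would close that gap.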
@@ -33,7 +33,7 @@ var testLiveConfig = &ClientConfig{
 func createAndSetPinningDialer(cm *ClientManager) (*int, *PinningTLSDialer) {
 called := 0
- dialer := NewPinningTLSDialer(NewBasicTLSDialer(), testLiveConfig.AppVersion)
+ dialer := NewPinningTLSDialer(NewBasicTLSDialer())
 dialer.SetTLSIssueNotifier(func() { called++ })
 cm.SetRoundTripper(CreateTransportWithDialer(dialer))
diff --git a/pkg/pmapi/proxy.go b/pkg/pmapi/proxy.go
index ff147123..5a36bb05 100644
--- a/pkg/pmapi/proxy.go
+++ b/pkg/pmapi/proxy.go
@@ -144,7 +144,7 @@ func (p *proxyProvider) canReach(url string) bool {
 url = "https://" + url
 }
- pinningDialer := NewPinningTLSDialer(NewBasicTLSDialer(), "")
+ pinningDialer := NewPinningTLSDialer(NewBasicTLSDialer())
 pinger := resty.New().
 SetHostURL(url).
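Review bot: createAndSetPinningDialer no longer passes an app version, and nothing in the hunk calls EnableRemoteTLSIssueReporting, so the new method and the appVersion it records appear to have no test exercising them. A case that calls `dialer.EnableRemoteTLSIssueReporting(testLiveConfig.AppVersion)` before the dialer is installed and then checks the reporting path would cover the behaviour the commit introduces. The helper continues beyond the hunk, so a later enabling call there cannot be ruled out from this view.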
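Review bot: The probe dialer built in canReach never calls EnableRemoteTLSIssueReporting, so a pin mismatch seen while probing a proxy is still only a local failure and is never reported; the old call's explicit `""` hinted at that, and with the argument gone the intent is no longer visible at the call site. A comment would carry it: `// Pins are still enforced here, but mismatches during reachability probes are deliberately not reported remotely.` Whether the omission is intended or an oversight cannot be told from the hunk, and canReach continues outside it.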