Adding (m)TLS Support

config/backend.go

@@ -12,21 +12,20 @@ var (
 	_ BackendReference = &Backend{}
 	_ Body             = &Backend{}
 	_ Inline           = &Backend{}
-
-	BackendInlineSchema = Backend{}.Schema(true)
 )
 
 // Backend represents the <Backend> object.
 type Backend struct {
-	DisableCertValidation  bool       `hcl:"disable_certificate_validation,optional" docs:"Disables the peer certificate validation. Must not be used in backend refinement."`
-	DisableConnectionReuse bool       `hcl:"disable_connection_reuse,optional" docs:"Disables reusage of connections to the origin. Must not be used in backend refinement."`
-	Health                 *Health    `hcl:"beta_health,block"`
-	HTTP2                  bool       `hcl:"http2,optional" docs:"Enables the HTTP2 support. Must not be used in backend refinement."`
-	MaxConnections         int        `hcl:"max_connections,optional" docs:"The maximum number of concurrent connections in any state (_active_ or _idle_) to the origin. Must not be used in backend refinement." default:"0"`
-	Name                   string     `hcl:"name,label,optional"`
-	OpenAPI                *OpenAPI   `hcl:"openapi,block"`
-	RateLimits             RateLimits `hcl:"beta_rate_limit,block"`
-	Remain                 hcl.Body   `hcl:",remain"`
+	DisableCertValidation  bool        `hcl:"disable_certificate_validation,optional" docs:"Disables the peer certificate validation. Must not be used in backend refinement."`
+	DisableConnectionReuse bool        `hcl:"disable_connection_reuse,optional" docs:"Disables reusage of connections to the origin. Must not be used in backend refinement."`
+	Health                 *Health     `hcl:"beta_health,block"`
+	HTTP2                  bool        `hcl:"http2,optional" docs:"Enables the HTTP2 support. Must not be used in backend refinement."`
+	MaxConnections         int         `hcl:"max_connections,optional" docs:"The maximum number of concurrent connections in any state (_active_ or _idle_) to the origin. Must not be used in backend refinement." default:"0"`
+	Name                   string      `hcl:"name,label,optional"`
+	OpenAPI                *OpenAPI    `hcl:"openapi,block"`
+	RateLimits             RateLimits  `hcl:"beta_rate_limit,block"`
+	Remain                 hcl.Body    `hcl:",remain"`
+	TLS                    *BackendTLS `hcl:"tls,block"`
 }
 
 // Reference implements the <BackendReference> interface.

config/body/body.go

@@ -46,6 +46,15 @@ func BlocksOfType(body *hclsyntax.Body, blockType string) []*hclsyntax.Block {
 	return blocks
 }
 
+func AttributeByName(body *hclsyntax.Body, needle string) *hclsyntax.Attribute {
+	for _, attr := range body.Attributes {
+		if attr.Name == needle {
+			return attr
+		}
+	}
+	return nil
+}
+
 func RenameAttribute(body *hclsyntax.Body, old, new string) {
 	if attr, ok := body.Attributes[old]; ok {
 		attr.Name = new

config/certificate.go

@@ -0,0 +1,17 @@
+package config
+
+type ClientCertificate struct {
+	Name     string `hcl:",label,optional"`
+	CA       string `hcl:"ca_certificate,optional"`
+	CAFile   string `hcl:"ca_certificate_file,optional"`
+	Leaf     string `hcl:"leaf_certificate,optional"`
+	LeafFile string `hcl:"leaf_certificate_file,optional"`
+}
+
+type ServerCertificate struct {
+	Name           string `hcl:",label,optional"`
+	PublicKey      string `hcl:"public_key,optional"`
+	PublicKeyFile  string `hcl:"public_key_file,optional"`
+	PrivateKey     string `hcl:"private_key,optional"`
+	PrivateKeyFile string `hcl:"private_key_file,optional"`
+}

config/configload/load.go

@@ -42,6 +42,7 @@ const (
 	server          = "server"
 	settings        = "settings"
 	spa             = "spa"
+	tls             = "tls"
 	tokenRequest    = "beta_token_request"
 	// defaultNameLabel maps the hcl label attr 'name'.
 	defaultNameLabel = "default"

config/configload/validate.go

@@ -10,6 +10,7 @@ import (
 	"github.com/hashicorp/hcl/v2/hclsyntax"
 	"github.com/zclconf/go-cty/cty"
 
+	bodySyntax "github.com/avenga/couper/config/body"
 	"github.com/avenga/couper/eval"
 	"github.com/avenga/couper/utils"
 )
@@ -64,6 +65,11 @@ func validateBody(body *hclsyntax.Body, afterMerge bool) error {
 						}
 						uniqueBackends[label] = struct{}{}
 					}
+
+					if err := validateBackendTLS(innerBlock); err != nil {
+						return err
+					}
+
 				case "basic_auth", "beta_oauth2", "oidc", "saml":
 					err := checkAC(uniqueACs, label, labelRange, afterMerge)
 					if err != nil {
@@ -110,8 +116,8 @@ func validateBody(body *hclsyntax.Body, afterMerge bool) error {
 						return err
 					}
 				} else if innerBlock.Type == api {
-					apiBasePath, err := getBasePath(innerBlock, afterMerge)
-					if err != nil {
+					var apiBasePath string
+					if apiBasePath, err = getBasePath(innerBlock, afterMerge); err != nil {
 						return err
 					}
 
@@ -306,3 +312,21 @@ func validMethods(methods []string, attr *hclsyntax.Attribute) error {
 
 	return nil
 }
+
+// validateBackendTLS determines irrational backend certificate configuration.
+func validateBackendTLS(block *hclsyntax.Block) error {
+	validateCertAttr := bodySyntax.AttributeByName(block.Body, "disable_certificate_validation")
+	if tlsBlocks := bodySyntax.BlocksOfType(block.Body, "tls"); validateCertAttr != nil && len(tlsBlocks) > 0 {
+		var attrName string
+		if caCert := bodySyntax.AttributeByName(tlsBlocks[0].Body, "server_ca_certificate"); caCert != nil {
+			attrName = caCert.Name
+		} else if caCertFile := bodySyntax.AttributeByName(tlsBlocks[0].Body, "server_ca_certificate_file"); caCertFile != nil {
+			attrName = caCertFile.Name
+		}
+		if attrName != "" {
+			r := tlsBlocks[0].Range()
+			return newDiagErr(&r, fmt.Sprintf("configured 'disable_certificate_validation' along with '%s' attribute", attrName))
+		}
+	}
+	return nil
+}

config/configload/validate_test.go

@@ -288,6 +288,43 @@ func Test_validateBody(t *testing.T) {
 			 }`,
 			"couper.hcl:5,15-20: backend labels must be unique; ",
 		},
+		{
+			"backend disable cert validation with tls block and server_ca_certificate",
+			`server {}
+			 definitions {
+			   backend "foo" {
+					disable_certificate_validation = false # value does not matter
+					tls {
+						server_ca_certificate = "asdf"
+					}
+			   }
+			 }`,
+			"couper.hcl:5,6-7,7: configured 'disable_certificate_validation' along with 'server_ca_certificate' attribute; ",
+		},
+		{
+			"backend disable cert validation with tls block and server_ca_certificate_file",
+			`server {}
+			 definitions {
+			   backend "foo" {
+					disable_certificate_validation = true # value does not matter
+					tls {
+						server_ca_certificate_file = "asdf.crt"
+					}
+			   }
+			 }`,
+			"couper.hcl:5,6-7,7: configured 'disable_certificate_validation' along with 'server_ca_certificate_file' attribute; ",
+		},
+		{
+			"backend disable cert validation with tls block and w/o server_ca_certificate*",
+			`server {}
+			 definitions {
+			   backend "foo" {
+					disable_certificate_validation = true # value does not matter
+					tls {}
+			   }
+			 }`,
+			"",
+		},
 		{
 			"duplicate proxy labels",
 			`server {}

config/server.go

@@ -23,6 +23,7 @@ type Server struct {
 	Name                 string      `hcl:"name,label,optional"`
 	Remain               hcl.Body    `hcl:",remain"`
 	SPAs                 SPAs        `hcl:"spa,block"`
+	TLS                  *ServerTLS  `hcl:"tls,block"`
 }
 
 // Servers represents a list of <Server> objects.

config/tls.go

@@ -0,0 +1,15 @@
+package config
+
+type ServerTLS struct {
+	Ocsp               bool                 `hcl:"ocsp,optional"`
+	OcspTTL            string               `hcl:"ocsp_ttl,optional" type:"duration" default:"12h"`
+	ClientCertificate  []*ClientCertificate `hcl:"client_certificate,block"`
+	ServerCertificates []*ServerCertificate `hcl:"server_certificate,block"`
+}
+
+type BackendTLS struct {
+	ServerCertificate     string `hcl:"server_ca_certificate,optional"`
+	ServerCertificateFile string `hcl:"server_ca_certificate_file,optional"`
+	ClientCertificate     string `hcl:"client_certificate,optional"`
+	ClientCertificateFile string `hcl:"client_certificate_file,optional"`
+}