add support for reading tls config from a file

Reviewed By: shringiarpit26

Differential Revision: D82873724

fbshipit-source-id: 937786ca77617e9c46923fc5caab9c9f591759e4

Author: Surya Ahuja

cmds/client/main.go

@@ -30,24 +30,25 @@ var (
 	authenMode = flag.String("authen-mode", "pap", "valid choices, [pap ascii]")
 
 	// TLS options
-	useTLS                = flag.Bool("tls", false, "enable TLS support as per IETF draft-ietf-opsawg-tacacs-tls13-07")
-	tlsCertFile           = flag.String("tls-cert", "", "path to TLS client certificate file")
-	tlsKeyFile            = flag.String("tls-key", "", "path to TLS client key file")
-	tlsCAFile             = flag.String("tls-ca", "", "path to TLS CA certificate file for server certificate validation")
-	tlsServerName         = flag.String("tls-server-name", "", "server name for TLS certificate validation")
-	tlsInsecureSkipVerify = flag.Bool("tls-insecure-skip-verify", false, "skip TLS certificate verification (not recommended for production)")
+	tlsConfigFile = flag.String("tls-config", "", "path to TLS configuration file in JSON format. When set, the values inside the file this will override all other TLS cmdline flags")
 )
 
 func main() {
 	flag.Parse()
+
 	verifyFlags()
 
 	var c *tq.Client
 	var err error
 
-	if *useTLS {
+	if *tlsConfigFile != "" {
+		config, err := tq.LoadTLSConfig(*tlsConfigFile)
+		if err != nil {
+			fmt.Printf("Error loading TLS config file: %v\n", err)
+			os.Exit(1)
+		}
 		// Create TLS configuration
-		tlsConfig, tlsErr := tq.GenClientTLSConfig(*tlsServerName, *tlsCertFile, *tlsKeyFile, *tlsCAFile, *tlsInsecureSkipVerify)
+		tlsConfig, tlsErr := tq.GenClientTLSConfig(config)
 		if tlsErr != nil {
 			fmt.Printf("Error creating TLS config: %v\n", tlsErr)
 			os.Exit(1)

cmds/client/tls.conf

@@ -0,0 +1,7 @@
+{
+  "cert_file": "./client.crt",
+  "key_file": "./client.key",
+  "ca_file": "./ca.crt",
+  "server_name": "localhost",
+  "insecure_skip_verify": false
+}

docs/tls_support.md

@@ -413,6 +413,140 @@ openssl rsa -noout -modulus -in server.key | openssl md5
 # The MD5 hashes should match
 ```
 
+# TLS Configuration File
+
+The TACACS+ client supports loading TLS configuration from a JSON file using the
+`-tls-config` flag. When a TLS configuration file is specified, TLS is
+automatically enabled for the connection.
+
+## Architecture Overview
+
+The TLS configuration follows this flow:
+
+1. **JSON Config File** → `LoadTLSConfig()` → **`ParsedTLSConfig` struct**
+2. **`ParsedTLSConfig`** → `GenClientTLSConfig()` → **`tls.Config` for client**
+3. **Client** uses the generated `tls.Config` to establish TLS connections
+
+### Key Components
+
+- **`ParsedTLSConfig`**: A Go struct that represents the TLS configuration loaded from JSON
+- **`LoadTLSConfig()`**: Function that loads and validates the JSON configuration file
+- **`GenClientTLSConfig()`**: Function that creates a `tls.Config` from `ParsedTLSConfig`
+- **Automatic path resolution**: Relative paths are automatically converted to absolute paths
+- **File validation**: All certificate files are verified to exist during configuration loading
+
+## File Format
+
+The TLS configuration file must be in JSON format. See `tls.conf` for a sample config.
+
+## Configuration Options
+
+| Field                  | Type    | Description                                                      | Required |
+| ---------------------- | ------- | ---------------------------------------------------------------- | -------- |
+| `cert_file`            | string  | Absolute/Relative Path to client certificate file (PEM format)                     | No       |
+| `key_file`             | string  | Absolute/Relative Path to client private key file (PEM format)                     | No       |
+| `ca_file`              | string  | Absolute/Relative Path to CA certificate file for server verification (PEM format) | No       |
+| `server_name`          | string  | Server name for certificate validation (must match server's SAN) | No       |
+| `insecure_skip_verify` | boolean | Skip certificate verification (not recommended for production)   | No       |
+
+### Path Handling
+
+- **Relative paths**: `./client.crt`, `../certs/ca.crt`, `config/client.key`
+- **Absolute paths**: `/etc/ssl/certs/client.crt`, `/path/to/ca.crt`
+- **Path validation**: All specified certificate files are verified to exist during configuration loading
+- **Automatic resolution**: Relative paths are automatically converted to absolute paths
+- **No shell expansion**: Tilde (`~`) and environment variables are not supported
+
+## Usage Examples
+
+### Basic TLS with server certificate verification:
+
+```json
+{
+  "ca_file": "./ca.crt",
+  "server_name": "localhost",
+  "insecure_skip_verify": false
+}
+```
+
+```bash
+./client -tls-config tls.json -username cisco
+```
+
+### Mutual TLS (client and server certificates):
+
+```json
+{
+  "cert_file": "./client.crt",
+  "key_file": "./client.key",
+  "ca_file": "./ca.crt",
+  "server_name": "localhost",
+  "insecure_skip_verify": false
+}
+```
+
+```bash
+./client -tls-config tls.json -username cisco
+```
+
+### Development/Testing with insecure skip verify:
+
+```json
+{
+  "cert_file": "./client.crt",
+  "key_file": "./client.key",
+  "server_name": "localhost",
+  "insecure_skip_verify": true
+}
+```
+
+```bash
+./client -tls-config tls.json -username cisco
+```
+
+**⚠️ Warning**: Never use `insecure_skip_verify: true` in production environments.
+
+## Implementation Details
+
+### ParsedTLSConfig Structure
+
+The `ParsedTLSConfig` struct contains:
+
+```go
+type ParsedTLSConfig struct {
+    // Certificate files
+    CertFile string `json:"cert_file"`
+    KeyFile  string `json:"key_file"`
+    CAFile   string `json:"ca_file"`
+
+    // Server name for certificate validation
+    ServerName string `json:"server_name"`
+
+    // Skip certificate verification (not recommended for production)
+    InsecureSkipVerify bool `json:"insecure_skip_verify"`
+}
+```
+
+### Configuration Validation
+
+During `LoadTLSConfig()`, the system:
+
+- ✅ **Validates JSON syntax** and structure
+- ✅ **Converts relative paths** to absolute paths using `filepath.Abs()`
+- ✅ **Verifies file existence** for all certificate files using `os.Stat()`
+- ✅ **Validates certificate/key pairs** (cert_file requires key_file and vice versa)
+- ✅ **Returns descriptive errors** for missing files or invalid configurations
+
+### Client TLS Config Generation
+
+The `GenClientTLSConfig()` function creates a standard Go `tls.Config` with:
+
+- **TLS 1.3 minimum version** (as per IETF draft requirements)
+- **Server name indication** from `server_name` field
+- **Client certificates** loaded from `cert_file` and `key_file`
+- **Root CA certificates** loaded from `ca_file` for server verification
+- **Skip verification flag** from `insecure_skip_verify` (if enabled)
+
 ## Security Considerations
 
 When deploying TACACS+ over TLS in production:

tls.go

@@ -3,9 +3,12 @@ package tacquito
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/json"
 	"errors"
+	"fmt"
 	"net"
 	"os"
+	"path/filepath"
 	"time"
 )
 
@@ -45,21 +48,19 @@ func (l *TLSDeadlineListener) SetDeadline(t time.Time) error {
 func GenTLSConfig(certFile, keyFile, CAFile string, requireMutualAuth bool) (*tls.Config, error) {
 	config := &tls.Config{
 		MinVersion: tls.VersionTLS13,            // Require TLS 1.3 as per the IETF draft
-		ClientAuth: tls.VerifyClientCertIfGiven, // Mutual authentication is optional
+		ClientAuth: tls.VerifyClientCertIfGiven, // Mutual authentication is optional to start with, but is highly recommended
 	}
 
 	if certFile == "" || keyFile == "" {
 		return nil, errors.New("TLS is enabled but certificate or key file is not provided")
 	}
 
-	// Load server certificate and key
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	if err != nil {
 		return nil, err
 	}
 	config.Certificates = []tls.Certificate{cert}
 
-	// Configure client certificate verification if CA file is provided
 	if CAFile != "" {
 		data, err := os.ReadFile(CAFile)
 		if err != nil {
@@ -80,25 +81,24 @@ func GenTLSConfig(certFile, keyFile, CAFile string, requireMutualAuth bool) (*tl
 }
 
 // createTLSConfig creates a TLS configuration based on the provided command-line flags
-func GenClientTLSConfig(serverName, certFile, keyFile, CAFile string, skipVerification bool) (*tls.Config, error) {
+func GenClientTLSConfig(p *ParsedTLSConfig) (*tls.Config, error) {
 	config := &tls.Config{
 		MinVersion:         tls.VersionTLS13, // Require TLS 1.3 as per the IETF draft
-		ServerName:         serverName,
-		InsecureSkipVerify: skipVerification,
+		ServerName:         p.ServerName,
+		InsecureSkipVerify: p.InsecureSkipVerify, // false by default
 	}
 
 	// Client certificates are optional - only load them for mutual TLS when both are provided
-	if certFile != "" && keyFile != "" {
-		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
+	if p.CertFile != "" && p.KeyFile != "" {
+		cert, err := tls.LoadX509KeyPair(p.CertFile, p.KeyFile)
 		if err != nil {
 			return nil, err
 		}
 		config.Certificates = []tls.Certificate{cert}
 	}
 
-	// Set RootCAs for server certificate verification if CA file is provided
-	if CAFile != "" {
-		data, err := os.ReadFile(CAFile)
+	if p.CAFile != "" {
+		data, err := os.ReadFile(p.CAFile)
 		if err != nil {
 			return nil, err
 		}
@@ -111,3 +111,96 @@ func GenClientTLSConfig(serverName, certFile, keyFile, CAFile string, skipVerifi
 
 	return config, nil
 }
+
+// TLSConfig represents the TLS configuration that can be loaded from a JSON file
+// If a TLS config file is specified, TLS is automatically enabled
+type ParsedTLSConfig struct {
+	// Certificate files
+	CertFile string `json:"cert_file"`
+	KeyFile  string `json:"key_file"`
+	CAFile   string `json:"ca_file"`
+
+	// Server name for certificate validation
+	ServerName string `json:"server_name"`
+
+	// Skip certificate verification (not recommended for production)
+	InsecureSkipVerify bool `json:"insecure_skip_verify"`
+}
+
+// LoadTLSConfig loads TLS configuration from a JSON file
+func LoadTLSConfig(filename string) (*ParsedTLSConfig, error) {
+	if filename == "" {
+		return nil, fmt.Errorf("TLS config file path is empty")
+	}
+
+	if _, err := os.Stat(filename); os.IsNotExist(err) {
+		return nil, fmt.Errorf("TLS config file does not exist: %s", filename)
+	}
+
+	data, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read TLS config file: %w", err)
+	}
+
+	var config ParsedTLSConfig
+	err = json.Unmarshal(data, &config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse JSON TLS config: %w", err)
+	}
+
+	if err := config.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid TLS config: %w", err)
+	}
+
+	return &config, nil
+}
+
+// Validate checks if the TLS configuration is valid
+func (c *ParsedTLSConfig) Validate() error {
+	var err error
+
+	if c.CertFile, err = resolvePath(c.CertFile, "TLS certificate"); err != nil {
+		return err
+	}
+
+	if c.KeyFile, err = resolvePath(c.KeyFile, "TLS key"); err != nil {
+		return err
+	}
+
+	if c.CAFile, err = resolvePath(c.CAFile, "TLS CA"); err != nil {
+		return err
+	}
+
+	// If client cert is specified, key must also be specified and vice versa
+	if c.CertFile != "" && c.KeyFile == "" {
+		return fmt.Errorf("TLS key file must be specified when certificate file is provided")
+	}
+	if c.KeyFile != "" && c.CertFile == "" {
+		return fmt.Errorf("TLS certificate file must be specified when key file is provided")
+	}
+
+	return nil
+}
+
+// resolvePath converts relative paths to absolute paths and checks if the file exists
+// Returns the absolute path and an error if the file doesn't exist or path conversion fails
+func resolvePath(path, fileType string) (string, error) {
+	if path == "" {
+		return "", nil
+	}
+
+	// Convert to absolute path (handles relative paths like ./file or ../file)
+	absPath, err := filepath.Abs(path)
+	if err != nil {
+		return "", fmt.Errorf("failed to convert %s file path '%s' to absolute path: %w", fileType, path, err)
+	}
+
+	if _, err := os.Stat(absPath); err != nil {
+		if os.IsNotExist(err) {
+			return "", fmt.Errorf("%s file does not exist: %s", fileType, absPath)
+		}
+		return "", err
+	}
+
+	return absPath, nil
+}