Merge pull request #39 from nunnatsa/fix-ai

TLS flags refactoring

Author: metalice

.github/workflows/ci_checks.yml

@@ -22,5 +22,5 @@ jobs:
       - name: Build
         run: go build .
       - name: Run Unit Tests
-        run: go test .
+        run: go test ./...
 

config/config.go

@@ -0,0 +1,62 @@
+package config
+
+import (
+	"flag"
+	"fmt"
+	"math"
+	"strconv"
+	"strings"
+)
+
+type Config struct {
+	TLS TLSConfig
+}
+
+type TLSConfig struct {
+	minTLSVersion   uint16
+	tlsCipherSuites []uint16
+}
+
+var (
+	minTLSVersionFlag   = flag.Uint("tls-min-version", 0, "The minimum TLS version to use")
+	tlsCipherSuitesFlag = flag.String("tls-cipher-suites", "", "A comma-separated list of cipher suites to use")
+)
+
+func GetConfig() (*Config, error) {
+	cfg := &Config{}
+
+	if *minTLSVersionFlag > 0 {
+		if *minTLSVersionFlag > math.MaxUint16 {
+			return nil, fmt.Errorf("the --tls-min-version flag is with a wrong value:  %d is lager than the max allowed value of %d", *minTLSVersionFlag, math.MaxUint16)
+		}
+
+		cfg.TLS.minTLSVersion = uint16(*minTLSVersionFlag)
+	}
+
+	if *tlsCipherSuitesFlag != "" {
+		ciphers := strings.Split(*tlsCipherSuitesFlag, ",")
+		tlsCipherSuites := make([]uint16, 0, len(ciphers))
+
+		for _, cipherStr := range ciphers {
+			cipherStr = strings.TrimSpace(cipherStr)
+			cipher, err := strconv.ParseUint(cipherStr, 10, 16)
+			if err != nil {
+				return nil, fmt.Errorf("can't parse cipher %q; %w", cipherStr, err)
+			}
+
+			tlsCipherSuites = append(tlsCipherSuites, uint16(cipher))
+		}
+
+		cfg.TLS.tlsCipherSuites = tlsCipherSuites
+	}
+
+	return cfg, nil
+}
+
+func (cfg *Config) GetMinTLSVersion() uint16 {
+	return cfg.TLS.minTLSVersion
+}
+
+func (cfg *Config) GetTLSCipherSuites() []uint16 {
+	return cfg.TLS.tlsCipherSuites
+}

config/config_test.go

@@ -0,0 +1,148 @@
+package config
+
+import (
+	"flag"
+	"fmt"
+	"math"
+	"reflect"
+	"testing"
+)
+
+func TestGetTLSCipherSuites(t *testing.T) {
+	for _, tc := range []struct {
+		name    string
+		flagVal string
+		want    []uint16
+	}{
+		{name: "valid input", flagVal: "1,2,3,4", want: []uint16{1, 2, 3, 4}},
+		{name: "no flag", flagVal: "", want: nil},
+		{name: "max val", flagVal: fmt.Sprintf("%d", math.MaxUint16), want: []uint16{math.MaxUint16}},
+	} {
+		t.Run(tc.flagVal, func(t *testing.T) {
+			err := setFlags("0", tc.flagVal)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			cfg, err := GetConfig()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if got, want := cfg.GetTLSCipherSuites(), tc.want; !reflect.DeepEqual(got, want) {
+				t.Errorf("GetTLSCipherSuites() = %v, want %v", got, want)
+			}
+		})
+	}
+}
+
+func TestWrongGetTLSCipherSuites_tooLarge(t *testing.T) {
+	err := setFlags("0", fmt.Sprintf("%d", math.MaxUint16+1))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = GetConfig()
+	if err == nil {
+		t.Fatal("error should have errored")
+	}
+
+	t.Logf("got expected error: %v", err)
+}
+
+func TestWrongGetTLSCipherSuites_negative(t *testing.T) {
+	err := setFlags("0", "-42")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = GetConfig()
+	if err == nil {
+		t.Fatal("error should have errored")
+	}
+
+	t.Logf("got expected error: %v", err)
+}
+
+func TestWrongGetTLSCipherSuites_notNum(t *testing.T) {
+	err := setFlags("0", "not a number")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = GetConfig()
+	if err == nil {
+		t.Fatal("error should have errored")
+	}
+
+	t.Logf("got expected error: %v", err)
+}
+
+func TestWrongGetTLSCipherSuites_float(t *testing.T) {
+	err := setFlags("0", "1.42")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = GetConfig()
+	if err == nil {
+		t.Fatal("error should have errored")
+	}
+
+	t.Logf("got expected error: %v", err)
+}
+
+func TestGetMinTLSVersion(t *testing.T) {
+	for _, tc := range []struct {
+		name    string
+		flagVal string
+		want    uint16
+	}{
+		{name: "valid input", flagVal: "42", want: 42},
+		{name: "no flag", flagVal: "0", want: 0},
+		{name: "max val", flagVal: fmt.Sprintf("%d", math.MaxUint16), want: math.MaxUint16},
+	} {
+		t.Run(tc.flagVal, func(t *testing.T) {
+			err := setFlags(tc.flagVal, "")
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			cfg, err := GetConfig()
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if got, want := cfg.GetMinTLSVersion(), tc.want; !reflect.DeepEqual(got, want) {
+				t.Errorf("GetMinTLSVersion() = %d, want %d", got, want)
+			}
+		})
+	}
+}
+
+func TestWrongGetMinTLSVersion_tooLarge(t *testing.T) {
+	err := setFlags(fmt.Sprintf("%d", math.MaxUint16+1), "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = GetConfig()
+	if err == nil {
+		t.Fatal("error should have errored")
+	}
+
+	t.Logf("got expected error: %v", err)
+}
+
+func setFlags(minVer, ciphers string) error {
+	err := flag.Set("tls-min-version", minVer)
+	if err != nil {
+		return err
+	}
+	err = flag.Set("tls-cipher-suites", ciphers)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

main.go

@@ -3,18 +3,16 @@ package main
 import (
 	"crypto/tls"
 	"flag"
-	"fmt"
 	"log"
 	"net/http"
 	"os"
-	"strconv"
-	"strings"
 	"time"
 
 	cache "github.com/chenyahui/gin-cache"
 	"github.com/chenyahui/gin-cache/persist"
 	"github.com/gin-contrib/gzip"
 	"github.com/gin-gonic/gin"
+	"github.com/kubevirt-ui/kubevirt-apiserver-proxy/config"
 	"github.com/kubevirt-ui/kubevirt-apiserver-proxy/handlers"
 )
 
@@ -23,37 +21,13 @@ const (
 	apiCacheTime    = 15 * time.Second
 )
 
-var (
-	minTLSVersion   uint16
-	tlsCipherSuites []uint16
-
-	minTLSVersionFlag   = flag.Uint("tls-min-version", 0, "The minimum TLS version to use")
-	tlsCipherSuitesFlag = flag.String("tls-cipher-suites", "", "A comma-separated list of cipher suites to use")
-)
-
-func init() {
+func main() {
 	flag.Parse()
 
-	if *minTLSVersionFlag > 0 {
-		minTLSVersion = uint16(*minTLSVersionFlag)
-	}
-
-	if *tlsCipherSuitesFlag != "" {
-		ciphers := strings.Split(*tlsCipherSuitesFlag, ",")
-		tlsCipherSuites = make([]uint16, 0, len(ciphers))
-
-		for _, cipherStr := range ciphers {
-			cipher, err := strconv.ParseUint(cipherStr, 10, 16)
-			if err != nil {
-				panic(fmt.Errorf("can't parse cipher %q; %w", cipherStr, err))
-			}
-
-			tlsCipherSuites = append(tlsCipherSuites, uint16(cipher))
-		}
+	cfg, err := config.GetConfig()
+	if err != nil {
+		log.Fatal(err)
 	}
-}
-
-func main() {
 
 	router := gin.Default()
 
@@ -72,17 +46,16 @@ func main() {
 		},
 	}
 
-	if minTLSVersion != 0 {
-		server.TLSConfig.MinVersion = minTLSVersion
+	if minTLSVer := cfg.GetMinTLSVersion(); minTLSVer != 0 {
+		server.TLSConfig.MinVersion = minTLSVer
 	}
 
-	if len(tlsCipherSuites) > 0 {
-		server.TLSConfig.CipherSuites = tlsCipherSuites
+	if ciphers := cfg.GetTLSCipherSuites(); len(ciphers) > 0 {
+		server.TLSConfig.CipherSuites = ciphers
 	}
 
 	log.Printf("listening for server 8080 - v0.0.10 - API cache time: %v", apiCacheTime)
 
-	var err error
 	if os.Getenv("APP_ENV") == "dev" {
 		err = server.ListenAndServe()
 	} else {