authorGravatar Marius Kimmina <38843153+mariuskimmina@users.noreply.github.com> 2023-12-08 16:50:30 +0100
committerGravatar GitHub <noreply@github.com> 2023-12-08 10:50:30 -0500
commit92ec849acb361d3caae78f500d022cbcdefc5648 (patch)
tree4ba93c34993e739a20cc041031862de8caee6cbc /plugin
parentf9d5d0cb56ee3b74830bd2592212dd2429f48ed7 (diff)
plugin/tls: respect the path specified by root plugin (#6138)
* plugin/tls: respect the path specified by root plugin Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com> * improve readme Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com> --------- Signed-off-by: Marius Kimmina <mar.kimmina@gmail.com>
Diffstat (limited to 'plugin')
-rw-r--r--plugin/etcd/setup.go7
-rw-r--r--plugin/forward/setup.go7
-rw-r--r--plugin/grpc/setup.go6
-rw-r--r--plugin/pkg/tls/tls_test.go32
-rw-r--r--plugin/root/README.md30
-rw-r--r--plugin/tls/tls.go6
6 files changed, 84 insertions, 4 deletions
diff --git a/plugin/etcd/setup.go b/plugin/etcd/setup.go
index 0f70df5bc..ab6c4b798 100644
--- a/plugin/etcd/setup.go
+++ b/plugin/etcd/setup.go
@@ -2,6 +2,7 @@ package etcd
import (
"crypto/tls"
+ "path/filepath"
"github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver"
@@ -29,6 +30,7 @@ func setup(c *caddy.Controller) error {
}
func etcdParse(c *caddy.Controller) (*Etcd, error) {
+ config := dnsserver.GetConfig(c)
etc := Etcd{PathPrefix: "skydns"}
var (
tlsConfig *tls.Config
@@ -66,6 +68,11 @@ func etcdParse(c *caddy.Controller) (*Etcd, error) {
c.RemainingArgs()
case "tls": // cert key cacertfile
args := c.RemainingArgs()
+ for i := range args {
+ if !filepath.IsAbs(args[i]) && config.Root != "" {
+ args[i] = filepath.Join(config.Root, args[i])
+ }
+ }
tlsConfig, err = mwtls.NewTLSConfigFromArgs(args...)
if err != nil {
return &Etcd{}, err
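Review bot: The five-line root-prefixing loop added in front of `mwtls.NewTLSConfigFromArgs` here is repeated verbatim in forward/setup.go, grpc/setup.go and tls/tls.go, and a fifth inline copy sits in TestNewTLSConfigFromArgsWithRoot, so the four call sites can drift independently and the test cannot exercise the production code. A small exported helper next to NewTLSConfigFromArgs in plugin/pkg/tls (for example a proposed `func ResolveArgs(root string, args []string) []string` that joins each non-absolute element onto root when root is non-empty) would collapse each site to one line, `tlsConfig, err = mwtls.NewTLSConfigFromArgs(mwtls.ResolveArgs(config.Root, args)...)`, and give the new test a real target. Note also that the README hunk in this commit lists only file and tls as root-aware, although the tls option of etcd, forward and grpc now resolves against root as well. etcdParse starts before and ends after this hunk.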
diff --git a/plugin/forward/setup.go b/plugin/forward/setup.go
index 916d7a7a5..5341b7e60 100644
--- a/plugin/forward/setup.go
+++ b/plugin/forward/setup.go
@@ -4,6 +4,7 @@ import (
"crypto/tls"
"errors"
"fmt"
+ "path/filepath"
"strconv"
"time"
@@ -167,6 +168,7 @@ func parseStanza(c *caddy.Controller) (*Forward, error) {
}
func parseBlock(c *caddy.Controller, f *Forward) error {
+ config := dnsserver.GetConfig(c)
switch c.Val() {
case "except":
ignore := c.RemainingArgs()
@@ -233,6 +235,11 @@ func parseBlock(c *caddy.Controller, f *Forward) error {
return c.ArgErr()
}
+ for i := range args {
+ if !filepath.IsAbs(args[i]) && config.Root != "" {
+ args[i] = filepath.Join(config.Root, args[i])
+ }
+ }
tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
if err != nil {
return err
diff --git a/plugin/grpc/setup.go b/plugin/grpc/setup.go
index 48a3d2c31..d1c676252 100644
--- a/plugin/grpc/setup.go
+++ b/plugin/grpc/setup.go
@@ -3,6 +3,7 @@ package grpc
import (
"crypto/tls"
"fmt"
+ "path/filepath"
"github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver"
@@ -111,6 +112,11 @@ func parseBlock(c *caddy.Controller, g *GRPC) error {
return c.ArgErr()
}
+ for i := range args {
+ if !filepath.IsAbs(args[i]) && dnsserver.GetConfig(c).Root != "" {
+ args[i] = filepath.Join(dnsserver.GetConfig(c).Root, args[i])
+ }
+ }
tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
if err != nil {
return err
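Review bot: `dnsserver.GetConfig(c)` is evaluated twice per loop iteration on the two lines inside the `for`, whereas the etcd, forward and tls hunks hoist the lookup into a local before the loop; hoisting keeps the four copies identical and avoids refetching the config for every argument. Change to `root := dnsserver.GetConfig(c).Root` before the loop, then `if !filepath.IsAbs(args[i]) && root != "" {` and `args[i] = filepath.Join(root, args[i])`. parseBlock begins and ends outside this hunk.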
diff --git a/plugin/pkg/tls/tls_test.go b/plugin/pkg/tls/tls_test.go
index db1cad052..a5635c177 100644
--- a/plugin/pkg/tls/tls_test.go
+++ b/plugin/pkg/tls/tls_test.go
@@ -1,6 +1,7 @@
package tls
import (
+ "os"
"path/filepath"
"testing"
@@ -22,7 +23,6 @@ func getPEMFiles(t *testing.T) (cert, key, ca string) {
func TestNewTLSConfig(t *testing.T) {
cert, key, ca := getPEMFiles(t)
-
_, err := NewTLSConfig(cert, key, ca)
if err != nil {
t.Errorf("Failed to create TLSConfig: %s", err)
@@ -77,6 +77,36 @@ func TestNewTLSConfigFromArgs(t *testing.T) {
}
}
+func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
+ cert, key, ca := getPEMFiles(t)
+ tempDir, err := os.MkdirTemp("", "go-test-pemfiles")
+ defer func() {
+ if err := os.RemoveAll(tempDir); err != nil {
+ t.Error("failed to clean up temporary directory", err)
+ }
+ }()
+ if err != nil {
+ t.Error("failed to create temporary directory", err)
+ }
+ root := tempDir
+ args := []string{cert, key, ca}
+ for i := range args {
+ if !filepath.IsAbs(args[i]) && root != "" {
+ args[i] = filepath.Join(root, args[i])
+ }
+ }
+ c, err := NewTLSConfigFromArgs(args...)
+ if err != nil {
+ t.Errorf("Failed to create TLSConfig: %s", err)
+ }
+ if c.RootCAs == nil {
+ t.Error("RootCAs should not be nil when three args passed")
+ }
+ if len(c.Certificates) != 1 {
+ t.Error("Certificates should have a single entry when three args passed")
+ }
+}
+
func TestNewHTTPSTransport(t *testing.T) {
_, _, ca := getPEMFiles(t)
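Review bot: TestNewTLSConfigFromArgsWithRoot never exercises the root-join branch: tempDir is freshly created and empty, so NewTLSConfigFromArgs can only succeed if the loop left cert, key and ca untouched, which implies getPEMFiles already returns absolute paths and the `filepath.Join(root, args[i])` line is dead in this test (inferred; getPEMFiles is outside the hunk). To test what the commit adds, copy the PEM files into the temp directory and pass their base names, so that the join is the only thing that makes them resolvable (this assumes the three PEM files have distinct base names). Two smaller points in the same function: `t.Error` after a failed os.MkdirTemp lets the test continue with an empty tempDir, and `t.Errorf` after a failed NewTLSConfigFromArgs falls through to `c.RootCAs` on a nil c; both should be `t.Fatalf`, and `t.TempDir()` removes the manual defer/RemoveAll.
```go
func TestNewTLSConfigFromArgsWithRoot(t *testing.T) {
	cert, key, ca := getPEMFiles(t)
	root := t.TempDir()
	// Copy each PEM file into root and keep only its base name, so the
	// relative name can only be resolved by joining it onto root.
	args := []string{cert, key, ca}
	for i, p := range args {
		data, err := os.ReadFile(p)
		if err != nil {
			t.Fatalf("reading %s: %v", p, err)
		}
		name := filepath.Base(p)
		if err := os.WriteFile(filepath.Join(root, name), data, 0o600); err != nil {
			t.Fatalf("writing %s: %v", name, err)
		}
		args[i] = name
	}
	for i := range args {
		if !filepath.IsAbs(args[i]) && root != "" {
			args[i] = filepath.Join(root, args[i])
		}
	}
	c, err := NewTLSConfigFromArgs(args...)
	if err != nil {
		t.Fatalf("Failed to create TLSConfig: %s", err)
	}
	// … unchanged: RootCAs and Certificates assertions …
}
```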
diff --git a/plugin/root/README.md b/plugin/root/README.md
index 1d21bc0eb..33ea89e75 100644
--- a/plugin/root/README.md
+++ b/plugin/root/README.md
@@ -2,14 +2,19 @@
## Name
-*root* - simply specifies the root of where to find (zone) files.
+*root* - simply specifies the root of where to find files.
## Description
The default root is the current working directory of CoreDNS. The *root* plugin allows you to change
-this. A relative root path is relative to the current working directory.
+this. A relative root path is relative to the current working directory.
+**NOTE: The *root* directory is NOT currently supported by all plugins.**
+Currently the following plugins respect the *root* plugin configuration:
-This plugin can only be used once per Server Block.
+* file
+* tls
+
+This plugin can only be used once per Server Block.
## Syntax
@@ -28,3 +33,22 @@ Serve zone data (when the *file* plugin is used) from `/etc/coredns/zones`:
root /etc/coredns/zones
}
~~~
+
+When you use the *root* and *tls* plugin together, your cert and key should also be placed in the *root* directory.
+The example below will look for `/config/cert.pem` and `/config/key.pem`
+
+~~~ txt
+tls://example.com:853 {
+ root /config
+ tls cert.pem key.pem
+ whoami
+}
+~~~
+
+## Bugs
+
+**NOTE: The *root* directory is NOT currently supported by all plugins.**
+Currently the following plugins respect the *root* plugin configuration:
+
+* file
+* tls
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
index 2658159a9..ff60b678c 100644
--- a/plugin/tls/tls.go
+++ b/plugin/tls/tls.go
@@ -2,6 +2,7 @@ package tls
import (
ctls "crypto/tls"
+ "path/filepath"
"github.com/coredns/caddy"
"github.com/coredns/coredns/core/dnsserver"
@@ -57,6 +58,11 @@ func parseTLS(c *caddy.Controller) error {
return c.Errf("unknown option '%s'", c.Val())
}
}
+ for i := range args {
+ if !filepath.IsAbs(args[i]) && config.Root != "" {
+ args[i] = filepath.Join(config.Root, args[i])
+ }
+ }
tls, err := tls.NewTLSConfigFromArgs(args...)
if err != nil {
return err
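Review bot: Nothing in the new block explains that a relative cert, key or CA path is now resolved against the root plugin's directory instead of the working directory, which is a behaviour change for existing Corefiles that combine root with tls; a comment such as `// Resolve relative cert/key/CA paths against the root plugin's directory, if one is set.` above the `for` would make that visible to the next reader. The block also depends on root having been processed before tls so that config.Root is populated; whether that ordering is guaranteed by plugin registration rather than Corefile order is not visible in this hunk and is worth confirming and stating in the same comment. The definition of `config` and the start of parseTLS lie outside the hunk.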