From 4b685b21a264f97c6506c76a3dc5ffc7a2675fb8 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Sat, 7 Oct 2023 22:02:10 +0200 Subject: [PATCH] configs: fix backward compatibility Signed-off-by: Nicola Murino --- internal/dataprovider/configs.go | 9 +++++++++ internal/httpd/httpd_test.go | 17 +++++++++-------- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/internal/dataprovider/configs.go b/internal/dataprovider/configs.go index 33488123..3417d28b 100644 --- a/internal/dataprovider/configs.go +++ b/internal/dataprovider/configs.go @@ -97,11 +97,18 @@ func (c *SFTPDConfigs) GetModuliAsString() string { } func (c *SFTPDConfigs) validate() error { + var hostKeyAlgos []string for _, algo := range c.HostKeyAlgos { + if algo == ssh.CertAlgoRSAv01 { + continue + } if !util.Contains(supportedHostKeyAlgos, algo) { return util.NewValidationError(fmt.Sprintf("unsupported host key algorithm %q", algo)) } + hostKeyAlgos = append(hostKeyAlgos, algo) } + c.HostKeyAlgos = hostKeyAlgos + var kexAlgos []string for _, algo := range c.KexAlgorithms { if algo == "diffie-hellman-group18-sha512" { continue @@ -109,7 +116,9 @@ func (c *SFTPDConfigs) validate() error { if !util.Contains(supportedKexAlgos, algo) { return util.NewValidationError(fmt.Sprintf("unsupported KEX algorithm %q", algo)) } + kexAlgos = append(kexAlgos, algo) } + c.KexAlgorithms = kexAlgos for _, cipher := range c.Ciphers { if !util.Contains(supportedCiphers, cipher) { return util.NewValidationError(fmt.Sprintf("unsupported cipher %q", cipher)) diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go index 163bc24b..7f964fe2 100644 --- a/internal/httpd/httpd_test.go +++ b/internal/httpd/httpd_test.go @@ -7887,7 +7887,7 @@ func TestLoaddata(t *testing.T) { configsGet, err := dataprovider.GetConfigs() assert.NoError(t, err) assert.Equal(t, configs.SMTP, configsGet.SMTP) - assert.Equal(t, configs.SFTPD.HostKeyAlgos, configsGet.SFTPD.HostKeyAlgos) + assert.Equal(t, []string{ssh.KeyAlgoRSA}, configsGet.SFTPD.HostKeyAlgos) assert.Len(t, configsGet.SFTPD.Moduli, 0) assert.Len(t, configsGet.SFTPD.KexAlgorithms, 0) assert.Len(t, configsGet.SFTPD.Ciphers, 0) @@ -12705,6 +12705,8 @@ func TestWebConfigsMock(t *testing.T) { assert.Contains(t, rr.Body.String(), ssh.CertAlgoDSAv01) // invalid algo form.Set("sftp_host_key_algos", ssh.KeyAlgoRSA) form.Add("sftp_host_key_algos", ssh.CertAlgoRSAv01) + form.Set("sftp_kex_algos", "diffie-hellman-group18-sha512") + form.Add("sftp_kex_algos", "diffie-hellman-group16-sha512") req, err = http.NewRequest(http.MethodPost, webConfigsPath, bytes.NewBuffer([]byte(form.Encode()))) assert.NoError(t, err) setJWTCookieForReq(req, webToken) @@ -12715,12 +12717,13 @@ func TestWebConfigsMock(t *testing.T) { // check SFTP configs configs, err := dataprovider.GetConfigs() assert.NoError(t, err) - assert.Len(t, configs.SFTPD.HostKeyAlgos, 2) + assert.Len(t, configs.SFTPD.HostKeyAlgos, 1) assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA) - assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.CertAlgoRSAv01) assert.Len(t, configs.SFTPD.Moduli, 2) assert.Contains(t, configs.SFTPD.Moduli, "path 1") assert.Contains(t, configs.SFTPD.Moduli, "path 2") + assert.Len(t, configs.SFTPD.KexAlgorithms, 1) + assert.Contains(t, configs.SFTPD.KexAlgorithms, "diffie-hellman-group16-sha512") // invalid form action form.Set("form_action", "") req, err = http.NewRequest(http.MethodPost, webConfigsPath, bytes.NewBuffer([]byte(form.Encode()))) @@ -12762,9 +12765,8 @@ func TestWebConfigsMock(t *testing.T) { // check configs, err = dataprovider.GetConfigs() assert.NoError(t, err) - assert.Len(t, configs.SFTPD.HostKeyAlgos, 2) + assert.Len(t, configs.SFTPD.HostKeyAlgos, 1) assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA) - assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.CertAlgoRSAv01) assert.Len(t, configs.SFTPD.Moduli, 2) assert.Equal(t, "mail.example.net", configs.SMTP.Host) assert.Equal(t, 587, configs.SMTP.Port) @@ -12833,9 +12835,8 @@ func TestWebConfigsMock(t *testing.T) { // check configs, err = dataprovider.GetConfigs() assert.NoError(t, err) - assert.Len(t, configs.SFTPD.HostKeyAlgos, 2) + assert.Len(t, configs.SFTPD.HostKeyAlgos, 1) assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.KeyAlgoRSA) - assert.Contains(t, configs.SFTPD.HostKeyAlgos, ssh.CertAlgoRSAv01) assert.Len(t, configs.SFTPD.Moduli, 2) assert.Equal(t, 80, configs.ACME.HTTP01Challenge.Port) assert.Equal(t, 7, configs.ACME.Protocols) @@ -12866,7 +12867,7 @@ func TestWebConfigsMock(t *testing.T) { assert.Contains(t, rr.Body.String(), "Configurations updated") configs, err = dataprovider.GetConfigs() assert.NoError(t, err) - assert.Len(t, configs.SFTPD.HostKeyAlgos, 2) + assert.Len(t, configs.SFTPD.HostKeyAlgos, 1) assert.Equal(t, 402, configs.ACME.HTTP01Challenge.Port) assert.Equal(t, 1, configs.ACME.Protocols) assert.Equal(t, domain, configs.ACME.Domain)