change cluster-verify-cn as []string

pingcap · Mar 5, 2020 · 8b426b7 · 8b426b7
1 parent 5df8ec2
commit 8b426b7
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 27 deletions.
diff --git a/config/config.go b/config/config.go
@@ -242,14 +242,14 @@ func (l *Log) getDisableErrorStack() bool {
 
 // Security is the security section of the config.
 type Security struct {
-	SkipGrantTable  bool   `toml:"skip-grant-table" json:"skip-grant-table"`
-	SSLCA           string `toml:"ssl-ca" json:"ssl-ca"`
-	SSLCert         string `toml:"ssl-cert" json:"ssl-cert"`
-	SSLKey          string `toml:"ssl-key" json:"ssl-key"`
-	ClusterSSLCA    string `toml:"cluster-ssl-ca" json:"cluster-ssl-ca"`
-	ClusterSSLCert  string `toml:"cluster-ssl-cert" json:"cluster-ssl-cert"`
-	ClusterSSLKey   string `toml:"cluster-ssl-key" json:"cluster-ssl-key"`
-	ClusterVerifyCN string `toml:"cluster-verify-cn" json:"cluster-verify-cn"`
+	SkipGrantTable  bool     `toml:"skip-grant-table" json:"skip-grant-table"`
+	SSLCA           string   `toml:"ssl-ca" json:"ssl-ca"`
+	SSLCert         string   `toml:"ssl-cert" json:"ssl-cert"`
+	SSLKey          string   `toml:"ssl-key" json:"ssl-key"`
+	ClusterSSLCA    string   `toml:"cluster-ssl-ca" json:"cluster-ssl-ca"`
+	ClusterSSLCert  string   `toml:"cluster-ssl-cert" json:"cluster-ssl-cert"`
+	ClusterSSLKey   string   `toml:"cluster-ssl-key" json:"cluster-ssl-key"`
+	ClusterVerifyCN []string `toml:"cluster-verify-cn" json:"cluster-verify-cn"`
 }
 
 // The ErrConfigValidationFailed error is used so that external callers can do a type assertion

diff --git a/server/http_handler_test.go b/server/http_handler_test.go
@@ -1063,7 +1063,7 @@ func (ts *HTTPHandlerTestSuite) TestDebugZip(c *C) {
 }
 
 func (ts *HTTPHandlerTestSuite) TestCheckCN(c *C) {
-	s := &Server{cfg: &config.Config{Security: config.Security{ClusterVerifyCN: " a,b, c"}}}
+	s := &Server{cfg: &config.Config{Security: config.Security{ClusterVerifyCN: []string{"a ", "b", "c"}}}}
 	tlsConfig := &tls.Config{}
 	s.setCNChecker(tlsConfig)
 	c.Assert(tlsConfig.VerifyPeerCertificate, NotNil)

diff --git a/server/http_status.go b/server/http_status.go
@@ -313,27 +313,23 @@ func (s *Server) setupStatusServerAndRPCServer(addr string, serverMux *http.Serv
 }
 
 func (s *Server) setCNChecker(tlsConfig *tls.Config) *tls.Config {
-	if tlsConfig != nil && len(s.cfg.Security.ClusterVerifyCN) > 0 {
-		cns := strings.Split(s.cfg.Security.ClusterVerifyCN, ",")
-		if len(cns) != 0 {
-			checkCN := make(map[string]struct{})
-			for _, cn := range cns {
-				cn = strings.TrimSpace(cn)
-				checkCN[cn] = struct{}{}
-			}
-			tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-				for _, chain := range verifiedChains {
-					if len(chain) != 0 {
-						if _, match := checkCN[chain[0].Subject.CommonName]; match {
-							return nil
-						}
+	if tlsConfig != nil && len(s.cfg.Security.ClusterVerifyCN) != 0 {
+		checkCN := make(map[string]struct{})
+		for _, cn := range s.cfg.Security.ClusterVerifyCN {
+			cn = strings.TrimSpace(cn)
+			checkCN[cn] = struct{}{}
+		}
+		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+			for _, chain := range verifiedChains {
+				if len(chain) != 0 {
+					if _, match := checkCN[chain[0].Subject.CommonName]; match {
+						return nil
 					}
 				}
-				return errors.Errorf("client certificate authentication failed. The Common Name from "+
-					"the client certificate was not found in the configuration cluster-verify-cn with value: %s", s.cfg.Security.ClusterVerifyCN)
 			}
-			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			return errors.Errorf("client certificate authentication failed. The Common Name from the client certificate was not found in the configuration cluster-verify-cn with value: %s", s.cfg.Security.ClusterVerifyCN)
 		}
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 	}
 	return tlsConfig
 }

diff --git a/server/tidb_test.go b/server/tidb_test.go
@@ -230,7 +230,7 @@ func (ts *tidbTestSuite) TestStatusAPIWithTLSCNCheck(c *C) {
 	cfg.Security.ClusterSSLCA = ca
 	cfg.Security.ClusterSSLCert = filepath.Join(root, "/tests/cncheckcert/server-cert.pem")
 	cfg.Security.ClusterSSLKey = filepath.Join(root, "/tests/cncheckcert/server-key.pem")
-	cfg.Security.ClusterVerifyCN = "tidb-client-2"
+	cfg.Security.ClusterVerifyCN = []string{"tidb-client-2"}
 	server, err := NewServer(cfg, ts.tidbdrv)
 	c.Assert(err, IsNil)
 	go server.Run()