Merge branch 'main' into remove-obsolete-deprecation

.github/workflows/golangci-lint.yml

@@ -43,7 +43,7 @@ jobs:
         uses: golangci/golangci-lint-action@v3
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v1.51.2
+          version: v1.55.2
 
           # Give the job more time to execute.
           # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,

.go-version

@@ -1 +1 @@
-1.20.12
+1.21.6

.golangci.yml

@@ -83,7 +83,7 @@ linters-settings:
 
   gosimple:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.20.12"
+    go: "1.21.6"
 
   nakedret:
     # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
@@ -117,19 +117,19 @@ linters-settings:
 
   staticcheck:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.20.12"
+    go: "1.21.6"
     # https://staticcheck.io/docs/options#checks
     checks: ["all"]
 
   stylecheck:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.20.12"
+    go: "1.21.6"
     # https://staticcheck.io/docs/options#checks
     checks: ["all"]
 
   unused:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.20.12"
+    go: "1.21.6"
 
   gosec:
     excludes:

NOTICE.txt

@@ -1,5 +1,5 @@
 Elastic Agent Libraries
-Copyright 2022-2023 Elasticsearch BV
+Copyright 2022-2024 Elasticsearch BV
 
 This product includes software developed by The Apache Software
 Foundation (http://www.apache.org/).

dev-tools/mage/linter.go

@@ -31,7 +31,7 @@ import (
 )
 
 const (
-	linterVersion    = "v1.51.2"
+	linterVersion    = "v1.55.2"
 	linterInstallURL = "https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh"
 )
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/elastic-agent-libs
 
-go 1.20
+go 1.21
 
 require (
 	github.com/Microsoft/go-winio v0.5.2

transport/tlscommon/server_config.go

@@ -27,14 +27,14 @@ import (
 
 // ServerConfig defines the user configurable tls options for any TCP based service.
 type ServerConfig struct {
-	Enabled          *bool               `config:"enabled"`
-	VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full', 'strict', 'certificate'
-	Versions         []TLSVersion        `config:"supported_protocols"`
-	CipherSuites     []CipherSuite       `config:"cipher_suites"`
-	CAs              []string            `config:"certificate_authorities"`
-	Certificate      CertificateConfig   `config:",inline"`
-	CurveTypes       []tlsCurveType      `config:"curve_types"`
-	ClientAuth       tlsClientAuth       `config:"client_authentication"` //`none`, `optional` or `required`
+	Enabled          *bool               `config:"enabled" yaml:"enabled,omitempty"`
+	VerificationMode TLSVerificationMode `config:"verification_mode" yaml:"verification_mode,omitempty"` // one of 'none', 'full', 'strict', 'certificate'
+	Versions         []TLSVersion        `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
+	CipherSuites     []CipherSuite       `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
+	CAs              []string            `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
+	Certificate      CertificateConfig   `config:",inline" yaml:",inline"`
+	CurveTypes       []tlsCurveType      `config:"curve_types" yaml:"curve_types,omitempty"`
+	ClientAuth       *TLSClientAuth      `config:"client_authentication" yaml:"client_authentication,omitempty"` //`none`, `optional` or `required`
 	CASha256         []string            `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
 }
 
@@ -80,6 +80,11 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) {
 		certs = []tls.Certificate{*cert}
 	}
 
+	clientAuth := TLSClientAuthNone
+	if config.ClientAuth != nil {
+		clientAuth = *config.ClientAuth
+	}
+
 	// return config if no error occurred
 	return &TLSConfig{
 		Versions:         config.Versions,
@@ -88,7 +93,7 @@ func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error) {
 		ClientCAs:        cas,
 		CipherSuites:     config.CipherSuites,
 		CurvePreferences: curves,
-		ClientAuth:       tls.ClientAuthType(config.ClientAuth),
+		ClientAuth:       tls.ClientAuthType(clientAuth),
 		CASha256:         config.CASha256,
 	}, nil
 }

transport/tlscommon/server_config_test.go

@@ -0,0 +1,94 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package tlscommon
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"gopkg.in/yaml.v2"
+)
+
+// variables so we can use pointers in tests
+var (
+	required = TLSClientAuthRequired
+	optional = TLSClientAuthOptional
+	none     = TLSClientAuthNone
+)
+
+func Test_ServerConfig_Serialization_ClientAuth(t *testing.T) {
+	tests := []struct {
+		name       string
+		cfg        ServerConfig
+		clientAuth *TLSClientAuth
+	}{{
+		name: "with ca",
+		cfg: ServerConfig{
+			Certificate: CertificateConfig{
+				Certificate: "/path/to/cert.crt",
+				Key:         "/path/to/cert.key",
+			},
+			CAs: []string{"/path/to/ca.crt"},
+		},
+		clientAuth: &required,
+	}, {
+		name: "no ca",
+		cfg: ServerConfig{
+			Certificate: CertificateConfig{
+				Certificate: "/path/to/cert.crt",
+				Key:         "/path/to/cert.key",
+			},
+		},
+		clientAuth: nil,
+	}, {
+		name: "with ca and client auth none",
+		cfg: ServerConfig{
+			Certificate: CertificateConfig{
+				Certificate: "/path/to/cert.crt",
+				Key:         "/path/to/cert.key",
+			},
+			CAs:        []string{"/path/to/ca.crt"},
+			ClientAuth: &none,
+		},
+		clientAuth: &none,
+	}, {
+		name: "no ca and client auth none",
+		cfg: ServerConfig{
+			Certificate: CertificateConfig{
+				Certificate: "/path/to/cert.crt",
+				Key:         "/path/to/cert.key",
+			},
+			ClientAuth: &none,
+		},
+		clientAuth: &none,
+	}}
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			p, err := yaml.Marshal(&tc.cfg)
+			require.NoError(t, err)
+			t.Logf("YAML Config:\n%s", string(p))
+			scfg := mustLoadServerConfig(t, string(p))
+			if tc.clientAuth == nil {
+				require.Nil(t, scfg.ClientAuth)
+			} else {
+				require.Equal(t, *tc.clientAuth, *scfg.ClientAuth)
+			}
+		})
+	}
+}

transport/tlscommon/types.go

@@ -74,6 +74,7 @@ var tlsCipherSuites = map[string]CipherSuite{
 var tlsCipherSuitesInverse = make(map[CipherSuite]string, len(tlsCipherSuites))
 var tlsRenegotiationSupportTypesInverse = make(map[TLSRenegotiationSupport]string, len(tlsRenegotiationSupportTypes))
 var tlsVerificationModesInverse = make(map[TLSVerificationMode]string, len(tlsVerificationModes))
+var tlsClientAuthTypesInverse = make(map[TLSClientAuth]string, len(tlsClientAuthTypes))
 
 // Init creates a inverse representation of the values mapping.
 func init() {
@@ -88,6 +89,10 @@ func init() {
 	for name, t := range tlsVerificationModes {
 		tlsVerificationModesInverse[t] = name
 	}
+
+	for name, t := range tlsClientAuthTypes {
+		tlsClientAuthTypesInverse[t] = name
+	}
 }
 
 var tlsCurveTypes = map[string]tlsCurveType{
@@ -103,20 +108,20 @@ var tlsRenegotiationSupportTypes = map[string]TLSRenegotiationSupport{
 	"freely": TLSRenegotiationSupport(tls.RenegotiateFreelyAsClient),
 }
 
-type tlsClientAuth int
+type TLSClientAuth int
 
 const (
-	tlsClientAuthNone     tlsClientAuth = tlsClientAuth(tls.NoClientCert)
-	tlsClientAuthOptional               = tlsClientAuth(tls.VerifyClientCertIfGiven)
-	tlsClientAuthRequired               = tlsClientAuth(tls.RequireAndVerifyClientCert)
+	TLSClientAuthNone     TLSClientAuth = TLSClientAuth(tls.NoClientCert)
+	TLSClientAuthOptional               = TLSClientAuth(tls.VerifyClientCertIfGiven)
+	TLSClientAuthRequired               = TLSClientAuth(tls.RequireAndVerifyClientCert)
 
 	unknownType = "unknown"
 )
 
-var tlsClientAuthTypes = map[string]tlsClientAuth{
-	"none":     tlsClientAuthNone,
-	"optional": tlsClientAuthOptional,
-	"required": tlsClientAuthRequired,
+var tlsClientAuthTypes = map[string]TLSClientAuth{
+	"none":     TLSClientAuthNone,
+	"optional": TLSClientAuthOptional,
+	"required": TLSClientAuthRequired,
 }
 
 // TLSVerificationMode represents the type of verification to do on the remote host:
@@ -179,10 +184,28 @@ func (m *TLSVerificationMode) Unpack(in interface{}) error {
 	return nil
 }
 
-func (m *tlsClientAuth) Unpack(s string) error {
+func (m TLSClientAuth) String() string {
+	if s, ok := tlsClientAuthTypesInverse[m]; ok {
+		return s
+	}
+	return unknownType
+}
+
+func (m TLSClientAuth) MarshalText() ([]byte, error) {
+	if s, ok := tlsClientAuthTypesInverse[m]; ok {
+		return []byte(s), nil
+	}
+	return nil, fmt.Errorf("could not marshal '%+v' to text", m)
+}
+
+func (m *TLSClientAuth) Unpack(s string) error {
+	if s == "" {
+		*m = TLSClientAuthNone
+		return nil
+	}
 	mode, found := tlsClientAuthTypes[s]
 	if !found {
-		return fmt.Errorf("unknown client authentication mode'%v'", s)
+		return fmt.Errorf("unknown client authentication mode '%v'", s)
 	}
 
 	*m = mode