datamodel: forward: server: added 'insecure' config

alesmrazek · alesmrazek · commit 2d6190e6df79 · 2025-02-24T15:26:26.000+01:00
This commit is related to GitHub issue #123.
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1022,6 +1022,11 @@
                                             "description": "Transport protocol for a forward server.",
                                             "default": null
                                         },
+                                        "insecure": {
+                                            "type": "boolean",
+                                            "description": "Allow insecure TLS configuration.",
+                                            "default": false
+                                        },
                                         "pin-sha256": {
                                             "anyOf": [
                                                 {
diff --git a/python/knot_resolver/datamodel/forward_schema.py b/python/knot_resolver/datamodel/forward_schema.py
@@ -11,13 +11,15 @@ class ForwardServerSchema(ConfigSchema):
     ---
     address: IP address(es) of a forward server.
     transport: Transport protocol for a forward server.
+    insecure: Allow insecure TLS configuration.
     pin_sha256: Hash of accepted CA certificate.
     hostname: Hostname of the Forward server.
     ca_file: Path to CA certificate file.
     """
 
     address: ListOrItem[IPAddressOptionalPort]
     transport: Optional[Literal["tls"]] = None
+    insecure: bool = False
     pin_sha256: Optional[ListOrItem[PinSha256]] = None
     hostname: Optional[DomainName] = None
     ca_file: Optional[ReadableFile] = None
diff --git a/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2 b/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2
@@ -13,6 +13,11 @@ tls=true,
 {%- else -%}
 tls=false,
 {%- endif -%}
+{%- if server.insecure -%}
+insecure=true,
+{%- else -%}
+insecure=false,
+{%- endif -%}
 {%- if server.hostname -%}
 hostname='{{ server.hostname }}',
 {%- endif -%}
diff --git a/tests/manager/datamodel/templates/test_forward_macros.py b/tests/manager/datamodel/templates/test_forward_macros.py
@@ -17,7 +17,7 @@ def test_policy_rule_forward_add():
             },
         }
     )
-    result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,hostname='odvr.nic.cz',},})"
+    result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,insecure=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,insecure=false,hostname='odvr.nic.cz',},})"
 
     tmpl = template_from_str(tmpl_str)
     assert tmpl.render(rule=rule) == result

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ def test_policy_rule_forward_add():`
`17`	`17`	`},`
`18`	`18`	`}`
`19`	`19`	`)`
`20`		`- result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,hostname='odvr.nic.cz',},})"`
	`20`	`+ result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,insecure=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,insecure=false,hostname='odvr.nic.cz',},})"`
`21`	`21`
`22`	`22`	`tmpl = template_from_str(tmpl_str)`
`23`	`23`	`assert tmpl.render(rule=rule) == result`