datamodel: forward: server: added 'insecure' config

alesmrazek · alesmrazek · commit 73e3a4e5bafb · 2025-02-25T11:20:30.000+01:00
This commit is related to GitHub issue #123.
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1082,11 +1082,17 @@
                                 "type": "boolean",
                                 "description": "Enable/disable DNSSEC.",
                                 "default": true
+                            },
+                            "insecure": {
+                                "type": "boolean",
+                                "description": "Allow insecure TLS configuration.",
+                                "default": false
                             }
                         },
                         "default": {
                             "authoritative": false,
-                            "dnssec": true
+                            "dnssec": true,
+                            "insecure": false
                         }
                     }
                 }
diff --git a/python/knot_resolver/datamodel/forward_schema.py b/python/knot_resolver/datamodel/forward_schema.py
@@ -24,7 +24,7 @@ class ForwardServerSchema(ConfigSchema):
 
     def _validate(self) -> None:
         if self.pin_sha256 and (self.hostname or self.ca_file):
-            raise ValueError("'pin-sha256' cannot be configurad together with 'hostname' or 'ca-file'")
+            raise ValueError("'pin-sha256' cannot be configured together with 'hostname' or 'ca-file'")
 
 
 class ForwardOptionsSchema(ConfigSchema):
@@ -34,10 +34,13 @@ class ForwardOptionsSchema(ConfigSchema):
     ---
     authoritative: The forwarding target is an authoritative server.
     dnssec: Enable/disable DNSSEC.
+    insecure: Allow insecure TLS configuration.
+
     """
 
     authoritative: bool = False
     dnssec: bool = True
+    insecure: bool = False
 
 
 class ForwardSchema(ConfigSchema):
@@ -74,3 +77,14 @@ def is_transport_tls(servers: List[Any]) -> bool:
 
         if self.options.authoritative and is_transport_tls(self.servers):
             raise ValueError("Forwarding to authoritative servers using TLS protocol is not supported.")
+
+        if not self.options.insecure:
+            for server in self.servers:
+                if (
+                    isinstance(server, ForwardServerSchema)
+                    and server.transport == "tls"
+                    and not (server.pin_sha256 or server.hostname or server.ca_file)
+                ):
+                    raise ValueError(
+                        "no way to authenticate server (hostname, ca-file or pin-sha256) and 'insecure' is not set"
+                    )
diff --git a/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2 b/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2
@@ -4,7 +4,7 @@
 {dnssec={{ boolean(options.dnssec) }},auth={{ boolean(options.authoritative) }}}
 {%- endmacro %}
 
-{% macro forward_server(server) -%}
+{% macro forward_server(server, options) -%}
 {%- if server.address -%}
 {%- for addr in server.address -%}
 {'{{ addr }}',
@@ -13,6 +13,11 @@ tls=true,
 {%- else -%}
 tls=false,
 {%- endif -%}
+{%- if options.insecure -%}
+insecure=true,
+{%- else -%}
+insecure=false,
+{%- endif -%}
 {%- if server.hostname -%}
 hostname='{{ server.hostname }}',
 {%- endif -%}
@@ -29,14 +34,14 @@ ca_file='{{ server.ca_file }}',
 {%- endif -%}
 {%- endmacro %}
 
-{% macro forward_servers(servers) -%}
+{% macro forward_servers(servers, options) -%}
 {
 {%- for server in servers -%}
-{{ forward_server(server) }}
+{{ forward_server(server, options) }}
 {%- endfor -%}
 }
 {%- endmacro %}
 
 {% macro policy_rule_forward_add(subtree,options,servers) -%}
-policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers) }})
+policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers, options) }})
 {%- endmacro %}
diff --git a/tests/manager/datamodel/templates/test_forward_macros.py b/tests/manager/datamodel/templates/test_forward_macros.py
@@ -17,7 +17,7 @@ def test_policy_rule_forward_add():
             },
         }
     )
-    result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,hostname='odvr.nic.cz',},})"
+    result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,insecure=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,insecure=false,hostname='odvr.nic.cz',},})"
 
     tmpl = template_from_str(tmpl_str)
     assert tmpl.render(rule=rule) == result

Original file line number	Diff line number	Diff line change
`@@ -1082,11 +1082,17 @@`
`1082`	`1082`	`"type": "boolean",`
`1083`	`1083`	`"description": "Enable/disable DNSSEC.",`
`1084`	`1084`	`"default": true`
	`1085`	`+ },`
	`1086`	`+ "insecure": {`
	`1087`	`+ "type": "boolean",`
	`1088`	`+ "description": "Allow insecure TLS configuration.",`
	`1089`	`+ "default": false`
`1085`	`1090`	`}`
`1086`	`1091`	`},`
`1087`	`1092`	`"default": {`
`1088`	`1093`	`"authoritative": false,`
`1089`		`- "dnssec": true`
	`1094`	`+ "dnssec": true,`
	`1095`	`+ "insecure": false`
`1090`	`1096`	`}`
`1091`	`1097`	`}`
`1092`	`1098`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ def test_policy_rule_forward_add():`
`17`	`17`	`},`
`18`	`18`	`}`
`19`	`19`	`)`
`20`		`- result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,hostname='odvr.nic.cz',},})"`
	`20`	`+ result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,insecure=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,insecure=false,hostname='odvr.nic.cz',},})"`
`21`	`21`
`22`	`22`	`tmpl = template_from_str(tmpl_str)`
`23`	`23`	`assert tmpl.render(rule=rule) == result`