fixup! fixup! datamodel: forward: server: added 'insecure' config

alesmrazek · alesmrazek · commit ed88470eabb8 · 2025-02-24T19:08:28.000+01:00
diff --git a/doc/_static/config.schema.json b/doc/_static/config.schema.json
@@ -1022,11 +1022,6 @@
                                             "description": "Transport protocol for a forward server.",
                                             "default": null
                                         },
-                                        "insecure": {
-                                            "type": "boolean",
-                                            "description": "Allow insecure TLS configuration.",
-                                            "default": false
-                                        },
                                         "pin-sha256": {
                                             "anyOf": [
                                                 {
@@ -1087,11 +1082,17 @@
                                 "type": "boolean",
                                 "description": "Enable/disable DNSSEC.",
                                 "default": true
+                            },
+                            "insecure": {
+                                "type": "boolean",
+                                "description": "Allow insecure TLS configuration.",
+                                "default": false
                             }
                         },
                         "default": {
                             "authoritative": false,
-                            "dnssec": true
+                            "dnssec": true,
+                            "insecure": false
                         }
                     }
                 }
diff --git a/python/knot_resolver/datamodel/forward_schema.py b/python/knot_resolver/datamodel/forward_schema.py
@@ -11,24 +11,20 @@ class ForwardServerSchema(ConfigSchema):
     ---
     address: IP address(es) of a forward server.
     transport: Transport protocol for a forward server.
-    insecure: Allow insecure TLS configuration.
     pin_sha256: Hash of accepted CA certificate.
     hostname: Hostname of the Forward server.
     ca_file: Path to CA certificate file.
     """
 
     address: ListOrItem[IPAddressOptionalPort]
     transport: Optional[Literal["tls"]] = None
-    insecure: bool = False
     pin_sha256: Optional[ListOrItem[PinSha256]] = None
     hostname: Optional[DomainName] = None
     ca_file: Optional[ReadableFile] = None
 
     def _validate(self) -> None:
         if self.pin_sha256 and (self.hostname or self.ca_file):
-            raise ValueError("'pin-sha256' cannot be configurad together with 'hostname' or 'ca-file'")
-        if not self.insecure and not (self.pin_sha256 or self.hostname or self.ca_file):
-            raise ValueError("no way to authenticate and 'insecure' not set")
+            raise ValueError("'pin-sha256' cannot be configured together with 'hostname' or 'ca-file'")
 
 
 class ForwardOptionsSchema(ConfigSchema):
@@ -38,10 +34,13 @@ class ForwardOptionsSchema(ConfigSchema):
     ---
     authoritative: The forwarding target is an authoritative server.
     dnssec: Enable/disable DNSSEC.
+    insecure: Allow insecure TLS configuration.
+
     """
 
     authoritative: bool = False
     dnssec: bool = True
+    insecure: bool = False
 
 
 class ForwardSchema(ConfigSchema):
@@ -78,3 +77,14 @@ def is_transport_tls(servers: List[Any]) -> bool:
 
         if self.options.authoritative and is_transport_tls(self.servers):
             raise ValueError("Forwarding to authoritative servers using TLS protocol is not supported.")
+
+        if not self.options.insecure:
+            for server in self.servers:
+                if (
+                    isinstance(server, ForwardServerSchema)
+                    and server.transport == "tls"
+                    and not (server.pin_sha256 or server.hostname or server.ca_file)
+                ):
+                    raise ValueError(
+                        "no way to authenticate server (hostname, ca-file or pin-sha256) and 'insecure' is not set"
+                    )
diff --git a/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2 b/python/knot_resolver/datamodel/templates/macros/forward_macros.lua.j2
@@ -4,7 +4,7 @@
 {dnssec={{ boolean(options.dnssec) }},auth={{ boolean(options.authoritative) }}}
 {%- endmacro %}
 
-{% macro forward_server(server) -%}
+{% macro forward_server(server, options) -%}
 {%- if server.address -%}
 {%- for addr in server.address -%}
 {'{{ addr }}',
@@ -13,7 +13,7 @@ tls=true,
 {%- else -%}
 tls=false,
 {%- endif -%}
-{%- if server.insecure -%}
+{%- if options.insecure -%}
 insecure=true,
 {%- else -%}
 insecure=false,
@@ -34,14 +34,14 @@ ca_file='{{ server.ca_file }}',
 {%- endif -%}
 {%- endmacro %}
 
-{% macro forward_servers(servers) -%}
+{% macro forward_servers(servers, options) -%}
 {
 {%- for server in servers -%}
-{{ forward_server(server) }}
+{{ forward_server(server, options) }}
 {%- endfor -%}
 }
 {%- endmacro %}
 
 {% macro policy_rule_forward_add(subtree,options,servers) -%}
-policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers) }})
+policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers, options) }})
 {%- endmacro %}
