From 78429dd8c87667de517d201766c54afb847916aa Mon Sep 17 00:00:00 2001
From: Francis Dupont
Date: Wed, 1 Jun 2022 13:52:35 +0200
Subject: [PATCH] [#1706] Added require-client-certs HA flag
---
 src/hooks/dhcp/high_availability/ha_config.cc | 7 +++++--
 src/hooks/dhcp/high_availability/ha_config.h | 15 ++++++++++++++-
 .../dhcp/high_availability/ha_config_parser.cc | 10 +++++++---
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/src/hooks/dhcp/high_availability/ha_config.cc b/src/hooks/dhcp/high_availability/ha_config.cc
index c56d9691d5..3d355412e4 100644
--- a/src/hooks/dhcp/high_availability/ha_config.cc
+++ b/src/hooks/dhcp/high_availability/ha_config.cc
@@ -166,7 +166,7 @@ HAConfig::HAConfig()
 max_ack_delay_(10000), max_unacked_clients_(10), wait_backup_ack_(false), enable_multi_threading_(false), http_dedicated_listener_(false), http_listener_threads_(0), http_client_threads_(0),
- trust_anchor_(), cert_file_(), key_file_(),
+ trust_anchor_(), cert_file_(), key_file_(), require_client_certs_(true),
 peers_(), state_machine_(new StateMachineConfig()) {
 }
@@ -335,15 +335,18 @@ HAConfig::validate() {
 << " TLS parameters must be set");
 }
 TlsRole tls_role = TlsRole::CLIENT;
+ bool cert_required = true;
 // The peer entry for myself will be used for the server side.
 if (p->second->getName() == getThisServerName()) {
 tls_role = TlsRole::SERVER;
+ cert_required = getRequireClientCerts();
 }
 TlsContext::configure(p->second->tls_context_, tls_role, ca.get(), cert.get(),
- key.get());
+ key.get(),
+ cert_required);
 } catch (const isc::Exception& ex) {
 isc_throw(HAConfigValidationError, "bad TLS config for server " << p->second->getName() << ": " << ex.what());
diff --git a/src/hooks/dhcp/high_availability/ha_config.h b/src/hooks/dhcp/high_availability/ha_config.h
index 53fa3b90c6..fd7710c7ad 100644
--- a/src/hooks/dhcp/high_availability/ha_config.h
+++ b/src/hooks/dhcp/high_availability/ha_config.h
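Review bot: In the validate() hunk, `cert_required` becomes false only for this server's own peer entry (TlsRole::SERVER), so when `require-client-certs` is false the TLS context used by this node's HA listener presumably stops demanding a certificate from connecting peers, turning mutual TLS into server-only authentication, and nothing in the hunk records that relaxation at runtime. I would at least state it where the value is passed: `// cert_required=false drops client-certificate verification on our own listener; peers are then authenticated only by whatever else is configured.` A warning log when the flag is false would be the practitioner's choice, but I cannot see a logger in this file, so I leave the mechanism to the author. It is also worth confirming what `TlsContext::configure` does with `cert_required=true` on the CLIENT role, since every non-self peer context now receives true. validate() starts and ends outside the hunk.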
@@ -1,4 +1,4 @@
-// Copyright (C) 2018-2021 Internet Systems Consortium, Inc. ("ISC")
+// Copyright (C) 2018-2022 Internet Systems Consortium, Inc. ("ISC")
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -668,6 +668,18 @@ public:
 key_file_ = key;
 }
 
+ /// @brief Returns require-client-certs.
+ bool getRequireClientCerts() const {
+ return (require_client_certs_);
+ }
+
+ /// @brief Sets require-client-certs.
+ ///
+ /// @param flag Require client certs flag value.
+ void setRequireClientCerts(bool flag) {
+ require_client_certs_ = flag;
+ }
+
 /// @brief Returns configuration of the specified server.
 ///
 /// @param name Server name.
@@ -752,6 +764,7 @@ public:
 util::Optional trust_anchor_; ///< Trust anchor.
 util::Optional cert_file_; ///< Certificate file.
 util::Optional key_file_; ///< Private key file.
+ bool require_client_certs_; ///< Require client certs flag.
 PeerConfigMap peers_; ///< Map of peers' configurations.
 StateMachineConfigPtr state_machine_; ///< State machine configuration.
 };
diff --git a/src/hooks/dhcp/high_availability/ha_config_parser.cc b/src/hooks/dhcp/high_availability/ha_config_parser.cc
index 5f765bf87a..4f44a7d0c1 100644
--- a/src/hooks/dhcp/high_availability/ha_config_parser.cc
+++ b/src/hooks/dhcp/high_availability/ha_config_parser.cc
@@ -31,6 +31,7 @@ const SimpleDefaults HA_CONFIG_DEFAULTS = {
 { "max-ack-delay", Element::integer, "10000" },
 { "max-response-delay", Element::integer, "60000" },
 { "max-unacked-clients", Element::integer, "10" },
+ { "require-client-certs", Element::boolean, "true" },
 { "send-lease-updates", Element::boolean, "true" },
 { "sync-leases", Element::boolean, "true" },
 { "sync-timeout", Element::integer, "60000" },
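Review bot: The Doxygen on `getRequireClientCerts`/`setRequireClientCerts` in the ha_config.h hunk only restates the member name; for a flag that relaxes authentication of HA peers the header should say what false means and what the default is. Proposed brief for the getter: `/// @brief Returns the require-client-certs flag (default true). When false, the TLS context built for this server's own peer entry is configured without requiring a client certificate, so connecting HA peers are presumably no longer authenticated by TLS.` The setter should carry the same warning in place of `Require client certs flag value.`, and the `///< Require client certs flag.` on the member could reference the default. The enclosing class starts and ends outside the hunk.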
@@ -214,21 +215,24 @@ HAConfigParser::parseInternal(const HAConfigPtr& config_storage,
 // Get optional 'trust-anchor'.
 ConstElementPtr ca = c->get("trust-anchor");
 if (ca) {
- config_storage->setTrustAnchor(getString(c, ("trust-anchor")));
+ config_storage->setTrustAnchor(getString(c, "trust-anchor"));
 }
 
 // Get optional 'cert-file'.
 ConstElementPtr cert = c->get("cert-file");
 if (cert) {
- config_storage->setCertFile(getString(c, ("cert-file")));
+ config_storage->setCertFile(getString(c, "cert-file"));
 }
 
 // Get optional 'key-file'.
 ConstElementPtr key = c->get("key-file");
 if (key) {
- config_storage->setKeyFile(getString(c, ("key-file")));
+ config_storage->setKeyFile(getString(c, "key-file"));
 }
 
+ // Get 'require-client-certs'.
+ config_storage->setRequireClientCerts(getBoolean(c, "require-client-certs"));
+
 // Peers configuration parsing.
 const auto& peers_vec = peers->listValue();
 
-- 
2.47.3
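Review bot: `require-client-certs` is read unconditionally after the three optional TLS parameters, but nothing relates it to them: an explicit `require-client-certs: false` is accepted without any diagnostic, whether TLS is configured (in which case it removes client authentication on this server's listener) or not (in which case, as far as the validate() hunk in ha_config.cc shows, it is simply never used). A comment at the call site would make that visible to the next reader: `// Only meaningful together with trust-anchor/cert-file/key-file; false disables client-certificate checks on this server's HA listener.` If this parser has access to a logger, a warning on an explicit false would be the safer choice than silent acceptance. parseInternal starts and ends outside the hunk.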