policy TLS_FORWARD: improve error reporting for invalid parameters
authorPetr Špaček <petr.spacek@nic.cz>
Fri, 12 Jan 2018 13:59:59 +0000 (14:59 +0100)
committerPetr Špaček <petr.spacek@nic.cz>
Thu, 18 Jan 2018 12:20:10 +0000 (13:20 +0100)
modules/policy/policy.lua
modules/policy/policy_test.lua

index 7a829954a21c7a5c82b79c305159c6e112b0e180..9d162869332ae95e5c231406fed594d0aaea81ca 100644 (file)
@@ -128,20 +128,25 @@ local function forward(target)
        end
 end
 
--- Forward request and all subrequests to upstream over TCP; validate answers
+-- Forward request and all subrequests to upstream over TLS; validate answers
 local function tls_forward(target)
        local sockaddr_list = {}
        local addr_list = {}
        local ca_files = {}
        local hostnames = {}
        local pins = {}
-       if type(target) ~= 'table' then
-               assert(false, 'wrong TLS_FORWARD target')
+       if type(target) ~= 'table' or #target < 1 then
+               error('TLS_FORWARD argument must be a non-empty table')
        end
-       for _, upstream_list_entry in pairs(target) do
+       for idx, upstream_list_entry in pairs(target) do
+               if type(upstream_list_entry) ~= 'table' then
+                       error('TLS_FORWARD target must be a non-empty table (found '
+                             .. type(upstream_list_entry) .. ' at position ' .. idx .. ')')
+               end
                local upstream_addr = upstream_list_entry[1]
                if type(upstream_addr) ~= 'string' then
-                       assert(false, 'bad IP address in TLS_FORWARD target')
+                       error('TLS_FORWARD target must start with an IP address (found '
+                             .. type(upstream_addr) .. ' at the beginning of target position ' .. idx .. ')')
                end
                table.insert(sockaddr_list, addr2sock(upstream_addr, 853))
                table.insert(addr_list, upstream_addr)
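Review bot: The three new `error()` calls use the default level, so the reported position is inside tls_forward rather than the user's TLS_FORWARD line in the config; passing level 2, e.g. `error('TLS_FORWARD argument must be a non-empty table', 2)`, points the message at the caller, which is what this commit is trying to improve. The loop iterates with `pairs`, so `idx` can be a non-numeric key, and `' at position ' .. idx` will itself raise a concatenation error when that key is a boolean or a table, masking the intended message; `tostring(idx)` avoids that. The `#target < 1` guard also relies on `#`, which is unspecified for tables with holes, so an argument like `{nil, {'::1'}}` may or may not be rejected here — presumably acceptable for config validation, but worth knowing. tls_forward continues past the end of the hunk.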
index de46ec58a056cde857f5ce7a980faa4226922360..65d32102758f498b00df1c9370b952cebc2fc8e5 100644 (file)
@@ -7,7 +7,8 @@ modules = { 'policy' }
 local function test_tls_forward()
        boom(policy.TLS_FORWARD, {}, 'TLS_FORWARD without arguments')
        boom(policy.TLS_FORWARD, {'1'}, 'TLS_FORWARD with non-table argument')
-       -- boom(policy.TLS_FORWARD, {{}}, 'TLS_FORWARD with empty table')
+       boom(policy.TLS_FORWARD, {{}}, 'TLS_FORWARD with empty table')
+       boom(policy.TLS_FORWARD, {{{}}}, 'TLS_FORWARD with empty target table')
        boom(policy.TLS_FORWARD, {{{bleble=''}}}, 'TLS_FORWARD with invalid parameters in table')
 
        boom(policy.TLS_FORWARD, {{'1'}}, 'TLS_FORWARD with invalid IP address')
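Review bot: The case labelled 'TLS_FORWARD with invalid IP address' passes `{{'1'}}`, which (if boom unpacks its argument table as the other cases suggest) calls TLS_FORWARD({'1'}) and now fails at the new per-entry "must be a non-empty table" check, never reaching the address check; an actual invalid-address case would be `boom(policy.TLS_FORWARD, {{{'1'}}}, 'TLS_FORWARD with invalid IP address')`. Since boom appears to assert only that some error is raised, every negative case here also passes when the wrong validation fires, so matching on the error text, or at least a distinct substring per case, would make the improved messages this commit introduces actually tested rather than merely exercised.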
@@ -16,13 +17,13 @@ local function test_tls_forward()
 
        -- boom(policy.TLS_FORWARD, {{{'::1', pin=''}}}, 'TLS_FORWARD with empty pin')
        -- boom(policy.TLS_FORWARD, {{{'::1', pin='č'}}}, 'TLS_FORWARD with bad pin')
-       ok(policy.TLS_FORWARD, {{{'::1', pin='ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ=='}}}, 'TLS_FORWARD with base64 pin')
-       ok(policy.TLS_FORWARD, {{{'::1', pin={
+       ok(policy.TLS_FORWARD({{'::1', pin='ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ=='}}), 'TLS_FORWARD with base64 pin')
+       ok(policy.TLS_FORWARD({{'::1', pin={
                                        'ZTNiMGM0NDI5OGZjMWMxNDlhZmJmNGM4OTk2ZmI5MjQyN2FlNDFlNDY0OWI5MzRjYTQ5NTk5MWI3ODUyYjg1NQ==',
                                        'MTcwYWUzMGNjZDlmYmE2MzBhZjhjZGE2ODQxZTAwYzZiNjU3OWNlYzc3NmQ0MTllNzAyZTIwYzY5YzQ4OGZmOA=='
-                               }}}}, 'TLS_FORWARD with table of pins')
+                               }}}), 'TLS_FORWARD with table of pins')
 
-       ok(policy.TLS_FORWARD, {{{'::1', hostname='test.', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with hostname + CA cert')
+       ok(policy.TLS_FORWARD({{'::1', hostname='test.', ca='/tmp/ca.crt'}}), 'TLS_FORWARD with hostname + CA cert')
        -- boom(policy.TLS_FORWARD, {{{'::1', hostname='test.'}}}, 'TLS_FORWARD with just hostname')
        -- boom(policy.TLS_FORWARD, {{{'::1', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with just CA cert')
        -- boom(policy.TLS_FORWARD, {{{'::1', hostname='', ca='/tmp/ca.crt'}}}, 'TLS_FORWARD with invalid hostname + CA cert')
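Review bot: The pins used as positive fixtures are 88 base64 characters and decode to 64 bytes that look like a hex-encoded SHA-256 digest, not the 32-byte raw digest an SPKI pin normally carries; if the pin validator ever checks length these tests will start failing, and until then they document a misleading pin format. A 44-character base64 pin, i.e. base64 of the raw digest, would make the fixture match what is expected on the wire. The negative pin and hostname/CA cases remain commented out, so a config with an empty pin, a hostname without a CA, or a CA without a hostname — each of which may leave the upstream effectively unauthenticated — is still accepted without any test guarding it; presumably that validation is not implemented yet, but a `-- TODO: enable once tls_forward validates pin/hostname/ca combinations` above these lines would record the gap.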