"type": "boolean",
"description": "Enable/disable DNSSEC.",
"default": true
+ },
+ "insecure": {
+ "type": "boolean",
+ "description": "Allow insecure TLS configuration.",
+ "default": false
}
},
"default": {
"authoritative": false,
- "dnssec": true
+ "dnssec": true,
+ "insecure": false
}
}
}
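Review bot: The description of the new `insecure` option at L7, `Allow insecure TLS configuration.`, tells the operator neither what is relaxed nor how far it reaches; the validation added in ForwardSchema shows it lifts the requirement that a TLS server carry `hostname`, `ca-file` or `pin-sha256`, and the template emits the flag for every server in the rule. Suggest `"description": "Allow TLS forwarding to servers without authentication (hostname, ca-file or pin-sha256). Applies to every server in this rule."` so the consequence is visible where the option is documented. The same wording is repeated in the ForwardOptionsSchema docstring at L27 and should be updated to match. The enclosing schema object starts before L1.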
def _validate(self) -> None:
if self.pin_sha256 and (self.hostname or self.ca_file):
- raise ValueError("'pin-sha256' cannot be configurad together with 'hostname' or 'ca-file'")
+ raise ValueError("'pin-sha256' cannot be configured together with 'hostname' or 'ca-file'")
class ForwardOptionsSchema(ConfigSchema):
---
authoritative: The forwarding target is an authoritative server.
dnssec: Enable/disable DNSSEC.
+ insecure: Allow insecure TLS configuration.
+
"""
authoritative: bool = False
dnssec: bool = True
+ insecure: bool = False
class ForwardSchema(ConfigSchema):
if self.options.authoritative and is_transport_tls(self.servers):
raise ValueError("Forwarding to authoritative servers using TLS protocol is not supported.")
+
+ if not self.options.insecure:
+ for server in self.servers:
+ if (
+ isinstance(server, ForwardServerSchema)
+ and server.transport == "tls"
+ and not (server.pin_sha256 or server.hostname or server.ca_file)
+ ):
+ raise ValueError(
+ "no way to authenticate server (hostname, ca-file or pin-sha256) and 'insecure' is not set"
+ )
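Review bot: The loop at L38–L46 tests `server.transport == "tls"` directly while the line just above relies on `is_transport_tls(self.servers)`; the `isinstance` guard at L40 suggests `self.servers` may hold entries of another type, and if the helper recognises TLS for those, such a server would pass this check without any authentication material — worth confirming, or applying the helper per server so both checks agree. The error message at L45 also does not say which server failed, which matters when a rule lists several; if the address is exposed on the schema as the template's `server.address` suggests, something like `f"no way to authenticate server {server.address} (hostname, ca-file or pin-sha256) and 'insecure' is not set"` would point the operator at the offending entry. The enclosing method starts outside the hunk.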
{dnssec={{ boolean(options.dnssec) }},auth={{ boolean(options.authoritative) }}}
{%- endmacro %}
-{% macro forward_server(server) -%}
+{% macro forward_server(server, options) -%}
{%- if server.address is defined and server.address-%}
{%- for addr in server.address -%}
{'{{ addr }}',
{%- else -%}
tls=false,
{%- endif -%}
+{%- if options.insecure -%}
+insecure=true,
+{%- else -%}
+insecure=false,
+{%- endif -%}
{%- if server.hostname -%}
hostname='{{ server.hostname }}',
{%- endif -%}
{%- endif -%}
{%- endmacro %}
-{% macro forward_servers(servers) -%}
+{% macro forward_servers(servers, options) -%}
{
{%- for server in servers -%}
-{{ forward_server(server) }}
+{{ forward_server(server, options) }}
{%- endfor -%}
}
{%- endmacro %}
{% macro policy_rule_forward_add(subtree,options,servers) -%}
-policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers) }})
+policy.rule_forward_add('{{ subtree }}',{{ forward_options(options) }},{{ forward_servers(servers, options) }})
{%- endmacro %}
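Review bot: `insecure=true` at L57–L58 is emitted for every server in the rule whenever `options.insecure` is set, including servers that do carry `hostname`, `ca-file` or `pin-sha256`; if the resolver treats `insecure` as overriding those checks, enabling the flag to accommodate one unauthenticated upstream silently turns off verification for the authenticated ones as well. The validation in ForwardSchema only requires `insecure` for TLS servers that lack authentication material, so emitting the flag only for those servers is consistent with it and keeps the option's reach to the servers that need it: `{%- if options.insecure and not (server.hostname or server.ca_file or server.pin_sha256) -%}`. The attribute names `ca_file` and `pin_sha256` are those of the Python schema; confirm they are exposed under the same names in the template context, as `server.hostname` already is.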
},
}
)
- result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,hostname='odvr.nic.cz',},})"
+ result = "policy.rule_forward_add('.',{dnssec=true,auth=false},{{'2001:148f:fffe::1',tls=false,insecure=false,hostname='odvr.nic.cz',},{'185.43.135.1',tls=false,insecure=false,hostname='odvr.nic.cz',},})"
tmpl = template_from_str(tmpl_str)
assert tmpl.render(rule=rule) == result
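Review bot: The updated expectation at L84 only exercises the `insecure=false` branch; nothing in this hunk covers rendering with `insecure=true` or the new ValueError raised by ForwardSchema when a TLS server has no `hostname`, `ca-file` or `pin-sha256`. A second case with `insecure` set and a TLS server, asserting `insecure=true,` in the rendered rule, plus one asserting the ValueError for an unauthenticated TLS server with `insecure` unset, would pin both sides of the new behaviour. The test function starts outside the hunk.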