tailcfg: break DERPNode.DERPTestPort into DERPPort & InsecureForTests

The DERPTestPort int meant two things before: which port to use, and whether to disable TLS verification. Users would like to set the port without disabling TLS, so break it into two options. Updates #1264 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2024-11-25 11:05:45 +00:00 · 2021-07-09 11:16:43 -07:00 · 2021-07-09 11:16:43 -07:00 · 7e7c4c1bbe
commit 7e7c4c1bbe
parent 92077ae78c
5 changed files with 41 additions and 35 deletions
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@ -410,9 +410,7 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
 func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 	tlsConf := tlsdial.Config(c.tlsServerName(node), c.TLSConfig)
 	if node != nil {
-		if node.DERPTestPort != 0 {
-			tlsConf.InsecureSkipVerify = true
-		}
+		tlsConf.InsecureSkipVerify = node.InsecureForTests
 		if node.CertName != "" {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
@ -511,8 +509,8 @@ type res struct {
 				dst = n.HostName
 			}
 			port := "443"
-			if n.DERPTestPort != 0 {
-				port = fmt.Sprint(n.DERPTestPort)
+			if n.DERPPort != 0 {
+				port = fmt.Sprint(n.DERPPort)
 			}
 			c, err := c.dialContext(ctx, proto, net.JoinHostPort(dst, port))
 			select {
--- a/tailcfg/derpmap.go
+++ b/tailcfg/derpmap.go
@ -130,10 +130,15 @@ type DERPNode struct {
 	// server.
 	STUNOnly bool `json:",omitempty"`

-	// DERPTestPort is used in tests to override the port, instead
-	// of using the default port of 443. If non-zero, TLS
-	// verification is skipped.
-	DERPTestPort int `json:",omitempty"`
+	// DERPPort optionally provides an alternate TLS port number
+	// for the DERP HTTPS server.
+	//
+	// If zero, 443 is used.
+	DERPPort int `json:",omitempty"`
+
+	// InsecureForTests is used by unit tests to disable TLS verification.
+	// It should not be set by users.
+	InsecureForTests bool `json:",omitempty"`

 	// STUNTestIP is used in tests to override the STUN server's IP.
 	// If empty, it's assumed to be the same as the DERP server.
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@ -335,7 +335,8 @@ func (src *DERPNode) Clone() *DERPNode {
 	IPv6             string
 	STUNPort         int
 	STUNOnly         bool
-	DERPTestPort int
+	DERPPort         int
+	InsecureForTests bool
 	STUNTestIP       string
 }{})

--- a/tstest/integration/integration.go
+++ b/tstest/integration/integration.go
@ -151,7 +151,8 @@ func RunDERPAndSTUN(t testing.TB, logf logger.Logf, ipAddress string) (derpMap *
 						IPv4:             ipAddress,
 						IPv6:             "none",
 						STUNPort:         stunAddr.Port,
-						DERPTestPort: httpsrv.Listener.Addr().(*net.TCPAddr).Port,
+						DERPPort:         httpsrv.Listener.Addr().(*net.TCPAddr).Port,
+						InsecureForTests: true,
 						STUNTestIP:       stunAddr.IP.String(),
 					},
 				},
--- a/wgengine/magicsock/magicsock_test.go
+++ b/wgengine/magicsock/magicsock_test.go
@ -101,7 +101,8 @@ func runDERPAndStun(t *testing.T, logf logger.Logf, l nettype.PacketListener, st
 						IPv4:             "127.0.0.1",
 						IPv6:             "none",
 						STUNPort:         stunAddr.Port,
-						DERPTestPort: httpsrv.Listener.Addr().(*net.TCPAddr).Port,
+						DERPPort:         httpsrv.Listener.Addr().(*net.TCPAddr).Port,
+						InsecureForTests: true,
 						STUNTestIP:       stunIP.String(),
 					},
 				},