1 /** @file
2 
3   @section license License
4 
5   Licensed to the Apache Software Foundation (ASF) under one
6   or more contributor license agreements.  See the NOTICE file
7   distributed with this work for additional information
8   regarding copyright ownership.  The ASF licenses this file
9   to you under the Apache License, Version 2.0 (the
10   "License"); you may not use this file except in compliance
11   with the License.  You may obtain a copy of the License at
12 
13       http://www.apache.org/licenses/LICENSE-2.0
14 
15   Unless required by applicable law or agreed to in writing, software
16   distributed under the License is distributed on an "AS IS" BASIS,
17   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18   See the License for the specific language governing permissions and
19   limitations under the License.
20 */
21 
22 #pragma once
23 
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

#include "tscore/Errata.h"
29 
30 #define TSDECL(id) constexpr char TS_##id[] = #id
31 TSDECL(fqdn);
32 TSDECL(disable_h2);
33 TSDECL(verify_client);
34 TSDECL(tunnel_route);
35 TSDECL(forward_route);
36 TSDECL(partial_blind_route);
37 TSDECL(verify_server_policy);
38 TSDECL(verify_server_properties);
39 TSDECL(verify_origin_server);
40 TSDECL(client_cert);
41 TSDECL(client_key);
42 TSDECL(ip_allow);
43 TSDECL(valid_tls_versions_in);
44 TSDECL(http2);
45 TSDECL(host_sni_policy);
46 #undef TSDECL
47 
48 const int start = 0;
49 struct YamlSNIConfig {
50   enum class Action {
51     disable_h2 = start,
52     verify_client,
53     tunnel_route,             // blind tunnel action
54     forward_route,            // decrypt data and then blind tunnel action
55     partial_blind_route,      // decrypt data; partial blind routing
56     verify_server_policy,     // this applies to server side vc only
57     verify_server_properties, // this applies to server side vc only
58     client_cert,
59     h2,             // this applies to client side only
60     host_sni_policy // Applies to client side only
61   };
62   enum class Level { NONE = 0, MODERATE, STRICT };
63   enum class Policy : uint8_t { DISABLED = 0, PERMISSIVE, ENFORCED, UNSET };
64   enum class Property : uint8_t { NONE = 0, SIGNATURE_MASK = 0x1, NAME_MASK = 0x2, ALL_MASK = 0x3, UNSET };
65   enum class TLSProtocol : uint8_t { TLSv1 = 0, TLSv1_1, TLSv1_2, TLSv1_3, TLS_MAX = TLSv1_3 };
66   enum class Control : uint8_t { NONE = 0, ENABLE, DISABLE };
67 
YamlSNIConfigYamlSNIConfig68   YamlSNIConfig() {}
69 
70   struct Item {
71     std::string fqdn;
72     std::optional<bool> offer_h2; // Has no value by default, so do not initialize!
73     uint8_t verify_client_level = 255;
74     uint8_t host_sni_policy     = 255;
75     std::string tunnel_destination;
76     bool tunnel_decrypt               = false;
77     bool tls_upstream                 = false;
78     Policy verify_server_policy       = Policy::UNSET;
79     Property verify_server_properties = Property::UNSET;
80     std::string client_cert;
81     std::string client_key;
82     std::string ip_allow;
83     bool protocol_unset = true;
84     unsigned long protocol_mask;
85 
86     void EnableProtocol(YamlSNIConfig::TLSProtocol proto);
87   };
88 
89   ts::Errata loader(const char *cfgFilename);
90 
91   std::vector<YamlSNIConfig::Item> items;
92 };