From d4610972474eed37b3eeac187dc56f217889dd2e Mon Sep 17 00:00:00 2001
From: Juan Font <juan.font@esa.int>
Date: Sat, 19 Nov 2022 10:33:15 +0000
Subject: [PATCH] Remove mTLS stuff from code

---
 app.go                   | 26 --------------------------
 app_test.go              | 17 -----------------
 config.go                | 25 ++-----------------------
 integration/hsic/hsic.go |  3 +--
 4 files changed, 3 insertions(+), 68 deletions(-)

diff --git a/app.go b/app.go
index c97c3f1..26a88ca 100644
--- a/app.go
+++ b/app.go
@@ -101,27 +101,6 @@ type Headscale struct {
 	pollNetMapStreamWG sync.WaitGroup
 }
 
-// Look up the TLS constant relative to user-supplied TLS client
-// authentication mode. If an unknown mode is supplied, the default
-// value, tls.RequireAnyClientCert, is returned. The returned boolean
-// indicates if the supplied mode was valid.
-func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
-	switch mode {
-	case DisabledClientAuth:
-		// Client cert is _not_ required.
-		return tls.NoClientCert, true
-	case RelaxedClientAuth:
-		// Client cert required, but _not verified_.
-		return tls.RequireAnyClientCert, true
-	case EnforcedClientAuth:
-		// Client cert is _required and verified_.
-		return tls.RequireAndVerifyClientCert, true
-	default:
-		// Return the default when an unknown value is supplied.
-		return tls.RequireAnyClientCert, false
-	}
-}
-
 func NewHeadscale(cfg *Config) (*Headscale, error) {
 	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
@@ -855,12 +834,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
 		}
 
-		log.Info().Msg(fmt.Sprintf(
-			"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
-			h.cfg.TLS.ClientAuthMode))
-
 		tlsConfig := &tls.Config{
-			ClientAuth:   h.cfg.TLS.ClientAuthMode,
 			NextProtos:   []string{"http/1.1"},
 			Certificates: make([]tls.Certificate, 1),
 			MinVersion:   tls.VersionTLS12,
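Review bot: With `ClientAuth` no longer set on the `tls.Config` built here, the listener falls back to Go's zero value `tls.NoClientCert`, so an installation that currently runs with `tls_client_auth_mode: enforced` stops requiring and verifying client certificates on upgrade, and because the `log.Info()` line is also removed nothing in the log says so. The config.go hunk at `@@ -224,19 +221,6 @@` drops the key's default and validation from `LoadConfig` without rejecting a config that still sets it; a guard there such as `if viper.IsSet("tls_client_auth_mode") { errorText += "Fatal config error: tls_client_auth_mode is no longer supported, remove it from the config\n" }` would turn the silent weakening of the TLS posture into a loud startup failure. A changelog or upgrade note naming the removed key would be expected alongside it. `getTLSSettings` starts and continues outside this hunk.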
diff --git a/app_test.go b/app_test.go
index c2ebe4a..5f23fd2 100644
--- a/app_test.go
+++ b/app_test.go
@@ -59,20 +59,3 @@ func (s *Suite) ResetDB(c *check.C) {
 	}
 	app.db = db
 }
-
-// Enusre an error is returned when an invalid auth mode
-// is supplied.
-func (s *Suite) TestInvalidClientAuthMode(c *check.C) {
-	_, isValid := LookupTLSClientAuthMode("invalid")
-	c.Assert(isValid, check.Equals, false)
-}
-
-// Ensure that all client auth modes return a nil error.
-func (s *Suite) TestAuthModes(c *check.C) {
-	modes := []string{"disabled", "relaxed", "enforced"}
-
-	for _, v := range modes {
-		_, isValid := LookupTLSClientAuthMode(v)
-		c.Assert(isValid, check.Equals, true)
-	}
-}
diff --git a/config.go b/config.go
index 03df59e..b4cad5b 100644
--- a/config.go
+++ b/config.go
@@ -1,7 +1,6 @@
 package headscale
 
 import (
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -75,9 +74,8 @@ type Config struct {
 }
 
 type TLSConfig struct {
-	CertPath       string
-	KeyPath        string
-	ClientAuthMode tls.ClientAuthType
+	CertPath string
+	KeyPath  string
 
 	LetsEncrypt LetsEncryptConfig
 }
@@ -154,7 +152,6 @@ func LoadConfig(path string, isFile bool) error {
 
 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
 	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
-	viper.SetDefault("tls_client_auth_mode", "relaxed")
 
 	viper.SetDefault("log.level", "info")
 	viper.SetDefault("log.format", TextLogFormat)
@@ -224,19 +221,6 @@ func LoadConfig(path string, isFile bool) error {
 		errorText += "Fatal config error: server_url must start with https:// or http://\n"
 	}
 
-	_, authModeValid := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
-	if !authModeValid {
-		errorText += fmt.Sprintf(
-			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
-			viper.GetString("tls_client_auth_mode"),
-			DisabledClientAuth,
-			RelaxedClientAuth,
-			EnforcedClientAuth)
-	}
-
 	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
 	// to avoid races
 	minInactivityTimeout, _ := time.ParseDuration("65s")
@@ -266,10 +250,6 @@ func LoadConfig(path string, isFile bool) error {
 }
 
 func GetTLSConfig() TLSConfig {
-	tlsClientAuthMode, _ := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
 	return TLSConfig{
 		LetsEncrypt: LetsEncryptConfig{
 			Hostname: viper.GetString("tls_letsencrypt_hostname"),
@@ -285,7 +265,6 @@ func GetTLSConfig() TLSConfig {
 		KeyPath: AbsolutePathFromConfigPath(
 			viper.GetString("tls_key_path"),
 		),
-		ClientAuthMode: tlsClientAuthMode,
 	}
 }
 
diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go
index 544785d..77d1db6 100644
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -71,7 +71,6 @@ func WithTLS() Option {
 		// TODO(kradalby): Move somewhere appropriate
 		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
 		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
-		hsic.env = append(hsic.env, "HEADSCALE_TLS_CLIENT_AUTH_MODE=disabled")
 
 		hsic.tlsCert = cert
 		hsic.tlsKey = key
@@ -371,7 +370,7 @@ func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
 
-//nolint
+// nolint
 func createCertificate() ([]byte, []byte, error) {
 	// From:
 	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
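Review bot: The directive above `createCertificate` changes from `//nolint` to `// nolint`, and golangci-lint guarantees recognition only of the machine-readable form with no space after `//`, so after this change the suppression may silently stop applying to whatever findings it covers in the certificate-generation body, which continues outside the hunk. If gofmt's doc-comment rewriting is what inserts the space, an explicit machine-readable form such as `//nolint:all // TODO: name the suppressed linters` survives both tools; scoping it to the specific linters instead of a blanket suppression would be better still. Without a named linter it is also impossible for a reader to tell which check is being waived on code that mints a CA and a signed certificate.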