MEDIUM: Add support for the ssl-f-use keyword

Author: oliwer

.aspell.yml

@@ -31,3 +31,4 @@ allowed:
   - quic
   - userlist
   - cve
+  - ssl

.gitignore

@@ -1,4 +1,5 @@
 build/
+e2e/logs/
 vendor/
 cmd/dataplaneapi/*
 .vscode/

configure_data_plane.go

@@ -847,6 +847,13 @@ func configureAPI(api *operations.DataPlaneAPI) http.Handler { //nolint:cyclop,m
 	api.LogProfileEditLogProfileHandler = &handlers.EditLogProfileHandler{Client: client, ReloadAgent: ra}
 	api.LogProfileDeleteLogProfileHandler = &handlers.DeleteLogProfileHandlerImpl{Client: client, ReloadAgent: ra}
 
+	// ssl-f-use handlers
+	api.SslFrontUseGetAllSSLFrontUsesHandler = &handlers.GetAllSSLFrontUsesHandlerImpl{Client: client}
+	api.SslFrontUseCreateSSLFrontUseHandler = &handlers.CreateSSLFrontUseHandlerImpl{Client: client, ReloadAgent: ra}
+	api.SslFrontUseGetSSLFrontUseHandler = &handlers.GetSSLFrontUseHandlerImpl{Client: client}
+	api.SslFrontUseReplaceSSLFrontUseHandler = &handlers.ReplaceSSLFrontUseHandlerImpl{Client: client, ReloadAgent: ra}
+	api.SslFrontUseDeleteSSLFrontUseHandler = &handlers.DeleteSSLFrontUseHandlerImpl{Client: client, ReloadAgent: ra}
+
 	// setup info handler
 	api.InformationGetInfoHandler = &handlers.GetInfoHandlerImpl{SystemInfo: haproxyOptions.ShowSystemInfo, BuildTime: BuildTime, Version: Version}
 

e2e/tests/ssl_front_use/data/3.pem

@@ -0,0 +1,79 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC/ZGXoEmYgWL2m
+nd41cr1kRSPISmWw12o8vdGZP2OLoL8E2X8IFF6mIyNxakdhOYILBADGArCiNzYp
+f0XpxO0LsOWC8m7lckF+Dyyh7TSmQ5TcxxT8Bf5JxvZEAwM09FIZooVDy0vJeo3g
+xC08MIqtTaZbstyuRLKkigu75QWnun+qhgcxV9IMN8s/Ee6X5wFsneCvLHFgzELS
+9gcephLieBEfPLDpDh8mGnUgvEmyBJjDRz6cFYOEvsqW0D+6krUDe3ELnV20TFeY
+CrvBPZ+ZHFZWoSjE3ainpQHd9w0Kx4w0SIrYAs2AOC1qakkrh5QjFiky30DpJ6EU
+yg/eltW5AgMBAAECggEARk1RpXpEqzMNjstEWSupZ9CBwUuaqOenrWIoQHtpTFui
+btyZbdVVov8bQMjCKXNfUj6JLjLEwQE40uteOe1NCVNUKtJ0a7GZXv2h7mTcRwph
+/urdyWlGK8F6qibVIblxAtuQygM99mcfAGXvG8HU3q28IsjDiPvRBuFyR/VrK12R
+AY/cU5kADrRwLeswT8Clw7DhNhWEMcvAuS0R8liyXhQ8IG4WOZYIkBF3NI+GB3X+
+PE4SFZfk2CvbGSth1vvVKv7TAVczw81Ek6FJXV6A/XP3mFjuDqDU0NbEL4QQds2z
+S/0JpEzx5LurN/UEIAyf/u+iEtPc56oUdAXJpHfWFQKBgQD86aOJDADg9F3HAdvG
+Xkh60B6PZ63r6iw6wCsJD2olOl+XF7GdGXKGzCZQsz2fob1E4zhb8kduHNEPeBG7
+x5WyS7fqycRyz3oEyozz9KLcggfOU+yyuQ2kn/1O51/aiABlkinyj7ed/FL9jqeE
+LdUM6194QEPgQnghjYMj6UcHpwKBgQDBuoFsgmA1OvtuSpijnZ/0ueI9Lkh8Quk2
+HusTKglP4KnuRCKm60PRXxxsFNxQgxuXhxEgBuMwJo1RO+CLjzh540pFnAN235QZ
+F2FKio5hQT7olo8Weu6IEbLE5nzTDEcnuKZrmqEGFlsUXLBW3zYgn1PorWDRMvv6
+m+T4+NDjnwKBgDbKjwlDtnUFu8M/XdON3Xnt2JEMzxsK8mYP98LQuhgymz7qfSoh
+tzQIykw1aKZKrexcpXsV8++hApGtW3oo9P9ZdBDDgXG2DSM4lmzLlPTcnsBOYjsd
+6BzAJGqRqax4Rk266qeIBymM3pXb7+Ks4zkXTOmKUqok/E2YkM6Y3TCFAoGBALg2
+jscNmkpDkb4odMhwJB/jebvPfOGcBoKOF94bRMuNyEhmxcSPReebVz13AKAWa3BE
+4QXhRrsMjahHFZffUkak2IUkey7YHs1VLBBjfEwCbL1iHSG1N4hvu9v7h4pvzGF6
+9dSwLpnJPEY6dPvGOIQAvRstcji7EFwXTT1p68flAoGANxFyWNiCC0LZ1t+4aS4j
+cA7piBgu1bfc1LtL9wBj7LeCLW942S1yCcHd/YI3KMc8ZP8MkD2eKuMOCD48JVN7
+k1Pnh+V+/Bnin1owach62ckZjgubLQfbffiGmpEo3KqP4g8h7lst6Xbja1DatJ2Q
+Ml0WvPvs/l61lp1CI36UuUA=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICoDCCAYgCAhACMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCEludGVybTIu
+MB4XDTIwMTEyNTEyMTIwNFoXDTIxMTEyNTEyMTIwNFowGDEWMBQGA1UEAwwNMS5l
+eGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9kZegS
+ZiBYvaad3jVyvWRFI8hKZbDXajy90Zk/Y4ugvwTZfwgUXqYjI3FqR2E5ggsEAMYC
+sKI3Nil/RenE7Quw5YLybuVyQX4PLKHtNKZDlNzHFPwF/knG9kQDAzT0UhmihUPL
+S8l6jeDELTwwiq1Npluy3K5EsqSKC7vlBae6f6qGBzFX0gw3yz8R7pfnAWyd4K8s
+cWDMQtL2Bx6mEuJ4ER88sOkOHyYadSC8SbIEmMNHPpwVg4S+ypbQP7qStQN7cQud
+XbRMV5gKu8E9n5kcVlahKMTdqKelAd33DQrHjDRIitgCzYA4LWpqSSuHlCMWKTLf
+QOknoRTKD96W1bkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAeeAoG3xpVfAcA2ZN
+aJA0uEB7ZH5BjhFsvmc1kEZylkEo6STVs1uTTvc9+v3PqzYANycbHy/3N0EUo5OX
+X6tfo3SMn3c8MyZu/3960Vcs1YJApdC1P3FvHj25IQGz8qLgsmION1tijg0ySPQb
+CYFXZ8T0ZYHA2X2QMieYiB9cNcmaL3Mlx04nf2Vfb+e/6kCWKkETlfSDIde9/J2M
+kVAYLGWWnwWvfRvjEaZ7SZNWslBttUTEr4PiFkvdPU01UF3VAjkcAOcDzvueGdmT
+d5Eg1BEWWmNBdT+Yg5hoy5Hx8R7H9ZcyoXnIMKCa9pOoIBIEk/hmcXj3smmjAMfO
+wTO08w==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsTCCAZmgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
+dC1jYTAeFw0yMDExMjUxMjEyMDRaFw0yMTExMjUxMjEyMDRaMBMxETAPBgNVBAMM
+CEludGVybTEuMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0/VPbQ2O
+YERPdfjLsTn/eGu4R98iNOw3pwyOtxK5b7w/b3sheGvoA7iRdyk6TBQ6e6sGUnUj
+fImyxNnWHRNBsX6NwwYk3DvFMvVgIfYi657m+7JaPYT+TcsLF223n2mDP3PHQe4B
+etOdP81gC2c+l1cmPSduMwzi3Ze64gQ15PvyTjVcTRuVCFZIpdAZ2DLEFMviuc7O
+vnxA+DFfN5Ve5gCJIEmxEtkHtolqZbhBIVPsfz5CofjD9bPm452ibssNoZgKU030
+9h2QPzvOhJ4iN2UDto2/Mq6xemEXxhVV7GyJ5iKtlnz1TYNAVPKkzhY+J9fnG/yT
+/MOwREaq+/9AbwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4IBAQCyqfVs2oawxgymfI/Nk6aGG+EjG+aBixu9tO45hQT2mEyb5ztP49ZwFOpc
++ys1snq3gtol2r7J+Up96DJ3aF6U3OE3iDqbtfjosMmi+rQQDRK/hp6QcU5rQucY
+hDiooiuajp7bhUgEdjhDW7GbV9yT1bA9WL5urFoGE0THUKLoMV4GCRQAQsodEx+B
+yos50UBCHuSkeJWRGmR4lpyIprPJaQgC7E83FfLe5UDsP1bioDiW4RZk4sqryy/z
+VJQNGgXYnlftf6J6WOPLdzU51R21yGCRjmNP0G9Vay9Wq7WOdDqjiQjWZyXWFf6H
+bbp7qAgS2JLTieLZ3GXBg0RTi+lK
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEzERMA8GA1UEAwwISW50
+ZXJtMS4wHhcNMjAxMTI1MTIxMjA0WhcNMjExMTI1MTIxMjA0WjATMREwDwYDVQQD
+DAhJbnRlcm0yLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKto0lJW
+e+0+6u/gxG3NNfoqHWAMiDm+Ogcv1aIUTxTK8CO6dlwLTAMDg47wXgZSE+fpwtJf
+OCV9uwUvoVrdBazPil13KTQKHkN3jV6TnrU92gJpb1uBCQwQQXvCaQeUrMNPC7h3
+lYaxAODH62B5Pl2PY/DXdaKNbsN0chOZmNl87FgtXH4/ITOqqHY/vLW4ikYbADHi
+HLZOXFFV6VK6tNm5NgbKpDeUG5I5mjilZSfxnHHJAFIrIy19wK+wyPr9X+Eyph7Z
+slYDDZ/+RRIEp3tNlaac+g+uv1CJZWdRcTb+q/fAMd/emL0ofg3XKRNtSwfDuDNh
+z7i68VKL/6Xtd3cCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
+AAOCAQEAYUwKKDKMG0ZwUJwJuqXZfCrf+95t9aeb+ALcFw7gABrdSFY9VmDQj2wW
+wl1afkV0jAREEnOtHJ0wioAhD86TUMoj99+UMEtp/r9QPH1XMClnCS0kp1M9ogCu
+PlqFamJlKhIa3xvvKSamU6G7qlbVzi2y7x/SBhK/U/FDo4bElgwG6WVXsluOQ6fT
+uUAJTqNfWcSdw2ntIGbwlbg1sco3a2JENB/5tyTSIWlwwUo6d+s2W3ZcNePWAPdr
+gEAVV1yOWsb1OVse2NRye5lH3cc+x0O1XYzWiC6G3GWYUmoPhl50fsidrd6WQIt5
++6MXQJQW+CgBnPiCdSfN58mxv49xJQ==
+-----END CERTIFICATE-----

e2e/tests/ssl_front_use/data/haproxy.cfg

@@ -0,0 +1,33 @@
+# _version=42
+
+global
+    log         127.0.0.1 local2
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    stats socket /var/lib/haproxy/stats level admin
+
+defaults mydefaults
+    mode                    http
+    log                     global
+    option                  httplog
+    option                  dontlognull
+    option http-server-close
+    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+frontend front1
+    #bind ip:port
+    mode http
+    option http-server-close

e2e/tests/ssl_front_use/data/post.json

@@ -0,0 +1,5 @@
+{
+    "certificate": "/etc/haproxy/ssl/cert.pem",
+    "allow_0rtt": true,
+    "no_alpn": true
+}

e2e/tests/ssl_front_use/data/put.json

@@ -0,0 +1,6 @@
+{
+    "certificate": "/etc/haproxy/ssl/cert.pem",
+    "allow_0rtt": false,
+    "no_alpn": true,
+    "verify": "none"
+}

e2e/tests/ssl_front_use/test.bats

@@ -0,0 +1,66 @@
+#!/usr/bin/env bats
+#
+# Copyright 2025 HAProxy Technologies
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http:#www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+load '../../libs/dataplaneapi'
+load '../../libs/debug'
+load '../../libs/get_json_path'
+load '../../libs/haproxy_config_setup'
+load '../../libs/haproxy_version'
+load '../../libs/resource_client'
+load '../../libs/version'
+
+load 'utils/_helpers'
+
+cert=/etc/haproxy/ssl/cert.pem
+
+@test "ssl_front_uses: get/create/modify/delete (>=3.2)" {
+  haproxy_version_ge "3.2" || skip
+
+  run docker cp "${BATS_TEST_DIRNAME}/data/3.pem" "${DOCKER_CONTAINER_NAME}:$cert"
+
+  # debug "ssl-f-use: create"
+  resource_post "$(ssl_front_uses_path front1)" "data/post.json"
+  assert_equal "$SC" "202"
+
+  # debug "ssl-f-use: get all"
+  resource_get "$(ssl_front_uses_path front1)"
+  assert_equal "$SC" "200"
+  assert_equal "$(get_json_path "$BODY" '.|length')" 1
+  assert_equal "$(get_json_path "$BODY" '.[0].certificate')" "$cert"
+  assert_equal "$(get_json_path "$BODY" '.[0].allow_0rtt')" true
+
+  # debug "ssl-f-use: get one"
+  resource_get "$(ssl_front_uses_path front1 0)"
+  assert_equal "$SC" "200"
+  assert_equal "$(get_json_path "$BODY" '.certificate')" "$cert"
+  assert_equal "$(get_json_path "$BODY" '.allow_0rtt')" true
+
+  # debug "ssl-f-use: edit"
+  resource_put "$(ssl_front_uses_path front1 0)" "data/put.json"
+  assert_equal "$SC" "202"
+  assert_equal "$(get_json_path "$BODY" '.certificate')" "$cert"
+  assert_equal "$(get_json_path "$BODY" '.allow_0rtt')" null
+  assert_equal "$(get_json_path "$BODY" '.no_alpn')" true
+  assert_equal "$(get_json_path "$BODY" '.verify')" none
+
+  # debug "ssl-f-use: delete"
+  resource_delete "$(ssl_front_uses_path front1 0)"
+  assert_equal "$SC" "202"
+  resource_get "$(ssl_front_uses_path front1)"
+  assert_equal "$SC" "200"
+  assert_equal "$(get_json_path "$BODY" '.|length')" 0
+}

e2e/tests/ssl_front_use/utils/_helpers.bash

@@ -0,0 +1,4 @@
+# /services/haproxy/configuration/frontends/{parent_name}/ssl_front_uses/{index}
+ssl_front_uses_path() {
+    echo "/services/haproxy/configuration/frontends/${1:?}/ssl_front_uses${2:+/$2}"
+}