@zluudg zluudg commented Sep 10, 2025

Summary by CodeRabbit

  • New Features
    • TLS setup now requires explicit certificate, key, and CA file paths in config.
    • Adds upfront validation that those files are accessible and emits clear, file-specific errors; initialization stops on misconfiguration.
    • Error messages now report which config file is in use when TLS keys are missing.
  • Chores
    • Updated a core dependency to a newer version.
    • Packaging: disables separate debug package on RHEL 9+ and marks the shipped YAML config as a ghosted/managed file.

@zluudg zluudg requested a review from a team as a code owner September 10, 2025 09:22

coderabbitai bot commented Sep 10, 2025

Walkthrough

TLS setup now requires explicit certs.cert, certs.key, and certs.cacertfile with existence checks and uses NewClientConfig; go.mod updates the tapir module pseudo-version; RPM spec disables separate debug package on RHEL 9+, removes Source3, and marks tapir-cli.yaml as %ghost.

Changes

| Cohort / File(s) | Summary |
|---|---|
| TLS initialization hardening: cmd/root.go | Replaces derived cert path logic with explicit config keys certs.cert, certs.key, certs.cacertfile; validates they are non-empty and os.Stat-accessible; constructs TLS with NewClientConfig(caCertPath, keyPath, certPath); logs fatal and exits on missing files or TLS init failure; uses api.SetupTLS when UseTLS enabled, otherwise api.Setup. |
| Dependency bump: go.mod | Updates github.com/dnstapir/tapir to v0.0.0-20250916134600-6f3506c45053. |
| RPM packaging changes: rpm/SPECS/tapir-cli.spec | Adds %if 0%{?rhel} >= 9 block setting %global debug_package %{nil} to disable separate debug subpackage on RHEL 9+; removes Source3: tapir-cli.yaml; changes installed tapir-cli.yaml entry to a %ghost file with ownership 0660,-,dnstapir. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant CLI as tapir-cli
  participant Cfg as Config
  participant FS as Filesystem
  participant TLS as TLS Builder
  participant API as API Client

  CLI->>Cfg: Load config
  alt UseTLS == true
    Cfg-->>CLI: certs.cert, certs.key, certs.cacertfile
    CLI->>FS: os.Stat(cert), os.Stat(key), os.Stat(cacert)
    alt Any missing/inaccessible
      CLI-->>CLI: Log fatal and exit
    else All accessible
      CLI->>TLS: NewClientConfig(cacert, key, cert)
      alt TLS init fails
        CLI-->>CLI: Log fatal and exit
      else Success
        CLI->>API: SetupTLS(tlsConfig)
        API-->>CLI: Client ready
      end
    end
  else UseTLS == false
    CLI->>API: Setup()
    API-->>CLI: Client ready
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • johanix

Poem

A nibble of certs, a crunch of keys,
I hop through configs with effortless ease.
CA in paw, I stat every file—
If paths are true, I thump with a smile.
On RHEL nine, no debug crumbs to chase. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title Check | ❓ Inconclusive | The title "Leon/issue 40 and 42" is essentially a branch name and only references issue numbers rather than describing what changed; it is vague and does not summarize the primary changes in this PR (explicit TLS cert/key/CA path validation in cmd/root.go, a go.mod dependency bump, and RPM spec adjustments). Because it fails to convey the main intent or highlight the most important change to a reviewer scanning history, the check is inconclusive. | Rename the PR to a concise, descriptive title that highlights the main change, for example: "Validate explicit TLS cert/key/CA paths and update packaging and deps". Use imperative, present-tense phrasing and avoid branch names or only issue numbers; put "Fixes #40, #42" in the PR body instead. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 567fbf3 and 416630f.

📒 Files selected for processing (1)
  • rpm/SPECS/tapir-cli.spec (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • rpm/SPECS/tapir-cli.spec

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cmd/root.go (1)

139-142: Don’t ship with InsecureSkipVerify = true by default. Gate it via config and default to safe.

This disables hostname/cert verification and enables trivial MITM. Make it opt-in via config (e.g., cli.tapir-pop.tls.insecure_skip_verify).

Apply:

-        tlsConfig.InsecureSkipVerify = true
+        if viper.GetBool("cli.tapir-pop.tls.insecure_skip_verify") {
+            tlsConfig.InsecureSkipVerify = true
+        }
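
Review bot: the new `if viper.GetBool(...)` branch turns verification off without leaving any trace at runtime. Log a warning inside the branch before `tlsConfig.InsecureSkipVerify = true` so an insecure session is visible in the output. The key also sits under cli.tapir-pop.tls while the certificate paths this PR reads are under certs.*, so pick one namespace for both.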

Nit: in the comment above, s/VerifyPerrCertificate/VerifyPeerCertificate/.

🧹 Nitpick comments (2)
cmd/root.go (2)

121-127: Namespace TLS config keys to avoid collisions and improve clarity.

Using top-level keys like certs.cert may clash with other components. Prefer a scoped path such as cli.tapir-pop.tls.{cert,key,cacertfile}.

Apply:

-        certPath := viper.GetString("certs.cert")
-        keyPath := viper.GetString("certs.key")
-        caCertPath := viper.GetString("certs.cacertfile")
+        certPath := viper.GetString("cli.tapir-pop.tls.cert")
+        keyPath := viper.GetString("cli.tapir-pop.tls.key")
+        caCertPath := viper.GetString("cli.tapir-pop.tls.cacertfile")
-        if certPath == "" || keyPath == "" || caCertPath == "" {
-            log.Fatalf("Error: missing TLS config keys: certs.cert, certs.key and/or certs.cacertfile in %s", viper.ConfigFileUsed())
-        }
+        if certPath == "" || keyPath == "" || caCertPath == "" {
+            log.Fatalf("Error: missing TLS config keys: cli.tapir-pop.tls.cert, cli.tapir-pop.tls.key and/or cli.tapir-pop.tls.cacertfile in %s", viper.ConfigFileUsed())
+        }
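
Review bot: the combined `certPath == "" || keyPath == "" || caCertPath == ""` check still reports all three keys with "and/or", so the operator cannot tell which one is empty. Check each key on its own and name the empty one in the log.Fatalf message. The renamed key strings also appear twice (in the GetString calls and in the message), so holding them in constants keeps the two in step, and configs that still use certs.* will land on this fatal path after the rename, which deserves a line in the release notes.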

128-132: Avoid TOCTOU and non-reliable readability checks; rely on load step or open files.

os.Stat doesn’t guarantee readability and introduces TOCTOU. Either drop the pre-check and rely on NewClientConfig errors, or open/close files to assert readability.

Option A (simpler — rely on load):

-        for _, f := range []string{certPath, keyPath, caCertPath} {
-            if _, statErr := os.Stat(f); statErr != nil {
-                log.Fatalf("Error: TLS file not accessible: %s (%v)", f, statErr)
-            }
-        }
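
Review bot: removing the loop also removes the only message here that names the offending path (`TLS file not accessible: %s`). If the pre-check goes, wrap the NewClientConfig error at the call site with the three paths that were passed, so a misconfigured file can still be identified from the output.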

Option B (assert readability):

+        for _, f := range []string{certPath, keyPath, caCertPath} {
+            fd, openErr := os.Open(f)
+            if openErr != nil {
+                log.Fatalf("Error: TLS file not readable: %s (%v)", f, openErr)
+            }
+            _ = fd.Close()
+        }
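
Review bot: the added `os.Open(f)` followed by `fd.Close()` is still a check separate from the later load, so the window this comment wants to close stays open, and os.Open succeeds on a directory, so a passing check does not show that the path is a usable file. Keep the handle and read the PEM from it, or at least call `fd.Stat()` on the open handle and require `Mode().IsRegular()`.
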
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between ccf712c and 1ffacad.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • cmd/root.go (1 hunks)
  • go.mod (1 hunks)
  • rpm/SPECS/tapir-cli.spec (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-14T12:03:40.980Z
Learnt from: zluudg
PR: dnstapir/cli#41
File: rpm/SPECS/tapir-cli.spec:42-42
Timestamp: 2025-08-14T12:03:40.980Z
Learning: User zluudg prefers not to auto-start or auto-enable systemd services in the dnstapir/cli RPM package, preferring manual activation instead.

Applied to files:

  • rpm/SPECS/tapir-cli.spec
🔇 Additional comments (2)
rpm/SPECS/tapir-cli.spec (1)

19-22: LGTM: disables debuginfo on RHEL ≥ 9.

The conditional %global debug_package %{nil} is correct and early enough in the spec. This also aligns with your prior preference to avoid opinionated post-install behaviors.

cmd/root.go (1)

133-136: Request NewClientConfig Signature
Please fetch the source for tapir.NewClientConfig at commit 19067e68eca0 and share its exact function signature (parameter names and order), so we can confirm whether it expects (ca, key, cert) or (ca, cert, key).

@zluudg zluudg force-pushed the leon/issue-40-and-42 branch from 1ffacad to 648840a Compare September 11, 2025 07:30

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cmd/root.go (1)

140-141: Don’t hardcode InsecureSkipVerify; gate it via config.

This disables server verification globally. Make it opt-in via a config flag.

-        tlsConfig.InsecureSkipVerify = true
+        if viper.GetBool("certs.insecure_skip_verify") {
+            tlsConfig.InsecureSkipVerify = true
+        }
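
Review bot: the key in `viper.GetBool("certs.insecure_skip_verify")` differs from the cli.tapir-pop.tls.insecure_skip_verify spelling proposed for the same line in the earlier review. Settle on one name before applying and document it next to certs.cert, certs.key and certs.cacertfile; an operator who sets the other spelling gets verification left on, which is safe but will look as if the option is ignored.
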
🧹 Nitpick comments (1)
cmd/root.go (1)

128-132: Harden TLS file checks: ensure regular files and readability.

os.Stat won’t catch directories or unreadable files. Add checks for regular file type and openability.

-        for _, f := range []string{certPath, keyPath, caCertPath} {
-            if _, statErr := os.Stat(f); statErr != nil {
-                log.Fatalf("Error: TLS file not accessible: %s (%v)", f, statErr)
-            }
-        }
+        for _, f := range []string{certPath, keyPath, caCertPath} {
+            fi, statErr := os.Stat(f)
+            if statErr != nil {
+                log.Fatalf("Error: TLS file not accessible: %s (%v)", f, statErr)
+            }
+            if !fi.Mode().IsRegular() {
+                log.Fatalf("Error: TLS path is not a regular file: %s", f)
+            }
+            if fd, openErr := os.Open(f); openErr != nil {
+                log.Fatalf("Error: TLS file not readable: %s (%v)", f, openErr)
+            } else {
+                _ = fd.Close()
+            }
+        }
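
Review bot: in the added loop `os.Stat(f)` and `os.Open(f)` resolve the path separately, so the regular-file check and the readability check can refer to different objects if the path changes in between, and the file is opened a third time when the TLS config is built. Open first and call `fd.Stat()` on the handle so both checks apply to the same file.
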
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 1ffacad and 648840a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • cmd/root.go (1 hunks)
  • go.mod (1 hunks)
  • rpm/SPECS/tapir-cli.spec (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • rpm/SPECS/tapir-cli.spec
🔇 Additional comments (2)
go.mod (1)

8-8: tapir bump: verified

go mod tidy && go build succeeded; NewClientConfig present with signature: func NewClientConfig(caFile, keyFile, certFile string) (*tls.Config, error).

cmd/root.go (1)

133-134: Resolved — NewClientConfig order is (caFile, keyFile, certFile); tapir.NewClientConfig(caCertPath, keyPath, certPath) is correct.
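
An added example (not code from this PR or from the tapir library) of the direction the review comments above point at: each TLS file is opened once, its type is checked on the open handle, and the bytes read from that same handle are what get parsed, so there is no gap between check and use; server verification stays on unless an explicit opt-in is passed. `readRegular`, `clientTLS` and the `insecure` parameter are hypothetical names, the argument order mirrors the `(caFile, keyFile, certFile)` signature quoted above, and the paths in `main` are constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"os"
)

// readRegular opens path once and checks the type on the open handle, so check and read see the same file.
func readRegular(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, fmt.Errorf("TLS file not readable: %w", err)
	}
	defer f.Close()
	if fi, err := f.Stat(); err != nil {
		return nil, err
	} else if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("TLS path is not a regular file: %s", path)
	}
	return io.ReadAll(f)
}

// clientTLS (hypothetical name) builds a client config; insecure is an explicit opt-in, off by default.
func clientTLS(caPath, keyPath, certPath string, insecure bool) (*tls.Config, error) {
	var data [3][]byte
	var err error
	for i, p := range []string{caPath, keyPath, certPath} {
		if data[i], err = readRegular(p); err != nil {
			return nil, err
		}
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data[0]) {
		return nil, fmt.Errorf("no CA certificates found in %s", caPath)
	}
	pair, err := tls.X509KeyPair(data[2], data[1])
	if err != nil {
		return nil, fmt.Errorf("bad cert/key pair (%s, %s): %w", certPath, keyPath, err)
	}
	return &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{pair},
		MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure}, nil
}

func main() {
	_, err := clientTLS("ca.pem", "client.key", "client.pem", false) // constructed paths
	fmt.Println("result:", err)
}
```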

zluudg commented Sep 16, 2025

fix #40 and fix #42

@zluudg zluudg merged commit d607c9a into main Sep 19, 2025
3 checks passed
@zluudg zluudg deleted the leon/issue-40-and-42 branch September 19, 2025 06:00