Reject --mutual-tls and --client-ca when TLS is not enabled (#330)

folbricht · web-flow · commit 1577f3b3bf88 · 2026-04-18T17:50:17.000+02:00
Previously --mutual-tls and --client-ca were silently ignored when
--cert/--key were not provided, which could lead an operator to
believe client certificate authentication was enforcing access
while the server was actually listening on plain HTTP. Both
chunk-server and index-server now refuse to start in that state.
diff --git a/cmd/desync/options.go b/cmd/desync/options.go
@@ -87,6 +87,14 @@ func (o cmdServerOptions) validate() error {
 	if (o.key == "") != (o.cert == "") {
 		return errors.New("--key and --cert options need to be provided together")
 	}
+	if o.key == "" {
+		if o.mutualTLS {
+			return errors.New("--mutual-tls requires --cert and --key (TLS must be enabled)")
+		}
+		if o.clientCA != "" {
+			return errors.New("--client-ca requires --cert and --key (TLS must be enabled)")
+		}
+	}
 	return nil
 }
 
diff --git a/cmd/desync/options_test.go b/cmd/desync/options_test.go
@@ -99,6 +99,33 @@ func TestErrorRetryOptions(t *testing.T) {
 	}
 }
 
+func TestServerOptionsValidate(t *testing.T) {
+	for _, test := range []struct {
+		name    string
+		opt     cmdServerOptions
+		wantErr string
+	}{
+		{"no TLS, no mTLS", cmdServerOptions{}, ""},
+		{"TLS only", cmdServerOptions{cert: "c", key: "k"}, ""},
+		{"TLS with mutualTLS", cmdServerOptions{cert: "c", key: "k", mutualTLS: true}, ""},
+		{"TLS with clientCA", cmdServerOptions{cert: "c", key: "k", clientCA: "ca"}, ""},
+		{"key without cert", cmdServerOptions{key: "k"}, "--key and --cert"},
+		{"cert without key", cmdServerOptions{cert: "c"}, "--key and --cert"},
+		{"mutualTLS without TLS", cmdServerOptions{mutualTLS: true}, "--mutual-tls requires"},
+		{"clientCA without TLS", cmdServerOptions{clientCA: "ca"}, "--client-ca requires"},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			err := test.opt.validate()
+			if test.wantErr == "" {
+				require.NoError(t, err)
+				return
+			}
+			require.Error(t, err)
+			require.Contains(t, err.Error(), test.wantErr)
+		})
+	}
+}
+
 func TestStringOptions(t *testing.T) {
 	for _, test := range []struct {
 		name                string

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,14 @@ func (o cmdServerOptions) validate() error {`
`87`	`87`	`if (o.key == "") != (o.cert == "") {`
`88`	`88`	`return errors.New("--key and --cert options need to be provided together")`
`89`	`89`	`}`
	`90`	`+ if o.key == "" {`
	`91`	`+ if o.mutualTLS {`
	`92`	`+ return errors.New("--mutual-tls requires --cert and --key (TLS must be enabled)")`
	`93`	`+ }`
	`94`	`+ if o.clientCA != "" {`
	`95`	`+ return errors.New("--client-ca requires --cert and --key (TLS must be enabled)")`
	`96`	`+ }`
	`97`	`+ }`
`90`	`98`	`return nil`
`91`	`99`	`}`
`92`	`100`