v0.2.0 restructured to pipeline architecture, dirty

src/internal/config/ssl.go

@@ -1,6 +1,8 @@
 // FILE: src/internal/config/ssl.go
 package config
 
+import "fmt"
+
 type SSLConfig struct {
 	Enabled  bool   `toml:"enabled"`
 	CertFile string `toml:"cert_file"`
@@ -17,4 +19,39 @@ type SSLConfig struct {
 
 	// Cipher suites (comma-separated list)
 	CipherSuites string `toml:"cipher_suites"`
+}
+
+func validateSSLOptions(serverType, pipelineName string, sinkIndex int, ssl map[string]any) error {
+	if enabled, ok := ssl["enabled"].(bool); ok && enabled {
+		certFile, certOk := ssl["cert_file"].(string)
+		keyFile, keyOk := ssl["key_file"].(string)
+
+		if !certOk || certFile == "" || !keyOk || keyFile == "" {
+			return fmt.Errorf("pipeline '%s' sink[%d] %s: SSL enabled but cert/key files not specified",
+				pipelineName, sinkIndex, serverType)
+		}
+
+		if clientAuth, ok := ssl["client_auth"].(bool); ok && clientAuth {
+			if caFile, ok := ssl["client_ca_file"].(string); !ok || caFile == "" {
+				return fmt.Errorf("pipeline '%s' sink[%d] %s: client auth enabled but CA file not specified",
+					pipelineName, sinkIndex, serverType)
+			}
+		}
+
+		// Validate TLS versions
+		validVersions := map[string]bool{"TLS1.0": true, "TLS1.1": true, "TLS1.2": true, "TLS1.3": true}
+		if minVer, ok := ssl["min_version"].(string); ok && minVer != "" {
+			if !validVersions[minVer] {
+				return fmt.Errorf("pipeline '%s' sink[%d] %s: invalid min TLS version: %s",
+					pipelineName, sinkIndex, serverType, minVer)
+			}
+		}
+		if maxVer, ok := ssl["max_version"].(string); ok && maxVer != "" {
+			if !validVersions[maxVer] {
+				return fmt.Errorf("pipeline '%s' sink[%d] %s: invalid max TLS version: %s",
+					pipelineName, sinkIndex, serverType, maxVer)
+			}
+		}
+	}
+	return nil
 }