Add forward authentication option

2017-08-25 12:22:03 -04:00 · 2017-08-25 12:22:03 -04:00 · 52b69fbcb8
commit 52b69fbcb8
parent f16219f90a
11 changed files with 252 additions and 105 deletions
--- a/provider/docker/docker.go
+++ b/provider/docker/docker.go
@ -47,12 +47,12 @@ var _ provider.Provider = (*Provider)(nil)
 // Provider holds configurations of the provider.
 type Provider struct {
 	provider.BaseProvider `mapstructure:",squash"`
-	Endpoint              string              `description:"Docker server endpoint. Can be a tcp or a unix socket endpoint"`
-	Domain                string              `description:"Default domain used"`
-	TLS                   *provider.ClientTLS `description:"Enable Docker TLS support"`
-	ExposedByDefault      bool                `description:"Expose containers by default"`
-	UseBindPortIP         bool                `description:"Use the ip address from the bound port, rather than from the inner network"`
-	SwarmMode             bool                `description:"Use Docker on Swarm Mode"`
+	Endpoint              string           `description:"Docker server endpoint. Can be a tcp or a unix socket endpoint"`
+	Domain                string           `description:"Default domain used"`
+	TLS                   *types.ClientTLS `description:"Enable Docker TLS support"`
+	ExposedByDefault      bool             `description:"Expose containers by default"`
+	UseBindPortIP         bool             `description:"Use the ip address from the bound port, rather than from the inner network"`
+	SwarmMode             bool             `description:"Use Docker on Swarm Mode"`
 }

 // dockerData holds the need data to the Provider p
--- a/provider/kv/kv.go
+++ b/provider/kv/kv.go
@ -21,11 +21,11 @@ import (
 // Provider holds common configurations of key-value providers.
 type Provider struct {
 	provider.BaseProvider `mapstructure:",squash"`
-	Endpoint              string              `description:"Comma separated server endpoints"`
-	Prefix                string              `description:"Prefix used for KV store"`
-	TLS                   *provider.ClientTLS `description:"Enable TLS support"`
-	Username              string              `description:"KV Username"`
-	Password              string              `description:"KV Password"`
+	Endpoint              string           `description:"Comma separated server endpoints"`
+	Prefix                string           `description:"Prefix used for KV store"`
+	TLS                   *types.ClientTLS `description:"Enable TLS support"`
+	Username              string           `description:"KV Username"`
+	Password              string           `description:"KV Password"`
 	storeType             store.Backend
 	kvclient              store.Store
 }
--- a/provider/marathon/marathon.go
+++ b/provider/marathon/marathon.go
@ -53,18 +53,18 @@ var servicesPropertiesRegexp = regexp.MustCompile(`^traefik\.(?P<service_name>.+
 // Provider holds configuration of the provider.
 type Provider struct {
 	provider.BaseProvider
-	Endpoint                string              `description:"Marathon server endpoint. You can also specify multiple endpoint for Marathon"`
-	Domain                  string              `description:"Default domain used"`
-	ExposedByDefault        bool                `description:"Expose Marathon apps by default"`
-	GroupsAsSubDomains      bool                `description:"Convert Marathon groups to subdomains"`
-	DCOSToken               string              `description:"DCOSToken for DCOS environment, This will override the Authorization header"`
-	MarathonLBCompatibility bool                `description:"Add compatibility with marathon-lb labels"`
-	TLS                     *provider.ClientTLS `description:"Enable Docker TLS support"`
-	DialerTimeout           flaeg.Duration      `description:"Set a non-default connection timeout for Marathon"`
-	KeepAlive               flaeg.Duration      `description:"Set a non-default TCP Keep Alive time in seconds"`
-	ForceTaskHostname       bool                `description:"Force to use the task's hostname."`
-	Basic                   *Basic              `description:"Enable basic authentication"`
-	RespectReadinessChecks  bool                `description:"Filter out tasks with non-successful readiness checks during deployments"`
+	Endpoint                string           `description:"Marathon server endpoint. You can also specify multiple endpoint for Marathon"`
+	Domain                  string           `description:"Default domain used"`
+	ExposedByDefault        bool             `description:"Expose Marathon apps by default"`
+	GroupsAsSubDomains      bool             `description:"Convert Marathon groups to subdomains"`
+	DCOSToken               string           `description:"DCOSToken for DCOS environment, This will override the Authorization header"`
+	MarathonLBCompatibility bool             `description:"Add compatibility with marathon-lb labels"`
+	TLS                     *types.ClientTLS `description:"Enable Docker TLS support"`
+	DialerTimeout           flaeg.Duration   `description:"Set a non-default connection timeout for Marathon"`
+	KeepAlive               flaeg.Duration   `description:"Set a non-default TCP Keep Alive time in seconds"`
+	ForceTaskHostname       bool             `description:"Force to use the task's hostname."`
+	Basic                   *Basic           `description:"Enable basic authentication"`
+	RespectReadinessChecks  bool             `description:"Filter out tasks with non-successful readiness checks during deployments"`
 	readyChecker            *readinessChecker
 	marathonClient          marathon.Marathon
 }
--- a/provider/provider.go
+++ b/provider/provider.go
@ -2,11 +2,7 @@ package provider

 import (
 	"bytes"
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
 	"io/ioutil"
-	"os"
 	"strings"
 	"text/template"
 	"unicode"
@ -123,71 +119,3 @@ func ReverseStringSlice(slice *[]string) {
 		(*slice)[i], (*slice)[j] = (*slice)[j], (*slice)[i]
 	}
 }
-
-// ClientTLS holds TLS specific configurations as client
-// CA, Cert and Key can be either path or file contents
-type ClientTLS struct {
-	CA                 string `description:"TLS CA"`
-	Cert               string `description:"TLS cert"`
-	Key                string `description:"TLS key"`
-	InsecureSkipVerify bool   `description:"TLS insecure skip verify"`
-}
-
-// CreateTLSConfig creates a TLS config from ClientTLS structures
-func (clientTLS *ClientTLS) CreateTLSConfig() (*tls.Config, error) {
-	var err error
-	if clientTLS == nil {
-		log.Warnf("clientTLS is nil")
-		return nil, nil
-	}
-	caPool := x509.NewCertPool()
-	if clientTLS.CA != "" {
-		var ca []byte
-		if _, errCA := os.Stat(clientTLS.CA); errCA == nil {
-			ca, err = ioutil.ReadFile(clientTLS.CA)
-			if err != nil {
-				return nil, fmt.Errorf("Failed to read CA. %s", err)
-			}
-		} else {
-			ca = []byte(clientTLS.CA)
-		}
-		caPool.AppendCertsFromPEM(ca)
-	}
-
-	cert := tls.Certificate{}
-	_, errKeyIsFile := os.Stat(clientTLS.Key)
-
-	if !clientTLS.InsecureSkipVerify && (len(clientTLS.Cert) == 0 || len(clientTLS.Key) == 0) {
-		return nil, fmt.Errorf("TLS Certificate or Key file must be set when TLS configuration is created")
-	}
-
-	if len(clientTLS.Cert) > 0 && len(clientTLS.Key) > 0 {
-		if _, errCertIsFile := os.Stat(clientTLS.Cert); errCertIsFile == nil {
-			if errKeyIsFile == nil {
-				cert, err = tls.LoadX509KeyPair(clientTLS.Cert, clientTLS.Key)
-				if err != nil {
-					return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
-				}
-			} else {
-				return nil, fmt.Errorf("tls cert is a file, but tls key is not")
-			}
-		} else {
-			if errKeyIsFile != nil {
-				cert, err = tls.X509KeyPair([]byte(clientTLS.Cert), []byte(clientTLS.Key))
-				if err != nil {
-					return nil, fmt.Errorf("Failed to load TLS keypair: %v", err)
-
-				}
-			} else {
-				return nil, fmt.Errorf("tls key is a file, but tls cert is not")
-			}
-		}
-	}
-
-	TLSConfig := &tls.Config{
-		Certificates:       []tls.Certificate{cert},
-		RootCAs:            caPool,
-		InsecureSkipVerify: clientTLS.InsecureSkipVerify,
-	}
-	return TLSConfig, nil
-}
--- a/provider/provider_test.go
+++ b/provider/provider_test.go
@ -12,7 +12,7 @@ import (

 type myProvider struct {
 	BaseProvider
-	TLS *ClientTLS
+	TLS *types.ClientTLS
 }

 func (p *myProvider) Foo() string {
@ -202,7 +202,7 @@ func TestInsecureSkipVerifyClientTLS(t *testing.T) {
 		BaseProvider{
 			Filename: "",
 		},
-		&ClientTLS{
+		&types.ClientTLS{
 			InsecureSkipVerify: true,
 		},
 	}
@ -220,7 +220,7 @@ func TestInsecureSkipVerifyFalseClientTLS(t *testing.T) {
 		BaseProvider{
 			Filename: "",
 		},
-		&ClientTLS{
+		&types.ClientTLS{
 			InsecureSkipVerify: false,
 		},
 	}