
Remove old global config and use new static config

This commit is contained in:
SALLEYRON Julien 2018-11-27 17:42:04 +01:00 committed by Traefiker Bot
parent c39d21c178
commit 5d91c7e15c
114 changed files with 2485 additions and 3646 deletions


@ -2,6 +2,7 @@ package tls
import (
"crypto/tls"
"crypto/x509"
"net"
"sort"
"strings"
@ -15,7 +16,6 @@ import (
// CertificateStore store for dynamic and static certificates
type CertificateStore struct {
DynamicCerts *safe.Safe
StaticCerts *safe.Safe
DefaultCertificate *tls.Certificate
CertCache *cache.Cache
SniStrict bool
@ -24,23 +24,42 @@ type CertificateStore struct {
// NewCertificateStore create a store for dynamic and static certificates
func NewCertificateStore() *CertificateStore {
return &CertificateStore{
StaticCerts: &safe.Safe{},
DynamicCerts: &safe.Safe{},
CertCache: cache.New(1*time.Hour, 10*time.Minute),
}
}
// GetAllDomains return a slice with all the certificate domain
func (c CertificateStore) GetAllDomains() []string {
func (c CertificateStore) getDefaultCertificateDomains() []string {
var allCerts []string
// Get static certificates
if c.StaticCerts != nil && c.StaticCerts.Get() != nil {
for domains := range c.StaticCerts.Get().(map[string]*tls.Certificate) {
allCerts = append(allCerts, domains)
}
if c.DefaultCertificate == nil {
return allCerts
}
x509Cert, err := x509.ParseCertificate(c.DefaultCertificate.Certificate[0])
if err != nil {
log.WithoutContext().Errorf("Could not parse default certicate: %v", err)
return allCerts
}
if len(x509Cert.Subject.CommonName) > 0 {
allCerts = append(allCerts, x509Cert.Subject.CommonName)
}
allCerts = append(allCerts, x509Cert.DNSNames...)
for _, ipSan := range x509Cert.IPAddresses {
allCerts = append(allCerts, ipSan.String())
}
return allCerts
}
// GetAllDomains return a slice with all the certificate domain
func (c CertificateStore) GetAllDomains() []string {
allCerts := c.getDefaultCertificateDomains()
// Get dynamic certificates
if c.DynamicCerts != nil && c.DynamicCerts.Get() != nil {
for domains := range c.DynamicCerts.Get().(map[string]*tls.Certificate) {
@ -77,16 +96,6 @@ func (c CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *
}
}
if c.StaticCerts != nil && c.StaticCerts.Get() != nil {
for domains, cert := range c.StaticCerts.Get().(map[string]*tls.Certificate) {
for _, certDomain := range strings.Split(domains, ",") {
if MatchDomain(domainToCheck, certDomain) {
matchedCerts[certDomain] = cert
}
}
}
}
if len(matchedCerts) > 0 {
// sort map by keys
keys := make([]string, 0, len(matchedCerts))
@ -103,11 +112,6 @@ func (c CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *
return nil
}
// ContainsCertificates checks if there are any certs in the store
func (c CertificateStore) ContainsCertificates() bool {
return c.StaticCerts.Get() != nil || c.DynamicCerts.Get() != nil
}
// ResetCache clears the cache in the store
func (c CertificateStore) ResetCache() {
if c.CertCache != nil {
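Review bot: `getDefaultCertificateDomains` indexes `c.DefaultCertificate.Certificate[0]` after checking only that `DefaultCertificate` is non-nil, so a default certificate with an empty chain panics instead of being skipped. The guard should cover both conditions, `if c.DefaultCertificate == nil || len(c.DefaultCertificate.Certificate) == 0 { return allCerts }`. The log message on the `x509.ParseCertificate` failure also misspells "certificate" as "certicate"; since that path silently drops the default certificate's names from the returned list, the message is the only trace an operator gets and should be correct. The leaf is re-parsed on every `GetAllDomains` call, which is fine unless this sits on a hot path, in which case the parsed names could be computed once when the default certificate is set. `GetBestCertificate` and `ResetCache` continue outside their hunks.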


@ -14,91 +14,45 @@ import (
)
func TestGetBestCertificate(t *testing.T) {
// FIXME Add tests for defaultCert
testCases := []struct {
desc string
domainToCheck string
staticCert string
dynamicCert string
expectedCert string
}{
{
desc: "Empty Store, returns no certs",
domainToCheck: "snitest.com",
staticCert: "",
dynamicCert: "",
expectedCert: "",
},
{
desc: "Empty static cert store",
desc: "Best Match with no corresponding",
domainToCheck: "snitest.com",
staticCert: "",
dynamicCert: "snitest.com",
expectedCert: "snitest.com",
},
{
desc: "Empty dynamic cert store",
domainToCheck: "snitest.com",
staticCert: "snitest.com",
dynamicCert: "",
expectedCert: "snitest.com",
dynamicCert: "snitest.org",
expectedCert: "",
},
{
desc: "Best Match",
domainToCheck: "snitest.com",
staticCert: "snitest.com",
dynamicCert: "snitest.org",
dynamicCert: "snitest.com",
expectedCert: "snitest.com",
},
{
desc: "Best Match with wildcard dynamic and exact static",
desc: "Best Match with dynamic wildcard",
domainToCheck: "www.snitest.com",
staticCert: "www.snitest.com",
dynamicCert: "*.snitest.com",
expectedCert: "www.snitest.com",
},
{
desc: "Best Match with wildcard static and exact dynamic",
domainToCheck: "www.snitest.com",
staticCert: "*.snitest.com",
dynamicCert: "www.snitest.com",
expectedCert: "www.snitest.com",
},
{
desc: "Best Match with static wildcard only",
domainToCheck: "www.snitest.com",
staticCert: "*.snitest.com",
dynamicCert: "",
expectedCert: "*.snitest.com",
},
{
desc: "Best Match with dynamic wildcard only",
domainToCheck: "www.snitest.com",
staticCert: "",
dynamicCert: "*.snitest.com",
expectedCert: "*.snitest.com",
},
{
desc: "Best Match with two wildcard certs",
domainToCheck: "foo.www.snitest.com",
staticCert: "*.www.snitest.com",
dynamicCert: "*.snitest.com",
expectedCert: "*.www.snitest.com",
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
staticMap := map[string]*tls.Certificate{}
dynamicMap := map[string]*tls.Certificate{}
if test.staticCert != "" {
cert, err := loadTestCert(test.staticCert)
require.NoError(t, err)
staticMap[test.staticCert] = cert
}
if test.dynamicCert != "" {
cert, err := loadTestCert(test.dynamicCert)
require.NoError(t, err)
@ -107,7 +61,6 @@ func TestGetBestCertificate(t *testing.T) {
store := &CertificateStore{
DynamicCerts: safe.New(dynamicMap),
StaticCerts: safe.New(staticMap),
CertCache: cache.New(1*time.Hour, 10*time.Minute),
}
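Review bot: The rewritten table only exercises the dynamic store, and nothing visible in this file covers the default-certificate branch that `getDefaultCertificateDomains` gains in this commit; the FIXME at the top of `TestGetBestCertificate` already records that gap. A case that builds a store with `DefaultCertificate` set and asserts that `GetAllDomains()` contains its subject and SAN names would cover the new code, including the empty-chain and unparsable-certificate paths. Whether `GetBestCertificate` itself falls back to the default certificate is decided outside this hunk, so that part is inferred rather than seen. The loop body and its remaining assertions continue past the end of the hunk.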


@ -24,7 +24,6 @@ type ClientCA struct {
type TLS struct {
MinVersion string `export:"true"`
CipherSuites []string
Certificates Certificates
ClientCA ClientCA
DefaultCertificate *Certificate
SniStrict bool `export:"true"`