Dynamic Configuration Refactoring

2018-11-14 10:18:03 +01:00 · 2018-11-14 10:18:03 +01:00 · a09dfa3ce1
commit a09dfa3ce1
parent d3ae88f108
452 changed files with 21023 additions and 9419 deletions
--- a/old/middlewares/tlsClientHeaders.go
+++ b/old/middlewares/tlsClientHeaders.go
@ -0,0 +1,251 @@
+package middlewares
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/containous/traefik/old/log"
+	"github.com/containous/traefik/old/types"
+)
+
+const xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"
+const xForwardedTLSClientCertInfos = "X-Forwarded-Tls-Client-Cert-Infos"
+
+// TLSClientCertificateInfos is a struct for specifying the configuration for the tlsClientHeaders middleware.
+type TLSClientCertificateInfos struct {
+	NotAfter  bool
+	NotBefore bool
+	Subject   *TLSCLientCertificateSubjectInfos
+	Sans      bool
+}
+
+// TLSCLientCertificateSubjectInfos contains the configuration for the certificate subject infos.
+type TLSCLientCertificateSubjectInfos struct {
+	Country      bool
+	Province     bool
+	Locality     bool
+	Organization bool
+	CommonName   bool
+	SerialNumber bool
+}
+
+// TLSClientHeaders is a middleware that helps setup a few tls infos features.
+type TLSClientHeaders struct {
+	PEM   bool                       // pass the sanitized pem to the backend in a specific header
+	Infos *TLSClientCertificateInfos // pass selected informations from the client certificate
+}
+
+func newTLSCLientCertificateSubjectInfos(infos *types.TLSCLientCertificateSubjectInfos) *TLSCLientCertificateSubjectInfos {
+	if infos == nil {
+		return nil
+	}
+
+	return &TLSCLientCertificateSubjectInfos{
+		SerialNumber: infos.SerialNumber,
+		CommonName:   infos.CommonName,
+		Country:      infos.Country,
+		Locality:     infos.Locality,
+		Organization: infos.Organization,
+		Province:     infos.Province,
+	}
+}
+
+func newTLSClientInfos(infos *types.TLSClientCertificateInfos) *TLSClientCertificateInfos {
+	if infos == nil {
+		return nil
+	}
+
+	return &TLSClientCertificateInfos{
+		NotBefore: infos.NotBefore,
+		NotAfter:  infos.NotAfter,
+		Sans:      infos.Sans,
+		Subject:   newTLSCLientCertificateSubjectInfos(infos.Subject),
+	}
+}
+
+// NewTLSClientHeaders constructs a new TLSClientHeaders instance from supplied frontend header struct.
+func NewTLSClientHeaders(frontend *types.Frontend) *TLSClientHeaders {
+	if frontend == nil {
+		return nil
+	}
+
+	var pem bool
+	var infos *TLSClientCertificateInfos
+
+	if frontend.PassTLSClientCert != nil {
+		conf := frontend.PassTLSClientCert
+		pem = conf.PEM
+		infos = newTLSClientInfos(conf.Infos)
+	}
+
+	return &TLSClientHeaders{
+		PEM:   pem,
+		Infos: infos,
+	}
+}
+
+func (s *TLSClientHeaders) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+	s.ModifyRequestHeaders(r)
+	// If there is a next, call it.
+	if next != nil {
+		next(w, r)
+	}
+}
+
+// sanitize As we pass the raw certificates, remove the useless data and make it http request compliant
+func sanitize(cert []byte) string {
+	s := string(cert)
+	r := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "",
+		"-----END CERTIFICATE-----", "",
+		"\n", "")
+	cleaned := r.Replace(s)
+
+	return url.QueryEscape(cleaned)
+}
+
+// extractCertificate extract the certificate from the request
+func extractCertificate(cert *x509.Certificate) string {
+	b := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
+	certPEM := pem.EncodeToMemory(&b)
+	if certPEM == nil {
+		log.Error("Cannot extract the certificate content")
+		return ""
+	}
+	return sanitize(certPEM)
+}
+
+// getXForwardedTLSClientCert Build a string with the client certificates
+func getXForwardedTLSClientCert(certs []*x509.Certificate) string {
+	var headerValues []string
+
+	for _, peerCert := range certs {
+		headerValues = append(headerValues, extractCertificate(peerCert))
+	}
+
+	return strings.Join(headerValues, ",")
+}
+
+// getSANs get the Subject Alternate Name values
+func getSANs(cert *x509.Certificate) []string {
+	var sans []string
+	if cert == nil {
+		return sans
+	}
+
+	sans = append(cert.DNSNames, cert.EmailAddresses...)
+
+	var ips []string
+	for _, ip := range cert.IPAddresses {
+		ips = append(ips, ip.String())
+	}
+	sans = append(sans, ips...)
+
+	var uris []string
+	for _, uri := range cert.URIs {
+		uris = append(uris, uri.String())
+	}
+
+	return append(sans, uris...)
+}
+
+// getSubjectInfos extract the requested informations from the certificate subject
+func (s *TLSClientHeaders) getSubjectInfos(cs *pkix.Name) string {
+	var subject string
+
+	if s.Infos != nil && s.Infos.Subject != nil {
+		options := s.Infos.Subject
+
+		var content []string
+
+		if options.Country && len(cs.Country) > 0 {
+			content = append(content, fmt.Sprintf("C=%s", cs.Country[0]))
+		}
+
+		if options.Province && len(cs.Province) > 0 {
+			content = append(content, fmt.Sprintf("ST=%s", cs.Province[0]))
+		}
+
+		if options.Locality && len(cs.Locality) > 0 {
+			content = append(content, fmt.Sprintf("L=%s", cs.Locality[0]))
+		}
+
+		if options.Organization && len(cs.Organization) > 0 {
+			content = append(content, fmt.Sprintf("O=%s", cs.Organization[0]))
+		}
+
+		if options.CommonName && len(cs.CommonName) > 0 {
+			content = append(content, fmt.Sprintf("CN=%s", cs.CommonName))
+		}
+
+		if len(content) > 0 {
+			subject = `Subject="` + strings.Join(content, ",") + `"`
+		}
+	}
+
+	return subject
+}
+
+// getXForwardedTLSClientCertInfos Build a string with the wanted client certificates informations
+// like Subject="C=%s,ST=%s,L=%s,O=%s,CN=%s",NB=%d,NA=%d,SAN=%s;
+func (s *TLSClientHeaders) getXForwardedTLSClientCertInfos(certs []*x509.Certificate) string {
+	var headerValues []string
+
+	for _, peerCert := range certs {
+		var values []string
+		var sans string
+		var nb string
+		var na string
+
+		subject := s.getSubjectInfos(&peerCert.Subject)
+		if len(subject) > 0 {
+			values = append(values, subject)
+		}
+
+		ci := s.Infos
+		if ci != nil {
+			if ci.NotBefore {
+				nb = fmt.Sprintf("NB=%d", uint64(peerCert.NotBefore.Unix()))
+				values = append(values, nb)
+			}
+			if ci.NotAfter {
+				na = fmt.Sprintf("NA=%d", uint64(peerCert.NotAfter.Unix()))
+				values = append(values, na)
+			}
+
+			if ci.Sans {
+				sans = fmt.Sprintf("SAN=%s", strings.Join(getSANs(peerCert), ","))
+				values = append(values, sans)
+			}
+		}
+
+		value := strings.Join(values, ",")
+		headerValues = append(headerValues, value)
+	}
+
+	return strings.Join(headerValues, ";")
+}
+
+// ModifyRequestHeaders set the wanted headers with the certificates informations
+func (s *TLSClientHeaders) ModifyRequestHeaders(r *http.Request) {
+	if s.PEM {
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			r.Header.Set(xForwardedTLSClientCert, getXForwardedTLSClientCert(r.TLS.PeerCertificates))
+		} else {
+			log.Warn("Try to extract certificate on a request without TLS")
+		}
+	}
+
+	if s.Infos != nil {
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			headerContent := s.getXForwardedTLSClientCertInfos(r.TLS.PeerCertificates)
+			r.Header.Set(xForwardedTLSClientCertInfos, url.QueryEscape(headerContent))
+		} else {
+			log.Warn("Try to extract certificate on a request without TLS")
+		}
+	}
+}