Merge 'v2.3' into master.

2020-10-08 14:03:30 +02:00 · 2020-10-08 14:03:30 +02:00 · afcec56be4
commit afcec56be4
parent 326be29568 d2435cf43b
27 changed files with 499 additions and 34 deletions
--- a/pkg/config/runtime/runtime.go
+++ b/pkg/config/runtime/runtime.go
@ -23,7 +23,7 @@ type Configuration struct {
 	TCPRouters  map[string]*TCPRouterInfo  `json:"tcpRouters,omitempty"`
 	TCPServices map[string]*TCPServiceInfo `json:"tcpServices,omitempty"`
 	UDPRouters  map[string]*UDPRouterInfo  `json:"udpRouters,omitempty"`
-	UDPServices map[string]*UDPServiceInfo `json:"updServices,omitempty"`
+	UDPServices map[string]*UDPServiceInfo `json:"udpServices,omitempty"`
 }

 // NewConfig returns a Configuration initialized with the given conf. It never returns nil.
--- a/pkg/provider/acme/local_store.go
+++ b/pkg/provider/acme/local_store.go
@ -34,7 +34,10 @@ func (s *LocalStore) save(resolverName string, storedData *StoredData) {
 	defer s.lock.Unlock()

 	s.storedData[resolverName] = storedData
-	s.saveDataChan <- s.storedData
+
+	// we cannot pass s.storedData directly, map is reference type and as result
+	// we can face with race condition, so we need to work with objects copy
+	s.saveDataChan <- s.unSafeCopyOfStoredData()
 }

 func (s *LocalStore) get(resolverName string) (*StoredData, error) {
@ -81,7 +84,10 @@ func (s *LocalStore) get(resolverName string) (*StoredData, error) {
 				}
 				if len(certificates) < len(storedData.Certificates) {
 					storedData.Certificates = certificates
-					s.saveDataChan <- s.storedData
+
+					// we cannot pass s.storedData directly, map is reference type and as result
+					// we can face with race condition, so we need to work with objects copy
+					s.saveDataChan <- s.unSafeCopyOfStoredData()
 				}
 			}
 		}
@ -111,6 +117,15 @@ func (s *LocalStore) listenSaveAction() {
 	})
 }

+// unSafeCopyOfStoredData creates maps copy of storedData. Is not thread safe, you should use `s.lock`.
+func (s *LocalStore) unSafeCopyOfStoredData() map[string]*StoredData {
+	result := map[string]*StoredData{}
+	for k, v := range s.storedData {
+		result[k] = v
+	}
+	return result
+}
+
 // GetAccount returns ACME Account.
 func (s *LocalStore) GetAccount(resolverName string) (*Account, error) {
 	storedData, err := s.get(resolverName)
--- a/pkg/provider/acme/local_store_test.go
+++ b/pkg/provider/acme/local_store_test.go
@ -0,0 +1,87 @@
+package acme
+
+import (
+	"fmt"
+	"io/ioutil"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestLocalStore_GetAccount(t *testing.T) {
+	acmeFile := filepath.Join(t.TempDir(), "acme.json")
+
+	email := "some42@email.com"
+	filePayload := fmt.Sprintf(`{
+  "test": {
+    "Account": {
+      "Email": "%s"
+    }
+  }
+}`, email)
+
+	err := ioutil.WriteFile(acmeFile, []byte(filePayload), 0o600)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		desc     string
+		filename string
+		expected *Account
+	}{
+		{
+			desc:     "empty file",
+			filename: filepath.Join(t.TempDir(), "acme-empty.json"),
+			expected: nil,
+		},
+		{
+			desc:     "file with data",
+			filename: acmeFile,
+			expected: &Account{Email: "some42@email.com"},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			s := NewLocalStore(test.filename)
+
+			account, err := s.GetAccount("test")
+			require.NoError(t, err)
+
+			assert.Equal(t, test.expected, account)
+		})
+	}
+}
+
+func TestLocalStore_SaveAccount(t *testing.T) {
+	acmeFile := filepath.Join(t.TempDir(), "acme.json")
+
+	s := NewLocalStore(acmeFile)
+
+	email := "some@email.com"
+
+	err := s.SaveAccount("test", &Account{Email: email})
+	require.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	file, err := ioutil.ReadFile(acmeFile)
+	require.NoError(t, err)
+
+	expected := `{
+  "test": {
+    "Account": {
+      "Email": "some@email.com",
+      "Registration": null,
+      "PrivateKey": null,
+      "KeyType": ""
+    },
+    "Certificates": null
+  }
+}`
+
+	assert.Equal(t, expected, string(file))
+}
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@ -220,7 +220,7 @@ func (p *Provider) getClient() (*lego.Client, error) {

 	config := lego.NewConfig(account)
 	config.CADirURL = caServer
-	config.Certificate.KeyType = account.KeyType
+	config.Certificate.KeyType = GetKeyType(ctx, p.KeyType)
 	config.UserAgent = fmt.Sprintf("containous-traefik/%s", version.Version)

 	client, err := lego.NewClient(config)
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_serverstransport.go
@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2020 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/serverstransport.go
@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2020 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/serverstransport.go
@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2020 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/serverstransport.go
+++ b/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/serverstransport.go
@ -1,7 +1,7 @@
 /*
 The MIT License (MIT)

-Copyright (c) 2016-2020 Containous SAS
+Copyright (c) 2016-2020 Containous SAS; 2020-2020 Traefik Labs

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -106,7 +106,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 	tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 		domainToCheck := types.CanonicalDomain(clientHello.ServerName)

-		if m.TLSAlpnGetter != nil {
+		if m.TLSAlpnGetter != nil && isACMETLS(clientHello) {
 			cert, err := m.TLSAlpnGetter(domainToCheck)
 			if err != nil {
 				return nil, err
@ -282,3 +282,13 @@ func buildDefaultCertificate(defaultCertificate *Certificate) (*tls.Certificate,
 	}
 	return &cert, nil
 }
+
+func isACMETLS(clientHello *tls.ClientHelloInfo) bool {
+	for _, proto := range clientHello.SupportedProtos {
+		if proto == tlsalpn01.ACMETLS1Protocol {
+			return true
+		}
+	}
+
+	return false
+}