Merge branch 'v1.7' into master

2018-09-07 18:19:32 +02:00 · 2018-09-07 18:19:32 +02:00 · bd4846aa9c
commit bd4846aa9c
parent 4055654e9b c68ebaa2ca
82 changed files with 3573 additions and 877 deletions
--- a/provider/kv/keynames.go
+++ b/provider/kv/keynames.go
@ -24,15 +24,28 @@ const (
 	pathBackendBufferingMemRequestBodyBytes     = pathBackendBuffering + "memrequestbodybytes"
 	pathBackendBufferingRetryExpression         = pathBackendBuffering + "retryexpression"

-	pathFrontends                              = "/frontends/"
-	pathFrontendBackend                        = "/backend"
-	pathFrontendPriority                       = "/priority"
-	pathFrontendPassHostHeader                 = "/passhostheader"
-	pathFrontendPassTLSCert                    = "/passtlscert"
-	pathFrontendWhiteListSourceRange           = "/whitelist/sourcerange"
-	pathFrontendWhiteListIPStrategy            = "/whitelist/ipstrategy"
-	pathFrontendWhiteListIPStrategyDepth       = pathFrontendWhiteListIPStrategy + "/depth"
-	pathFrontendWhiteListIPStrategyExcludedIPs = pathFrontendWhiteListIPStrategy + "/excludedips"
+	pathFrontends                                         = "/frontends/"
+	pathFrontendBackend                                   = "/backend"
+	pathFrontendPriority                                  = "/priority"
+	pathFrontendPassHostHeader                            = "/passhostheader"
+	pathFrontendPassTLSClientCert                         = "/passTLSClientCert"
+	pathFrontendPassTLSClientCertPem                      = pathFrontendPassTLSClientCert + "/pem"
+	pathFrontendPassTLSClientCertInfos                    = pathFrontendPassTLSClientCert + "/infos"
+	pathFrontendPassTLSClientCertInfosNotAfter            = pathFrontendPassTLSClientCertInfos + "/notAfter"
+	pathFrontendPassTLSClientCertInfosNotBefore           = pathFrontendPassTLSClientCertInfos + "/notBefore"
+	pathFrontendPassTLSClientCertInfosSans                = pathFrontendPassTLSClientCertInfos + "/sans"
+	pathFrontendPassTLSClientCertInfosSubject             = pathFrontendPassTLSClientCertInfos + "/subject"
+	pathFrontendPassTLSClientCertInfosSubjectCommonName   = pathFrontendPassTLSClientCertInfosSubject + "/commonName"
+	pathFrontendPassTLSClientCertInfosSubjectCountry      = pathFrontendPassTLSClientCertInfosSubject + "/country"
+	pathFrontendPassTLSClientCertInfosSubjectLocality     = pathFrontendPassTLSClientCertInfosSubject + "/locality"
+	pathFrontendPassTLSClientCertInfosSubjectOrganization = pathFrontendPassTLSClientCertInfosSubject + "/organization"
+	pathFrontendPassTLSClientCertInfosSubjectProvince     = pathFrontendPassTLSClientCertInfosSubject + "/province"
+	pathFrontendPassTLSClientCertInfosSubjectSerialNumber = pathFrontendPassTLSClientCertInfosSubject + "/serialNumber"
+	pathFrontendPassTLSCert                               = "/passtlscert"
+	pathFrontendWhiteListSourceRange                      = "/whitelist/sourcerange"
+	pathFrontendWhiteListIPStrategy                       = "/whitelist/ipstrategy"
+	pathFrontendWhiteListIPStrategyDepth                  = pathFrontendWhiteListIPStrategy + "/depth"
+	pathFrontendWhiteListIPStrategyExcludedIPs            = pathFrontendWhiteListIPStrategy + "/excludedips"

 	pathFrontendAuth                             = "/auth/"
 	pathFrontendAuthBasic                        = pathFrontendAuth + "basic/"
--- a/provider/kv/kv_config.go
+++ b/provider/kv/kv_config.go
@ -41,18 +41,19 @@ func (p *Provider) buildConfiguration() *types.Configuration {
 		"getTLSSection": p.getTLSSection,

 		// Frontend functions
-		"getBackendName":    p.getFuncString(pathFrontendBackend, ""),
-		"getPriority":       p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriority),
-		"getPassHostHeader": p.getFuncBool(pathFrontendPassHostHeader, label.DefaultPassHostHeader),
-		"getPassTLSCert":    p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
-		"getEntryPoints":    p.getFuncList(pathFrontendEntryPoints),
-		"getAuth":           p.getAuth,
-		"getRoutes":         p.getRoutes,
-		"getRedirect":       p.getRedirect,
-		"getErrorPages":     p.getErrorPages,
-		"getRateLimit":      p.getRateLimit,
-		"getHeaders":        p.getHeaders,
-		"getWhiteList":      p.getWhiteList,
+		"getBackendName":       p.getFuncString(pathFrontendBackend, ""),
+		"getPriority":          p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriority),
+		"getPassHostHeader":    p.getFuncBool(pathFrontendPassHostHeader, label.DefaultPassHostHeader),
+		"getPassTLSCert":       p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
+		"getPassTLSClientCert": p.getTLSClientCert,
+		"getEntryPoints":       p.getFuncList(pathFrontendEntryPoints),
+		"getAuth":              p.getAuth,
+		"getRoutes":            p.getRoutes,
+		"getRedirect":          p.getRedirect,
+		"getErrorPages":        p.getErrorPages,
+		"getRateLimit":         p.getRateLimit,
+		"getHeaders":           p.getHeaders,
+		"getWhiteList":         p.getWhiteList,

 		// Backend functions
 		"getServers":        p.getServers,
@ -334,6 +335,39 @@ func (p *Provider) getTLSSection(prefix string) []*tls.Configuration {
 	return tlsSection
 }

+// getTLSClientCert create TLS client header configuration from labels
+func (p *Provider) getTLSClientCert(rootPath string) *types.TLSClientHeaders {
+	if !p.hasPrefix(rootPath, pathFrontendPassTLSClientCert) {
+		return nil
+	}
+
+	tlsClientHeaders := &types.TLSClientHeaders{
+		PEM: p.getBool(false, rootPath, pathFrontendPassTLSClientCertPem),
+	}
+
+	if p.hasPrefix(rootPath, pathFrontendPassTLSClientCertInfos) {
+		infos := &types.TLSClientCertificateInfos{
+			NotAfter:  p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosNotAfter),
+			NotBefore: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosNotBefore),
+			Sans:      p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSans),
+		}
+
+		if p.hasPrefix(rootPath, pathFrontendPassTLSClientCertInfosSubject) {
+			subject := &types.TLSCLientCertificateSubjectInfos{
+				CommonName:   p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectCommonName),
+				Country:      p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectCountry),
+				Locality:     p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectLocality),
+				Organization: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectOrganization),
+				Province:     p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectProvince),
+				SerialNumber: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectSerialNumber),
+			}
+			infos.Subject = subject
+		}
+		tlsClientHeaders.Infos = infos
+	}
+	return tlsClientHeaders
+}
+
 // GetAuth Create auth from path
 func (p *Provider) getAuth(rootPath string) *types.Auth {
 	if p.hasPrefix(rootPath, pathFrontendAuth) {
--- a/provider/kv/kv_config_test.go
+++ b/provider/kv/kv_config_test.go
@ -277,6 +277,18 @@ func TestProviderBuildConfiguration(t *testing.T) {
 					withPair(pathFrontendBackend, "backend1"),
 					withPair(pathFrontendPriority, "6"),
 					withPair(pathFrontendPassHostHeader, "false"),
+
+					withPair(pathFrontendPassTLSClientCertPem, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosNotBefore, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosNotAfter, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSans, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectCommonName, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectCountry, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectLocality, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectOrganization, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectProvince, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectSerialNumber, "true"),
+
 					withPair(pathFrontendPassTLSCert, "true"),
 					withList(pathFrontendEntryPoints, "http", "https"),
 					withList(pathFrontendWhiteListSourceRange, "1.1.1.1/24", "1234:abcd::42/32"),
@ -403,6 +415,22 @@ func TestProviderBuildConfiguration(t *testing.T) {
 								ExcludedIPs: []string{"1.1.1.1/24", "1234:abcd::42/32"},
 							},
 						},
+						PassTLSClientCert: &types.TLSClientHeaders{
+							PEM: true,
+							Infos: &types.TLSClientCertificateInfos{
+								NotBefore: true,
+								Sans:      true,
+								NotAfter:  true,
+								Subject: &types.TLSCLientCertificateSubjectInfos{
+									CommonName:   true,
+									Country:      true,
+									Locality:     true,
+									Organization: true,
+									Province:     true,
+									SerialNumber: true,
+								},
+							},
+						},
 						Auth: &types.Auth{
 							HeaderField: "X-WebAuth-User",
 							Basic: &types.Basic{