Pass the TLS Cert infos in headers

2018-08-29 11:36:03 +02:00 · 2018-08-29 11:36:03 +02:00 · efc6560d83
commit efc6560d83
parent 56488d435f
58 changed files with 3352 additions and 927 deletions
--- a/provider/kv/keynames.go
+++ b/provider/kv/keynames.go
@ -25,14 +25,27 @@ const (
 	pathBackendBufferingMemRequestBodyBytes     = pathBackendBuffering + "memrequestbodybytes"
 	pathBackendBufferingRetryExpression         = pathBackendBuffering + "retryexpression"

-	pathFrontends                         = "/frontends/"
-	pathFrontendBackend                   = "/backend"
-	pathFrontendPriority                  = "/priority"
-	pathFrontendPassHostHeaderDeprecated  = "/passHostHeader" // Deprecated
-	pathFrontendPassHostHeader            = "/passhostheader"
-	pathFrontendPassTLSCert               = "/passtlscert"
-	pathFrontendWhiteListSourceRange      = "/whitelist/sourcerange"
-	pathFrontendWhiteListUseXForwardedFor = "/whitelist/usexforwardedfor"
+	pathFrontends                                         = "/frontends/"
+	pathFrontendBackend                                   = "/backend"
+	pathFrontendPriority                                  = "/priority"
+	pathFrontendPassHostHeaderDeprecated                  = "/passHostHeader" // Deprecated
+	pathFrontendPassHostHeader                            = "/passhostheader"
+	pathFrontendPassTLSClientCert                         = "/passTLSClientCert"
+	pathFrontendPassTLSClientCertPem                      = pathFrontendPassTLSClientCert + "/pem"
+	pathFrontendPassTLSClientCertInfos                    = pathFrontendPassTLSClientCert + "/infos"
+	pathFrontendPassTLSClientCertInfosNotAfter            = pathFrontendPassTLSClientCertInfos + "/notAfter"
+	pathFrontendPassTLSClientCertInfosNotBefore           = pathFrontendPassTLSClientCertInfos + "/notBefore"
+	pathFrontendPassTLSClientCertInfosSans                = pathFrontendPassTLSClientCertInfos + "/sans"
+	pathFrontendPassTLSClientCertInfosSubject             = pathFrontendPassTLSClientCertInfos + "/subject"
+	pathFrontendPassTLSClientCertInfosSubjectCommonName   = pathFrontendPassTLSClientCertInfosSubject + "/commonName"
+	pathFrontendPassTLSClientCertInfosSubjectCountry      = pathFrontendPassTLSClientCertInfosSubject + "/country"
+	pathFrontendPassTLSClientCertInfosSubjectLocality     = pathFrontendPassTLSClientCertInfosSubject + "/locality"
+	pathFrontendPassTLSClientCertInfosSubjectOrganization = pathFrontendPassTLSClientCertInfosSubject + "/organization"
+	pathFrontendPassTLSClientCertInfosSubjectProvince     = pathFrontendPassTLSClientCertInfosSubject + "/province"
+	pathFrontendPassTLSClientCertInfosSubjectSerialNumber = pathFrontendPassTLSClientCertInfosSubject + "/serialNumber"
+	pathFrontendPassTLSCert                               = "/passtlscert"
+	pathFrontendWhiteListSourceRange                      = "/whitelist/sourcerange"
+	pathFrontendWhiteListUseXForwardedFor                 = "/whitelist/usexforwardedfor"

 	pathFrontendBasicAuth                        = "/basicauth" // Deprecated
 	pathFrontendAuth                             = "/auth/"
--- a/provider/kv/kv_config.go
+++ b/provider/kv/kv_config.go
@ -41,19 +41,20 @@ func (p *Provider) buildConfiguration() *types.Configuration {
 		"getTLSSection": p.getTLSSection,

 		// Frontend functions
-		"getBackendName":    p.getFuncString(pathFrontendBackend, ""),
-		"getPriority":       p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriority),
-		"getPassHostHeader": p.getPassHostHeader(),
-		"getPassTLSCert":    p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
-		"getEntryPoints":    p.getFuncList(pathFrontendEntryPoints),
-		"getBasicAuth":      p.getFuncList(pathFrontendBasicAuth), // Deprecated
-		"getAuth":           p.getAuth,
-		"getRoutes":         p.getRoutes,
-		"getRedirect":       p.getRedirect,
-		"getErrorPages":     p.getErrorPages,
-		"getRateLimit":      p.getRateLimit,
-		"getHeaders":        p.getHeaders,
-		"getWhiteList":      p.getWhiteList,
+		"getBackendName":       p.getFuncString(pathFrontendBackend, ""),
+		"getPriority":          p.getFuncInt(pathFrontendPriority, label.DefaultFrontendPriority),
+		"getPassHostHeader":    p.getPassHostHeader(),
+		"getPassTLSCert":       p.getFuncBool(pathFrontendPassTLSCert, label.DefaultPassTLSCert),
+		"getPassTLSClientCert": p.getTLSClientCert,
+		"getEntryPoints":       p.getFuncList(pathFrontendEntryPoints),
+		"getBasicAuth":         p.getFuncList(pathFrontendBasicAuth), // Deprecated
+		"getAuth":              p.getAuth,
+		"getRoutes":            p.getRoutes,
+		"getRedirect":          p.getRedirect,
+		"getErrorPages":        p.getErrorPages,
+		"getRateLimit":         p.getRateLimit,
+		"getHeaders":           p.getHeaders,
+		"getWhiteList":         p.getWhiteList,

 		// Backend functions
 		"getServers":              p.getServers,
@ -369,6 +370,39 @@ func (p *Provider) getTLSSection(prefix string) []*tls.Configuration {
 	return tlsSection
 }

+// getTLSClientCert create TLS client header configuration from labels
+func (p *Provider) getTLSClientCert(rootPath string) *types.TLSClientHeaders {
+	if !p.hasPrefix(rootPath, pathFrontendPassTLSClientCert) {
+		return nil
+	}
+
+	tlsClientHeaders := &types.TLSClientHeaders{
+		PEM: p.getBool(false, rootPath, pathFrontendPassTLSClientCertPem),
+	}
+
+	if p.hasPrefix(rootPath, pathFrontendPassTLSClientCertInfos) {
+		infos := &types.TLSClientCertificateInfos{
+			NotAfter:  p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosNotAfter),
+			NotBefore: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosNotBefore),
+			Sans:      p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSans),
+		}
+
+		if p.hasPrefix(rootPath, pathFrontendPassTLSClientCertInfosSubject) {
+			subject := &types.TLSCLientCertificateSubjectInfos{
+				CommonName:   p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectCommonName),
+				Country:      p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectCountry),
+				Locality:     p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectLocality),
+				Organization: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectOrganization),
+				Province:     p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectProvince),
+				SerialNumber: p.getBool(false, rootPath, pathFrontendPassTLSClientCertInfosSubjectSerialNumber),
+			}
+			infos.Subject = subject
+		}
+		tlsClientHeaders.Infos = infos
+	}
+	return tlsClientHeaders
+}
+
 // hasDeprecatedBasicAuth check if the frontend basic auth use the deprecated configuration
 func (p *Provider) hasDeprecatedBasicAuth(rootPath string) bool {
 	return len(p.getList(rootPath, pathFrontendBasicAuth)) > 0
--- a/provider/kv/kv_config_test.go
+++ b/provider/kv/kv_config_test.go
@ -277,6 +277,18 @@ func TestProviderBuildConfiguration(t *testing.T) {
 					withPair(pathFrontendBackend, "backend1"),
 					withPair(pathFrontendPriority, "6"),
 					withPair(pathFrontendPassHostHeader, "false"),
+
+					withPair(pathFrontendPassTLSClientCertPem, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosNotBefore, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosNotAfter, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSans, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectCommonName, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectCountry, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectLocality, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectOrganization, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectProvince, "true"),
+					withPair(pathFrontendPassTLSClientCertInfosSubjectSerialNumber, "true"),
+
 					withPair(pathFrontendPassTLSCert, "true"),
 					withList(pathFrontendEntryPoints, "http", "https"),
 					withList(pathFrontendWhiteListSourceRange, "1.1.1.1/24", "1234:abcd::42/32"),
@ -401,6 +413,22 @@ func TestProviderBuildConfiguration(t *testing.T) {
 							SourceRange:      []string{"1.1.1.1/24", "1234:abcd::42/32"},
 							UseXForwardedFor: true,
 						},
+						PassTLSClientCert: &types.TLSClientHeaders{
+							PEM: true,
+							Infos: &types.TLSClientCertificateInfos{
+								NotBefore: true,
+								Sans:      true,
+								NotAfter:  true,
+								Subject: &types.TLSCLientCertificateSubjectInfos{
+									CommonName:   true,
+									Country:      true,
+									Locality:     true,
+									Organization: true,
+									Province:     true,
+									SerialNumber: true,
+								},
+							},
+						},
 						Auth: &types.Auth{
 							HeaderField: "X-WebAuth-User",
 							Basic: &types.Basic{