traefik/pkg/types/tls.go

package types

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"

	"github.com/rs/zerolog/log"
)

// +k8s:deepcopy-gen=true

// ClientTLS holds TLS specific configurations as client
// CA, Cert and Key can be either path or file contents.
type ClientTLS struct {
	CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
	// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
	CAOptional         bool   `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
	Cert               string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
	Key                string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
	InsecureSkipVerify bool   `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
}

// CreateTLSConfig creates a TLS config from ClientTLS structures.
func (c *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, error) {
	if c == nil {
		log.Ctx(ctx).Warn().Msg("clientTLS is nil")
		return nil, nil
	}

	if c.CAOptional {
		log.Ctx(ctx).Warn().Msg("CAOptional is deprecated, TLS client authentication is a server side option.")
	}

	// Not initialized, to rely on system bundle.
	var caPool *x509.CertPool

	if c.CA != "" {
		var ca []byte
		if _, errCA := os.Stat(c.CA); errCA == nil {
			var err error
			ca, err = os.ReadFile(c.CA)
			if err != nil {
				return nil, fmt.Errorf("failed to read CA. %w", err)
			}
		} else {
			ca = []byte(c.CA)
		}

		caPool = x509.NewCertPool()
		if !caPool.AppendCertsFromPEM(ca) {
			return nil, errors.New("failed to parse CA")
		}
	}

	hasCert := len(c.Cert) > 0
	hasKey := len(c.Key) > 0

	if hasCert != hasKey {
		return nil, errors.New("both TLS cert and key must be defined")
	}

	if !hasCert || !hasKey {
		return &tls.Config{
			RootCAs:            caPool,
			InsecureSkipVerify: c.InsecureSkipVerify,
		}, nil
	}

	cert, err := loadKeyPair(c.Cert, c.Key)
	if err != nil {
		return nil, err
	}

	return &tls.Config{
		Certificates:       []tls.Certificate{cert},
		RootCAs:            caPool,
		InsecureSkipVerify: c.InsecureSkipVerify,
	}, nil
}

func loadKeyPair(cert, key string) (tls.Certificate, error) {
	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))
	if err == nil {
		return keyPair, nil
	}

	_, err = os.Stat(cert)
	if err != nil {
		return tls.Certificate{}, errors.New("cert file does not exist")
	}

	_, err = os.Stat(key)
	if err != nil {
		return tls.Certificate{}, errors.New("key file does not exist")
	}

	keyPair, err = tls.LoadX509KeyPair(cert, key)
	if err != nil {
		return tls.Certificate{}, err
	}

	return keyPair, nil
}
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`package types`

			`import (`
			`"context"`
			`"crypto/tls"`
			`"crypto/x509"`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`"errors"`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`"fmt"`
			`"os"`

New logger for the Traefik logs 2022-11-21 17:36:05 +00:00			`"github.com/rs/zerolog/log"`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`)`

fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`// +k8s:deepcopy-gen=true`

Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`// ClientTLS holds TLS specific configurations as client`
Update linter 2020-05-11 10:06:07 +00:00			`// CA, Cert and Key can be either path or file contents.`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`type ClientTLS struct {`
Deprecate caOptional option in client TLS configuration 2022-04-28 12:58:08 +00:00			CA string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
			`// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).`
Improve anonymize configuration 2020-10-30 11:44:05 +00:00			CAOptional bool `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
Use the same case everywhere 2019-07-01 09:30:05 +00:00			Cert string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
Redact credentials before logging Co-authored-by: Tom Moulard <tom.moulard@traefik.io> Co-authored-by: Mathieu Lonjaret <mathieu.lonjaret@gmail.com> 2022-01-24 10:08:05 +00:00			Key string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
Improve anonymize configuration 2020-10-30 11:44:05 +00:00			InsecureSkipVerify bool `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`

Update linter 2020-05-11 10:06:07 +00:00			`// CreateTLSConfig creates a TLS config from ClientTLS structures.`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`func (c ClientTLS) CreateTLSConfig(ctx context.Context) (tls.Config, error) {`
			`if c == nil {`
New logger for the Traefik logs 2022-11-21 17:36:05 +00:00			`log.Ctx(ctx).Warn().Msg("clientTLS is nil")`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`return nil, nil`
			`}`

Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`if c.CAOptional {`
New logger for the Traefik logs 2022-11-21 17:36:05 +00:00			`log.Ctx(ctx).Warn().Msg("CAOptional is deprecated, TLS client authentication is a server side option.")`
Deprecate caOptional option in client TLS configuration 2022-04-28 12:58:08 +00:00			`}`

fix: use host's root CA set if ClientTLS ca is not defined Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-11-03 16:38:07 +00:00			`// Not initialized, to rely on system bundle.`
			`var caPool *x509.CertPool`

Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`if c.CA != "" {`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`var ca []byte`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`if _, errCA := os.Stat(c.CA); errCA == nil {`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`var err error`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`ca, err = os.ReadFile(c.CA)`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`if err != nil {`
Update linter 2020-05-11 10:06:07 +00:00			`return nil, fmt.Errorf("failed to read CA. %w", err)`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`
			`} else {`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`ca = []byte(c.CA)`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`

fix: use host's root CA set if ClientTLS ca is not defined Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-11-03 16:38:07 +00:00			`caPool = x509.NewCertPool()`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`if !caPool.AppendCertsFromPEM(ca) {`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`return nil, errors.New("failed to parse CA")`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`
			`}`

Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`hasCert := len(c.Cert) > 0`
			`hasKey := len(c.Key) > 0`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00
			`if hasCert != hasKey {`
			`return nil, errors.New("both TLS cert and key must be defined")`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`

fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`if !hasCert \|\| !hasKey {`
			`return &tls.Config{`
			`RootCAs: caPool,`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`InsecureSkipVerify: c.InsecureSkipVerify,`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`}, nil`
			`}`

Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`cert, err := loadKeyPair(c.Cert, c.Key)`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00			`if err != nil {`
			`return nil, err`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`

Add internal provider Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> 2019-11-14 15:40:05 +00:00			`return &tls.Config{`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`Certificates: []tls.Certificate{cert},`
			`RootCAs: caPool,`
Update valkeyrie to v1.0.0 2022-09-12 15:40:09 +00:00			`InsecureSkipVerify: c.InsecureSkipVerify,`
Add internal provider Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> 2019-11-14 15:40:05 +00:00			`}, nil`
Adds Docker provider support Co-authored-by: Julien Salleyron <julien@containo.us> 2019-01-18 14:18:04 +00:00			`}`
fix: do not require a TLS client cert when InsecureSkipVerify is false Co-authored-by: Tom Moulard <tom.moulard@traefik.io> 2021-10-26 08:54:11 +00:00
			`func loadKeyPair(cert, key string) (tls.Certificate, error) {`
			`keyPair, err := tls.X509KeyPair([]byte(cert), []byte(key))`
			`if err == nil {`
			`return keyPair, nil`
			`}`

			`_, err = os.Stat(cert)`
			`if err != nil {`
			`return tls.Certificate{}, errors.New("cert file does not exist")`
			`}`

			`_, err = os.Stat(key)`
			`if err != nil {`
			`return tls.Certificate{}, errors.New("key file does not exist")`
			`}`

			`keyPair, err = tls.LoadX509KeyPair(cert, key)`
			`if err != nil {`
			`return tls.Certificate{}, err`
			`}`

			`return keyPair, nil`
			`}`