baalajimaestro/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Add serial number certificate to forward headers

Browse source
This commit is contained in:
David 2019-12-12 00:32:03 +01:00 committed by Traefiker Bot
parent 3f1484480e
commit 5f50d2e230
8 changed files with 52 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
docs/content/middlewares/passtlsclientcert.md
View file

@ -70,6 +70,7 @@ http:
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"

1
docs/content/reference/dynamic-configuration/file.toml
View file

@ -196,6 +196,7 @@
notAfter = true
notBefore = true
sans = true
serialNumber = true
[http.middlewares.Middleware12.passTLSClientCert.info.subject]
country = true
province = true

1
docs/content/reference/dynamic-configuration/file.yaml
View file

@ -239,6 +239,7 @@ http:
commonName: true
serialNumber: true
domainComponent: true
serialNumber: true
Middleware13:
rateLimit:
average: 42

1
docs/content/reference/dynamic-configuration/kv-ref.md
View file

@ -92,6 +92,7 @@
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/notAfter` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/notBefore` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/sans` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/serialNumber` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/commonName` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/country` | `true` |
| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/domainComponent` | `true` |

11
pkg/config/dynamic/middlewares.go
View file

@ -377,11 +377,12 @@ type StripPrefixRegex struct {
// TLSClientCertificateInfo holds the client TLS certificate info configuration.
type TLSClientCertificateInfo struct {
NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty"`
NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty"`
Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty"`
Subject *TLSCLientCertificateDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty"`
Issuer *TLSCLientCertificateDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty"`
NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty"`
NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty"`
Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty"`
Subject *TLSCLientCertificateDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty"`
Issuer *TLSCLientCertificateDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty"`
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty"`
}
// +k8s:deepcopy-gen=true

12
pkg/config/label/label_test.go
View file

@ -84,6 +84,7 @@ func TestDecodeConfiguration(t *testing.T) {
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.notafter": "true",
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.notbefore": "true",
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.sans": "true",
"traefik.http.middlewares.Middleware11.passTLSClientCert.info.serialNumber": "true",
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.commonname": "true",
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.country": "true",
"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.domaincomponent": "true",
@ -294,8 +295,9 @@ func TestDecodeConfiguration(t *testing.T) {
PassTLSClientCert: &dynamic.PassTLSClientCert{
PEM: true,
Info: &dynamic.TLSClientCertificateInfo{
NotAfter: true,
NotBefore: true,
NotAfter: true,
NotBefore: true,
SerialNumber: true,
Subject: &dynamic.TLSCLientCertificateDNInfo{
Country: true,
Province: true,
@ -699,8 +701,9 @@ func TestEncodeConfiguration(t *testing.T) {
PassTLSClientCert: &dynamic.PassTLSClientCert{
PEM: true,
Info: &dynamic.TLSClientCertificateInfo{
NotAfter: true,
NotBefore: true,
NotAfter: true,
NotBefore: true,
SerialNumber: true,
Subject: &dynamic.TLSCLientCertificateDNInfo{
Country: true,
Province: true,
@ -1061,6 +1064,7 @@ func TestEncodeConfiguration(t *testing.T) {
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.SerialNumber": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province": "true",
"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality": "true",

29
pkg/middlewares/passtlsclientcert/pass_tls_client_cert.go
View file

@ -64,11 +64,12 @@ func newDistinguishedNameOptions(info *dynamic.TLSCLientCertificateDNInfo) *Dist
// tlsClientCertificateInfo is a struct for specifying the configuration for the passTLSClientCert middleware.
type tlsClientCertificateInfo struct {
notAfter bool
notBefore bool
sans bool
subject *DistinguishedNameOptions
issuer *DistinguishedNameOptions
notAfter bool
notBefore bool
sans bool
subject *DistinguishedNameOptions
issuer *DistinguishedNameOptions
serialNumber bool
}
func newTLSClientCertificateInfo(info *dynamic.TLSClientCertificateInfo) *tlsClientCertificateInfo {
@ -77,11 +78,12 @@ func newTLSClientCertificateInfo(info *dynamic.TLSClientCertificateInfo) *tlsCli
}
return &tlsClientCertificateInfo{
issuer: newDistinguishedNameOptions(info.Issuer),
notAfter: info.NotAfter,
notBefore: info.NotBefore,
subject: newDistinguishedNameOptions(info.Subject),
sans: info.Sans,
issuer: newDistinguishedNameOptions(info.Issuer),
notAfter: info.NotAfter,
notBefore: info.NotBefore,
subject: newDistinguishedNameOptions(info.Subject),
serialNumber: info.SerialNumber,
sans: info.Sans,
}
}
@ -155,6 +157,13 @@ func (p *passTLSClientCert) getCertInfo(ctx context.Context, certs []*x509.Certi
values = append(values, fmt.Sprintf(`Issuer="%s"`, strings.TrimSuffix(issuer, subFieldSeparator)))
}
if p.info.serialNumber && peerCert.SerialNumber != nil {
sn := peerCert.SerialNumber.String()
if sn != "" {
values = append(values, fmt.Sprintf(`SerialNumber="%s"`, strings.TrimSuffix(sn, subFieldSeparator)))
}
}
if p.info.notBefore {
values = append(values, fmt.Sprintf(`NB="%d"`, uint64(peerCert.NotBefore.Unix())))
}

23
pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go
View file

@ -345,6 +345,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
minimalCheeseCertAllInfo := strings.Join([]string{
`Subject="C=FR,ST=Some-State,O=Cheese"`,
`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
`SerialNumber="481535886039632329873080491016862977516759989652"`,
`NB="1544094636"`,
`NA="1632568236"`,
}, fieldSeparator)
@ -352,6 +353,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
completeCertAllInfo := strings.Join([]string{
`Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com"`,
`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
`SerialNumber="1"`,
`NB="1544094616"`,
`NA="1607166616"`,
`SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"`,
@ -399,9 +401,10 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
certContents: []string{minimalCheeseCrt},
config: dynamic.PassTLSClientCert{
Info: &dynamic.TLSClientCertificateInfo{
NotAfter: true,
NotBefore: true,
Sans: true,
NotAfter: true,
NotBefore: true,
Sans: true,
SerialNumber: true,
Subject: &dynamic.TLSCLientCertificateDNInfo{
CommonName: true,
Country: true,
@ -446,9 +449,10 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
certContents: []string{completeCheeseCrt},
config: dynamic.PassTLSClientCert{
Info: &dynamic.TLSClientCertificateInfo{
NotAfter: true,
NotBefore: true,
Sans: true,
NotAfter: true,
NotBefore: true,
Sans: true,
SerialNumber: true,
Subject: &dynamic.TLSCLientCertificateDNInfo{
Country: true,
Province: true,
@ -476,9 +480,10 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
certContents: []string{minimalCheeseCrt, completeCheeseCrt},
config: dynamic.PassTLSClientCert{
Info: &dynamic.TLSClientCertificateInfo{
NotAfter: true,
NotBefore: true,
Sans: true,
NotAfter: true,
NotBefore: true,
Sans: true,
SerialNumber: true,
Subject: &dynamic.TLSCLientCertificateDNInfo{
Country: true,
Province: true,