traefik/middlewares/passtlsclientcert/pass_tls_client_cert.go

package passtlsclientcert

import (
	"context"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/url"
	"strings"

	"github.com/containous/traefik/config"
	"github.com/containous/traefik/middlewares"
	"github.com/containous/traefik/tracing"
	"github.com/opentracing/opentracing-go/ext"
	"github.com/sirupsen/logrus"
)

const (
	xForwardedTLSClientCert      = "X-Forwarded-Tls-Client-Cert"
	xForwardedTLSClientCertInfos = "X-Forwarded-Tls-Client-Cert-infos"
	typeName                     = "PassClientTLSCert"
)

// passTLSClientCert is a middleware that helps setup a few tls info features.
type passTLSClientCert struct {
	next  http.Handler
	name  string
	pem   bool                       // pass the sanitized pem to the backend in a specific header
	infos *tlsClientCertificateInfos // pass selected information from the client certificate
}

// New constructs a new PassTLSClientCert instance from supplied frontend header struct.
func New(ctx context.Context, next http.Handler, config config.PassTLSClientCert, name string) (http.Handler, error) {
	middlewares.GetLogger(ctx, name, typeName).Debug("Creating middleware")

	return &passTLSClientCert{
		next:  next,
		name:  name,
		pem:   config.PEM,
		infos: newTLSClientInfos(config.Infos),
	}, nil
}

// tlsClientCertificateInfos is a struct for specifying the configuration for the passTLSClientCert middleware.
type tlsClientCertificateInfos struct {
	notAfter  bool
	notBefore bool
	subject   *tlsCLientCertificateSubjectInfos
	sans      bool
}

func newTLSClientInfos(infos *config.TLSClientCertificateInfos) *tlsClientCertificateInfos {
	if infos == nil {
		return nil
	}

	return &tlsClientCertificateInfos{
		notBefore: infos.NotBefore,
		notAfter:  infos.NotAfter,
		sans:      infos.Sans,
		subject:   newTLSCLientCertificateSubjectInfos(infos.Subject),
	}
}

// tlsCLientCertificateSubjectInfos contains the configuration for the certificate subject infos.
type tlsCLientCertificateSubjectInfos struct {
	country      bool
	province     bool
	locality     bool
	Organization bool
	commonName   bool
	serialNumber bool
}

func newTLSCLientCertificateSubjectInfos(infos *config.TLSCLientCertificateSubjectInfos) *tlsCLientCertificateSubjectInfos {
	if infos == nil {
		return nil
	}

	return &tlsCLientCertificateSubjectInfos{
		serialNumber: infos.SerialNumber,
		commonName:   infos.CommonName,
		country:      infos.Country,
		locality:     infos.Locality,
		Organization: infos.Organization,
		province:     infos.Province,
	}
}

func (p *passTLSClientCert) GetTracingInformation() (string, ext.SpanKindEnum) {
	return p.name, tracing.SpanKindNoneEnum
}

func (p *passTLSClientCert) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	logger := middlewares.GetLogger(req.Context(), p.name, typeName)
	p.modifyRequestHeaders(logger, req)
	p.next.ServeHTTP(rw, req)
}

// getSubjectInfos extract the requested information from the certificate subject.
func (p *passTLSClientCert) getSubjectInfos(cs *pkix.Name) string {
	var subject string

	if p.infos != nil && p.infos.subject != nil {
		options := p.infos.subject

		var content []string

		if options.country && len(cs.Country) > 0 {
			content = append(content, fmt.Sprintf("C=%s", cs.Country[0]))
		}

		if options.province && len(cs.Province) > 0 {
			content = append(content, fmt.Sprintf("ST=%s", cs.Province[0]))
		}

		if options.locality && len(cs.Locality) > 0 {
			content = append(content, fmt.Sprintf("L=%s", cs.Locality[0]))
		}

		if options.Organization && len(cs.Organization) > 0 {
			content = append(content, fmt.Sprintf("O=%s", cs.Organization[0]))
		}

		if options.commonName && len(cs.CommonName) > 0 {
			content = append(content, fmt.Sprintf("CN=%s", cs.CommonName))
		}

		if len(content) > 0 {
			subject = `Subject="` + strings.Join(content, ",") + `"`
		}
	}

	return subject
}

// getXForwardedTLSClientCertInfos Build a string with the wanted client certificates information
// like Subject="C=%s,ST=%s,L=%s,O=%s,CN=%s",NB=%d,NA=%d,SAN=%s;
func (p *passTLSClientCert) getXForwardedTLSClientCertInfos(certs []*x509.Certificate) string {
	var headerValues []string

	for _, peerCert := range certs {
		var values []string
		var sans string
		var nb string
		var na string

		subject := p.getSubjectInfos(&peerCert.Subject)
		if len(subject) > 0 {
			values = append(values, subject)
		}

		ci := p.infos
		if ci != nil {
			if ci.notBefore {
				nb = fmt.Sprintf("NB=%d", uint64(peerCert.NotBefore.Unix()))
				values = append(values, nb)
			}
			if ci.notAfter {
				na = fmt.Sprintf("NA=%d", uint64(peerCert.NotAfter.Unix()))
				values = append(values, na)
			}

			if ci.sans {
				sans = fmt.Sprintf("SAN=%s", strings.Join(getSANs(peerCert), ","))
				values = append(values, sans)
			}
		}

		value := strings.Join(values, ",")
		headerValues = append(headerValues, value)
	}

	return strings.Join(headerValues, ";")
}

// modifyRequestHeaders set the wanted headers with the certificates information.
func (p *passTLSClientCert) modifyRequestHeaders(logger logrus.FieldLogger, r *http.Request) {
	if p.pem {
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			r.Header.Set(xForwardedTLSClientCert, getXForwardedTLSClientCert(logger, r.TLS.PeerCertificates))
		} else {
			logger.Warn("Try to extract certificate on a request without TLS")
		}
	}

	if p.infos != nil {
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			headerContent := p.getXForwardedTLSClientCertInfos(r.TLS.PeerCertificates)
			r.Header.Set(xForwardedTLSClientCertInfos, url.QueryEscape(headerContent))
		} else {
			logger.Warn("Try to extract certificate on a request without TLS")
		}
	}
}

// sanitize As we pass the raw certificates, remove the useless data and make it http request compliant.
func sanitize(cert []byte) string {
	s := string(cert)
	r := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "",
		"-----END CERTIFICATE-----", "",
		"\n", "")
	cleaned := r.Replace(s)

	return url.QueryEscape(cleaned)
}

// extractCertificate extract the certificate from the request.
func extractCertificate(logger logrus.FieldLogger, cert *x509.Certificate) string {
	b := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}
	certPEM := pem.EncodeToMemory(&b)
	if certPEM == nil {
		logger.Error("Cannot extract the certificate content")
		return ""
	}
	return sanitize(certPEM)
}

// getXForwardedTLSClientCert Build a string with the client certificates.
func getXForwardedTLSClientCert(logger logrus.FieldLogger, certs []*x509.Certificate) string {
	var headerValues []string

	for _, peerCert := range certs {
		headerValues = append(headerValues, extractCertificate(logger, peerCert))
	}

	return strings.Join(headerValues, ",")
}

// getSANs get the Subject Alternate Name values.
func getSANs(cert *x509.Certificate) []string {
	var sans []string
	if cert == nil {
		return sans
	}

	sans = append(cert.DNSNames, cert.EmailAddresses...)

	var ips []string
	for _, ip := range cert.IPAddresses {
		ips = append(ips, ip.String())
	}
	sans = append(sans, ips...)

	var uris []string
	for _, uri := range cert.URIs {
		uris = append(uris, uri.String())
	}

	return append(sans, uris...)
}
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`package passtlsclientcert`

			`import (`
			`"context"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"net/http"`
			`"net/url"`
			`"strings"`

			`"github.com/containous/traefik/config"`
			`"github.com/containous/traefik/middlewares"`
			`"github.com/containous/traefik/tracing"`
			`"github.com/opentracing/opentracing-go/ext"`
			`"github.com/sirupsen/logrus"`
			`)`

			`const (`
			`xForwardedTLSClientCert = "X-Forwarded-Tls-Client-Cert"`
			`xForwardedTLSClientCertInfos = "X-Forwarded-Tls-Client-Cert-infos"`
			`typeName = "PassClientTLSCert"`
			`)`

			`// passTLSClientCert is a middleware that helps setup a few tls info features.`
			`type passTLSClientCert struct {`
			`next http.Handler`
			`name string`
			`pem bool // pass the sanitized pem to the backend in a specific header`
			`infos *tlsClientCertificateInfos // pass selected information from the client certificate`
			`}`

			`// New constructs a new PassTLSClientCert instance from supplied frontend header struct.`
			`func New(ctx context.Context, next http.Handler, config config.PassTLSClientCert, name string) (http.Handler, error) {`
			`middlewares.GetLogger(ctx, name, typeName).Debug("Creating middleware")`

			`return &passTLSClientCert{`
			`next: next,`
			`name: name,`
			`pem: config.PEM,`
			`infos: newTLSClientInfos(config.Infos),`
			`}, nil`
			`}`

			`// tlsClientCertificateInfos is a struct for specifying the configuration for the passTLSClientCert middleware.`
			`type tlsClientCertificateInfos struct {`
			`notAfter bool`
			`notBefore bool`
			`subject *tlsCLientCertificateSubjectInfos`
			`sans bool`
			`}`

			`func newTLSClientInfos(infos config.TLSClientCertificateInfos) tlsClientCertificateInfos {`
			`if infos == nil {`
			`return nil`
			`}`

			`return &tlsClientCertificateInfos{`
			`notBefore: infos.NotBefore,`
			`notAfter: infos.NotAfter,`
			`sans: infos.Sans,`
			`subject: newTLSCLientCertificateSubjectInfos(infos.Subject),`
			`}`
			`}`

			`// tlsCLientCertificateSubjectInfos contains the configuration for the certificate subject infos.`
			`type tlsCLientCertificateSubjectInfos struct {`
			`country bool`
			`province bool`
			`locality bool`
			`Organization bool`
			`commonName bool`
			`serialNumber bool`
			`}`

			`func newTLSCLientCertificateSubjectInfos(infos config.TLSCLientCertificateSubjectInfos) tlsCLientCertificateSubjectInfos {`
			`if infos == nil {`
			`return nil`
			`}`

			`return &tlsCLientCertificateSubjectInfos{`
			`serialNumber: infos.SerialNumber,`
			`commonName: infos.CommonName,`
			`country: infos.Country,`
			`locality: infos.Locality,`
			`Organization: infos.Organization,`
			`province: infos.Province,`
			`}`
			`}`

			`func (p *passTLSClientCert) GetTracingInformation() (string, ext.SpanKindEnum) {`
			`return p.name, tracing.SpanKindNoneEnum`
			`}`

			`func (p passTLSClientCert) ServeHTTP(rw http.ResponseWriter, req http.Request) {`
			`logger := middlewares.GetLogger(req.Context(), p.name, typeName)`
			`p.modifyRequestHeaders(logger, req)`
			`p.next.ServeHTTP(rw, req)`
			`}`

			`// getSubjectInfos extract the requested information from the certificate subject.`
			`func (p passTLSClientCert) getSubjectInfos(cs pkix.Name) string {`
			`var subject string`

			`if p.infos != nil && p.infos.subject != nil {`
			`options := p.infos.subject`

			`var content []string`

			`if options.country && len(cs.Country) > 0 {`
			`content = append(content, fmt.Sprintf("C=%s", cs.Country[0]))`
			`}`

			`if options.province && len(cs.Province) > 0 {`
			`content = append(content, fmt.Sprintf("ST=%s", cs.Province[0]))`
			`}`

			`if options.locality && len(cs.Locality) > 0 {`
			`content = append(content, fmt.Sprintf("L=%s", cs.Locality[0]))`
			`}`

			`if options.Organization && len(cs.Organization) > 0 {`
			`content = append(content, fmt.Sprintf("O=%s", cs.Organization[0]))`
			`}`

			`if options.commonName && len(cs.CommonName) > 0 {`
			`content = append(content, fmt.Sprintf("CN=%s", cs.CommonName))`
			`}`

			`if len(content) > 0 {`
			subject = `Subject="` + strings.Join(content, ",") + `"`
			`}`
			`}`

			`return subject`
			`}`

			`// getXForwardedTLSClientCertInfos Build a string with the wanted client certificates information`
			`// like Subject="C=%s,ST=%s,L=%s,O=%s,CN=%s",NB=%d,NA=%d,SAN=%s;`
			`func (p passTLSClientCert) getXForwardedTLSClientCertInfos(certs []x509.Certificate) string {`
			`var headerValues []string`

			`for _, peerCert := range certs {`
			`var values []string`
			`var sans string`
			`var nb string`
			`var na string`

			`subject := p.getSubjectInfos(&peerCert.Subject)`
			`if len(subject) > 0 {`
			`values = append(values, subject)`
			`}`

			`ci := p.infos`
			`if ci != nil {`
			`if ci.notBefore {`
			`nb = fmt.Sprintf("NB=%d", uint64(peerCert.NotBefore.Unix()))`
			`values = append(values, nb)`
			`}`
			`if ci.notAfter {`
			`na = fmt.Sprintf("NA=%d", uint64(peerCert.NotAfter.Unix()))`
			`values = append(values, na)`
			`}`

			`if ci.sans {`
			`sans = fmt.Sprintf("SAN=%s", strings.Join(getSANs(peerCert), ","))`
			`values = append(values, sans)`
			`}`
			`}`

			`value := strings.Join(values, ",")`
			`headerValues = append(headerValues, value)`
			`}`

			`return strings.Join(headerValues, ";")`
			`}`

			`// modifyRequestHeaders set the wanted headers with the certificates information.`
			`func (p passTLSClientCert) modifyRequestHeaders(logger logrus.FieldLogger, r http.Request) {`
			`if p.pem {`
			`if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {`
			`r.Header.Set(xForwardedTLSClientCert, getXForwardedTLSClientCert(logger, r.TLS.PeerCertificates))`
			`} else {`
			`logger.Warn("Try to extract certificate on a request without TLS")`
			`}`
			`}`

			`if p.infos != nil {`
			`if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {`
			`headerContent := p.getXForwardedTLSClientCertInfos(r.TLS.PeerCertificates)`
			`r.Header.Set(xForwardedTLSClientCertInfos, url.QueryEscape(headerContent))`
			`} else {`
			`logger.Warn("Try to extract certificate on a request without TLS")`
			`}`
			`}`
			`}`

			`// sanitize As we pass the raw certificates, remove the useless data and make it http request compliant.`
			`func sanitize(cert []byte) string {`
			`s := string(cert)`
			`r := strings.NewReplacer("-----BEGIN CERTIFICATE-----", "",`
			`"-----END CERTIFICATE-----", "",`
			`"\n", "")`
			`cleaned := r.Replace(s)`

			`return url.QueryEscape(cleaned)`
			`}`

			`// extractCertificate extract the certificate from the request.`
			`func extractCertificate(logger logrus.FieldLogger, cert *x509.Certificate) string {`
			`b := pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}`
			`certPEM := pem.EncodeToMemory(&b)`
			`if certPEM == nil {`
			`logger.Error("Cannot extract the certificate content")`
			`return ""`
			`}`
			`return sanitize(certPEM)`
			`}`

			`// getXForwardedTLSClientCert Build a string with the client certificates.`
			`func getXForwardedTLSClientCert(logger logrus.FieldLogger, certs []*x509.Certificate) string {`
			`var headerValues []string`

			`for _, peerCert := range certs {`
			`headerValues = append(headerValues, extractCertificate(logger, peerCert))`
			`}`

			`return strings.Join(headerValues, ",")`
			`}`

			`// getSANs get the Subject Alternate Name values.`
			`func getSANs(cert *x509.Certificate) []string {`
			`var sans []string`
			`if cert == nil {`
			`return sans`
			`}`

			`sans = append(cert.DNSNames, cert.EmailAddresses...)`

			`var ips []string`
			`for _, ip := range cert.IPAddresses {`
			`ips = append(ips, ip.String())`
			`}`
			`sans = append(sans, ips...)`

			`var uris []string`
			`for _, uri := range cert.URIs {`
			`uris = append(uris, uri.String())`
			`}`

			`return append(sans, uris...)`
			`}`