serv/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-01-14 23:06:27 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

caddyhttp: Add support to resolve DN in CEL expression (#3608)

Browse source
This commit is contained in:
v-rosa 2020-07-31 22:06:30 +01:00 committed by GitHub
parent 3860b235d0
commit 514eef33fe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 98 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
modules/caddyhttp/celmatcher.go
View file

@ -15,6 +15,7 @@
package caddyhttp package caddyhttp
import ( import (
"crypto/x509/pkix"
"encoding/json" "encoding/json"
"fmt" "fmt"
"net/http" "net/http"
@ -199,6 +200,27 @@ func (cr celHTTPRequest) Equal(other ref.Val) ref.Val {
func (celHTTPRequest) Type() ref.Type { return httpRequestCELType } func (celHTTPRequest) Type() ref.Type { return httpRequestCELType }
func (cr celHTTPRequest) Value() interface{} { return cr } func (cr celHTTPRequest) Value() interface{} { return cr }
var pkixNameCELType = types.NewTypeValue("pkix.Name", traits.ReceiverType)
// celPkixName wraps an pkix.Name with
// methods to satisfy the ref.Val interface.
type celPkixName struct{ *pkix.Name }
func (pn celPkixName) ConvertToNative(typeDesc reflect.Type) (interface{}, error) {
return pn.Name, nil
}
func (celPkixName) ConvertToType(typeVal ref.Type) ref.Val {
panic("not implemented")
}
func (pn celPkixName) Equal(other ref.Val) ref.Val {
if o, ok := other.Value().(string); ok {
return types.Bool(pn.Name.String() == o)
}
return types.ValOrErr(other, "%v is not comparable type", other)
}
func (celPkixName) Type() ref.Type { return pkixNameCELType }
func (pn celPkixName) Value() interface{} { return pn }
// celTypeAdapter can adapt our custom types to a CEL value. // celTypeAdapter can adapt our custom types to a CEL value.
type celTypeAdapter struct{} type celTypeAdapter struct{}
@ -206,6 +228,8 @@ func (celTypeAdapter) NativeToValue(value interface{}) ref.Val {
switch v := value.(type) { switch v := value.(type) {
case celHTTPRequest: case celHTTPRequest:
return v return v
case pkix.Name:
return celPkixName{&v}
case time.Time: case time.Time:
// TODO: eliminate direct protobuf dependency, sigh -- just wrap stdlib time.Time instead... // TODO: eliminate direct protobuf dependency, sigh -- just wrap stdlib time.Time instead...
return types.Timestamp{Timestamp: &timestamp.Timestamp{Seconds: v.Unix(), Nanos: int32(v.Nanosecond())}} return types.Timestamp{Timestamp: &timestamp.Timestamp{Seconds: v.Unix(), Nanos: int32(v.Nanosecond())}}

75
modules/caddyhttp/celmatcher_test.go
View file

@ -15,6 +15,11 @@
package caddyhttp package caddyhttp
import ( import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"net/http/httptest"
"testing" "testing"
"github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2"
@ -27,7 +32,7 @@ func TestMatchExpressionProvision(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{ {
name: "boolean mtaches succeed", name: "boolean matches succeed",
expression: &MatchExpression{ expression: &MatchExpression{
Expr: "{http.request.uri.query} != ''", Expr: "{http.request.uri.query} != ''",
}, },
@ -49,3 +54,71 @@ func TestMatchExpressionProvision(t *testing.T) {
}) })
} }
} }
func TestMatchExpressionMatch(t *testing.T) {
clientCert := []byte(`-----BEGIN CERTIFICATE-----
MIIB9jCCAV+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1DYWRk
eSBUZXN0IENBMB4XDTE4MDcyNDIxMzUwNVoXDTI4MDcyMTIxMzUwNVowHTEbMBkG
A1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDFDEpzF0ew68teT3xDzcUxVFaTII+jXH1ftHXxxP4BEYBU4q90qzeKFneF
z83I0nC0WAQ45ZwHfhLMYHFzHPdxr6+jkvKPASf0J2v2HDJuTM1bHBbik5Ls5eq+
fVZDP8o/VHKSBKxNs8Goc2NTsr5b07QTIpkRStQK+RJALk4x9QIDAQABo0swSTAJ
BgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A
AAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEANSjz2Sk+
eqp31wM9il1n+guTNyxJd+FzVAH+hCZE5K+tCgVDdVFUlDEHHbS/wqb2PSIoouLV
3Q9fgDkiUod+uIK0IynzIKvw+Cjg+3nx6NQ0IM0zo8c7v398RzB4apbXKZyeeqUH
9fNwfEi+OoXR6s+upSKobCmLGLGi9Na5s5g=
-----END CERTIFICATE-----`)
tests := []struct {
name string
expression *MatchExpression
wantErr bool
wantResult bool
clientCertificate []byte
}{
{
name: "boolean matches succeed for placeholder http.request.tls.client.subject",
expression: &MatchExpression{
Expr: "{http.request.tls.client.subject} == 'CN=client.localdomain'",
},
clientCertificate: clientCert,
wantResult: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := tt.expression.Provision(caddy.Context{}); (err != nil) != tt.wantErr {
t.Errorf("MatchExpression.Provision() error = %v, wantErr %v", err, tt.wantErr)
}
req := httptest.NewRequest("GET", "https://example.com/foo", nil)
repl := caddy.NewReplacer()
ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
req = req.WithContext(ctx)
addHTTPVarsToReplacer(repl, req, httptest.NewRecorder())
if tt.clientCertificate != nil {
block, _ := pem.Decode(clientCert)
if block == nil {
t.Fatalf("failed to decode PEM certificate")
}
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
t.Fatalf("failed to decode PEM certificate: %v", err)
}
req.TLS = &tls.ConnectionState{
PeerCertificates: []*x509.Certificate{cert},
}
}
if tt.expression.Match(req) != tt.wantResult {
t.Errorf("MatchExpression.Match() expected to return '%t', for expression : '%s'", tt.wantResult, tt.expression)
}
})
}
}