wip: Add replacer vars for mTLS connection details. #67
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is based on the effort in caddyhttp's replacer but with added Subject/Issuer details. Also include a minor update to add the cipher_suite replacer for parity.
|
Hey, thanks for the PR. Sorry I haven't replied yet. Been really busy trying to get Caddy 2.6 ready to go. This is still on my list 🙃 |
mholt
approved these changes
Sep 7, 2022
|
I think I should remove some of those FIXMEs. What would you like me to do with them? |
mholt
reviewed
Dec 13, 2023
| @@ -104,6 +120,209 @@ func (t *Handler) Handle(cx *layer4.Connection, next layer4.Handler) error { | |||
| return next.Handle(cx.Wrap(tlsConn)) | |||
| } | |||
|
|
|||
| // FIXME: Should this perhaps be moved instead to caddytls? | |||
There was a problem hiding this comment.
Let's start by trying it here first, then it'll be easier to consider moving it upstream. 👍
mholt
reviewed
Dec 13, 2023
| input string | ||
| expect string | ||
| }{ | ||
| // FIXME: These are set during the match phase, but it's unclear how to construct a test that properly |
There was a problem hiding this comment.
I probably need to build out more test tools for this module (and Caddy too).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is based on the effort in caddyhttp's replacer but
with added Subject/Issuer details.
Also include a minor update to add the cipher_suite replacer for parity.
May be a wee bit overkill, but we actually do OU tests on incoming connections to validate which component in our stack issued the client cert. It did make me think one could refactor this to be sitting in caddy's caddytls module so both may share the Replacer with corresponding prefixes.
I added a basic test based on the http module but didn't know how to go about mocking the entire connection so some of the clientHello replacer values aren't tested.