Merge pull request #150 from joewilliams/metrics

tlsconfig trace implementation
spiffe · Sep 17, 2020 · 5bab594 · 5bab594
2 parents 13cad8a + 0ca6ea6
commit 5bab594
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 49 deletions.
diff --git a/v2/spiffetls/dial.go b/v2/spiffetls/dial.go
@@ -59,9 +59,9 @@ func DialWithMode(ctx context.Context, network, addr string, mode DialMode, opti
 	case tlsClientMode:
 		tlsconfig.HookTLSClientConfig(tlsConfig, m.bundle, m.authorizer)
 	case mtlsClientMode:
-		tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer)
+		tlsconfig.HookMTLSClientConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsoptions...)
 	case mtlsWebClientMode:
-		tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots)
+		tlsconfig.HookMTLSWebClientConfig(tlsConfig, m.svid, m.roots, opt.tlsoptions...)
 	default:
 		return nil, spiffetlsErr.New("unknown client mode: %v", m.mode)
 	}

diff --git a/v2/spiffetls/listen.go b/v2/spiffetls/listen.go
@@ -89,9 +89,9 @@ func NewListenerWithMode(ctx context.Context, inner net.Listener, mode ListenMod
 
 	switch m.mode {
 	case tlsServerMode:
-		tlsconfig.HookTLSServerConfig(tlsConfig, m.svid)
+		tlsconfig.HookTLSServerConfig(tlsConfig, m.svid, opt.tlsoptions...)
 	case mtlsServerMode:
-		tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer)
+		tlsconfig.HookMTLSServerConfig(tlsConfig, m.svid, m.bundle, m.authorizer, opt.tlsoptions...)
 	case mtlsWebServerMode:
 		tlsconfig.HookMTLSWebServerConfig(tlsConfig, m.cert, m.bundle, m.authorizer)
 	default:

diff --git a/v2/spiffetls/option.go b/v2/spiffetls/option.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"net"
 
+	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
 	"github.com/zeebo/errs"
 )
 
@@ -23,12 +24,14 @@ func (fn dialOption) apply(c *dialConfig) {
 type dialConfig struct {
 	baseTLSConf *tls.Config
 	dialer      *net.Dialer
+	tlsoptions  []tlsconfig.Option
 }
 
 type listenOption func(*listenConfig)
 
 type listenConfig struct {
 	baseTLSConf *tls.Config
+	tlsoptions  []tlsconfig.Option
 }
 
 func (fn listenOption) apply(c *listenConfig) {
@@ -44,6 +47,13 @@ func WithDialTLSConfigBase(base *tls.Config) DialOption {
 	})
 }
 
+// WithDialTLSOptions provides options to use for the TLS config.
+func WithDialTLSOptions(opts ...tlsconfig.Option) DialOption {
+	return dialOption(func(c *dialConfig) {
+		c.tlsoptions = opts
+	})
+}
+
 // WithDialer provides a net dialer to use. If unset, the standard net dialer
 // will be used.
 func WithDialer(dialer *net.Dialer) DialOption {
@@ -65,3 +75,10 @@ func WithListenTLSConfigBase(base *tls.Config) ListenOption {
 		c.baseTLSConf = base
 	})
 }
+
+// WithListenTLSOptions provides options to use when doing Server mTLS.
+func WithListenTLSOptions(opts ...tlsconfig.Option) ListenOption {
+	return listenOption(func(c *listenConfig) {
+		c.tlsoptions = opts
+	})
+}
diff --git a/v2/spiffetls/tlsconfig/config.go b/v2/spiffetls/tlsconfig/config.go
@@ -10,79 +10,108 @@ import (
 
 // TLSClientConfig returns a TLS configuration which verifies and authorizes
 // the server X509-SVID.
-func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func TLSClientConfig(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookTLSClientConfig(config, bundle, authorizer)
+	HookTLSClientConfig(config, bundle, authorizer, opts...)
 	return config
 }
 
 // HookTLSClientConfig sets up the TLS configuration to verify and authorize
 // the server X509-SVID. If there is an existing callback set for
 // VerifyPeerCertificate it will be wrapped by by this package and invoked
 // after SPIFFE authentication has completed.
-func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer) {
+func HookTLSClientConfig(config *tls.Config, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
+}
+
+// A Option changes the defaults used to by mTLS ClientConfig functions.
+type Option interface {
+	apply(*options)
+}
+
+type option func(*options)
+
+func (fn option) apply(o *options) { fn(o) }
+
+type options struct {
+	trace Trace
+}
+
+func newOptions(opts []Option) *options {
+	out := &options{}
+	for _, opt := range opts {
+		opt.apply(out)
+	}
+	return out
+}
+
+// WithTrace will use the provided tracing callbacks
+// when various TLS config functions gets invoked.
+func WithTrace(trace Trace) Option {
+	return option(func(opts *options) {
+		opts.trace = trace
+	})
 }
 
 // MTLSClientConfig returns a TLS configuration which presents an X509-SVID
 // to the server and verifies and authorizes the server X509-SVID.
-func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func MTLSClientConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSClientConfig(config, svid, bundle, authorizer)
+	HookMTLSClientConfig(config, svid, bundle, authorizer, opts...)
 	return config
 }
 
 // HookMTLSClientConfig sets up the TLS configuration to present an X509-SVID
 // to the server and verify and authorize the server X509-SVID. If there is an
 // existing callback set for VerifyPeerCertificate it will be wrapped by by
 // this package and invoked after SPIFFE authentication has completed.
-func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer) {
+func HookMTLSClientConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
-	config.GetClientCertificate = GetClientCertificate(svid)
+	config.GetClientCertificate = GetClientCertificate(svid, opts...)
 	config.InsecureSkipVerify = true
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebClientConfig returns a TLS configuration which presents an X509-SVID
 // to the server and verifies the server certificate using provided roots (or
 // the system roots if nil).
-func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool) *tls.Config {
+func MTLSWebClientConfig(svid x509svid.Source, roots *x509.CertPool, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSWebClientConfig(config, svid, roots)
+	HookMTLSWebClientConfig(config, svid, roots, opts...)
 	return config
 }
 
 // HookMTLSWebClientConfig sets up the TLS configuration to present an
 // X509-SVID to the server and verifies the server certificate using the
 // provided roots (or the system roots if nil).
-func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool) {
+func HookMTLSWebClientConfig(config *tls.Config, svid x509svid.Source, roots *x509.CertPool, opts ...Option) {
 	resetAuthFields(config)
-	config.GetClientCertificate = GetClientCertificate(svid)
+	config.GetClientCertificate = GetClientCertificate(svid, opts...)
 	config.RootCAs = roots
 }
 
 // TLSServerConfig returns a TLS configuration which presents an X509-SVID
 // to the client and does not require or verify client certificates.
-func TLSServerConfig(svid x509svid.Source) *tls.Config {
+func TLSServerConfig(svid x509svid.Source, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookTLSServerConfig(config, svid)
+	HookTLSServerConfig(config, svid, opts...)
 	return config
 }
 
 // HookTLSServerConfig sets up the TLS configuration to present an X509-SVID
 // to the client and to not require or verify client certificates.
-func HookTLSServerConfig(config *tls.Config, svid x509svid.Source) {
+func HookTLSServerConfig(config *tls.Config, svid x509svid.Source, opts ...Option) {
 	resetAuthFields(config)
-	config.GetCertificate = GetCertificate(svid)
+	config.GetCertificate = GetCertificate(svid, opts...)
 }
 
 // MTLSServerConfig returns a TLS configuration which presents an X509-SVID
 // to the client and requires, verifies, and authorizes client X509-SVIDs.
-func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSServerConfig(config, svid, bundle, authorizer)
+	HookMTLSServerConfig(config, svid, bundle, authorizer, opts...)
 	return config
 }
 
@@ -91,19 +120,19 @@ func MTLSServerConfig(svid x509svid.Source, bundle x509bundle.Source, authorizer
 // there is an existing callback set for VerifyPeerCertificate it will be
 // wrapped by by this package and invoked after SPIFFE authentication has
 // completed.
-func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer) {
+func HookMTLSServerConfig(config *tls.Config, svid x509svid.Source, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
-	config.GetCertificate = GetCertificate(svid)
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.GetCertificate = GetCertificate(svid, opts...)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // MTLSWebServerConfig returns a TLS configuration which presents a web
 // server certificate to the client and requires, verifies, and authorizes
 // client X509-SVIDs.
-func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) *tls.Config {
+func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) *tls.Config {
 	config := new(tls.Config)
-	HookMTLSWebServerConfig(config, cert, bundle, authorizer)
+	HookMTLSWebServerConfig(config, cert, bundle, authorizer, opts...)
 	return config
 }
 
@@ -112,34 +141,36 @@ func MTLSWebServerConfig(cert *tls.Certificate, bundle x509bundle.Source, author
 // X509-SVIDs. If there is an existing callback set for VerifyPeerCertificate
 // it will be wrapped by by this package and invoked after SPIFFE
 // authentication has completed.
-func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer) {
+func HookMTLSWebServerConfig(config *tls.Config, cert *tls.Certificate, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) {
 	resetAuthFields(config)
 	config.ClientAuth = tls.RequireAnyClientCert
 	config.Certificates = []tls.Certificate{*cert}
-	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer)
+	config.VerifyPeerCertificate = WrapVerifyPeerCertificate(config.VerifyPeerCertificate, bundle, authorizer, opts...)
 }
 
 // GetCertificate returns a GetCertificate callback for tls.Config. It uses the
 // given X509-SVID getter to obtain a server X509-SVID for the TLS handshake.
-func GetCertificate(svid x509svid.Source) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+func GetCertificate(svid x509svid.Source, opts ...Option) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+	opt := newOptions(opts)
 	return func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
-		return getTLSCertificate(svid)
+		return getTLSCertificate(svid, opt.trace)
 	}
 }
 
 // GetClientCertificate returns a GetClientCertificate callback for tls.Config.
 // It uses the given X509-SVID getter to obtain a client X509-SVID for the TLS
 // handshake.
-func GetClientCertificate(svid x509svid.Source) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+func GetClientCertificate(svid x509svid.Source, opts ...Option) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+	opt := newOptions(opts)
 	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
-		return getTLSCertificate(svid)
+		return getTLSCertificate(svid, opt.trace)
 	}
 }
 
 // VerifyPeerCertificate returns a VerifyPeerCertificate callback for
 // tls.Config. It uses the given bundle source and authorizer to verify and
 // authorize X509-SVIDs provided by peers during the TLS handshake.
-func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {
 		id, certs, err := x509svid.ParseAndVerify(raw, bundle)
 		if err != nil {
@@ -154,9 +185,9 @@ func VerifyPeerCertificate(bundle x509bundle.Source, authorizer Authorizer) func
 // SPIFFE authentication against the peer certificates using the given bundle and
 // authorizer. The wrapped callback will be passed the verified chains.
 // Note: TLS clients must set `InsecureSkipVerify` when doing SPIFFE authentication to disable hostname verification.
-func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer) func([][]byte, [][]*x509.Certificate) error {
+func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) error, bundle x509bundle.Source, authorizer Authorizer, opts ...Option) func([][]byte, [][]*x509.Certificate) error {
 	if wrapped == nil {
-		return VerifyPeerCertificate(bundle, authorizer)
+		return VerifyPeerCertificate(bundle, authorizer, opts...)
 	}
 
 	return func(raw [][]byte, _ [][]*x509.Certificate) error {
@@ -173,10 +204,18 @@ func WrapVerifyPeerCertificate(wrapped func([][]byte, [][]*x509.Certificate) err
 	}
 }
 
-func getTLSCertificate(svid x509svid.Source) (*tls.Certificate, error) {
+func getTLSCertificate(svid x509svid.Source, trace Trace) (*tls.Certificate, error) {
+	var traceVal interface{}
+	if trace.GetCertificate != nil {
+		traceVal = trace.GetCertificate()
+	}
+
 	s, err := svid.GetX509SVID()
 	if err != nil {
-		return nil, err
+		if trace.GotCertificate != nil {
+			trace.GotCertificate(traceVal, GotCertificateInfo{Err: err})
+			return nil, err
+		}
 	}
 
 	cert := &tls.Certificate{
@@ -188,6 +227,10 @@ func getTLSCertificate(svid x509svid.Source) (*tls.Certificate, error) {
 		cert.Certificate = append(cert.Certificate, svidCert.Raw)
 	}
 
+	if trace.GotCertificate != nil {
+		trace.GotCertificate(traceVal, GotCertificateInfo{Cert: cert})
+	}
+
 	return cert, nil
 }