Add TLS Cipher header

RiskIdent · Jul 22, 2024 · 978507a · 978507a
1 parent b81b791
commit 978507a
Show file tree

Hide file tree

Showing 8 changed files with 127 additions and 126 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,7 +12,7 @@ jobs:
     name: Main Process
     runs-on: ubuntu-latest
     env:
-      GO_VERSION: 1.19
+      GO_VERSION: 1.22
       GOLANGCI_LINT_VERSION: v1.50.0
       YAEGI_VERSION: v0.14.2
       CGO_ENABLED: 0
@@ -24,20 +24,20 @@ jobs:
 
       # https://github.com/marketplace/actions/setup-go-environment
       - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ env.GO_VERSION }}
 
       # https://github.com/marketplace/actions/checkout
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           path: go/src/github.com/${{ github.repository }}
           fetch-depth: 0
 
       # https://github.com/marketplace/actions/cache
       - name: Cache Go modules
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ github.workspace }}/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}

diff --git a/.traefik.yml b/.traefik.yml
@@ -1,12 +1,11 @@
-displayName: Demo Plugin
+displayName: TLS headers
 type: middleware
 iconPath: .assets/icon.png
 
-import: github.com/traefik/plugindemo
+import: github.com/RiskIdent/traefik-tls-headers-plugin
 
-summary: '[Demo] Add Request Header'
+summary: 'Add TLS information to request headers'
 
 testData:
   Headers:
-    X-Demo: test
-    X-URL: '{{URL}}'
+    X-TLS-Cipher: TLS_AES_128_GCM_SHA256
diff --git a/demo.go b/demo.go
diff --git a/demo_test.go b/demo_test.go
diff --git a/go.mod b/go.mod
@@ -1,3 +1,3 @@
-module github.com/traefik/plugindemo
+module github.com/RiskIdent/traefik-tls-headers-plugin
 
-go 1.19
+go 1.22.5
diff --git a/go.sum b/go.sum
diff --git a/plugin.go b/plugin.go
@@ -0,0 +1,57 @@
+// Package plugin contains the Traefik plugin for adding headers based on the
+// TLS information
+package plugin
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"net/http"
+)
+
+var errMissingHeaderConfig = errors.New("missing header config: must set headers.cipher")
+
+// Config the plugin configuration.
+type Config struct {
+	Headers ConfigHeaders `json:"headers,omitempty"`
+}
+
+// ConfigHeaders defines the headers to use for the different values.
+type ConfigHeaders struct {
+	Cipher string `json:"port,omitempty"`
+}
+
+// CreateConfig creates the default plugin configuration.
+func CreateConfig() *Config {
+	return &Config{
+		Headers: ConfigHeaders{},
+	}
+}
+
+// TLSHeadersPlugin is the main handler model for this Traefik plugin.
+type TLSHeadersPlugin struct {
+	next    http.Handler
+	headers ConfigHeaders
+	name    string
+}
+
+// New created a new TLSHeadersPlugin.
+func New(_ context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
+	if config.Headers == (ConfigHeaders{}) {
+		return nil, errMissingHeaderConfig
+	}
+
+	return &TLSHeadersPlugin{
+		headers: config.Headers,
+		next:    next,
+		name:    name,
+	}, nil
+}
+
+func (a *TLSHeadersPlugin) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
+	if a.headers.Cipher != "" && req.TLS != nil {
+		req.Header.Set(a.headers.Cipher, tls.CipherSuiteName(req.TLS.CipherSuite))
+	}
+
+	a.next.ServeHTTP(rw, req)
+}
diff --git a/plugin_test.go b/plugin_test.go
@@ -0,0 +1,60 @@
+package plugin_test
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	plugin "github.com/RiskIdent/traefik-tls-headers-plugin"
+)
+
+func TestInvalidConfig(t *testing.T) {
+	cfg := plugin.CreateConfig()
+	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
+	_, err := plugin.New(context.Background(), next, cfg, "traefik-tls-headers-plugin")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+}
+
+func TestTLSCipher(t *testing.T) {
+	cfg := plugin.CreateConfig()
+	cfg.Headers.Cipher = "X-TLS-Cipher"
+	next := http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
+		assertHeader(t, r.Header, "X-TLS-Cipher", "TLS_AES_128_GCM_SHA256")
+	})
+	handler, err := plugin.New(context.Background(), next, cfg, "traefik-tls-headers-plugin")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	server := httptest.NewTLSServer(handler)
+	defer server.Close()
+
+	req, err := http.NewRequest(http.MethodGet, server.URL, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	client := server.Client()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+	}(resp.Body)
+}
+
+func assertHeader(t *testing.T, header http.Header, key, expected string) {
+	t.Helper()
+
+	if header.Get(key) != expected {
+		t.Errorf("invalid header value\nwant: %s=%q\ngot:  %s=%q", key, expected, key, header.Get(key))
+	}
+}