added new auth-tls-match-cn annotation (#8434)

* added new auth-tls-match-cn annotation * added few more tests
2022-04-15 15:59:10 -04:00 · 2022-04-15 15:59:10 -04:00 · f9372aa495
commit f9372aa495
parent 81c2afd975
5 changed files with 116 additions and 0 deletions
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@ -18,6 +18,7 @@ package authtls

 import (
 	"fmt"
+
 	networking "k8s.io/api/networking/v1"

 	"regexp"
@ -35,6 +36,7 @@ const (

 var (
 	authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
+	commonNameRegex       = regexp.MustCompile(`CN=`)
 )

 // Config contains the AuthSSLCert used for mutual authentication
@ -45,6 +47,7 @@ type Config struct {
 	ValidationDepth    int    `json:"validationDepth"`
 	ErrorPage          string `json:"errorPage"`
 	PassCertToUpstream bool   `json:"passCertToUpstream"`
+	MatchCN            string `json:"matchCN"`
 	AuthTLSError       string
 }

@ -127,5 +130,10 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
 		config.PassCertToUpstream = false
 	}

+	config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing)
+	if err != nil || !commonNameRegex.MatchString(config.MatchCN) {
+		config.MatchCN = ""
+	}
+
 	return config, nil
 }