codit/backend/internal/middleware/tls_client_log.go

package middleware
import "crypto/x509"
import "crypto/x509/pkix"
import "net/http"
import "strings"
import "codit/internal/pkiutil"
// ClientCertLogInfo holds the client-certificate attributes that a request
// logger can emit. Every field is a string that ClientCertLogFields pre-fills
// with "-" when the corresponding value is unavailable, so log formatters never
// have to special-case requests without a client certificate.
type ClientCertLogInfo struct {
	SubjectCN   string // leaf certificate subject: CommonName, else the full DN string
	IssuerCN    string // issuer name, same rule as SubjectCN
	Serial      string // certificate serial number in hexadecimal
	UserID      string // authorization attributes parsed from the certificate
	Username    string // (see pkiutil.ParseClientAuthorizationFromCertificate)
	ProfileID   string
	Permissions string // comma-joined permission list
	Scope       string
}
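// ClientCertLogFields extracts the client-certificate attributes worth logging
// for r. Every field starts as "-" so callers can emit the struct
// unconditionally; a field is only replaced when the request carries a
// non-blank value for it.
//
// r may be nil or lack a TLS state; in both cases the placeholder struct is
// returned. Only the leaf certificate (PeerCertificates[0]) is inspected.
// Authorization attributes come from
// pkiutil.ParseClientAuthorizationFromCertificate; when that call fails or
// reports no embedded authorization, the subject/issuer/serial fields are still
// returned and the authorization fields stay "-". This is a logging helper, so
// the parse error is deliberately not surfaced to the caller.
//
// Every value copied out of the certificate goes through logSafe, so a subject,
// username or scope containing control characters (CR/LF in particular) cannot
// split or forge log records.
func ClientCertLogFields(r *http.Request) ClientCertLogInfo {
	info := ClientCertLogInfo{
		SubjectCN:   "-",
		IssuerCN:    "-",
		Serial:      "-",
		UserID:      "-",
		Username:    "-",
		ProfileID:   "-",
		Permissions: "-",
		Scope:       "-",
	}
	if r == nil || r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return info
	}
	cert := r.TLS.PeerCertificates[0]
	if cert == nil {
		return info
	}

	info.SubjectCN = logSafe(clientCertName(cert.Subject))
	info.IssuerCN = logSafe(clientCertName(cert.Issuer))
	if cert.SerialNumber != nil {
		// Text(16) yields only hex digits (and a leading '-' for negative
		// values), so no sanitizing is needed; a blank result still maps
		// back to the placeholder.
		if serial := cert.SerialNumber.Text(16); strings.TrimSpace(serial) != "" {
			info.Serial = serial
		}
	}

	authInfo, hasAuthInfo, err := pkiutil.ParseClientAuthorizationFromCertificate(cert)
	if err != nil || !hasAuthInfo {
		// Best effort: a certificate without (or with a malformed) authorization
		// payload still produces the certificate-level fields above.
		return info
	}
	setLogField(&info.UserID, authInfo.UserID)
	setLogField(&info.Username, authInfo.Username)
	setLogField(&info.ProfileID, authInfo.ProfileID)
	if len(authInfo.Permissions) > 0 {
		info.Permissions = logSafe(strings.Join(authInfo.Permissions, ","))
	}
	setLogField(&info.Scope, authInfo.Scope)
	return info
}

// setLogField stores the sanitized value in *dst when value is non-blank;
// a blank value leaves the existing "-" placeholder untouched.
func setLogField(dst *string, value string) {
	if strings.TrimSpace(value) != "" {
		*dst = logSafe(value)
	}
}

// logSafe replaces every C0/C1 control character (U+0000–U+001F,
// U+007F–U+009F) in s with '?', so certificate-derived text cannot inject
// line breaks or terminal escape sequences into a log line. Printable text is
// returned unchanged.
func logSafe(s string) string {
	return strings.Map(func(c rune) rune {
		if c < 0x20 || (c >= 0x7f && c <= 0x9f) {
			return '?'
		}
		return c
	}, s)
}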
func clientCertName(name pkix.Name) string {
if strings.TrimSpace(name.CommonName) != "" {
return name.CommonName
}
if strings.TrimSpace(name.String()) != "" {
return name.String()
}
return "-"
}