caddytls: set server name in context (#6324)

willnorris · web-flow · commit e66040a6f0b3 · 2024-05-18T03:52:19.000-06:00
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.

Signed-off-by: Will Norris &lt;will@tailscale.com&gt;
diff --git a/go.mod b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046
+	github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933
 	github.com/yuin/goldmark v1.7.1
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
diff --git a/go.sum b/go.sum
@@ -410,8 +410,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046 h1:8rUlviSVOEe7TMk7W0gIPrW8MqEzYfZHpsNWSf8s2vg=
-github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
+github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933 h1:pV0H+XIvFoP7pl1MRtyPXh5hqoxB5I7snOtTHgrn6HU=
+github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
diff --git a/modules/caddytls/certmanagers.go b/modules/caddytls/certmanagers.go
@@ -22,6 +22,9 @@ func init() {
 	caddy.RegisterModule(HTTPCertGetter{})
 }
 
+// For referencing the requested SNI server name.
+const ClientHelloSNICtxKey caddy.CtxKey = "client_hello_sni"
+
 // Tailscale is a module that can get certificates from the local Tailscale process.
 type Tailscale struct {
 	logger *zap.Logger
@@ -41,14 +44,15 @@ func (ts *Tailscale) Provision(ctx caddy.Context) error {
 }
 
 func (ts Tailscale) GetCertificate(ctx context.Context, hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	ctx = context.WithValue(ctx, ClientHelloSNICtxKey, hello.ServerName)
 	canGetCert, err := ts.canHazCertificate(ctx, hello)
 	if err == nil && !canGetCert {
 		return nil, nil // pass-thru: Tailscale can't offer a cert for this name
 	}
 	if err != nil {
 		ts.logger.Warn("could not get status; will try to get certificate anyway", zap.Error(err))
 	}
-	return tscert.GetCertificate(hello)
+	return tscert.GetCertificateWithContext(ctx, hello)
 }
 
 // canHazCertificate returns true if Tailscale reports it can get a certificate for the given ClientHello.

-Original file line number
+Diff line change
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 -	github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046
 +	github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933
 	github.com/yuin/goldmark v1.7.1
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,9 @@ func init() {`
`22`	`22`	`caddy.RegisterModule(HTTPCertGetter{})`
`23`	`23`	`}`
`24`	`24`
	`25`	`+// For referencing the requested SNI server name.`
	`26`	`+const ClientHelloSNICtxKey caddy.CtxKey = "client_hello_sni"`
	`27`	`+`
`25`	`28`	`// Tailscale is a module that can get certificates from the local Tailscale process.`
`26`	`29`	`type Tailscale struct {`
`27`	`30`	`logger *zap.Logger`
`@@ -41,14 +44,15 @@ func (ts *Tailscale) Provision(ctx caddy.Context) error {`
`41`	`44`	`}`
`42`	`45`
`43`	`46`	`func (ts Tailscale) GetCertificate(ctx context.Context, hello tls.ClientHelloInfo) (tls.Certificate, error) {`
	`47`	`+ ctx = context.WithValue(ctx, ClientHelloSNICtxKey, hello.ServerName)`
`44`	`48`	`canGetCert, err := ts.canHazCertificate(ctx, hello)`
`45`	`49`	`if err == nil && !canGetCert {`
`46`	`50`	`return nil, nil // pass-thru: Tailscale can't offer a cert for this name`
`47`	`51`	`}`
`48`	`52`	`if err != nil {`
`49`	`53`	`ts.logger.Warn("could not get status; will try to get certificate anyway", zap.Error(err))`
`50`	`54`	`}`
`51`		`- return tscert.GetCertificate(hello)`
	`55`	`+ return tscert.GetCertificateWithContext(ctx, hello)`
`52`	`56`	`}`
`53`	`57`
`54`	`58`	`// canHazCertificate returns true if Tailscale reports it can get a certificate for the given ClientHello.`