Record tls peer in logParts struct

* Record the TLS peer name in the logParts structure.

* By default use the CN of the first peer certificate.

* Allow a function to be specified which can extract whatever
  data is required from the connection and optionally return
  ok=false in order to close the connection.

* Add a test for the above

Signed-off-by: Alex Bligh <[email protected]>

Author: abligh

server.go

@@ -23,6 +23,10 @@ const (
 	datagramReadBufferSize    = 64 * 1024
 )
 
+// A function type which gets the TLS peer name from the connection. Can return
+// ok=false to terminate the connection
+type TlsPeerNameFunc func(tlsConn *tls.Conn) (tlsPeer string, ok bool)
+
 type Server struct {
 	listeners               []net.Listener
 	connections             []net.Conn
@@ -33,11 +37,12 @@ type Server struct {
 	handler                 Handler
 	lastError               error
 	readTimeoutMilliseconds int64
+	tlsPeerNameFunc         TlsPeerNameFunc
 }
 
 //NewServer returns a new Server
 func NewServer() *Server {
-	return &Server{}
+	return &Server{tlsPeerNameFunc: defaultTlsPeerName}
 }
 
 //Sets the syslog format (RFC3164 or RFC5424 or RFC6587)
@@ -55,6 +60,21 @@ func (s *Server) SetTimeout(millseconds int64) {
 	s.readTimeoutMilliseconds = millseconds
 }
 
+// Set the function that extracts a TLS peer name from the TLS connection
+func (s *Server) SetTlsPeerNameFunc(tlsPeerNameFunc TlsPeerNameFunc) {
+	s.tlsPeerNameFunc = tlsPeerNameFunc
+}
+
+// Default TLS peer name function - returns the CN of the certificate
+func defaultTlsPeerName(tlsConn *tls.Conn) (tlsPeer string, ok bool) {
+	state := tlsConn.ConnectionState()
+	if len(state.PeerCertificates) <= 0 {
+		return "", false
+	}
+	cn := state.PeerCertificates[0].Subject.CommonName
+	return cn, true
+}
+
 //Configure the server for listen on an UDP addr
 func (s *Server) ListenUDP(addr string) error {
 	udpAddr, err := net.ResolveUDPAddr("udp", addr)
@@ -171,20 +191,37 @@ func (s *Server) goScanConnection(connection net.Conn) {
 		scanner.Split(sf)
 	}
 
-	var scanCloser *ScanCloser
-	scanCloser = &ScanCloser{scanner, connection}
-
 	remoteAddr := connection.RemoteAddr()
 	var client string
 	if remoteAddr != nil {
 		client = remoteAddr.String()
 	}
 
+	tlsPeer := ""
+	if tlsConn, ok := connection.(*tls.Conn); ok {
+		// Handshake now so we get the TLS peer information
+		if err := tlsConn.Handshake(); err != nil {
+			connection.Close()
+			return
+		}
+		if s.tlsPeerNameFunc != nil {
+			var ok bool
+			tlsPeer, ok = s.tlsPeerNameFunc(tlsConn)
+			if !ok {
+				connection.Close()
+				return
+			}
+		}
+	}
+
+	var scanCloser *ScanCloser
+	scanCloser = &ScanCloser{scanner, connection}
+
 	s.wait.Add(1)
-	go s.scan(scanCloser, client)
+	go s.scan(scanCloser, client, tlsPeer)
 }
 
-func (s *Server) scan(scanCloser *ScanCloser, client string) {
+func (s *Server) scan(scanCloser *ScanCloser, client string, tlsPeer string) {
 loop:
 	for {
 		select {
@@ -196,7 +233,7 @@ loop:
 			scanCloser.closer.SetReadDeadline(time.Now().Add(time.Duration(s.readTimeoutMilliseconds) * time.Millisecond))
 		}
 		if scanCloser.Scan() {
-			s.parser([]byte(scanCloser.Text()), client)
+			s.parser([]byte(scanCloser.Text()), client, tlsPeer)
 		} else {
 			break loop
 		}
@@ -206,7 +243,7 @@ loop:
 	s.wait.Done()
 }
 
-func (s *Server) parser(line []byte, client string) {
+func (s *Server) parser(line []byte, client string, tlsPeer string) {
 	parser := s.format.GetParser(line)
 	err := parser.Parse()
 	if err != nil {
@@ -215,6 +252,7 @@ func (s *Server) parser(line []byte, client string) {
 
 	logParts := parser.Dump()
 	logParts["client"] = client
+	logParts["tls_peer"] = tlsPeer
 
 	s.handler.Handle(logParts, int64(len(line)), err)
 }
@@ -315,10 +353,10 @@ func (s *Server) goParseDatagrams() {
 				}
 				if sf := s.format.GetSplitFunc(); sf != nil {
 					if _, token, err := sf(msg.message, true); err == nil {
-						s.parser(token, msg.client)
+						s.parser(token, msg.client, "")
 					}
 				} else {
-					s.parser(msg.message, msg.client)
+					s.parser(msg.message, msg.client, "")
 				}
 			}
 		}

servertls_test.go

@@ -81,6 +81,7 @@ func (s *ServerSuite) TestTLS(c *C) {
 	c.Check(handler.LastLogParts["hostname"], Equals, "hostname")
 	c.Check(handler.LastLogParts["tag"], Equals, "tag")
 	c.Check(handler.LastLogParts["content"], Equals, "content")
+	c.Check(handler.LastLogParts["tls_peer"], Equals, "dummycert1")
 	c.Check(handler.LastMessageLength, Equals, int64(len(exampleSyslog)))
 	c.Check(handler.LastError, IsNil)
 }