From 6515ec1021b89942c45c76a289af9957a287b7ef Mon Sep 17 00:00:00 2001
From: geigerj0 <112163019+geigerj0@users.noreply.github.com>
Date: Tue, 5 May 2026 12:03:03 +0200
Subject: [PATCH 1/3] log peer cert
---
 handlers/middleware/middleware.go | 17 ++++++++++-
 handlers/middleware/middleware_test.go | 39 ++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/handlers/middleware/middleware.go b/handlers/middleware/middleware.go
index 3b9357f9a..f5a420886 100644
--- a/handlers/middleware/middleware.go
+++ b/handlers/middleware/middleware.go
@@ -21,11 +21,26 @@ type Emitter interface {
 func LogWrap(logger, accessLogger lager.Logger, loggableHandlerFunc LoggableHandlerFunc) http.HandlerFunc {
 lagerDataFromReq := func(r *http.Request) lager.Data {
- return lager.Data{
+ lagerData := lager.Data{
 "method": r.Method,
 "remote_addr": r.RemoteAddr,
 "request": r.URL.String(),
 }
+
+ if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+ indexLeafCertConnectionIsVerifiedAgainst := 0 // see also https://github.com/golang/go/blob/e929fb78e47dc191a402d34ca949d2e0c67e31b8/src/crypto/tls/common.go#L281-L282
+ cert := r.TLS.PeerCertificates[indexLeafCertConnectionIsVerifiedAgainst]
+
+ lagerData["peer_cert_subject_common_name"] = cert.Subject.CommonName
+ lagerData["peer_cert_subject_organizational_unit"] = cert.Subject.OrganizationalUnit
+ lagerData["peer_cert_subject_organization"] = cert.Subject.Organization
+
+ lagerData["peer_cert_issuer_common_name"] = cert.Issuer.CommonName
+ lagerData["peer_cert_issuer_organizational_unit"] = cert.Issuer.OrganizationalUnit
+ lagerData["peer_cert_issuer_organization"] = cert.Issuer.Organization
+ }
+
+ return lagerData
 }
 if accessLogger != nil {
diff --git a/handlers/middleware/middleware_test.go b/handlers/middleware/middleware_test.go
index c877d00ff..2f8349ff3 100644
--- a/handlers/middleware/middleware_test.go
+++ b/handlers/middleware/middleware_test.go
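Review bot: The subject and issuer fields are read from `r.TLS.PeerCertificates[0]`, which is the certificate as presented by the client; whether it was actually verified depends on the server's `tls.Config.ClientAuth` setting, which is outside this hunk. If the server can run in a mode that accepts unverified client certificates, these log fields are client-chosen strings rather than an authenticated identity, and a log consumer that treats them as one would be misled. Consider either guarding on `len(r.TLS.VerifiedChains) > 0` and reading the leaf from `r.TLS.VerifiedChains[0][0]`, or stating in a comment that the fields are only meaningful when client certificates are required and verified. The local `indexLeafCertConnectionIsVerifiedAgainst` could be dropped in favour of `cert := r.TLS.PeerCertificates[0] // leaf certificate; see crypto/tls ConnectionState.PeerCertificates`, keeping the intent in the comment rather than in a variable name. `LogWrap` continues past the end of the hunk.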
@@ -2,6 +2,9 @@ package middleware_test
 import (
 "code.cloudfoundry.org/bbs/cmd/bbs/config"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
 "net/http"
 "time"
@@ -308,6 +311,42 @@ var _ = Describe("Test Middleware", func() {
 Expect(accessLogger.Buffer()).To(gbytes.Say("remote_addr\":\"127.0.0.1:8080\""))
 Expect(accessLogger.Buffer()).To(gbytes.Say("request\":\"http://example.com\""))
 })
+
+ When("request has TLS peer certificates", func() {
+ BeforeEach(func() {
+ handler := middleware.LogWrap(logger, accessLogger, loggableHandlerFunc)
+ req, err := http.NewRequest("GET", "http://example.com", nil)
+ Expect(err).NotTo(HaveOccurred())
+ req.RemoteAddr = "127.0.0.1:8080"
+ req.TLS = &tls.ConnectionState{
+ PeerCertificates: []*x509.Certificate{
+ {
+ Subject: pkix.Name{
+ CommonName: "subject-cn",
+ OrganizationalUnit: []string{"subject-ou"},
+ Organization: []string{"subject-o"},
+ },
+ Issuer: pkix.Name{
+ CommonName: "issuer-cn",
+ OrganizationalUnit: []string{"issuer-ou"},
+ Organization: []string{"issuer-o"},
+ },
+ },
+ },
+ }
+
+ handler.ServeHTTP(nil, req)
+ })
+
+ It("logs peer certificate information", func() {
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_subject_common_name\":\"subject-cn\""))
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_subject_organization\":\\[\"subject-o\"\\]"))
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_subject_organizational_unit\":\\[\"subject-ou\"\\]"))
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_issuer_common_name\":\"issuer-cn\""))
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_issuer_organization\":\\[\"issuer-o\"\\]"))
+ Expect(logger.Buffer()).To(gbytes.Say("peer_cert_issuer_organizational_unit\":\\[\"issuer-ou\"\\]"))
+ })
+ })
 })
 })
 })
From 089c196c025da92a72663dfab20baeb314ba1024 Mon Sep 17 00:00:00 2001
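Review bot: The six `gbytes.Say` assertions in the new `It` block are order-sensitive, and the order they use does not match the order the keys will have inside a single log line: `gbytes.Say` advances the buffer past each match, and `lager.Data` is a map that lager's JSON sink serialises with sorted keys, so `peer_cert_issuer_*` precede `peer_cert_subject_*` on the same line. With the subject assertions running first, the issuer assertions can only pass if the data is emitted again on a later line (for example if `logger` writes the request data more than once), which ties the test to that incidental behaviour. Either reorder the assertions issuer-then-subject, or check each field against `logger.Buffer().Contents()` with `ContainSubstring` so position does not matter. The assertions also read only `logger` while `BeforeEach` passes both `logger` and `accessLogger` to `LogWrap`; if the access log is the one meant to carry the identity fields, it is not covered here.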
From: geigerj0 <112163019+geigerj0@users.noreply.github.com>
Date: Tue, 5 May 2026 14:00:59 +0200
Subject: [PATCH 2/3] improve test
---
 handlers/middleware/middleware_test.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/handlers/middleware/middleware_test.go b/handlers/middleware/middleware_test.go
index 2f8349ff3..3a21a2de9 100644
--- a/handlers/middleware/middleware_test.go
+++ b/handlers/middleware/middleware_test.go
@@ -314,10 +314,12 @@ var _ = Describe("Test Middleware", func() {
 When("request has TLS peer certificates", func() {
 BeforeEach(func() {
+ accessLogger = lagertest.NewTestLogger("")
+ accessLogger.RegisterSink(lager.NewWriterSink(GinkgoWriter, lager.INFO))
+
 handler := middleware.LogWrap(logger, accessLogger, loggableHandlerFunc)
- req, err := http.NewRequest("GET", "http://example.com", nil)
+ req, err := http.NewRequest("", "", nil)
 Expect(err).NotTo(HaveOccurred())
- req.RemoteAddr = "127.0.0.1:8080"
 req.TLS = &tls.ConnectionState{
 PeerCertificates: []*x509.Certificate{
 {
From 3c234ad6d8ae128dd50022fefa809833342f0dff Mon Sep 17 00:00:00 2001
From: geigerj0 <112163019+geigerj0@users.noreply.github.com>
Date: Tue, 5 May 2026 14:02:19 +0200
Subject: [PATCH 3/3] improve test
---
 handlers/middleware/middleware_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers/middleware/middleware_test.go b/handlers/middleware/middleware_test.go
index 3a21a2de9..cb4534f8b 100644
--- a/handlers/middleware/middleware_test.go
+++ b/handlers/middleware/middleware_test.go
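Review bot: The fresh `accessLogger` created at the top of `BeforeEach` is only given a `GinkgoWriter` sink and is never asserted on; the `It` block that follows (outside this hunk) still reads `logger.Buffer()`, so the access-log side of the peer-certificate fields remains unverified by this test. If the intent is to check that the fields reach the access log at INFO level, add an assertion such as `Expect(accessLogger.Buffer()).To(gbytes.Say("peer_cert_subject_common_name\":\"subject-cn\""))`. Reassigning the shared `accessLogger` variable inside a nested `BeforeEach` also carries over into later specs in the same container unless an outer `BeforeEach` resets it, which I cannot confirm from here.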
@@ -315,7 +315,7 @@ var _ = Describe("Test Middleware", func() {
 When("request has TLS peer certificates", func() {
 BeforeEach(func() {
 accessLogger = lagertest.NewTestLogger("")
- accessLogger.RegisterSink(lager.NewWriterSink(GinkgoWriter, lager.INFO))
+ accessLogger.RegisterSink(lager.NewWriterSink(GinkgoWriter, lager.INFO)) // peer cert information should be logged at INFO level
 handler := middleware.LogWrap(logger, accessLogger, loggableHandlerFunc)
 req, err := http.NewRequest("", "", nil)