add adaptions for mtls verification for servisemesh training, move dockerfiles in seperate folder

Author: stroebitzer

Makefile

@@ -25,37 +25,37 @@ run: build
 
 .PHONY: docker-lint
 docker-lint: 
-	hadolint Dockerfile
+	hadolint docker/Dockerfile
 
 .PHONY: docker-lint-all
 docker-lint-all: 
-	hadolint Dockerfile
-	hadolint Dockerfile-A
-	hadolint Dockerfile-B --ignore DL3025
-	hadolint Dockerfile-distroless --ignore DL3006
+	hadolint docker/Dockerfile
+	hadolint docker/Dockerfile-A
+	hadolint docker/Dockerfile-B --ignore DL3025
+	hadolint docker/Dockerfile-distroless --ignore DL3006
 
 .PHONY: docker-build
-docker-build: build
-	docker build -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
+docker-build: build docker-lint
+	docker build -f docker/Dockerfile -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
 
 .PHONY: docker-run
 docker-run: docker-build
 	docker run -it --rm -p 8080:8080 -m=10m --cpus=".5" --name ${APPLICATION_NAME} ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION}
 
 .PHONY: docker-build-all
 docker-build-all: lint docker-lint
-	docker build -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
-	docker build -f Dockerfile-A -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_A} .
-	docker build -f Dockerfile-B -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_B} .
-	docker build -f Dockerfile-distroless -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_DISTROLESS} .
+	docker build -f docker/Dockerfile -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
+	docker build -f docker/Dockerfile-A -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_A} .
+	docker build -f docker/Dockerfile-B -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_B} .
+	docker build -f docker/Dockerfile-distroless -t ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_DISTROLESS} .
 
 .PHONY: docker-push
 docker-push: 
-	docker buildx build --push --platform linux/arm64,linux/amd64 --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
+	docker buildx build --push --platform linux/arm64,linux/amd64  -f docker/Dockerfile --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
 
 .PHONY: docker-push-all
 docker-push-all: 
-	docker buildx build --push --platform linux/arm64,linux/amd64 --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
-	docker buildx build --push --platform linux/arm64,linux/amd64 -f Dockerfile-A --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_A} .
-	docker buildx build --push --platform linux/arm64,linux/amd64 -f Dockerfile-B --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_B} .
-	docker buildx build --push --platform linux/arm64,linux/amd64 -f Dockerfile-distroless --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_DISTROLESS} .
+	docker buildx build --push --platform linux/arm64,linux/amd64 -f docker/Dockerfile --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION} .
+	docker buildx build --push --platform linux/arm64,linux/amd64 -f docker/Dockerfile-A --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_A} .
+	docker buildx build --push --platform linux/arm64,linux/amd64 -f docker/Dockerfile-B --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_B} .
+	docker buildx build --push --platform linux/arm64,linux/amd64 -f docker/Dockerfile-distroless --tag ${IMAGE_REPOSITORY}/${APPLICATION_NAME}:${BUILD_VERSION_DISTROLESS} .

Dockerfile docker/DockerfileDockerfile renamed to docker/Dockerfile

@@ -2,8 +2,6 @@ package main
 
 import (
 	"bufio"
-	"crypto/x509"
-	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
@@ -133,31 +131,7 @@ func request(url string) error {
 		}
 	}()
 
-	log.Infof("StatusCode of response %d", resp.StatusCode)
-
-	if resp.TLS == nil {
-		log.Info("Response is not encrypted")
-		clientCertHeader := resp.Header.Get("X-Client-Cert")
-		if clientCertHeader != "" {
-			certData, err := base64.StdEncoding.DecodeString(clientCertHeader)
-			if err != nil {
-				log.Errorf("error decoding proxied certificate: %s", err)
-			}
-			cert, err := x509.ParseCertificate(certData)
-			if err != nil {
-				log.Errorf("error parsing proxied certificate: %s", err)
-			}
-			log.Info(getCertString("Proxied certificate", cert))
-		} else {
-			log.Infof("No proxied certificate found")
-		}
-	} else {
-		log.Info("Response is encrypted")
-		log.Infof("TLS Version: %d", resp.TLS.Version)
-		for i, cert := range resp.TLS.PeerCertificates {
-			log.Info(getCertString(fmt.Sprintf("Certificate %d", i+1), cert))
-		}
-	}
+	log.Info(newResponseInfo(resp))
 
 	bodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -167,24 +141,10 @@ func request(url string) error {
 	if len(bodyString) >= 100 {
 		bodyString = bodyString[:100]
 	}
-	log.Infof("Response Body: %s", bodyString)
+	log.Infof("Response Body: \n%s", bodyString)
 	return nil
 }
 
-func getCertString(header string, cert *x509.Certificate) string {
-	var sb strings.Builder
-	sb.WriteString(fmt.Sprintf("%s: \n", header))
-	sb.WriteString(fmt.Sprintf("\tCertificate Subject: %s\n", cert.Subject.String()))
-	sb.WriteString(fmt.Sprintf("\tCertificate Issuer: %s\n", cert.Issuer.String()))
-	sb.WriteString(fmt.Sprintf("\tCertificate Serial Number: %s\n", cert.SerialNumber.String()))
-	sb.WriteString(fmt.Sprintf("\tCertificate Not Before: %s\n", cert.NotBefore.String()))
-	sb.WriteString(fmt.Sprintf("\tCertificate Not After: %s\n", cert.NotAfter.String()))
-	sb.WriteString(fmt.Sprintf("\tCertificate DNS Names: %v\n", cert.DNSNames))
-	sb.WriteString(fmt.Sprintf("\tCertificate Email Addresses: %v\n", cert.EmailAddresses))
-	sb.WriteString(fmt.Sprintf("\tCertificate IP Addresses: %v\n", cert.IPAddresses))
-	return sb.String()
-}
-
 func leakMem() {
 	memLeak := make([]string, 0)
 	count := 0

Dockerfile-A docker/Dockerfile-ADockerfile-A renamed to docker/Dockerfile-A

@@ -0,0 +1,49 @@
+package main
+
+import (
+	_ "embed"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type requestInfo struct {
+	Method     string
+	Url        string
+	Proto      string
+	Host       string
+	RemoteAddr string
+	RequestUri string
+	TLS        bool
+	Header     map[string][]string
+}
+
+func newRequestInfo(r *http.Request) *requestInfo {
+	return &requestInfo{
+		Method:     r.Method,
+		Url:        r.URL.String(),
+		Proto:      r.Proto,
+		Host:       r.Host,
+		RemoteAddr: r.RemoteAddr,
+		RequestUri: r.RequestURI,
+		TLS:        r.TLS != nil,
+		Header:     r.Header,
+	}
+}
+
+func (ri *requestInfo) String() string {
+	var sb strings.Builder
+	sb.WriteString("Request Info:\n")
+	sb.WriteString(fmt.Sprintf("\tMethod:     %v\n", ri.Method))
+	sb.WriteString(fmt.Sprintf("\tUrl:        %v\n", ri.Url))
+	sb.WriteString(fmt.Sprintf("\tProto:      %v\n", ri.Proto))
+	sb.WriteString(fmt.Sprintf("\tHost:       %v\n", ri.Host))
+	sb.WriteString(fmt.Sprintf("\tRemoteAddr: %v\n", ri.RemoteAddr))
+	sb.WriteString(fmt.Sprintf("\tRequestUri: %v\n", ri.RequestUri))
+	sb.WriteString(fmt.Sprintf("\tTLS:        %v\n", ri.TLS))
+	sb.WriteString("\tHeader:\n")
+	for key, value := range ri.Header {
+		sb.WriteString(fmt.Sprintf("\t\t%v: %v\n", key,value))
+	}
+	return sb.String()
+}

Dockerfile-B docker/Dockerfile-BDockerfile-B renamed to docker/Dockerfile-B

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	_ "embed"
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+type certInfo struct {
+	Subject        string
+	Issuer         string
+}
+
+type tlsInfo struct {
+	ServerName  string
+	CertInfos   []*certInfo
+}
+
+type responseInfo struct {
+	Status     string
+	Proto      string
+	TlsInfo    *tlsInfo
+	Header     map[string][]string
+}
+
+func newCertInfos(certs []*x509.Certificate) []*certInfo {
+	certInfos := make([]*certInfo, len(certs))
+	for i, cert := range certs {
+		certInfos[i] = &certInfo{
+			Subject:        strings.TrimSpace(cert.Subject.CommonName),
+			Issuer:         strings.TrimSpace(cert.Issuer.CommonName),
+		}
+	} 
+	return certInfos
+}
+
+func newTLSInfo(s *tls.ConnectionState) *tlsInfo {
+	if s == nil {
+		return nil
+	} else {
+		return &tlsInfo{
+			ServerName:  s.ServerName,
+			CertInfos:  newCertInfos(s.PeerCertificates),
+		}
+	}
+}
+
+func newResponseInfo(r *http.Response) *responseInfo {
+	return &responseInfo{
+		Status:     r.Status,
+		Proto:      r.Proto,
+		TlsInfo:    newTLSInfo(r.TLS),
+		Header:     r.Header,
+	}
+}
+
+func (ri *responseInfo) String() string {
+	var sb strings.Builder
+	sb.WriteString("Response Info:\n")
+	sb.WriteString(fmt.Sprintf("\tStatus: %v\n", ri.Status))
+	sb.WriteString(fmt.Sprintf("\tProto: %v\n", ri.Proto))
+	if ri.TlsInfo == nil {
+		sb.WriteString("\tTLS: false\n")
+	} else {
+		sb.WriteString("\tTLS:\n")
+		sb.WriteString(fmt.Sprintf("\t\tServer Name: %s\n", ri.TlsInfo.ServerName))
+		sb.WriteString("\t\tCertificates:\n")
+		for _, ci := range ri.TlsInfo.CertInfos {
+			sb.WriteString(fmt.Sprintf("\t\t\tCertificate Subject: %s - Certificate Issuer: %s\n", ci.Subject, ci.Issuer))
+		}
+	}
+	sb.WriteString("\tHeader:\n")
+	for key, value := range ri.Header {
+		sb.WriteString(fmt.Sprintf("\t\t%v: %v\n", key, value))
+	}
+	return sb.String()
+}

Dockerfile-distroless docker/Dockerfile-distrolessDockerfile-distroless renamed to docker/Dockerfile-distroless

@@ -34,9 +34,10 @@ <h3>About the Request</h3>
   RemoteAddr: {{.RequestInfo.RemoteAddr}}<br>
   RequestUri: {{.RequestInfo.RequestUri}}<br>
   TLS: {{.RequestInfo.TLS}}<br>
-  HeaderXForwardedProto: {{.RequestInfo.HeaderXForwardedProto}}<br>
-  HeaderXForwardedFor: {{.RequestInfo.HeaderXForwardedFor}}<br>
-  HeaderXForwardedPort: {{.RequestInfo.HeaderXForwardedPort}}<br>
+  Header:<br>
+  {{ range $key, $value := .RequestInfo.Header }}
+  {{$key}}: {{$value}}<br>
+  {{ end}}
 
   {{if .CatImageURL}}
   <h2>The cute cat</h2>