Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update TO to handle Client-Cert-Subject HTTP header for client cert authentication. #8013

Closed
wants to merge 7 commits into from
Closed

Update TO to handle Client-Cert-Subject HTTP header for client cert authentication. #8013

wants to merge 7 commits into from

Conversation

jagan-parthiban
Copy link
Contributor

Overview,

Traffic Ops needs to accept Impersonation Certificates as described in the blueprint: https://github.com/apache/trafficcontrol/blob/master/blueprints/client-certificate-auth.md#traffic-ops-impact

Currently, TO only accepts a UID presented directly in the Subject of a client certificate. TO MUST accept a UID presented in the Client-Cert-Subject field as well. If a client certificate with an empty UID in the Subject field is presented in a request that also contains a Client-Cert-Subject HTTP header, TO MUST use the contents of the Client-Cert-Subject header to determine the UID of the client.

Which Traffic Control components are affected by this PR?

  • Traffic Ops

What is the best way to verify this PR?

Manual Testing,

  1. Test certificates can be created using the file located at,

trafficcontrol/experimental/certificate_auth/certs/generate_certs.go

  1. Ensure that the UID field is empty at line,

    trafficcontrol/experimental/certificate_auth/certs/generate_certs.go

    Line 58 in a892235

    uid = "userid"

    uid = ""

  2. Running go run generate_certs.go will produce private keys and certificates for Root, Intermediate, and Client. Place the Root certificate in the directory location specified in the cdn.conf file,

"client_certificate_authentication" : {
    "root_certificates_directory" : "/etc/pki/tls/certs/"
}

  1. Launch a Traffic Ops instance.

  2. In the trafficcontrol/experimental/certificate_auth/example/client.go file, uncomment the following line to set UID via Client-Cert-Subject header and change the UID value to match the user you want to authenticate,

req.Header.Set("Client-Cert-Subject", "CN=client,OU=client,O=client,L=client,ST=client,C=US,UID=userID")

  1. run the client.go file to send a request to the user/login Traffic Ops with the Client and Intermediate certs along with the http header Client-Cert-Subject ,

go run client.go

  1. Upon success, a 200 OK status code will be returned along with the following body:
{
    "alerts": [
        {
            "text": "Successfully logged in.",
            "level": "success"
        }
    ]
}

If this is a bugfix, which Traffic Control versions contained the bug?

PR submission checklist

@jagan-parthiban jagan-parthiban changed the title Do Not Merge - Update TO to handle impersonation certificate Incomplete - Update TO to handle impersonation certificate May 22, 2024
@jagan-parthiban jagan-parthiban marked this pull request as ready for review May 22, 2024 08:32
@jagan-parthiban jagan-parthiban force-pushed the to/client-cert-subject branch from 1bf6e3d to d138a40 Compare May 23, 2024 05:42
@jagan-parthiban jagan-parthiban changed the title Incomplete - Update TO to handle impersonation certificate Update TO to handle Client-Cert-Subject HTTP header May 23, 2024
@jagan-parthiban jagan-parthiban changed the title Update TO to handle Client-Cert-Subject HTTP header Update TO to handle Client-Cert-Subject HTTP header for client cert authentication. May 23, 2024
ericholguin
ericholguin requested changes May 30, 2024
View reviewed changes
traffic_ops/traffic_ops_golang/login/login.go Outdated

// skipped certificate-based auth, log and continue
if !triedAuthentication {
log.Infof("skipped certificate-based auth because either no certs provided by the client or no configuration is set")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should remove this otherwise it will fill up our logs every time someone tries to authenticate

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

traffic_ops/traffic_ops_golang/login/login.go Outdated

// Failed certificate-based auth, perform standard form auth
if !authenticated {
log.Infof("user %s could not be successfully authenticated using client certificates", form.Username)
if triedAuthentication && !authenticated {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the case that cert authentication isn't tried (triedAuthentication = false) the code will not enter this conditional, which means form auth wont work unless a user tries to authenticate with a certificate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Missed it. Fixed.

@jagan-parthiban
Copy link
Contributor Author

Not Planned For Now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ericholguin ericholguin ericholguin requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jagan-parthiban @ericholguin @jparth603